The Last Watchdog

on Internet security by Byron Acohido

Lack of transparency on Heartland breach

Posted on January 21, 2009 | 6 comments

How long can Heartland Payment Systems, Visa and MasterCard obscure the total number of records data thieves swiped in a caper that almost certainly will surpass the TJX hack? Is it 100 million? 150 million?

Once again, we have a case where more transparency would clearly serve the greater good of making the Internet incrementally safer. Instead, what appears to be unfolding is yet another demonstration of plausible deniability by the centrally involved financial institutions, as each tries to dodge liability.

Depending on the results of the on-going investigation, Heartland will face the threat of litigation from issuing banks, merchants and consumers, says Scott Vernick, an attorney with Fox Rothschild LLP in Philadelphia, who specializes in data breach cases.

“The businesses that use Heartland as a credit card processor, as well as thousands of consumers, will be anxiously watching for any negative impact, including harm to their business reputations, and the real possibility of identity theft or fraud,” says Vernick.

Heartland insists that announcing the breach on Inauguration Day was pure coincidence. Let’s grant them that, and focus on the months before the announcement. Heartland President and CFO Robert Baldwin has been accessible and forthcoming, to a point, in two interviews I’ve had with him.

He says Visa and MasterCard tipped Heartland off to a likely breach of Heartland’s systems last fall. He also told the New York Times that malware may have been implanted in Heartland’s system, which processes 100 million transactions per month for 175,000 restaurants and smaller merchants across the nation, as early as May 2008. He told me Heartland’s IT staff spent from late fall to mid-December or so trying to root out the malware, with no success. So they called in a forensic specialist, who then took about a month to ferret out clear evidence of the malware. A week later, on Jan. 20, Heartland went public about the breach.

Baldwin insists this was not an inside job; he says that the US Secret Service and Dept. of Justice tell him the caper is similar to recent hacks at other institutions. That, in and of itself, raises a lot of questions. What other institutions? Perhaps Star Processing, which handles card transactions for Forcht Bank of Kentucky? Forcht on Jan. 12 began replacing debit cards for 8,500 customers. Could these two separate breaches be part of a much larger global scam? How big is the combined pool of stolen records from recent hacks of these and other institutions?

One indicator of a larger criminal nexus at work comes from CardCops president Dan Clements, who keeps an eagle eye on the chat rooms where criminals test stolen card numbers on tools that run scripts merchants use to authorize card use. “We have seen an increase of at least 20% over the last six months in online chat room activity where hackers are testing out stolen credit and debit cards to make sure that they are active,” says Clements. Large batches of numbers are being tested. Clements believes that the numbers “could have come from a processor like Heartland or some other source that has access to a lot of customer data but is not a retailer.”

Back to Heartland. How did the data thieves crack in?

Matt Pauker, co-founder of Voltage Security, suggests it was most likely via a Heartland server connected to the Internet. Perhaps the bad guys obtained stolen administrator login credentials, as in the attack on Monster.com that netted 1.3 million records. Or maybe they executed a successful SQL injection attack. This recent report by IBM ISS notes that SQL injection vulnerabilities and public attacks on them are on the rise.

“Once the system was compromised, the hackers likely hopped from machine to machine until they reached the credit card processing system,” Pauker surmises. “There, they were able to install software that enabled them to ‘listen in’ to transactions as they were passing through.”

Rob Rachwald, Fortify’s director of product marketing, envisions a similar scenario: “Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on Heartland’s IT resources,” he says.

So will federal authorities some day divulge the actual modus operandi so lessons can be duly learned by one and all? “I somehow think this will not happen,” says Rachwald.

Adds Pauker: “This attack vector is similar to what was used in the attack on TJX, where attackers first compromised a wireless network in a store, then used that opening to work their way into the corporate systems.”

Maybe. No one outside of law enforcement knows the definitive cause of the TJX hack. I’ve heard of a scenario where the bad guys hacked in via a job applicant’s PC kiosk at the back of a TJ Maxx. We really have no definitive lessons learned from TJX, save for how much TJX had to set aside in reserves to clean up the aftermath ($197 million) and, much later, that PCI compliance might not have made any difference. TJX was famously not in compliance with PCI data handling security standards.

The fact that Heartland’s systems were certified as being fully in compliance with PCI standards underscores questions about the efficacy of the PCI rules. After all, the Hannaford Brothers grocery chain likewise met PCI rules, but had 300 stores hacked for 4.3 million records.

“As the Heartland breach illustrates, you can be PCI compliant and still be breached,” said Phil Neray, VP/Security Strategy at Guardium, a database security vendor. “Good compliance does not mean good security.”

Mark Bower, Director of Information Protection Solutions at Voltage, points out that most PCI compliant payment processors have sections of their network where data is not encrypted, moving “in the clear” so as to communicate with upstream partners, like Visa and MasterCard.

“These gaps create excellent attack points for hackers, as data is fully exposed,” says Bower. “The only solution to eliminate this threat is end-to-end encryption.”

Perhaps. But again, the big missing ingredient is public awareness. Without a higher degree of transparency of major breaches, and open discussion and collaboration among the good guys, movement toward a safer Internet will continue to be constrained.


6 Comments

  1. It’s funny how Heartland revealed their data breach on inauguration day, and RBS WorldPay admitted its incident that has affected 1.5 million people on 23 December.

    Maybe we should work out other “big dates” and “holidays” coming up in advance, and run a sweepstake on which companies may be trying to slip out their bad news then?

  2. Anyone in security or involved with PCI DSS knows that compliance does not indicate that a breach will not occur. Compliance is expensive and the dirty little secret is that many companies will try to get compliant as quickly and inexpensively as possible. I’m not convinced that PCI DSS compliance is not a safety for a breach. Some questions that lead us down other paths are: Who certified the breached companies as compliant? Is there a pattern with the certifying company? What type and level was the breached company? A pattern may develop there as PCI DSS requirements vary on the type and level. When the breached companies answered the PCI DSS questionnaires, what answers did they provide? It is unlikely anyone will gain access to the questionnaires, but it would be interesting to have an independent 3rd party go through the questionnaires to confirm and find patterns.

  3. The Heartland breach is but another confirmation that the level of hacker sophistication continues to evolve and that we must never underestimate their ingenuity or capacity for stealth. Unfortunately, I anticipate that this type of criminal activity will become even more prevalent during this period of economic turmoil. Therefore, it is imperative that business, the Obama Administration and the new Congress keep privacy, security and identity theft issues on the front burner.

    Just as many public companies time the release of negative earnings reports to coincide with the end of the trading day on Friday, I am not surprised that disclosure of this particular breach was made on Inauguration Day – certainly one of the most heavily anticipated political events of our generation.

    This breach is yet another reminder of why consumers must spend a few minutes every day reviewing online the activity in their bank and credit card accounts and feeling completely comfortable that every transaction they see is correct.

    All the best,

    Adam K. Levin
    Chairman and Co-Founder
    Identity Theft 911

  4. You wrote “Heartland insists that announcing the breach on Inauguration Day was pure coincidence. Let’s grant them that.”

    Are you kidding???
    There are no coincidences when a CEO like Bob Carr from Heartland Payment Systems issues a press release like this.
    Bob has thought about every angle (ten times over) to try and minimize the damages to his company.
    Issuing a press release on Barack Obama’s inauguration day was as sneaky as it was brilliant.

    Here is a good video regarding this angle:
    http://www.youtube.com/watch?v=fMYdxCvM3do&feature=channel_page

    Best regards,
    Keith
    http://www.insideIDtheft.info

  5. I don’t think it matters how many identities were compromised. I can safely say it’s greater than 1 million and probably less than a billion. Worrying about Heartland (and TJX for that matter) divulging that information is more about headline fodder for reporters than dealing with the root cause of the problem.

    This is the 2nd “PCI compliant” firm suffering a massive data breach. PCI will face a crisis of confidence unless the standards council figures out how to make the requirements more relevant to today’s new attack vectors.

    I wrote a piece on the eIQ blog about the breach and one potential approach to defend against these kinds of attacks. http://blog.eiqnetworks.com/2009/01/22/heartland-proves-that-log-data-is-not-enough/

    As another commenter made the point, you can’t stop these attacks. But you can find out about them much faster and contain the damage.

  6. I’m one whose credit card info was poached, and I’m just not as charitable as you, Byron. Intentional or not, Heartland’s announcement was lost in all the inaugural frenzy. And Heartland hasn’t yet offered credit monitoring to affected consumers.

    So it would seem that you’re right: Heartland hasn’t learned ANY lessons from the TJX corp’s mishandling of the fallout of their breach.

    But having lived with credit/data “vulnerability” as a result of one Heartland hack and 2 corporate laptop thefts, I’ve learned a lesson: I do not trust that corporate or civil entities are concerned with protecting my personal information.

    O/T — Congrats from a fellow OLS alum on your new book, Byron! Starting it this weekend.
