How long can Heartland Payment Systems, Visa and MasterCard obscure the total number of records data thieves swiped in a caper that almost certainly will surpass the TJX hack? Is it 100 million? 150 million?
Once again, we have a case where more transparency would clearly serve the greater good of making the Internet incrementally safer. Instead, what appears to be unfolding is yet another demonstration of plausible deniability by the centrally involved financial institutions, as each tries to dodge liability.
Depending on the results of the ongoing investigation, Heartland will face the threat of litigation from issuing banks, merchants and consumers, says Scott Vernick, an attorney with Fox Rothschild LLP in Philadelphia, who specializes in data breach cases.
“The businesses that use Heartland as a credit card processor, as well as thousands of consumers, will be anxiously watching for any negative impact, including harm to their business reputations, and the real possibility of identity theft or fraud,” says Vernick.
Heartland insists that announcing the breach on Inauguration Day was pure coincidence. Let’s grant them that, and focus on the months before the announcement. Heartland President and CFO Robert Baldwin has been accessible and forthcoming, to a point, in two interviews I’ve had with him.
He says Visa and MasterCard tipped Heartland off to a likely breach of Heartland’s systems last fall. He also told the New York Times that malware may have been implanted in Heartland’s system, which processes 100 million transactions per month for 175,000 restaurants and smaller merchants across the nation, as early as May 2008. He told me Heartland’s IT staff spent from late fall to mid-December or so trying to root out the malware, with no success. So they called in a forensic specialist, who then took about a month to ferret out clear evidence of the malware. A week later, on Jan. 20, Heartland went public about the breach.
Baldwin insists this was not an inside job; he says that the US Secret Service and Dept. of Justice tell him the caper is similar to recent hacks at other institutions. That, in and of itself, raises a lot of questions. What other institutions? Perhaps Star Processing, which handles card transactions for Forcht Bank of Kentucky? Forcht on Jan. 12 began replacing debit cards for 8,500 customers. Could these two separate breaches be part of a much larger global scam? How big is the combined pool of stolen records from recent hacks of these and other institutions?
One indicator of a larger criminal nexus at work comes from CardCops president Dan Clements, who keeps an eagle eye on the chat rooms where criminals test stolen card numbers on tools that run scripts merchants use to authorize card use. “We have seen an increase of at least 20% over the last six months in online chat room activity where hackers are testing out stolen credit and debit cards to make sure that they are active,” says Clements. Large batches of numbers are being tested. Clements believes that the numbers “could have come from a processor like Heartland or some other source that has access to a lot of customer data but is not a retailer.”
Back to Heartland. How did the data thieves crack in?
Matt Pauker, co-founder of Voltage Security, suggests it was most likely via a Heartland server connected to the Internet. Perhaps the bad guys obtained stolen administrator login credentials, as in the attack on Monster.com that netted 1.3 million records. Or maybe they executed a successful SQL injection attack. This recent report by IBM ISS notes that SQL injection vulnerabilities and public attacks on them are on the rise.
“Once the system was compromised, the hackers likely hopped from machine to machine until they reached the credit card processing system,” Pauker surmises. “There, they were able to install software that enabled them to ‘listen in’ to transactions as they were passing through.”
Rob Rachwald, Fortify’s director of product marketing, envisions a similar scenario: “Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on Heartland’s IT resources,” he says.
So will federal authorities some day divulge the actual modus operandi so lessons can be duly learned by one and all? “I somehow think this will not happen,” says Rachwald.
Adds Pauker: “This attack vector is similar to what was used in the attack on TJX, where attackers first compromised a wireless network in a store, then used that opening to work their way into the corporate systems.”
Maybe. No one outside of law enforcement knows the definitive cause of the TJX hack. I’ve heard of a scenario where the bad guys hacked in via a job applicant’s PC kiosk at the back of a TJ Maxx. We really have no definitive lessons learned from TJX, save for how much TJX had to set aside in reserves to clean up the aftermath ($197 million) and, much later, that PCI compliance might not have made any difference. TJX was famously not in compliance with PCI data handling security standards.
The fact that Heartland’s systems were certified as fully compliant with PCI standards underscores questions about the efficacy of the PCI rules. After all, the Hannaford Brothers grocery chain likewise met PCI rules, yet had 300 stores hacked for 4.3 million records.
“As the Heartland breach illustrates, you can be PCI compliant and still be breached,” said Phil Neray, VP/Security Strategy at Guardium, a database security vendor. “Good compliance does not mean good security.”
Mark Bower, Director of Information Protection Solutions at Voltage, points out that most PCI-compliant payment processors have segments of their network where cardholder data is not encrypted, moving “in the clear” so it can be exchanged with upstream partners such as Visa and MasterCard.
“These gaps create excellent attack points for hackers, as data is fully exposed,” says Bower. “The only solution to eliminate this threat is end-to-end encryption.”
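To make concrete what Pauker’s “listen in” software and Bower’s “in the clear” segments mean in practice, here is an added example (mine, not Heartland’s, Voltage’s or Fortify’s code). It scans a buffer for Luhn-valid 13 to 19 digit runs, which is both what a sniffer or memory scraper harvests from an unencrypted segment and what a practitioner can run over a packet capture to verify that a segment really carries no clear-text PANs. It then encrypts the PAN field at the capture point and shows the same scan coming up empty. The authorization message layout is a constructed, simplified stand-in for an ISO 8583-style request, the PANs are public test numbers, and the cipher (HMAC-SHA256 keystream plus HMAC tag, encrypt-then-MAC) is used only because the standard library has no AES; in a real deployment you would use an AEAD such as AES-GCM or a format-preserving scheme, with the key held only by the terminal and the decrypting endpoint.

```python
"""Clear-text PAN scanning vs. field-level end-to-end encryption.

Added example, not code from Heartland, Voltage or Fortify. The message
layout, test PANs and HMAC-based cipher are all constructed stand-ins.
"""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# --- what a sniffer, a memory scraper, or a DLP check looks for -------------

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check card PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")   # PANs are 13-19 digits

def find_pans(buf: bytes) -> list:
    """Every Luhn-valid 13-19 digit run in a buffer: the candidate PANs an
    eavesdropper pulls off an unencrypted segment (and a DLP scan reports)."""
    return [m.group().decode() for m in PAN_RE.finditer(buf)
            if luhn_ok(m.group().decode())]

# --- field-level encryption at the capture point ----------------------------
# Stand-in for a real AEAD: separate enc/mac subkeys, HMAC counter-mode
# keystream, encrypt-then-MAC with a constant-time tag compare.

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_pan(key: bytes, pan: str) -> str:
    """Returns base64(nonce || ciphertext || 16-byte tag)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(12)
    pt = pan.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt_pan(key: bytes, blob_b64: str) -> str:
    """Verify the tag, then decrypt. Only an endpoint holding `key` can do this."""
    enc_key, mac_key = _subkeys(key)
    blob = base64.b64decode(blob_b64)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("PAN ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

# --- constructed authorization message --------------------------------------

def auth_message(pan: str, key: Optional[bytes] = None) -> bytes:
    """Simplified, constructed authorization request. With a key the PAN is
    encrypted at capture and travels as EPAN; without one it goes in the
    clear, as on the processor segments Bower describes. REF is a 16-digit
    reference that is deliberately not Luhn-valid and must not be flagged."""
    pan_field = f"EPAN={encrypt_pan(key, pan)}" if key else f"PAN={pan}"
    return (f"MTI=0100|{pan_field}|AMT=000000012999|"
            f"REF=1234567890123456|MID=000112233|").encode()

def scan_segment(messages) -> set:
    """What an eavesdropper on the segment carrying `messages` harvests."""
    found = set()
    for m in messages:
        found.update(find_pans(m))
    return found

if __name__ == "__main__":
    key = secrets.token_bytes(32)        # held by terminal and decrypting endpoint only
    pans = ["4111111111111111", "5555555555554444"]   # public test PANs
    print("in the clear:", scan_segment([auth_message(p) for p in pans]))
    print("end to end:  ", scan_segment([auth_message(p, key) for p in pans]))
    print("endpoint decrypts:", decrypt_pan(key, encrypt_pan(key, pans[0])))
```

The scanner is deliberately the same code for attacker and defender: if it finds nothing on a capture from the segment between the processor and its upstream partner, the PAN was encrypted before it got there; if it finds PANs, that segment is exactly the “excellent attack point” Bower describes, whatever the PCI attestation says.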
Perhaps. But again, the big missing ingredient is public awareness. Without a higher degree of transparency of major breaches, and open discussion and collaboration among the good guys, movement toward a safer Internet will continue to be constrained.
Photo: Robert Carr, chairman, and CEO, Heartland Payment Systems rings the Opening Bell on August 12, 2005 at the New York Stock Exchange. (NYSE)