Hackers Tested Vulnerable Credit Card Systems

The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry's security standards for safeguarding customer data.

All merchants that handle credit and debit card data are required to show that they have met the payment card industry data security standards (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access.

Yet, some of the most notable data breach incidents last year targeted companies that had recently been certified as compliant with those standards, raising the question of whether the standards go far enough, or if entities that experienced a breach are falling out of compliance with the practices that led to their certification.

In a recent hearing on PCI standards at a House Homeland Security Committee panel, experts from the retail sector charged that the entire PCI scheme is only a tool to shift risk off the banks and credit card companies' balance sheets.

"The premise behind PCI -- that millions of retail establishments will systematically keep pace with the ever-evolving sophistication of today's professional hacker -- is just not realistic," said David Hogan, senior vice president and chief information officer for the National Retail Federation.

Merchants and retailers who experience a breach and are later found to be out of compliance with the PCI standards face steep fines from the credit card companies, and may eventually be forced to pay banks the costs of reissuing compromised cards.

Michael Jones, chief information officer for Michaels Stores Inc., a craft store chain, maintains that the PCI mandates were developed from the perspective of the card companies, rather than those who are expected to follow them.

For example, a major tenet of the PCI standards is that hackers cannot steal credit and debit card data if retailers simply choose not to store the data. But Jones said retailers are required to store the data to defend themselves against chargebacks, disputes that can be initiated by a bank or by a bank's customer. If a retailer cannot produce a copy of the receipt in the face of a chargeback, that retailer is forced to pay the cost associated with that chargeback, Jones said.

"This could have been fairly easily solved using a unique approval ID for each transaction, thus eliminating the need for credit card number storage by the retailer," but the credit card companies have balked at that suggestion, Jones said.

Also, while retailers that do digitally store cardholder data are required to encrypt the information, the PCI standards do not require merchants to encrypt data as it travels over their internal, private networks. This became an issue last summer, when hackers broke into the internal network of Heartland Payment Systems, a major credit card processor in Princeton, N.J. In that attack, the thieves siphoned card data by installing software that watched for and recorded card data as it was sent unencrypted over the company's internal processing networks.

"The credit card companies' financial institutions do not accept encrypted transactions" over these private networks, Jones said. "We at Michaels have asked for three years for the ability to send encrypted information to the bank. To date, this has not happened."

But Bob Russo, general manager of the PCI Security Standards Council, said the council has yet to find a breached entity that was in full compliance with the PCI standards at the time of the breach.

"We also recognize that the dynamic nature of any organization can render a validated system noncompliant almost immediately after a satisfactory compliance report has been issued," Russo said.

Joseph Majka, head of fraud control and investigations at Visa, said that while there have been a few cases recently in which a business previously validated for compliance with PCI was the victim of a breach, "in all cases our review concluded gaps in PCI DSS controls were major contributors to the breach."

A study released this week by Verizon Business, a company routinely asked to investigate major corporate data breaches, found that in three-quarters of the confirmed breaches it investigated last year the victims were not compliant with PCI DSS or had never been audited. Another 19 percent had been found PCI compliant during their last assessment.

Verizon also found that a common reason among businesses that were not compliant with PCI standards was that they failed to monitor all of their network resources or regularly test security systems and processes.

Those two findings were echoed by Nicholas Percoco, vice president of SpiderLabs, the incident response department at Chicago-based security vendor Trustwave, a company that responded to roughly 150 data breaches last year. Percoco said that in many of those cases, the attackers gained access to data through portions of the company's network that were rarely used, much less monitored or maintained.

"In many cases we investigated, the first entry points were Web pages that had 'Copyright 2005' or 'Copyright 2006' written at the bottom," Percoco said. "We talked to several entities who said they knew the sites were old and were planning to decommission them. In some cases, though, the sites had just been merged into the company's property because of some corporate acquisition, and the people in charge didn't even know the sites existed."

In addition, many of the hacks Trustwave investigated last year involved breaches in which the attackers were present on the victim's internal networks for weeks, even months at a time. With that kind of time, attackers often are able to write their own custom hacking tools designed to siphon financial data from the victim's computers and network, tools that can easily evade the data storage protections mandated by the PCI standards.

Percoco said his company has seen breaches involving malicious software designed to attack companies that were encrypting data as it moved from point of sale terminals to the victim's internal computer network. In some cases, the thieves intercepted card data by hacking the USB-based card readers that plug in to point-of-sale terminals, he said.

Verizon's breach report (PDF) describes another advanced technique used to steal card data, called "memory scraping," which involves dumping sensitive data from a computer's memory while it sits there in the clear, before it is encrypted or after it has been decrypted.
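The common thread in the sniffing and memory-scraping cases above is card data sitting in the clear somewhere an assessor did not look. As an added example (not from the article, Verizon or Trustwave), here is a small Python scanner of the kind a PCI assessor or DLP tool uses to discover unencrypted primary account numbers in captured traffic, log lines or memory buffers: it pulls out 13 to 19 digit runs, keeps only those that pass the Luhn checksum, and reports them masked. The sample records and the test-style card numbers in them are constructed.

```python
import re

# Constructed sample records standing in for data an assessor might scan:
# an authorisation log line, a raw memory buffer, a tokenized record and a
# long non-card number. The card numbers are Luhn-valid test numbers, not
# real accounts.
SAMPLE_RECORDS = [
    b"AUTH 2009-03-11 12:04:55 PAN=4111111111111111 EXP=0511 AMT=42.17 APPROVED",
    b"\x00\x00TRK2;5500000000000004=05111010000000000?\x00\x00",
    b"AUTH 2009-03-11 12:05:02 TOKEN=tx-8f3a9c21 AMT=19.99 APPROVED",
    b"order id 1234567890123456789 is not a card",  # 19 digits, fails Luhn
]

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(buf: bytes) -> list:
    """Return masked candidate PANs found in a byte buffer.

    A candidate is a 13-19 digit run that passes Luhn and does not start
    with 0 (no card scheme issues such numbers). Only the last four digits
    are kept so the scanner's own output does not become cardholder data.
    """
    found = []
    for m in PAN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if digits[0] != "0" and luhn_valid(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def audit_records(records) -> dict:
    """Map each record index to the masked PANs it exposes (empty list = clean)."""
    return {i: find_plaintext_pans(r) for i, r in enumerate(records)}


if __name__ == "__main__":
    for idx, pans in audit_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {'EXPOSED ' + ', '.join(pans) if pans else 'clean'}")
```

Records 0 and 1 are flagged, while the tokenized record 2 passes clean, which is the property Jones argues for when he asks for a unique approval ID in place of stored card numbers.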

"Criminals have re-engineered their processes and developed new tools--such as memory-scraping malware--to steal this valuable commodity," the report reads. "This has led to the successful execution of complex attack strategies previously thought to be only theoretically possible. As a result, our 2008 caseload is reflective of these trends and includes more targeted, cutting edge, complex, and clever cybercrime attacks than seen in previous years."

Regardless of the methods used by the attackers, the most important protection businesses can have in place is the ability to detect breaches quickly after they happen, said Bryan Sartin, vice president of investigations at Verizon Business.

"If there is any one thing you can always learn from a company who's been through one of these big breaches, it's the importance of the ability to react to the underpinnings of a breach before it blows up and becomes a major problem," Sartin said.
