Data Breaches

ATMs that just spit out money - Nice!

As you may know, one of my favorite posting topics has to do with ATMs. I call them Automatic Theft Machines because there are way too many stories of equipment being hacked, and/or swiping hardware being installed, or people just driving away with them.

Well, along comes a story about the progression of this issue: In Eastern Europe, the bad guys have perfected the art of getting the machine to spit out all its money on demand.

According to the article (linked above), authorities say there must be some sort of inside access to allow software to be installed. The articles claims that after unlocking the security, the inside equipment is quite vulnerable.

Hmmm, hard on the outside, yummy and soft on the inside….where have we heard that before? And something else interesting to note: many of the ATMs appear to be Diebolds; the same company that makes voting machines for us……and was implicated in another attack earlier this year, also in Eastern Europe.

The ATMs utilize a scaled down version of Windows XP, which actually doesn’t make me feel any better at all.

Encrypt Your Laptops NOW

SC Magazine has reported that a laptop belonging to the State of Oklahoma was stolen, with 1 million names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits.

All this was secured with a password. The State of OK seems to think that is adequate protection - has nobody there heard of a Linux boot disk? It will ( and probably already has) taken a cracker ten minutes or less to gather the SAM database, and probably not much time to crack the password.

No excuses! Get it done. The cost of losing a laptop is now estimated at $50,000, after the cost of corporate security efforts, bad publicity, and lawsuits. No one is too small to get sued.

The Beginning of the End for PIN Codes

Yesterday Wired released a story that reveals a startling detail about the TJMaxx data breach: hackers were able to cash in on stolen debit cards because they had a way to crack PINS.

This “minor detail” was buried in an affadavit last year, but Wired has put it together with some other information afloat on the NET, and the article is a really good read on what happens to your PIN from your debit card as it transits various networks to receive approval. Your PIN gets decrypted and re-encrypted by a Hardware Security Module (HSM) each time it transits a network. Lots of opportunities for capture with the help of an insider or some sniffing malware.

“While statistically not a large percentage…in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records,” says the report. “In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand.”

Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.

Ouch.

Clearly, PIN-based authentication has been cracked, and will be cracked more and more. Leave your debit card at home and Pay Cash Instead.

When News Isn’t News

A client of ours was notified recently by their financial institution that some of their credit cards had been compromised by a vendor.

The rational question followed: “Which vendor?” To which the bank replied, we aren’t going to tell you in order to protect the reputation of the vendor. Given that a high percentage of vendors have had more than one security breach, why are banks protecting them? Wouldn’t you want to know which company had been broken into so that you could pay extra attention to transactions from that company?

This kind of financial behavior is what drives people to enacting regulatory requirements for notification.

“Citibank contacted my husband and told him that they would be re-issuing him a new account number because a “major merchant” had notified authorities that its secure data had been compromised. They would not release the name of the merchant, instead saying that it was “the kind of thing we would probably hear about in the news,” she writes.

Why do we have to hear about it from the news? Why are we protecting organizations that are not protecting their data? Because it would cost the vendor money, and that would impact the profits at the bank. It’s the same reason VISA doesn’t shut down big PCI violators - and it’s why we really need independent oversight.

Making it Easy For Hackers

How many rules do you have in your firewall? How many rules allow access directly into your network? How many rules allow ANY/ANY?

The more rules you have in your firewall rulebase, the higher your risk of allowing attackers in. I’m not talking about opening access to your webserver in the DMZ. But the rules are not linear, which many people (including some professionals) do not understand.

Firewall rules are inherited, like Access Control Rules, so that you can end up with some unintended consequences. If the ANY/ANY rule is above the tighter rules, the ANY/ANY rule will prevail. This is exactly what happened in a rulebase I looked at not too long ago. The company was not convinced until we ran a packet capture and I could demonstrate that IP addresses from Russia AND China were banging on internal IP addresses.

Allowing ingress to your internal network using any protocol is fraught with peril. Terminal Services/RDP allowed in? Somebody will be running scripts against the Administrator ID trying to log in all the time. FTP? There are too many ways to badly configure an FTP server. That’s what a DMZ is for. So is your Outlook Web Access. If any internal server is compromised, it becomes a jumping off point into the rest of your network. This goes for printers, too, which have little miniature hard drives.

ANY/ANY rules are red flags to the auditor - they tell me someone is sloppy, and hasn’t taken the time to ascertain what ports are absolutely necessary to open. Yes, we’re all busy, but think how busy you will be cleaning up after hackers. Or, worse yet, cleaning up your resume on the unemployment line.

Have a rule labeled TEMP? Put an expiration date and a contact person in the notes. If you are run over by the turnip truck, the next engineer will have a clue as to what is going on and will offer up burnt offerings in gratitude.

Hijacking Your Website

With all the publicity going on about the Heartland breach, not much attention has been paid to what happened to CheckFree last December. The event is also much more challenging to explain to the average consumer, but it was a significant technical attack that you and I should be aware of.

And they did it without hacking into CheckFree. Simply, they redirected visitors to a faux CheckFree customer login page on a Web site in Ukraine that tried to install password-stealing software.

There’s all sorts of pharming, phishing (I’m getting a little weary of the “ph” naming convention, frankly) out there. What is important here is that the bad guys got into the Domain Registrar in order to redirect traffic. They didn’t go for breaking into domain servers; they used a legitimate admin name and password to log into Network Solutions and change the information.

So think for a moment about how you maintain your domain registration, and how important that is to your company. Over the course of five hours the bad guys captured who knows how many IDs and logins for CheckFree.

CheckFree is not just any company, it’s owned by Fiserv, and is the backend company for financial institutions that utilize billpay services.It manages between 70% and 80% of this type of financial service. So while no data was captured from CheckFree servers, the possible loss of login information is significant. Up to 160,000 users may have been impacted.

Even though the information on Network Solutions was corrected after five hours, the badguys had set up the information to last for 48 hours in the TTL (Time to Live) configuration. So unless a massive PUSH was made (and it wasn’t) DNS servers that received that information didn’t have to check back for another 48 hours.

Registrars are becoming increasingly attractive targets. At one point the IP address in the Ukraine held multiple fake sites.

It’s worth thinking about how your business might be impacted. And what kind of username and password you’re using with your Domain Registrar. How was the ID and password to Network Solutions captured? They don’t know. Can we imagine an admin’s PC getting infected?

The Emperor Has No Clothes

Visa is in a difficult position: it has said that merchants must be compliant, and the ultimate threat is to pull processing permissions from non-compliant merchants.

But if one of the merchants turns out to be a payment processor that generates huge profits for Visa, do they cut off their nose to spite their face? Evidently not. They just make them non-compliant. Sort of.

According to StorefrontBacktalk.com, Visa has declared that Heartland is no longer on the list of “PCI-compliant” vendors. Rather, Heartland is in a probationary period, with increased oversight, audits, etc.

But wait! In response to this announcement, Heartland declares that it had been compliant in 2008, is undergoing its 2009 assessment, and fully expects to be declared compliant.

(If you go to Heartland’s web site, they have quite a set of web pages on what it “means” to be PCI-compliant. The web page is entitled, “Ensuring You are PCI-Compliant.” They must take this literally, since THEY are not compliant (at least for the moment). Does anyone else besides me find this way too ironic?)

Are you confused yet? I sure am, and I’m the one who is supposed to be the auditor.

In a final expression of revisionist history, Visa is now declaring that “As of today, no compromised entity has been found to be compliant at the time of the breach.” So, temporarily, Heartland is not compliant, so no one who was compliant was…….I’m lost.

When is compliant not compliant? The message is, when Visa says it is. Or not.

PCI - Pay Cash Instead.

You May Not Want to Know, But…..

If you are wondering if your banking institution has been affected by the Heartland breach, you can visit bankinfosecurity.com’s web page (updated daily) tracking the number of institutions announcing they have been affected by the breach.

Had your credit/debit card replaced (unsolicited by you) recently? You would be well advised to call and find out why.

ATM Heists Grow in 2007 and 2008

A story on Wired came out recently about a $9 million ripoff of RBS WorldPay. Further reading on Wired led me to articles about, variously, a cracking of an ATM network in 7-Eleven stores that linked to Citibank, iWire cash payment cards, and Direct Cash management cards.

It seems that the bad folks are cracking ATMs and cash/debit/gift cards MUCH faster than the banks and financial services people can keep up. They have gotten adept at being able to clone cards, crack PINS and break account limits in order to drain accounts quickly with a host of people making fast runs on the system. Profits range from $750,000 to, so far, $9 million.

Banks and businesses are being ever more cagey about announcing such breaches, pointing fingers at various processors and claiming they can’t talk due to “ongoing criminal investigations.” This is the claim for the heist of $9 million that happened last November. Frankly, that excuse is getting harder and harder to swallow.

As my last post noted, we are starting to see a pattern of “repeat-offenders.” Companies that are broken into more than once, and don’t seem to be able (or willing) to make changes so that breakins stop happening. Monster.com comes to mind.

Of course, as consumers, we don’t see an impact until our cards get canceled, or God forbid, our accounts get drained. But for people being issued cash cards as a form of payroll, this can have devastating consequences. If you’re living from paycard to paycard, and one paycard gets hacked, what will you do for food, gas other necessary things that week? It might take the card company a week or two to straighten things out - maybe more. What happens until then?

The rising cost of these data losses are being well documented. For now, banks and financial companies are eating the cost out of their profits, and collecting damages from each other. It’s not a pretty picture, and ATMs are a growing part of the mess.

This is liable to get worse before it gets better. Companies tend to be unwilling to spend money on securing data in the best of times; but in these worst of times, securing data is just not happening.

PCI - Pay Cash Instead.

Another Big Processor Breach, But Nobody is Talking

Word is rampant on blogs and security portals that another processor breach (in addition to Heartland) has occurred. Banks are being contacted by Visa and Mastercard, to replace credit cards as well as ATM cards.

The latest, from IdentityTheftBlog.info:

Thanks to a more recent credit union notice that Jai Vijayan of Computerworld uncovered from the Alabama Credit Union, we now know that this is not just credit cards that have been affected, but that the breach also appears to involve “long lists” of compromised ATM/debit cards. Visa and MasterCard remain mute about the source of the breach, although once the confirmation was found, Visa confirmed to Computerworld that a processior “experienced a compromise of payment card account information from its systems,” and MasterCard’s statement referred to the processor as being in the U.S.

The fact that the breach includes ATM cards is scary and disheartening. The fact that another large processor has been breached tells me Heartland and Hannaford were not anomalies - they represent the tip of the iceberg. Cybercrimminals have developed a way to capture streaming card data that’s being transmitted unencrypted on internal networks.

We need to start encrypting card data during every point in the transaction process, whether nor not it’s running across internal networks or sitting in databases.

Next, let’s start monitoring outbound transmissions on our firewalls and get more granular about firewall rules. Servers sitting in stores don’t need to be able to access the Internet. Or set up critical servers in a group and monitor ALL their outbound and inbound transmissions.

Wireless? OK, you say you don’t have them, but what’s to stop an employee from plugging one in? Rogue access point detectors should alert and shut down the port.

How about physical security? Servers installed in stores are the weakest link - I’ve found servers in closets, break rooms, and once, in the Gift Wrap department.

It’s much more expensive to retrofit that to install secure systems - but we are now paying the price.
One of my Rules of Thumb: You can pay now, or you can pay later, but if you pay later, you will always pay more.

I guess we’re paying more, don’t you?