As I predicted in previous posts, the wave of card data breaches is growing and sweeping away everything in its path, above all PCI-compliant merchants. Brian Krebs stated in his blog that the point-of-sale software created by Signature Systems and used by Jimmy John's and other retailers for payment processing was not PCI (PA-DSS) compliant, as its formal validation expired in 2013. This fact gives the PCI Security Standards Council a convenient excuse to blame the merchants again and say the breach was possible only because they were not PCI compliant. We all know this isn't true: PCI compliance would not have helped them avoid the breach, just as it did not help many others. In most cases, including those recent breaches, the attack is carried out with RAM scraping, aka memory parsing, a technique that reads unencrypted track data out of the payment application's process memory in the window between the card swipe and the moment the data is encrypted or sent to the processor. That window exists by design of the magnetic stripe card and the payment application, and no PCI DSS control closes it.
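To make the memory-parsing technique concrete, here is an added example, not code from this post and not from any real malware sample. It scans a buffer for ISO 7813 Track 1 and Track 2 records, drops candidates that fail the Luhn check (which is exactly how scrapers separate card data from noise), and returns the hits with their offsets. A real scraper fills the buffer by reading another process's memory (on Windows, ReadProcessMemory); a defender can run the same logic over a process dump to confirm that plaintext track data is sitting in the POS at all. The sample buffer is constructed for this example with the Visa and Mastercard test PANs 4111111111111111 and 5555555555554444, not real card data.

```python
"""Memory-parsing (RAM-scraping) track-data scanner, added illustration only.

The "memory" below is a constructed bytes object so the example runs offline;
a real scraper reads another process's address space instead.
"""
import re

# ISO/IEC 7813 Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: scrapers use it to discard false positives, so do we."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six (BIN) and last four, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list[dict]:
    """Return every Luhn-valid track record found in buf, with its byte offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group(2).decode(errors="replace"),
                         "exp": m.group(3).decode(), "service": m.group(4).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "exp": m.group(2).decode(), "service": m.group(3).decode()})
    return hits


# Constructed sample "process memory": two swipes surrounded by noise, plus a
# decoy Track 2 whose check digit is wrong and must be ignored. Test PANs only.
SAMPLE_MEMORY = (
    b"\x00\x00POS.EXE heap\x01\x02"
    + b"%B4111111111111111^DOE/JOHN^18121010000000000?"
    + b"\xff\xfe socket buffer "
    + b";4111111111111112=18121010000?"        # fails Luhn -> skipped
    + b"\x00" * 8
    + b";5555555555554444=18121011000012345?"
    + b"\x00trailing garbage"
)

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(f"track {h['track']} @0x{h['offset']:x}: {mask(h['pan'])} "
              f"exp {h['exp']} svc {h['service']}")
```

Two details matter in practice: the service code (third field) tells the attacker whether the track can be cloned onto a stripe-only card, and the decoy shows why a scanner without a Luhn filter drowns in junk. The lesson for defenders is the mirror image: if this finds anything in a dump of your payment process, P2PE (encrypting in the reader) is the control that makes it find nothing.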
The carding industry is constantly evolving and developing new methods of cashing out stolen credit card data. In addition to the standard ways described in my book Hacking Point of Sale, there are a couple of newer techniques. Perhaps those methods are not exactly new, but they only recently came to my attention.
1. Using a gift card as a "new body" for a stolen credit card (this information comes from a source working at one of the major payment brands).
The stolen track data is encoded onto plastic printed to look like a gift card (or an original gift card is re-encoded with the stolen track data). Most gift cards carry no cardholder identification and none of the physical security features of credit cards, so a store attendant has no way to authenticate the cardholder. At the same time, most point-of-sale systems process gift cards automatically, in much the same way as credit cards, so the re-encoded card is accepted like any other swipe.
2. Using online affiliate programs to make purchases and earn commissions.
The stolen cards are used to purchase goods through online affiliate programs, typically ones selling various pills and the like. The cash-out is achieved by carders signing up as affiliates and earning a commission on each purchase made through their own affiliate account.
At the core of the affiliate program is a partnership of convenience: The affiliate managers handle the boring backoffice stuff, including the customer service, product procurement (suppliers) and order fulfillment (shipping). The sole job of the “affiliates” — the commission-based freelance marketers who sign up to promote whatever is being sold by the affiliate program — is to drive traffic and sales to the program.
The phrase "devalue the data" was used several times by new PCI SSC General Manager Steve Orfei in his keynote today at the PCI Community Meeting in Orlando. I like the term, data devaluation, and it is obviously the right direction. It means that payment transaction data, even if intercepted and stolen by hackers, cannot be used to process new transactions. In the payment card industry this can be achieved with several technologies and their combinations: EMV (the chip produces a transaction-unique cryptogram, so a captured authorization cannot be replayed), P2PE (encryption inside the card reader, so the POS never holds plaintext track data), and tokenization (the merchant stores a surrogate value in place of the PAN). But it took the payment industry several decades to realize that the data must be devalued, and it will take many more years to fully implement such devaluation. Unlike card payments, Bitcoin and other crypto currencies are designed so that transaction data has no value by definition. So is it worth the effort of patching the old technologies in order to achieve the same level of security that the new technologies already provide out of the box?
I am getting a lot of questions about my opinion on Apple Pay, which was announced this morning along with the iPhone 6 and Apple Watch. So here are some first thoughts, very briefly.
Regarding the technology: unfortunately, Apple has released few technical details so far, so a serious, thorough assessment is impossible right now. However, it looks like Apple Pay uses some form of tokenization, which means that breaches of the Target or Home Depot kind should no longer yield usable card data, because merchants will not be exposed to the actual PAN or track. A token, created when you add a new payment card to Passbook, is stored in the device's secure element and sent to the merchant instead of the card's magnetic track. So far so good.
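To show what "devaluing the data" by tokenization means in the merchant's database, here is an added example that serves both the data devaluation post above and the Apple Pay note here. It is not code from this blog or from Apple, and it models the merchant-vault style of tokenization (a random surrogate held in a vault outside the merchant environment), not the network tokens Apple Pay is believed to use. Two design choices are assumptions of this example: tokens keep the PAN length and last four digits so receipts and reconciliation still work, and tokens are generated to fail the Luhn check so a token can never be mistaken for, or used as, a real PAN. The Visa test PAN 4111111111111111 is used; no real card data.

```python
"""Merchant-side token vault, added illustration of data devaluation.

Assumptions of this example (not from the post): format-preserving tokens that
keep length and last four, deliberately Luhn-invalid, issued by a vault that
lives with the service provider and never inside the merchant's POS network.
"""
import secrets


def luhn_ok(pan: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the PAN<->token mapping; the merchant only ever sees tokens."""

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:             # same card -> same token, so the
            return self._by_pan[pan]        # merchant can still link repeat sales
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]         # keep last four for receipts
            if luhn_ok(token) or token in self._by_token:
                continue                    # reject: looks like a PAN, or collides
            self._by_pan[pan] = token
            self._by_token[token] = pan
            return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. for refunds through the provider) can do this."""
        return self._by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's database keeps: enough to refund or reconcile, no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def usable_as_card(value: str) -> bool:
    """A carder's-eye test: a 13-19 digit Luhn-valid string is a candidate PAN."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value)


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", 1999)
    print("merchant stores:", rec)
    print("stolen token usable as a card?", usable_as_card(rec["token"]))
```

The point is the asymmetry: a scraper that lifts `rec` from the merchant gets a value that fails every PAN check and is meaningless without the vault, while the merchant still has everything it needs to run its business. Contrast this with EMVCo network tokens, which are routed like PANs and therefore must be Luhn-valid; their devaluation comes instead from domain restrictions (device, merchant, channel) enforced by the network.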
As far as the possible effect on the payment industry: it's still unclear whether this system is open or closed. Like many Apple things it may be proprietary, and if others can only imitate it rather than adopt it, its mainstream acceptance may be limited. NFC is an open standard, but NFC is just the communication layer. There is a recent precedent, however, of Apple creating a relatively open standard in retail: iBeacon.
And finally, like many things made by Apple, it's simple, elegant, and convenient.
Anyway, I am going to try it as soon as I get my iPhone 6.
It is becoming more and more difficult to comment on card data breaches. News about another attack on a US merchant, similar to the recent Home Depot card data breach, arrives almost every day. The attack scenarios, as well as the tools used to penetrate the merchant network and retrieve the sensitive cardholder data, are always the same or very similar. The security solutions that could potentially prevent those breaches, but have never been tried, also remain the same. Nothing changes, so there is not much to talk about...
When you swipe your card in a retail store anywhere in the US, the chance of losing your money today is higher than when you gamble in Las Vegas. Unlike at the casino, however, in many cases you eventually get your money back (I can't say the same about the merchant, though). It's like a total-loss insurance claim: you recover your money (at least partially) but never get your beloved car back. And so there are things, including consumers' trust and confidence in the card payment system, that will never return to their original state.
So what's next? Are we going back to cash? I doubt it. Plastic cards are too convenient to be abandoned. For many people, paying with a credit card has become a habit so strong that breaking it would require treatment similar to quitting smoking. I don't use credit cards (whenever possible) because I think the idea of paying with credit for day-to-day things is totally wrong. But I still use a debit card everywhere, and it is much more convenient than constantly carrying the significant amount of cash that daily life requires.
So it looks like finding a solution to the payment card security problem is inevitable. EMV (chip cards) and Bitcoin (crypto currency) partially solve this problem for brick-and-mortar and online transactions respectively. But EMV cards are still vulnerable when used for online purchases (and sometimes in physical stores as well!), and Bitcoin is currently not suitable for brick-and-mortar merchants, so there is no ultimate solution. Perhaps we should wait for the next emerging technology, one that would combine all the good features of EMV and Bitcoin while being as convenient as plastic cards.
This essay was previously published by VentureBeat on August 20, 2014
Recent card data breaches at the Supervalu and Albertsons retail chains are just the latest in a long series of large-scale security incidents hitting big retailers such as Target, Neiman-Marcus, Michael’s, Sally Beauty, and P.F. Chang’s. These breaches raise a lot of questions, one of the most important being: Are we going to see more of these?
The short answer is yes; in the foreseeable future we will continue to see more breaches. Here’s why:
1. PCI DSS (Payment Card Industry Data Security Standard) is failing to protect merchants from security breaches. The original idea behind PCI DSS, created 10 years ago, was that the more merchants are PCI compliant, the fewer breaches we will see. The statistics show the exact opposite trend: most merchants who recently experienced card data breaches were PCI DSS compliant at the time. The problem is that in the 10 years since PCI DSS debuted, the standard has not evolved to address the real threats, while hackers, who have long since learned all the point-of-sale vulnerabilities, have been constantly enhancing their malware.
2. Merchants and service providers are still not widely implementing P2PE (point-to-point encryption), which is the only realistic way to address the payment card security problem. Despite strong support for P2PE in the payment security community, only four solution providers are validated against the PCI P2PE standard, and at least two of them are located in Europe. The problem with P2PE is that it is very complex and expensive: it requires extensive software and hardware changes at every point of transaction processing, from the POS (point-of-sale) in the store to the back-end servers in the data center, because the card data must be encrypted inside a tamper-resistant reader and decrypted only in a hardware security module at the other end.
3. Retailers are introducing new payment hardware, including tablets and smartphones, that is neither designed nor tested for the security issues it faces in the hazardous retail store environment. PCI DSS does not directly address mobile security issues at all.
4. Updates and new features to POS and payment software open up new risks. Merchants want more features in their software in order to stay competitive. POS software vendors deliver those features on top of existing functionality through endless patches. The complexity builds up, the attack surface widens, and security risk grows accordingly. Continuously updated software does not necessarily mitigate those risks.
5. Vulnerable operating systems make it easier for hackers to penetrate a network and install malware. Most POS systems run on Windows, and some retailers are still using Windows XP, which Microsoft has not supported since April 8, 2014. We don’t know how many “zero-day” vulnerabilities are out there, but we know for sure that those vulnerabilities, even once discovered and published, will never be fixed.
6. The traces of many card data breaches often lead to Russia. While the main motivation for all of these attacks is probably still financial, the modern Russian anti-Americanism also encourages Russian hackers to attack U.S.-based merchants more as an act of patriotism rather than a crime. This is a new reality that is different from what we had just a few years ago.
7. Finally, EMV technology, which is supposed to “save” the payment card industry, is not a silver bullet. Although this is a topic for a full separate article, let’s at least briefly review the problems with EMV and see why it won’t bring total relief.
● Even if the U.S. starts transitioning to EMV immediately, it may take a few years until the majority of cards are chip cards. During this interim period and beyond, merchants will continue accepting regular magnetic stripe cards (and chip cards still carry a stripe for fallback), so they will remain vulnerable to the existing attack vectors.
● EMV does not protect online transactions: you still key in the account number manually when shopping online, and the chip plays no part. Online transactions will remain vulnerable even after full EMV adoption, and for many retailers ecommerce is a constantly growing sector.
● Although EMV is more secure than magnetic stripe technology, EMV has plenty of vulnerabilities, many of them still undiscovered or without well-developed exploits. Today, with so many U.S. merchants accepting magnetic stripe cards, hackers aren’t bothering to research EMV security issues. But once the EMV transition in the U.S. is done, the global focus of attacks will shift away from magnetic stripe cards to EMV and ecommerce.
This new breach is called "possible" because the Dairy Queen company still has no idea whether there is in fact an ongoing breach (at least, that's what they publicly state). As in many other cases, including the Target breach, DQ was notified by a third party about fraudulent activity on cards that had recently been used for purchases in their stores.
We, like many other companies, were recently notified that customer data at a limited number of stores may be at risk
This card data breach at a small local pizza restaurant chain demonstrates that SMBs (small and medium businesses) are also under attack, not just the big guys like Target or UPS. It makes sense, because it is even more difficult for an SMB to follow the PCI DSS's 399 requirements in reality, rather than just on paper by ticking boxes for the auditors. In fact, small businesses often don't even go through a full assessment by a QSA (Qualified Security Assessor, a third-party auditor); they literally tick the boxes themselves in the Self-Assessment Questionnaire.
This is the key phrase in the original post about this breach, and it applies to many other card data breaches:
Although our stores are fully compliant with the latest Payment Card Industry (PCI) security standards, computer hackers managed to infect some of our credit card terminals with so-called “malware” (malicious software) that allowed them to collect credit card numbers registered on our system.
I gave this interview to Graeme Burton at Computing magazine titled "Retail malware: PCI-DSS is part of the problem".
The time intervals between card data breaches are rapidly shrinking. The day is not far off when we start getting news like this every day, or even several times a day, because there is nothing that can realistically stop hackers from breaking into stores and point-of-sale machines. Payment card technology is insecure by design, and there is no easy and cheap solution to this problem.
The UPS Store discovered malware... at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States.