Cybercrooks are stealing info while it's in transit between systems. Can the PCI rules stop them?
Security managers often describe their efforts to protect corporate data from being compromised as a full-fledged battle of wits against cybercrooks who are continually arming themselves with innovative tools and methods of attack.
And the security breaches disclosed last month by Hannaford Bros. Co. and Okemo Mountain Resort — along with unconfirmed reports of dozens of similar network intrusions — suggest that a new front may have opened up in the battle.
Furthermore, the recent incidents have prompted some to question whether the payment card industry's highly publicized data security standards are fully equipping companies to fend off attackers.
What's noteworthy about the Hannaford and Okemo breaches is that they both involved the theft of data in transit — credit and debit card information that was being transmitted from point-of-sale systems to payment processors in order to authorize transactions.
In Hannaford's case, the Scarborough, Maine-based supermarket chain has said that malware planted on the servers at about 300 grocery stores in the Northeast and Florida intercepted up to 4.2 million credit and debit card numbers and periodically sent the data in batches to a system overseas.
Just two weeks after Hannaford disclosed its breach, Okemo reported that data from more than 46,000 payment card transactions may have been compromised during a 16-day system intrusion in February.
Some of the data that was stolen was from transactions that occurred two years ago. But data from purchases made by customers while the intrusion was taking place appears to have been stolen in real time during the authorization and card-verification process, according to a spokeswoman for the Ludlow, Vt., ski area.
"The information was being taken as the cards were being swiped," she said, adding that law enforcement officials have told Okemo's management that they are investigating about 50 such incidents in the Northeast alone.
If that is indeed the case, it indicates that malicious hackers are starting to focus on stealing card data while it's on the move, instead of trying to take information that's stored on systems.
Ironically, the push by attackers to get at data in transit is likely a direct response to retailers' efforts to implement the security controls mandated by the Payment Card Industry Data Security Standard, or PCI for short, said Gartner Inc. analyst Avivah Litan.
The PCI standard, which was created by the major credit card companies, prohibits retailers and other merchants from storing payment card data on their systems in most cases, and it requires them to encrypt the data that they are allowed to store. Litan said that as more companies comply with the standard, credit card thieves are being forced to turn their attention away from the databases that they previously had targeted.
And the apparent success of the intruders who broke into the systems at Hannaford and Okemo is bound to embolden other attackers to try the same kind of strategies, Litan warned.
PCI Weaknesses?
The Hannaford breach, at least, points to possible holes in the PCI defense wall. The grocer has said that it was breached even though it had been certified as being compliant with the security standard last year and then again on Feb. 27. That was the day Hannaford was first made aware of suspicious activity involving the credit cards of its customers.
Bob Russo, general manager of the PCI Security Standards Council, said last week that there isn't enough information available about the Hannaford and Okemo breaches to know for sure whether the PCI rules need to be tweaked. Russo vowed that if additional controls are necessary, changes will be made promptly by the council, an independent group that the credit card companies set up in 2006 to manage the standard.
Under existing rules, a company doesn't need to encrypt payment data while it's in transit within its own internal network. But Russo contended that if a company implemented all of the existing PCI controls, it wouldn't be possible for attackers to get at the information while it's being transmitted internally.
"Just because [Hannaford] raised their hand and said they were compliant doesn't necessarily mean they were compliant," Russo said. He added that all of the known data breaches involving companies covered by the PCI rules have happened because the merchants failed to fully comply with the security requirements.
Encrypting payment card data before it even reaches point-of-sale systems is one way to minimize the risk of data-in-transit thefts, Litan said. But tools that could enable companies to do that are just emerging from vendors such as VeriFone Inc., she added. And at this early stage, installing the tools may require a heavy investment of time and effort on the part of users.
A more straightforward approach would be to better monitor corporate networks for the telltale signs of system intrusions, said Ken Pappas, a security strategist at Top Layer Networks Inc., which sells intrusion-prevention systems. For example, looking at where data traffic is headed could give security managers a clear indication of whether transmissions are legitimate.
The techniques used to pull off data-in-transit heists really aren't all that new. Typically, perpetrators first gain access to a targeted network by taking advantage of a vulnerability that has yet to be detected or patched. Once the attackers get a foothold, they can deploy malware that can sniff the network for traffic they're interested in, such as credit card data.
The malware can also be programmed to queue the stolen data and send it in batches to an outside destination, as was the case with the Hannaford intrusion.
Eddie Schwartz, chief security officer at NetWitness Corp., a vendor of network monitoring tools, said that over the past two years, overseas "carder gangs" that buy and sell stolen payment card numbers have been using data-sniffing tools in an effort to intercept information while it's being transmitted across networks.
"People are finally waking up and focusing on it," Schwartz said. He attributed the newfound interest to the attention generated by the breach at Hannaford, which has replaced all of its store servers as part of an attempt to rid its network of the malware installed there.
The data thefts can be hard to detect because often the stolen information is spirited out of a company via open network ports — such as Port 80, which is used for online connections and serving up Web pages, or Port 443, which can be used to send secure communications over the Web.
Schwartz said that many companies don't even monitor those ports, assuming instead that all of the data traffic going out through them is legitimate.
Network managers should be watching the ports "for nonstandard traffic," he added. "If traffic is destined for Romania, and it's [using] Port 443, and it's not SSL traffic, that's a red flag — and you should see it in minutes, not months."
Based on what's known about the Hannaford and Okemo breaches, it isn't clear whether they really do point to a new method of attack, said Deven Bhatt, director of corporate security at Airline Reporting Corp. in Arlington, Va. But he added that ARC, which provides ticket distribution and financial settlement services to more than 150 airlines and rail carriers, is reviewing its networks to make sure they aren't vulnerable to data-in-transit thefts.
ARC's review was prompted by Okemo's disclosure that its systems had been breached in a Hannaford-like fashion and by the reports that other companies may have been similarly attacked. Bhatt noted that ARC is fully compliant with the PCI requirements.
But Hannaford has made the same claim and yet was the victim of a data breach.
Chris Andrew, vice president of security technology at software vendor Lumension Security Inc., said the grocer's network obviously wasn't locked down tight, as evidenced by the fact that the malware was able to send the stolen data overseas.
"Clearly," he added, "there was a pathway back out of the network that Hannaford should have closed."
Security managers often describe their efforts to protect corporate data from being compromised as a full-fledged battle of wits against cybercrooks who are continually arming themselves with innovative tools and methods of attack.
And the security breaches disclosed last month by Hannaford Bros. Co. and Okemo Mountain Resort — along with unconfirmed reports of dozens of similar network intrusions — suggest that a new front may have opened up in the battle.
Furthermore, the recent incidents have prompted some to question whether the payment card industry's highly publicized data security standards are fully equipping companies to fend off attackers.
What's noteworthy about the Hannaford and Okemo breaches is that they both involved the theft of data in transit — credit and debit card information that was being transmitted from point-of-sale systems to payment processors in order to authorize transactions.
In Hannaford's case, the Scarborough, Maine-based supermarket chain has said that malware planted on the servers at about 300 grocery stores in the Northeast and Florida intercepted up to 4.2 million credit and debit card numbers and periodically sent the data in batches to a system overseas.
Just two weeks after Hannaford disclosed its breach, Okemo reported that data from more than 46,000 payment card transactions may have been compromised during a 16-day system intrusion in February.
Some of the data that was stolen was from transactions that occurred two years ago. But data from purchases made by customers while the intrusion was taking place appears to have been stolen in real time during the authorization and card-verification process, according to a spokeswoman for the Ludlow, Vt., ski area.
"The information was being taken as the cards were being swiped," she said, adding that law enforcement officials have told Okemo's management that they are investigating about 50 such incidents in the Northeast alone.
If that is indeed the case, it indicates that malicious hackers are starting to focus on stealing card data while it's on the move, instead of trying to take information that's stored on systems.
Ironically, the push by attackers to get at data in transit is likely a direct response to retailers' efforts to implement the security controls mandated by the Payment Card Industry Data Security Standard, or PCI for short, said Gartner Inc. analyst Avivah Litan.
The PCI standard, which was created by the major credit card companies, prohibits retailers and other merchants from storing payment card data on their systems in most cases, and it requires them to encrypt the data that they are allowed to store. Litan said that as more companies comply with the standard, credit card thieves are being forced to turn their attention away from the databases that they previously had targeted.
And the apparent success of the intruders who broke into the systems at Hannaford and Okemo is bound to embolden other attackers to try the same kind of strategies, Litan warned.
PCI Weaknesses?
The Hannaford breach, at least, points to possible holes in the PCI defense wall. The grocer has said that it was breached even though it had been certified as being compliant with the security standard last year and then again on Feb. 27. That was the day Hannaford was first made aware of suspicious activity involving the credit cards of its customers.
Bob Russo, general manager of the PCI Security Standards Council, said last week that there isn't enough information available about the Hannaford and Okemo breaches to know for sure whether the PCI rules need to be tweaked. Russo vowed that if additional controls are necessary, changes will be made promptly by the council, an independent group that the credit card companies set up in 2006 to manage the standard.
Under existing rules, a company doesn't need to encrypt payment data while it's in transit within its own internal network. But Russo contended that if a company implemented all of the existing PCI controls, it wouldn't be possible for attackers to get at the information while it's being transmitted internally.
"Just because [Hannaford] raised their hand and said they were compliant doesn't necessarily mean they were compliant," Russo said. He added that all of the known data breaches involving companies covered by the PCI rules have happened because the merchants failed to fully comply with the security requirements.
Encrypting payment card data before it even reaches point-of-sale systems is one way to minimize the risk of data-in-transit thefts, Litan said. But tools that could enable companies to do that are just emerging from vendors such as VeriFone Inc., she added. And at this early stage, installing the tools may require a heavy investment of time and effort on the part of users.
A more straightforward approach would be to better monitor corporate networks for the telltale signs of system intrusions, said Ken Pappas, a security strategist at Top Layer Networks Inc., which sells intrusion-prevention systems. For example, looking at where data traffic is headed could give security managers a clear indication of whether transmissions are legitimate.
The techniques used to pull off data-in-transit heists really aren't all that new. Typically, perpetrators first gain access to a targeted network by taking advantage of a vulnerability that has yet to be detected or patched. Once the attackers get a foothold, they can deploy malware that can sniff the network for traffic they're interested in, such as credit card data.
The malware can also be programmed to queue the stolen data and send it in batches to an outside destination, as was the case with the Hannaford intrusion.
Eddie Schwartz, chief security officer at NetWitness Corp., a vendor of network monitoring tools, said that over the past two years, overseas "carder gangs" that buy and sell stolen payment card numbers have been using data-sniffing tools in an effort to intercept information while it's being transmitted across networks.
"People are finally waking up and focusing on it," Schwartz said. He attributed the newfound interest to the attention generated by the breach at Hannaford, which has replaced all of its store servers as part of an attempt to rid its network of the malware installed there.
The data thefts can be hard to detect because often the stolen information is spirited out of a company via open network ports — such as Port 80, which is used for online connections and serving up Web pages, or Port 443, which can be used to send secure communications over the Web.
Schwartz said that many companies don't even monitor those ports, assuming instead that all of the data traffic going out through them is legitimate.
Network managers should be watching the ports "for nonstandard traffic," he added. "If traffic is destined for Romania, and it's [using] Port 443, and it's not SSL traffic, that's a red flag — and you should see it in minutes, not months."
Based on what's known about the Hannaford and Okemo breaches, it isn't clear whether they really do point to a new method of attack, said Deven Bhatt, director of corporate security at Airline Reporting Corp. in Arlington, Va. But he added that ARC, which provides ticket distribution and financial settlement services to more than 150 airlines and rail carriers, is reviewing its networks to make sure they aren't vulnerable to data-in-transit thefts.
ARC's review was prompted by Okemo's disclosure that its systems had been breached in a Hannaford-like fashion and by the reports that other companies may have been similarly attacked. Bhatt noted that ARC is fully compliant with the PCI requirements.
But Hannaford has made the same claim and yet was the victim of a data breach.
Chris Andrew, vice president of security technology at software vendor Lumension Security Inc., said the grocer's network obviously wasn't locked down tight, as evidenced by the fact that the malware was able to send the stolen data overseas.
"Clearly," he added, "there was a pathway back out of the network that Hannaford should have closed."