The Heartland data loss. A lesson learned?

The Heartland data loss is being called the largest loss of credit card information to date. To many it seemed surprising that this would happen to an experienced credit card processor. Their first thought is that Heartland must have been lax in its security. But to those of us who've written credit card authorization software, it was not surprising. In fact, we've been warning our merchant customers for over two years that this exact type of attack was coming.

First, a recap of what apparently happened to Heartland. It was pretty simple, really. A malware application got installed on a computer on their network, and it started inspecting the data packets being sent for authorization. It is very easy for a piece of software to look at the data moving over a network. Take a look at the free Ethereal network analyzer (www.ethereal.com, since renamed Wireshark) as an example. This application has been around for a long time. Those of us who develop communications applications know and love it. It is free. You can see everything moving across the network in real time, and anything that is not encrypted is there in the clear. (On a switched LAN a sniffer sees the traffic of the host it sits on and whatever else the switch delivers to that port, which is why the segment and the machines on it matter.) Authorization messages are simple, and the card number travels in them as a plain run of 13 to 19 digits that passes the Luhn check, so it is very easy for a malware application to recognize one and pluck it off the line. All that is left is to transmit it off-site and you are done.

How did the malware get installed? I'm not sure anyone knows at this point. But I want to share with you an experience I had last summer. I was visiting a large company in the Midwest and had checked in at the front desk. I was a little early and had about a 10 minute wait for my meeting. This company was clearly making use of temporary workers, as there was a parade of about 7 or 8 contractors signing in for the first time. Their identity was checked, they were given a badge, and someone came to meet them and escort them to the work area. All of the signs of a diligent vetting process for new employees, right? But get this: more than half of these new employees sported a thumb drive visible on their persons, usually hanging from a key chain. I'll bet all of them had a USB thumb drive somewhere on them. And I did, too. A malware infection can easily be introduced with a device like this, perhaps without the knowledge of the person carrying the device. And don't get me started about laptops, cell phones, iPhones, PDAs and so on.

So, if you are in the business of collecting and transmitting credit card data, what should you do? Here are some suggestions:

1) Realize that you may have an exposure in the "last mile" as transactions move to your payment processor. Make sure that you use an isolated LAN segment for this traffic: a separate VLAN or a physically separate switch, with firewall rules that let the payment systems talk only to the processor and to each other.

2) Remove any PC or server from this private LAN segment that is not needed as part of credit card processing. Every extra machine on the segment is another place the sniffer can be installed.

3) Do regular scans of all systems that are on any network used for processing credit card information. Use professional software that can detect rootkits and the more sophisticated malware and virus applications, and bear in mind that a rootkit hides from the operating system it has compromised, so a scan run from a clean boot medium or from outside the host is worth more than one run from inside it.

4) Please do not depend on data loss prevention (DLP) applications alone to tell you if you have a problem. DLP works by recognizing data that looks like a card number, and a number that has been encoded, split across fields, or otherwise disguised does not look like one. There are good solutions out there, but I can think of 10 ways to make a credit card number look like something else.

5) Use physical security for your data center and only allow your authorized employees in the area.

6) Ban USB thumb drives, CDs, and any other portable media from the data center, except for authorized technicians.

These steps alone will not guarantee you will be secure, but you should include them in your security practice.
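To make the sniffer in the recap concrete, and to show why suggestion 4 is right not to lean on DLP alone, here is an added example. It is my own code, not code from Heartland, from any processor, or from the original post. It plays the malware over a constructed authorization message in a hypothetical key=value layout, picks out the one run of digits that is Luhn-valid (the amount and timestamp fields are long digit runs too, but they fail Luhn), and then disguises the stolen number two of the "10 ways" so that the same card-number pattern a DLP filter would use no longer sees it. The test card number 4111111111111111, the field names and the exfiltration URL are assumptions.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// sampleAuth is a constructed authorization request as it might cross the merchant
// LAN in the clear. The field layout is hypothetical; 4111111111111111 is a test PAN.
const sampleAuth = "MTI=0100|PAN=4111111111111111|EXP=1212|AMT=000000012500|TS=20090120153000|TERM=T001"

// luhnValid reports whether a digit string passes the Luhn check that every real
// card number satisfies; it is the cheapest way to tell a PAN from any other long
// run of digits (amounts, timestamps, terminal IDs) in an authorization message.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		if digits[i] < '0' || digits[i] > '9' {
			return false
		}
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// panPattern is the kind of pattern both a sniffer and a DLP filter use: a run of
// 13 to 19 digits standing alone between non-digit characters.
var panPattern = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// findPANs returns every Luhn-valid candidate in a captured payload, which is all
// the malware needed to do with each authorization packet it saw.
func findPANs(payload string) []string {
	var found []string
	for _, m := range panPattern.FindAllString(payload, -1) {
		if luhnValid(m) {
			found = append(found, m)
		}
	}
	return found
}

// disguiseLetters is one of the "10 ways": map each digit to a letter so the stolen
// PAN rides out in what looks like an ordinary image filename.
func disguiseLetters(pan string) string {
	var b strings.Builder
	for i := 0; i < len(pan); i++ {
		b.WriteByte('a' + (pan[i] - '0'))
	}
	return b.String()
}

// undisguiseLetters is the attacker's side of disguiseLetters.
func undisguiseLetters(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		b.WriteByte('0' + (s[i] - 'a'))
	}
	return b.String()
}

// disguiseBase64 is another: base64 output never contains 13 consecutive digits.
func disguiseBase64(pan string) string {
	return base64.StdEncoding.EncodeToString([]byte(pan))
}

func main() {
	stolen := findPANs(sampleAuth)
	fmt.Println("sniffer pulled from the wire:", stolen)
	for _, pan := range stolen {
		exfil := "GET /img/" + disguiseLetters(pan) + ".gif HTTP/1.1"
		fmt.Printf("exfiltrated as %q; card-number pattern sees %v\n", exfil, findPANs(exfil))
		b64 := disguiseBase64(pan)
		fmt.Printf("base64 variant %q; card-number pattern sees %v\n", b64, findPANs(b64))
	}
}
```

The same findPANs is what a pattern-based DLP filter amounts to, and it finds nothing in either disguised form; the number is still leaving the building, which is the point of suggestion 4.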

Broken record mode(on);

We will continue to see losses of credit card and personal information until we fully implement encryption and key management from end to end. You have to encrypt at the source and decrypt at the target. Encrypted VPN or SSL communications are not the same thing: a tunnel protects the data only between its two endpoints, and on the host that builds the message, on the LAN before the tunnel starts, and wherever the tunnel terminates, the card number is still in the clear, which is exactly where the sniffer sits. The data itself has to be encrypted, at the point where it is captured, under keys that exist only there and at the processor. As I've said many times, encryption is not the complete solution to data security, but you don't have data security without it.

Broken record mode(off);
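What encrypting at the source looks like, as an added example. This is my own code, not the post's, not any processor's, and not a description of how Heartland's software worked. The terminal seals the PAN with AES-256-GCM under a key that is assumed to live only in the capture device and at the processor, binds the terminal ID into the ciphertext as associated data, and puts the result on the LAN in place of the card number. The message layout, terminal ID and key handling are assumptions; in a real deployment the key would be provisioned into the device, and the TLS or VPN link to the processor would still be used on top.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// newGCM builds an AES-GCM instance; a 32-byte key gives AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPAN encrypts the PAN at the point of capture under a key assumed to exist
// only in the capture device and at the processor. The terminal ID is bound in as
// associated data so the ciphertext cannot be moved into another terminal's message.
// Output is base64(nonce || ciphertext || tag).
func sealPAN(key []byte, pan, terminal string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per transaction
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte("TERM="+terminal))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openPAN is the processor's side; it fails on a wrong key, a flipped bit, or a
// TERM value other than the one the PAN was sealed under.
func openPAN(key []byte, token, terminal string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("token too short")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte("TERM="+terminal))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// buildAuthMessage is what the terminal puts on the merchant LAN (hypothetical
// key=value layout): every field in the clear except the PAN, which is ciphertext.
func buildAuthMessage(key []byte, pan, amount, terminal string) (string, error) {
	tok, err := sealPAN(key, pan, terminal)
	if err != nil {
		return "", err
	}
	return "MTI=0100|EPAN=" + tok + "|AMT=" + amount + "|TERM=" + terminal, nil
}

// processorPAN recovers the PAN from a message, which only the key holder can do.
func processorPAN(key []byte, msg string) (string, error) {
	fields := map[string]string{}
	for _, f := range strings.Split(msg, "|") {
		if kv := strings.SplitN(f, "=", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	if fields["EPAN"] == "" || fields["TERM"] == "" {
		return "", errors.New("message lacks EPAN or TERM field")
	}
	return openPAN(key, fields["EPAN"], fields["TERM"])
}

func main() {
	key := make([]byte, 32) // demo only: a real key is provisioned into the device, never sent over the LAN
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // well-known test card number
	msg, err := buildAuthMessage(key, pan, "000000012500", "T001")
	if err != nil {
		panic(err)
	}
	fmt.Println("on the wire:", msg)
	fmt.Println("card number visible to a sniffer:", strings.Contains(msg, pan))
	got, err := processorPAN(key, msg)
	fmt.Println("processor recovered:", got, err)
	_, err = processorPAN(key, strings.Replace(msg, "TERM=T001", "TERM=T002", 1))
	fmt.Println("message moved to another terminal rejected:", err != nil)
}
```

A sniffer on the merchant segment now sees a message that contains no card number, two authorizations of the same card produce different ciphertexts because of the fresh nonce, and a message whose TERM field has been changed, or a token decrypted with any other key, fails at the processor instead of yielding a wrong or attacker-chosen PAN.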

I hope this helps you think about securing your private data. There is no point in demonizing Heartland; it just serves as a distraction from looking at the real problems. I've seen companies that are extremely diligent about security still experience data losses. Heartland could easily fall into this category.

Patrick
