Archive for January, 2009
The Heartland data loss. A lesson learned?

The Heartland data loss is being called the largest loss of credit card information to date. To many it seemed surprising that this would happen to an experienced credit card processor. Their first thoughts are that Heartland must have been lax in their security. But to those of us who’ve written credit card authorization software, it was not surprising. In fact, we’ve been warning our merchant customers for over two years that this exact type of attack was coming.

First, just a recap of what apparently happened to Heartland. It was pretty simple, really. A malware application got installed on a computer on their network, and it started inspecting the data packets being sent for authorization. It is very easy for a piece of software to look at the data moving over a network. Take a look at the free Ethereal network analyzer (www.ethereal.com) as an example. This application has been around for a long time. Those of us who develop communications applications know and love it. It is free. You can see everything moving across the network in real time, in the clear. Authorization transactions are very simple and it would have been very easy for a malware application to pluck a credit card number off the line. All that is left is to transmit it off-site and you are done.

How did the malware get installed? I’m not sure anyone knows at this point. But I want to share with you an experience I had last summer. I was visiting a large company in the mid-west and had checked in at the front desk. I was a little early and had about a 10 minute wait for my meeting. This company was clearly making use of temporary workers as there was a parade of about 7 or 8 contractors signing in for the first time. Their identity was checked, they were given a badge, and someone came to meet them to escort them to the work area. All of the signs of a diligent vetting process for new employees, right? But get this – more than half of these new employees sported a thumb drive visible on their persons, usually hanging from a key chain. I’ll bet all of them had a USB thumb drive somewhere on them. And I did, too. A malware infection can easily be introduced with a device like this, perhaps without the knowledge of the person carrying the device. And don’t get me started about laptops, cell phones, iPhones, PDAs and so on.

So, if you are in the business of collecting and transmitting credit card data, what should you do? Here are some suggestions:

1) Realize that you may have an exposure in the “last mile” as transactions move to your payment processor. Make sure that you use an isolated LAN segment for this traffic.

2) Remove any PCs or servers from this private LAN segment that are not needed as a part of credit card processing.

3) Do regular scans of all systems that are on any network used for processing credit card information. Use professional software that can detect root kits and the more sophisticated malware and virus applications.

4) Please do not depend on data leak protection (DLP) applications alone to tell you if you have a problem. There are good solutions out there, but I can think of 10 ways to make a credit card number look like something else.

5) Use physical security for your data center and only allow your authorized employees in the area.

6) Ban USB thumb drives, CDs, and any other portable media from the data center, except for authorized technicians.

These steps alone will not guarantee you will be secure, but you should include them in your security practice.
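Two of the points above can be checked with a few lines of code: whether a PAN is crossing your authorization segment in the clear (the sniffer problem described at the top of the post), and why a pattern-matching DLP product alone is not enough (suggestion 4). The following is an added example, not code from the original post or from any product; the payloads are constructed stand-ins for captured traffic and the card numbers are standard test numbers. It finds Luhn-valid card numbers in cleartext, shows that a lookalike order number is rejected by the Luhn check, and shows that the same PAN merely re-encoded (here with base64) sails past the scanner, which is exactly the author's point about DLP.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Samples are constructed payloads standing in for what a sniffer on the
// authorization LAN segment would capture. None of these are real captures.
var Samples = map[string]string{
	// A cleartext authorization request: the PAN rides in the open.
	"cleartext": "AUTH|PAN=4111111111111111|EXP=1210|AMT=1999",
	// Same exposure, PAN written with the usual 4-digit grouping.
	"grouped": "AUTH|PAN=5500 0000 0000 0004|EXP=0511|AMT=4250",
	// A 16-digit order number that is not a card number (fails Luhn).
	"order-id": "AUTH|ORDER=1234567890123456|AMT=1999",
	// The PAN merely re-encoded: a pattern scanner sees nothing.
	"re-encoded": "AUTH|PAN=" + base64.StdEncoding.EncodeToString([]byte("4111111111111111")),
}

// candidate matches a run of 13 to 19 digits, allowing a single space or dash
// between digits, which covers the common ways a PAN is written in a message.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether digits passes the Luhn check used by card numbers.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindPANs returns every Luhn-valid card number that appears in cleartext in
// payload, with separators removed. Any hit means the wire is exposing PANs.
func FindPANs(payload string) []string {
	var found []string
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range candidate.FindAllString(payload, -1) {
		digits := strip.Replace(m)
		if luhnValid(digits) {
			found = append(found, digits)
		}
	}
	return found
}

// ScanSamples runs the check over every sample and returns the number of
// cleartext PANs found in each.
func ScanSamples() map[string]int {
	counts := make(map[string]int)
	for name, payload := range Samples {
		counts[name] = len(FindPANs(payload))
	}
	return counts
}

func main() {
	for name, n := range ScanSamples() {
		fmt.Printf("%-10s cleartext PANs found: %d\n", name, n)
	}
}
```

Run it against real captures from the isolated segment (suggestion 1) and the only acceptable result is zero hits. The "re-encoded" sample is the caveat: a scanner like this, or any DLP product built on the same idea, proves only that nothing obvious is leaking, not that nothing is leaking.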

Broken record mode(on);

We will continue to see losses of credit card and personal information until we fully implement encryption and key management from end to end. You have to encrypt at the source, and decrypt at the target. Even if you are using encrypted VPN or SSL communications, the data has to be encrypted to be protected. As I’ve said many times, encryption is not the complete solution to data security, but you don’t have data security without it.

Broken record mode(off);
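What "encrypt at the source, decrypt at the target" looks like in practice, as an added example that is not code from the original post or from any vendor product: the card number is sealed with AES-GCM at the point of capture, before it is placed in the authorization message, so a sniffer on the LAN segment (or inside the TLS/VPN endpoint) sees only ciphertext, and only the processor holding the key can open it. The key, message layout and field names are assumptions for the demonstration; the key is a constructed stand-in for one issued by a key manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// DemoKey is a constructed 256-bit key standing in for one issued by a key
// manager. Real keys never live in source code.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptPAN seals the card number with AES-GCM at the point of capture and
// returns base64(nonce || ciphertext || tag) so the field fits in a text
// message. A fresh random nonce is drawn for every call.
func EncryptPAN(key []byte, pan string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(pan), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPAN reverses EncryptPAN at the processor. Tampering with the field or
// using the wrong key makes gcm.Open fail rather than return garbage.
func DecryptPAN(key []byte, field string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("encrypted field too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BuildAuthMessage assembles the request as the capture point would send it:
// the PAN is already ciphertext, the other fields stay as they are today.
func BuildAuthMessage(key []byte, pan, exp, amount string) (string, error) {
	enc, err := EncryptPAN(key, pan)
	if err != nil {
		return "", err
	}
	return "AUTH|EPAN=" + enc + "|EXP=" + exp + "|AMT=" + amount, nil
}

// ParseAuthMessage splits a KEY=VALUE|KEY=VALUE message into its fields.
func ParseAuthMessage(msg string) map[string]string {
	fields := make(map[string]string)
	for _, part := range strings.Split(msg, "|") {
		if kv := strings.SplitN(part, "=", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	return fields
}

// WireExposesPAN is the sniffer's view: does the raw PAN appear anywhere in
// the bytes crossing the LAN segment?
func WireExposesPAN(msg, pan string) bool {
	return strings.Contains(msg, pan)
}

func main() {
	pan := "4111111111111111" // standard test card number
	msg, err := BuildAuthMessage(DemoKey, pan, "1210", "1999")
	if err != nil {
		panic(err)
	}
	fmt.Println("on the wire:", msg)
	fmt.Println("PAN visible to a sniffer:", WireExposesPAN(msg, pan))
	got, err := DecryptPAN(DemoKey, ParseAuthMessage(msg)["EPAN"])
	fmt.Println("processor recovers PAN:", got == pan, err)
}
```

The design choice worth noting is authenticated encryption: GCM rejects a field that has been modified in transit or sealed under a different key, so a tampered message fails closed instead of authorizing a wrong card. The key management the author insists on is what makes this work across the "last mile": the capture point holds only an encryption key and the processor holds the matching key, and neither the network in between nor a compromised host on it needs to be trusted with the PAN.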

I hope this helps you think about securing your private data. There is no point in demonizing Heartland, it just serves as a distraction from looking at the real problems. I’ve seen companies who are extremely diligent about security still experience data losses. Heartland could easily fall into this category.

Patrick

New data encryption law effects will be far-reaching

The new Massachusetts privacy law is a wake-up call to all businesses no matter their physical location. According to the law, companies doing business in that state MUST proactively protect the privacy of customers, vendors, and employees using encryption technologies. It is the most far-reaching privacy protection law yet and it will have significant and immediate impact, as well as a ripple effect that may eventually affect everyone. Already, more states are looking at passing similar laws, including my home state of Washington.

Nevada recently implemented new privacy laws that require encryption of data transmitted over unprotected networks. This includes email transmissions as well as business-to-business transmission of data over the Internet. For the first time ever, the new regulations open companies who violate the law to legal liability.

In the past, state legislators passed privacy notification laws that required companies to notify people if their private data was lost or compromised. These laws required notification of the affected individuals, and provided an exemption for companies that could demonstrate that they used encryption to protect the data. The laws varied from state to state, and the more aggressive legislation opened the companies to legal action by banks and financial institutions. But overall, these regulations were pretty passive and only came into effect after a data loss had occurred.

Massachusetts and Nevada have changed the equation. The new regulations require that companies proactively protect sensitive data with encryption and provide more substantial penalties for failure to do so. They also open companies to general legal liability for data losses, something that should scare the pants off of risk managers and board members at any company.

I am guessing here, but I suspect that these new laws are the result of lawmakers’ frustration — at the failure of past legislation and corporate self-regulation — to stem the tide of data breaches. Some companies have taken a laissez-faire attitude and have considered the potential cost of a data breach as a cost of doing business, but the new regulations should help put an end to that attitude.

The days of privacy notification are dead. Privacy protection is the new law of the land.

Encryption by itself does not provide all of the security that’s needed, but it is the basis of any credible data protection strategy. Vulnerability scanning, firewalls, system logging and everything else is important, but the lack of encryption is the key reason why data losses continue to happen at a high rate. At my company we are fanatics about encryption, but we know that it is only one part of a data protection strategy. It is, however, a critical component of any strategy.

My advice to risk managers, CISOs, IT directors, and board members is to get aggressive on this issue right now. More states will adopt similar laws and it is unlikely that the federal government will intervene to weaken these statutes. You can bet that the lawyers are drooling over the next big data loss and that legal action will follow any significant loss. It takes time to implement the changes needed to meet these regulations, and you need to start now.

In my next blog I’ll write in more detail about what you should be doing to protect your companies, and include some pointers on how our solutions can help.

Patrick