It’s been all over the news that Albert Gonzalez recently pled guilty to masterminding a large number of highly visible data breaches at 7-Eleven, Hannaford, and Heartland Payment Systems. Now that Gonzalez’s modus operandi is public knowledge, I only wonder how quickly the other bad guys will copy and improve upon his methods. It’s clear that to stop the next Albert Gonzalez, it’s important to take a closer look at how he did what he did.
The attack on 7-Eleven was interesting in that it resulted in compromised debit card PIN security. Hmmm, you might say, “Everyone knows that debit card PIN codes are encrypted. How could they be compromised?” The truth is surprising to some, but was well known to Gonzalez, and provided the perfect weak point to exploit.
It’s understood that PIN codes ARE always protected by encryption. The encryption occurs right in the payment terminal. The transaction is then encrypted all the way to the bank, right? Well, not always. What many people don’t realize is that a retail merchant may use “zone encryption” to decrypt the PIN code on a central corporate server, and then re-encrypt the PIN before sending it to the bank or payment processor. This decrypt and then re-encrypt step is often used to gain a certain amount of independence from the processing bank (more on why this is done below).
To decrypt and re-encrypt the PIN transaction you need a Hardware Security Module (HSM) that is designed for this purpose. There are a few vendors of these systems in the market. They all work about the same way. You load your payment terminal encryption keys in the HSM, along with the bank’s encryption keys. Then, as the transaction passes through your central server, you hand the encrypted PIN code to the HSM and ask it to decrypt the PIN and re-encrypt it with the bank’s keys. Pretty simple, really.
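The translation step described above, worked through as an added example (this is not code from the original post or from any HSM vendor). It builds ISO 9564 format 0 PIN blocks, encrypts one on the terminal side, hands it to a minimal HSM model that decrypts under the terminal key, checks the block is well formed, and re-encrypts under the bank key, and then recovers the PIN on the bank side. The HSM object exposes only a translate operation, so the clear PIN never leaves it. The block cipher is a labelled stand-in (an HMAC-SHA256 keystream XOR) rather than the 3DES or AES a real HSM uses; key names, the PAN and the PIN are constructed for the example.

```python
"""ISO 9564 format 0 PIN blocks and an HSM-style PIN translation.

Added example with a hypothetical HSM API. The cipher below is a STAND-IN
for 3DES/AES so the example runs with the standard library only.
"""
import hashlib
import hmac


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """Format 0 block: PIN field XORed with the 12 PAN digits left of the check digit."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")   # 0, length nibble, PIN, F padding
    pan_field = "0000" + pan[-13:-1]                     # 12 rightmost digits excluding check digit
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def iso0_extract_pin(block: bytes, pan: str) -> str:
    """Inverse of iso0_pin_block; rejects anything that is not a well-formed format 0 block."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    length = int(field[1], 16)
    pin = field[2:2 + length]
    if (field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit()
            or field[2 + length:] != "F" * (14 - length)):
        raise ValueError("malformed PIN block")
    return pin


def _stand_in_cipher(key: bytes, block: bytes) -> bytes:
    """STAND-IN for the HSM block cipher: XOR with an HMAC-derived keystream (symmetric)."""
    stream = hmac.new(key, b"pin-block-keystream", hashlib.sha256).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, stream))


def terminal_encrypt_pin(pin: str, pan: str, pek: bytes) -> bytes:
    """Payment terminal: build the PIN block and encrypt it under the terminal PIN key."""
    return _stand_in_cipher(pek, iso0_pin_block(pin, pan))


class PinTranslationHsm:
    """Hypothetical HSM: keys are loaded by name and the only operation is translate()."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)   # key material stays inside the HSM boundary

    def translate(self, encrypted_block: bytes, pan: str, from_key: str, to_key: str) -> bytes:
        """Decrypt under from_key, validate the block, re-encrypt under to_key.

        The clear PIN exists only on the stack of this call and is never returned.
        """
        clear_block = _stand_in_cipher(self._keys[from_key], encrypted_block)
        iso0_extract_pin(clear_block, pan)   # validation only; result deliberately discarded
        return _stand_in_cipher(self._keys[to_key], clear_block)


def bank_recover_pin(encrypted_block: bytes, pan: str, zpk: bytes) -> str:
    """Bank / processor side: decrypt under the zone key and read the PIN."""
    return iso0_extract_pin(_stand_in_cipher(zpk, encrypted_block), pan)


def end_to_end(pin: str, pan: str, pek: bytes, zpk: bytes) -> str:
    """Terminal -> retailer HSM translation -> bank; returns the PIN the bank recovers."""
    hsm = PinTranslationHsm({"terminal_pek": pek, "bank_zpk": zpk})
    from_terminal = terminal_encrypt_pin(pin, pan, pek)
    to_bank = hsm.translate(from_terminal, pan, "terminal_pek", "bank_zpk")
    return bank_recover_pin(to_bank, pan, zpk)


# Constructed sample values (not real card data or keys).
PAN = "4111111111111111"
PEK = bytes.fromhex("0123456789abcdef0123456789abcdef")
ZPK = bytes.fromhex("fedcba9876543210fedcba9876543210")

if __name__ == "__main__":
    print("block:", iso0_pin_block("1234", PAN).hex().upper())
    print("bank recovers:", end_to_end("1234", PAN, PEK, ZPK))
```

The design point is the shape of the HSM interface: it holds both keys, accepts ciphertext, and returns ciphertext, with no call that hands the clear PIN to the host application. Binding the block to the PAN also means a block replayed against a different card number fails validation inside the HSM instead of translating silently.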
So how did Gonzalez and his gang gain entry in the first place? All the break-ins appear to have started as SQL injection attacks on externally facing company web sites. Once a web server was compromised, Gonzalez gained entry to internal servers. SQL injection attacks are a well known form of attack and the usual goal is to gain access to a server with a high level of permission. Once a hacker has access to an internal server, further access to other internal servers usually follows.
As I’ve mentioned before, hackers are getting a lot smarter, more determined, and more focused on striking where the money is. I believe the industry should prepare for attacks on key storage and key server systems next. HSMs are a type of key server. And that’s exactly what happened in this breach. The hackers exploited a weakness in how PIN encryption takes place on HSMs to discover the encryption keys. They were then able to get the PIN codes for debit cards. Once they had card numbers and PIN codes it was easy to manufacture debit cards using standard magnetic swipe cards and a relatively cheap mag-stripe writer.
It is not trivial to attack an HSM. You have to know a lot about PIN encryption formats, how HSM interfaces work, and how there may be weaknesses between PIN encryption schemes. But these attackers were really smart. They understood these things as only a security professional would. And they used this knowledge against the HSM.
What lessons can we take from this? Here are just a few that come to mind:
• Weak key management is no key management. If attackers are smart enough to exploit an obscure API weakness in a commercial HSM, they are smart enough to defeat your home-grown key management system.
• Storing encryption keys on the same system with protected data is just plain wrong. Always use an external key server for key storage and retrieval.
• Key management systems should produce logs of invalid access attempts. You should collect and monitor these with your log management and alerting software.
• It’s time to review your encryption and key management strategy. Start migrating to NIST-certified solutions, and get educated on encryption and key management best practices.
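The third lesson above, logging invalid access attempts on the key server and alerting on them, as an added example that is not part of the original post or of any product. It models a minimal key server whose access-control list decides which client may fetch which key, writes one JSON log line per request, and then runs a simple burst detector over those lines of the kind a log management tool would run. Client names, key names and the request sequence are constructed for the example; the detector's window and threshold are assumptions.

```python
"""Key server access logging and burst alerting (added example, hypothetical API)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class KeyServer:
    """Minimal key server: keys are released only to clients listed on the ACL."""

    def __init__(self, keys: dict, acl: dict):
        self._keys = dict(keys)                              # key name -> key material
        self._acl = {c: set(k) for c, k in acl.items()}      # client id -> allowed key names
        self.audit_log = []                                  # one JSON line per request

    def _log(self, ts, client, key_name, result, reason=None):
        entry = {"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "client": client,
                 "key": key_name, "result": result}
        if reason:
            entry["reason"] = reason
        self.audit_log.append(json.dumps(entry, sort_keys=True))

    def get_key(self, ts, client, key_name):
        """Return key material, or None after logging exactly why the request was refused."""
        if client not in self._acl:
            self._log(ts, client, key_name, "denied", "unknown_client")
            return None
        if key_name not in self._keys:
            self._log(ts, client, key_name, "denied", "unknown_key")
            return None
        if key_name not in self._acl[client]:
            self._log(ts, client, key_name, "denied", "not_authorized")
            return None
        self._log(ts, client, key_name, "ok")
        return self._keys[key_name]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def denied_bursts(log_lines, threshold=3, window=timedelta(minutes=5)) -> dict:
    """Return {client: peak count} for clients with >= threshold denials inside any window."""
    recent = defaultdict(deque)   # client -> timestamps of denials still inside the window
    alerts = {}
    for line in log_lines:
        event = json.loads(line)
        if event["result"] != "denied":
            continue
        ts = parse_ts(event["ts"])
        q = recent[event["client"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[event["client"]] = max(alerts.get(event["client"], 0), len(q))
    return alerts


def demo_log() -> list:
    """Constructed request sequence: a POS gateway working normally, a web server
    (which has no business asking for PIN keys) probing repeatedly, and one
    mis-scoped request from a second gateway."""
    server = KeyServer(
        keys={"terminal_pek": b"\x01" * 16, "bank_zpk": b"\x02" * 16},
        acl={"pos-gw-01": ["terminal_pek", "bank_zpk"], "pos-gw-02": ["terminal_pek"]},
    )
    t0 = datetime(2009, 12, 1, 2, 0, 0, tzinfo=timezone.utc)
    server.get_key(t0 + timedelta(seconds=1), "pos-gw-01", "bank_zpk")
    for secs in (5, 20, 41, 62):
        server.get_key(t0 + timedelta(seconds=secs), "web-01", "bank_zpk")
    server.get_key(t0 + timedelta(minutes=10), "pos-gw-02", "bank_zpk")
    return server.audit_log


if __name__ == "__main__":
    lines = demo_log()
    print("\n".join(lines))
    print("alerts:", denied_bursts(lines))
```

Two details carry the weight here. The refusal reason is logged, not just the refusal, so an alert can say whether an unknown host, an unknown key name or a known host overstepping its scope is involved; and the detector keys on the client rather than on the key, since the page's own breach pattern is a compromised web server reaching inward, and a web tier requesting PIN keys at all is the signal worth seeing.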
For those of you who want to know a bit more about “zone encryption,” it might be interesting to note that many large retailers and payment processors use this strategy to get some independence from their processing bank. If the PIN encryption keys are only stored on the payment terminal and at the bank, retailers and processors can’t change banks without changing out all of their payment terminals. If the retailer has lots of stores, this can be really expensive. Zone encryption allows them to de-link that connection to the bank, giving them some leverage to keep bank fees low, and making it easier to change banks if they want to. The use of zone encryption is fairly common and is not going away. However, since it’s now clear that data thieves are targeting this practice, it’s more important than ever to make sure you’re using strong and reliable encryption key management.
On that note, I’m proud of our technical team for having the foresight two years ago to anticipate attacks on key management systems. We went to work on a new appliance-based key management solution, which bore fruit in 2009. We released our new Alliance Key Manager product to the partner channel mid-year and will release it to the end customer channel this quarter. I’m sure I’ll be talking to more of you about this in the coming months.
I wish you a safe and secure New Year.
Patrick


We believe (and customers agree) that our people are a big part of what makes PTSS an exceptional company. This month, we shine our spotlight on Director of Support, Jeff Atwood. In his seven years with PTSS, Jeff has worn many hats, filling the role of graphic designer, webmaster, and marketing manager. Jeff has now been a valued member of the customer support team for six years. He says, “I’ve always enjoyed helping to solve people’s problems and love educating customers. But what’s really kept me interested over the years is the constant challenge of learning new technologies and helping people put that technology to use.”
Jeff has lived in and traveled to many foreign countries, mostly in Latin America, and has a working knowledge of the Spanish language. Besides his impressive technical knowledge, Jeff’s language skills have made him a valued part of the support team. As the PTSS customer base continues to grow around the world, Jeff looks forward to expanding customer support to extend our high level of service across more time zones. He also hopes to get more feedback from customers so we can better understand and fulfill their support needs.
Away from work, Jeff enjoys spending time with his family. Several years ago, he and his wife adopted their son Jackson from China, then 5 months later became the proud parents of daughter Lilly Penelope. Jeff also enjoys camping, scuba diving, boating, and volunteering with his local schools.