Electronic payments: Hurricane Gonzalez

Despite the prosecution of hacker Albert Gonzalez, more needs to be done to secure credit card transactions, reports Deb Radcliff.

Something to be learned in the Albert Gonzalez hacking case is that cybercriminals don't strike in one place and they don't work alone. In September, Gonzalez pleaded guilty to 20 different charges involving the theft of more than 40 million credit and debit accounts from the networks of retailers TJX, BJ's, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. U.S. Department of Justice records show he worked with accomplices who communicated over carder forums and reached from San Diego to Estonia.

Outstanding is an indictment charging Gonzalez and co-conspirators with stealing more than 130 million credit and debit card numbers from card processor Heartland Payment Systems, 7-Eleven and other retailers. In the earlier case, Gonzalez and accomplices hacked into wireless point-of-sale (POS) and store networks by wardriving from parking lots. In the case involving Heartland, the suspects used SQL injection attacks.

“Cybercriminals operate like any other crime ring: They meet in person and virtual chatrooms, they buy and sell tools of the trade and devise schemes,” says Special Agent Jeff Troy, section chief of the cybercriminal program at the FBI. However, unlike traditional crime groups, cybercriminals change attack vectors.

Troy's section was responsible for taking over the hosting of the DarkMarket carder site in an undercover sting operation that culminated with 56 arrests worldwide in late 2008. The investigation is still ongoing.At its peak, DarkMarket had more than 2,500 members, proving that there's a lot of money to be made in the stealing, buying, selling and laundering of stolen financial identities. When apprehended, Gonzalez had more than $1 million cash buried in the backyard of his home in Miami, along with luxury cars, jewelry and other properties.

No Maginot Line
From an attack standpoint, the progression of charges against Gonzalez reiterates what members of the Jericho Forum, a security think tank, and others have been saying: Traditional network controls to keep the bad guys out aren't working.

“Detection is based on the known, and most of that detection is placed at the edge of the organization,” says Rob Lee, faculty fellow and forensics curriculum lead at SANS Institute. “We need internal mechanisms to pick up on odd behavior inside the network, in our applications, and on our devices, as well as at the network edge.”

According to the “2009 Verizon Business Data Breach Investigations Report,” POS systems, databases, desktop applications and web applications make up the top vectors of attack. Ultimately, the target goal is the database. Of the successful breaches Verizon investigated, 75 percent of records were taken from databases.

In December 2007, the Heartland breach originated with an SQL injection that broke through a non-financial web page for business customers.

“We closed the SQL injection very quickly, but unfortunately the malware had already been inserted, signatures for which were not contained in our anti-virus database,” says Heartland CIO Steve Elefant (left). “We hired forensics investigators who searched for nine weeks and were nearly out the door when they finally found a temp file that wasn't ours.”

The file led to a sniffer hidden by anti-forensic technologies that captured passwords and ran inbound and outbound card data traffic over HTTP, where it is undistinguishable from legitimate web traffic.

The fact that the malware was discovered a month after the company passed its sixth-annual Payment Card Industry Data Security Standard (PCI DSS) audit is one of the key things that bothers Elefant. It proves that ‘compliant' is not the same as ‘secure' – especially when it comes to the undetectable nature of zero day threats.

“No amount of monitoring or anti-virus would have caught this zero-day,” he says. “We wanted to make sure this wouldn't happen again to us or anyone else.”

Heartland quickly stood up a new organization called the Payment Processors Information Sharing Council (PPISC) as part of the Financial Services Information Sharing and Analysis Center (FS-ISAC), supported beneath the umbrella of the U.S. Department of Homeland Security.

“We've found that the bad guys are very good at information sharing over hacker and carder websites, while many of the good guys have worked in silos for competitive reasons,” he explains. “We need to share records of attacks and threats with each other and law enforcement. Malware detection should not be a competitive issue.”

About 25 people from card acquirers and processors attended the first PPISC meeting at St. Pete Beach, Fla. in May 2007 and shared nearly 100 examples of zero-day malware that were not detectable by anti-virus and monitoring. Now, 12 of the top 15 processors are members. Troy says the PPISC is already sharing information with the FS-ISAC, and cross-sharing sanitized threat information between the ISAC and law enforcement.  

Another improvement to arise since the breach is Heartland's E3 payment lifecycle end-to-end encryption, which was in development when the breach occurred. When paired with card authentication and back-office tokenization, Heartland believes it is a superior solution to chip and PIN security. It has become an important selling point to new accounts, according to Heartland releases.

Encryption and information sharing are important improvements, says the FBI's Troy. But a primary vulnerability he sees repeatedly in investigations is one of improper authentication.

 “On the internet, it's very difficult to establish the trust factor because the foundational systems are susceptible to being hijacked,” he says. “Organizations need to find a balance between user friendliness and strong authentication that goes far beyond username and password.”

Do away with magstripes?
The biggest vulnerability is the magnetic stripe on the back of the card that contains account and identity information of value to identity thieves, contends Avivah Litan (right), Gartner fraud analyst. Inversely, magstripes provide a way for identity thieves to transfer stolen credentials onto plastic and pass them off as real cards.

“Until we do away with the magstripes on the back of cards and replace them with unhackable chips, everything else we do security-wise is just patchwork,” she says. “Countries that moved to chip cards have been able to successfully eradicate these types of fraud.”

Binding identity to the chip and one-time passwords would handle both the authentication and the fraud problem, she continues. Unfortunately, she believes it will take an act of Congress to move organizations to overhaul their payment systems to accept chip cards. Either that, or processors and merchants will get fed up when too many Gonzalez-sized hurricanes rumble through their businesses and make changes voluntarily.

Elefant agrees that until there is new technology to significantly improve the payment industry, processors and merchants are unwilling to tear up what he calls a multi-billion dollar electronic system.

“We face very challenging problems in this ongoing game of cat and mouse with the bad guys,” he adds.

Deb Radcliff

Deb Radcliff was the first investigative reporter to make cyber crime a beat starting in 1996 after researching a best-selling book about Kevin Mitnick called the Fugitive Game. Since then, she has written hundreds of articles for business and trade magazines, won two Neal awards for investigative reporting, and was runner up for a third. She stood up an analyst program for SANS Institute and ran it for 15 years before joining the Cyber Risk Alliance as strategic analyst on the business intelligence unit. And she wrote her first book in a cyber thriller series, “Breaking Backbones: Information is Power,” which is selling well on Amazon and other outlets.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.