Eric Ogren, writing for SearchSecurity.com, and Evan Schuman and Fred Aun, from StorefrontBacktalk.com, have some insightful commentary regarding the tactics used by the hackers to breach Heartland and how those tactics relate to the limitations of the current PCI compliance standard.
I think the key takeaway here is that compliance does not necessarily equal security. Here are a few highlights from their articles:
Eric Ogren
1. The hackers ran their malware through 20 AV products to test detection avoidance. AV is very good at stopping known attacks of mass destruction, but is quite a bit less good about catching low profile designer attacks. Effective security should augment AV filters with technology that reflects control over the unique aspects of the organization's server and endpoint configurations. IT has choices here – application whitelisting on locked-down servers will prevent execution of unauthorized software, thin clients prevent attacks from persisting at endpoints, virtual desktops and servers give IT control over endpoint configurations and automated patching systems close windows of vulnerabilities. PCI should be more assertive in recognizing that signature-based schemes and reputation services will not catch low volume activity that is the trademark of malware designed to steal information.
2. It would be nice if PCI could have protected 7-Eleven and others from the same attack technique that befell TJX years earlier.
Evan Schuman and Fred Aun
1. One retail security expert, who has firsthand knowledge of defending against these defendants and who agreed to discuss the indictment if neither her name nor employer was identified, said much in the indictment points out inherent weaknesses in PCI. The back door approach used, a time-honored hacking technique for decades, is a red flag. “Being on the inside, these probably would have passed right through firewalls as the data would be travelling in the ‘safe’ direction. Also note that any gains a company would have from a password rotation scheme would be negated by the installation of a back door. My main point there is that password rotation schemes are not an effective defense, and shouldn’t be elevated to such by PCI or corporate ‘security policies.’ In any case, Hackers 2, PCI 0.”
2. The SQL injection tactic points out an especially significant PCI flaw, the expert said. “PCI doesn’t say boo about SQL injection attacks. It only says you must maintain secure systems and applications and review the applications annually. But reviews are ineffective on unknown bugs – they can only help recognize bugs the reviewer actually knows about.”
3. Another concern that she listed involved Heartland details. “The attackers installed sniffers to capture the traffic, they did not harvest data intentionally stored by Heartland on hard drives. PCI doesn’t say anything about encrypting data on private networks, only that you must protect stored cardholder data or encrypt data traveling over open, public networks. And the networks obviously have the business need-to-know, that’s what they do: carry data. That’s a three-point shot for the Hackers; Hackers 6, PCI 0.”
4. Yes, PCI compliance may have successfully defended Heartland against lesser attackers. But the bottom line is that Heartland could have been (and probably was) breached while being 100 percent PCI 1.1 compliant on all their points. The real observation here is that PCI DSS compliance was completely ineffective against these guys, no matter how the PCI guys spin it.
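The expert's point in item 2 above is that an annual application review only finds the injection bugs the reviewer already knows to look for. The example below is added here (it is not code from either article or from Heartland) and shows why the fix is structural rather than review-based: the same lookup is written once with string concatenation and once with a bound parameter, against a constructed in-memory SQLite table with made-up merchant names. A crafted name string changes the meaning of the concatenated query but is treated as plain data by the parameterized one, so the whole bug class disappears regardless of what the reviewer knew.

```python
import sqlite3

# Constructed sample data: two made-up merchant records (not real identifiers).
SAMPLE_ROWS = [
    ("acme-store", "merchant-key-1"),
    ("beta-mart", "merchant-key-2"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (name TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: user input is spliced into the SQL text itself.

    Whatever the caller passes becomes part of the statement, so quote
    characters in the input can change the query's logic.
    """
    sql = "SELECT name FROM merchants WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened form: the SQL text is fixed and the input is bound as a value.

    The database driver never interprets the bound value as SQL, so the
    statement's logic cannot be altered by the input.
    """
    sql = "SELECT name FROM merchants WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and return their results side by side."""
    conn = build_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, name),
            "parameterized": lookup_parameterized(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate merchant name behaves identically under both forms.
    print(compare("acme-store"))
    # An input containing a quote and a tautology widens the concatenated
    # query to every row, while the parameterized query simply finds no match.
    print(compare("' OR '1'='1"))
```

The parameterized version does not depend on anyone recognizing the malicious input; the driver sends the statement and the value separately, which is why PCI-style code review is a weaker control than eliminating string-built SQL from the codebase.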
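Item 1 above makes the point that a back door and the sniffed data it sends out travel in the "safe" outbound direction, so an inbound-focused firewall never sees a violation. One control that does see it is an egress allowlist for the card-processing segment: every outbound flow from that segment is compared against the short list of destinations it is expected to reach, and anything else is flagged together with its byte count. The example below is added here (not code from either article) and runs that check over constructed firewall log lines in a hypothetical key=value format, using documentation-reserved IP ranges; the allowlist, segment and field names are all assumptions.

```python
import ipaddress

# Constructed allowlist: the only destinations the card-processing segment
# is expected to talk to (addresses from the documentation-reserved TEST-NET-2 range).
EGRESS_ALLOWLIST = {"198.51.100.10", "198.51.100.11"}

# Constructed address range for the card-processing segment (RFC 1918 space).
CARD_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample firewall log in a hypothetical key=value format.
SAMPLE_LOG = """\
ts=2009-08-18T01:00:01Z src=10.20.0.5 dst=198.51.100.10 dport=443 bytes_out=8120
ts=2009-08-18T01:00:07Z src=10.20.0.5 dst=203.0.113.77 dport=443 bytes_out=52428800
ts=2009-08-18T01:00:09Z src=10.30.0.9 dst=203.0.113.77 dport=80 bytes_out=1200
ts=2009-08-18T01:00:15Z src=10.20.0.8 dst=198.51.100.11 dport=443 bytes_out=900
"""


def parse_line(line):
    """Turn one 'key=value key=value' log line into a dict with an integer byte count."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["bytes_out"] = int(fields["bytes_out"])
    return fields


def find_unexpected_egress(log_text, allowlist=EGRESS_ALLOWLIST, segment=CARD_SEGMENT):
    """Return (src, dst, dport, bytes_out) for every outbound flow that leaves the
    card-processing segment towards a destination not on the allowlist.

    Flows from hosts outside the segment are ignored: the check is scoped to the
    network that carries cardholder data, where egress should be tightly known.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = ipaddress.ip_address(rec["src"])
        if src in segment and rec["dst"] not in allowlist:
            findings.append((rec["src"], rec["dst"], rec["dport"], rec["bytes_out"]))
    return findings


def total_unexpected_bytes(log_text):
    """Sum the bytes sent to non-allowlisted destinations, a useful alert threshold
    because a sniffer's collected data tends to leave in large bursts."""
    return sum(f[3] for f in find_unexpected_egress(log_text))


if __name__ == "__main__":
    for finding in find_unexpected_egress(SAMPLE_LOG):
        print("unexpected egress:", finding)
    print("bytes to non-allowlisted destinations:", total_unexpected_bytes(SAMPLE_LOG))
```

In the constructed log only the 50 MB flow from 10.20.0.5 to 203.0.113.77 is reported; the same destination contacted from 10.30.0.9 is outside the segment and is ignored. In practice the allowlist would be maintained alongside the firewall's outbound rules, so that the rule set and the detection agree on what "expected" means.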
I've wondered how PayPal seemingly signs up any merchant without doing any underwriting or risk assessment. Well, now I think I have my answer. They do it after the fact.
There is a lot of risk associated with providing credit card processing services to a business. If a merchant sells something that they can't deliver, don't deliver, partially deliver, deliver poorly, or that is defective in some way, and the business can't remedy the situation with their own financial resources, the credit card processor is on the hook for all the chargebacks and losses.
Merchant account providers can do a number of things to address these risks including a reserve requirement. Reserve requirements come in different shapes, sizes and flavors. Some are 6 month rolling reserves, some are fixed amounts, some require upfront money and others are collected as part of the processing volume.
When cash flow management is one of the most important components of running a business, a reserve requirement is probably something better identified before, rather than after, the fact.
Following in the footsteps of Amazon's efforts in the payments space, PayPal announced a new service they're calling Adaptive Payments (TechCrunch has the new API posted). It allows merchants/developers to become payment aggregators whereby they can accept and dynamically distribute payments among multiple parties. It's a great move by Paypal that leverages the network of users they've built over the past decade as well as their global payments capabilities, but there are some limitations. I think there are a few things to note.
Context
PayPal has overcome several limitations and/or unappealing features of traditional payment methods (check and credit card; I'm excluding cash in this discussion) and payment channels (banks and wire transfer services). For example, for an individual to pay someone, instead of writing a check or sending a wire transfer, a PayPal user can easily send money to another PayPal user.
Credit cards, which are used for a substantial percentage of all commerce in the U.S. and around the world, were built around a 1:1 relationship between cardholder and merchant, not user to user (though MasterCard just recently announced a transfer service using Obopay's platform). This is one structural limitation that has provided PayPal the opportunity to grow like it has.
Target Opportunity
Adaptive Payments solves a few key problems for merchants and developers: 1) global B2B, B2C and C2C money transfers (a U.S. business can achieve the same payment flexibility domestically by using electronic funds transfers (EFT), without requiring that the recipient have a PayPal account; however, things get complex and there are several limitations when expanding outside of the U.S.); 2) eliminating the need for recipients to have a bank account; and 3) dynamic, global and multi-party payment distribution.
Limitations of Adaptive Payments
According to PayPal's API documentation, all payment participants are required to have a PayPal account: “The payment sender, receiver(s), and application owner must each have a PayPal account. Senders and receivers may have personal accounts; however, application owners must have business accounts.” The solution works for prearranged payment distribution relationships, as the only barrier to participating is setting up a new PayPal account beforehand.
For realtime, non-prearranged payment situations, this requirement is a serious drawback that could hinder adoption. PayPal has no choice but to maintain it, because payments have to stay on its network. In other words, in some situations its greatest strategic asset may also turn out to be its Achilles heel.
Network Effect
I think the big story in all of this is the following: the major card brands such as Visa, MasterCard, American Express and Discover have done an exceptional job over the years building a global network of cardholders and accepting merchants to facilitate commerce. It's now a global standard. They have built substantial barriers to entry for others (look at Revolution Money, which has raised around $100 million to try to penetrate the U.S. market).
Collectively, the internet, globalization, social networks, and mobile phones have been shifting the payments landscape and reducing these barriers. It's the wave that Paypal and other innovators have been riding and has turned what was a potential threat and minor scratch for the card brands into an open wound.