April 6, 2012

Global Ramifications

The Internet is abuzz with speculation on the source and scope of the Global Payments breach. In the past few days, reports on the number of affected cards have ranged from as many as 10 million to a little more than 50,000 with Global setting the “official” number at 1.5 million. Likewise, the source of the breach has been widely disputed. Several industry pundits claimed the transactions came from a single industry (parking garages or taxi companies, depending on who you believe – or, in the most recent iteration, a taxi company that runs parking garages – all based in New York City).

A “security expert” on Fox News theorized that the breach occurred when an organized crime group used personal information to gain access to the data and that – possibly – malware was then installed to capture the card information (including swipes). From this theory, it sounds like Global was likely using a knowledge-based authentication (KBA) system to validate users. While KBA is not two-factor in the sense that an RSA key is, Global might have believed that this approach was “close enough” to meet applicable standards and best practices.

Unfortunately for them, through the simplest of social engineering schemes, an organized criminal enterprise could easily gain access to information like addresses, mortgage payment amounts, mother’s maiden name, etc. (In light of this breach, Evan Schuman at StorefrontBacktalk published an article over the weekend on the weaknesses of knowledge-based systems that I would recommend checking out.)

Since we really don’t know what happened (because the PCI and the card associations won’t tell us), maybe it went something like this: A New-York-based independent sales organization (ISO) of Global that specializes in parking service (or taxi) companies was a little lax in security and was infiltrated by a member of an organized crime organization; through social engineering, he or she fraudulently got access to Global’s entire cardholder data environment (CDE).

If the losses truly are limited to just the parking or taxi industries, then it is possible that the hacker using these ISO credentials didn’t get unfettered access to the CDE but merely to that ISO’s data. Or it is likewise entirely possible that the ISO has a gateway and that the thief merely intercepted the “private” but unencrypted leased-line authorization traffic to Global. In either of the latter two cases, the fact that 1.5 million cards were compromised means that it must have been a super-ISO that was compromised (as a run-of-the-mill Independent Sales Organization would not have access to that type of traffic during the time of the breach).

All three scenarios are feasible, even plausible, and would lead to the same result – a loss of cardholder data. So, why should we have to guess which it was?

My point is this: Once again, we have a major breach and are told almost nothing about it. As someone whose company is responsible for protecting the cardholder data of millions of consumers (and the reputation of both Shift4 and the industry at large), I think the secrecy about breaches has got to end. We know that those “in power” believe that if they make it public it will give criminals a road map. (Mary Ann Davidson certainly made clear Oracle’s feelings on the matter in her blog post last week.) But holding all of the data out of reach likewise gives the advantage to criminals.

Now, we are not suggesting posting vulnerability information in a public forum, but there ought to be a secure portal (with legitimate two-factor authentication) where industry principals with a vested interest in the security of cardholder information (primarily third-party agents or processors who have existing NDAs on file with the card brands) can – under the bounds of a non-disclosure agreement – go to read a candid synopsis of what happened. Such a forum would improve the security of the entire industry.

Let’s be honest, the hacker community is vocal and active. They share information and build on one another’s exploits. If we are not similarly transparent, how can we be expected to thwart their efforts? And, honestly, if Visa, or PCI, or any other organization knowingly withholds information that could prevent a future breach, how can they hold companies liable for falling victim to a similar attack? Wouldn’t the culpability then fall to those who withheld the information?

If we knew the issues behind the breach or the vulnerabilities that were exploited, we could spend our time making things better – rather than debating hypothetical scenarios. Although, so long as we’re speculating … did anyone else notice Visa went offline for about 45 minutes this weekend – that’s just about the amount of time they’d need to rekey Global’s debit setup, isn’t it? This breach may have gone a whole lot deeper than we’re hearing … Just a thought.