Hannaford Breach May Presage '08 Trend

The Hannaford Bros. supermarket chain said Monday that a breach of its computer systems may have given criminals access to more than four million credit and debit cards issued by nearly 70 banks nationwide. While the banks appear all but ready to blame Hannaford for failing to follow payment card industry standards on security, there are signs that this may be the first of many cases to surface this year wherein the affected retailer was hacked even though it appeared to be following all of the security rules laid out by the credit card associations.

The Boston Globe's Ross Kerber today writes that Hannaford is still investigating the specifics of how the data was taken, but that the company's chief executive said the data "was illegally accessed from our computer systems during transmission of card authorization." Translation: The hackers snatched the credit/debit card data sometime between when the customer swiped their card in the reader at the register and when that transaction was approved.

The Globe story continues: "What could make the Hannaford case unusual is that since last spring its stores have met industry standards regarding how customer data is stored and maintained, Eleazer said. Many other retailers victimized by breaches, including TJX, had been faulted for lax security. It's too soon to know whether Hannaford's case will warrant the consideration of further security reforms, said Ted Julian, vice president of strategy at Application Security Inc., a New York database services company."

These details remind me of a conversation I had a few days ago with Bryan Sartin, vice president of investigative response for Cybertrust, a division of Verizon Business. Sartin said a great many retailers have taken extra precautions to ensure that any credit or debit card data they store is properly encrypted and secured. But his team is currently responding to a number of data breaches in which hackers have targeted financial data as it is being transferred from the retailer to the credit card processor and back. While the payment card industry standards require retailers to encrypt payment data when it traverses public networks, that requirement does not necessarily apply to a company's own internal, non-public networks, Sartin said.

"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."

Sartin declined to say whether this dynamic was at work in the Hannaford case (his company had been retained by a party involved in the breach). But he noted that Cybertrust has found with a number of very recent compromises that attackers have seized control over the very terminals that control cash registers or point-of-sale systems within a retail store, or the server through which all registers connect to pass transaction data out across the Internet to the store's payment processor.

Once these systems have been compromised, Sartin said, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.

Indeed, attackers appear to be exploiting the letter - if not the spirit - of the payment card industry standards, said Tom Kellerman, vice president of security awareness at Core Security. Kellerman said many retailers not only fail to encrypt financial data while it is being moved around inside the stores, but they also fail to understand that encrypting data is meaningless if the merchant doesn't also harden the security of the computers that power the point-of-sale systems.
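A check a merchant can run over a capture of its own store LAN, added here as an example (it is not code from the article or from any company named in it): it reports card numbers that cross the wire in the clear, which is exactly what the in-store sniffing Sartin and Kellerman describe depends on. The authorization message below is constructed for the example, carries only test card numbers, and its field names are assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample of what an unencrypted authorization message on a store
// LAN might look like. It is made up for this example and uses test card numbers.
const sampleTraffic = "TXN=1042&PAN=4111111111111111&EXP=0911&AMT=42.50\r\n" +
	"TXN=1043&PAN=5500 0000 0000 0004&EXP=1010&AMT=8.99\r\n" +
	"TXN=1044&TOKEN=tok_7f3a9c&AMT=13.20\r\n" + // tokenised: nothing to find
	"LOG order=1234567890123 qty=2\r\n" // 13 digits, but fails the Luhn check

// candidate matches 13-19 digits optionally separated by spaces or dashes.
var candidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether a digit string passes the Luhn check that every
// payment card number satisfies; it filters out order numbers and timestamps.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// FindCleartextPANs returns, masked, every card number found unprotected in
// payload. A non-empty result means the link still carries cardholder data
// in the clear and needs encryption regardless of how PCI 4.1 is read.
func FindCleartextPANs(payload string) []string {
	var found []string
	for _, m := range candidate.FindAllString(payload, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if len(digits) >= 13 && len(digits) <= 19 && luhnValid(digits) {
			found = append(found, mask(digits))
		}
	}
	return found
}

// mask keeps the first six and last four digits, the form an audit log may retain.
func mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}
```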

"Even the stores that are trying very hard to be [payment card industry security standards] compliant don't seem to comprehend that if I as an attacker own the computers inside of your store, then encryption means nothing," Kellerman said. "Unfortunately, our consultants are seeing this weakness left and right at groceries and other retailers."

Already, there are signs that 2008 may turn out to be a record-breaking year for retailer and card processor data breach disclosures. Kevin Mandia, president of Mandiant Corp., an Alexandria, Va.-based company that specializes in investigating data breaches, said his firm responded to more credit card losses in the past year than in any prior 12-month period.

"It's early in the year, but the tempo [of data breaches] has been very heightened since the summer of 2007 and maintained the same barrage," Mandia said. "We're seeing at least two new companies a week discovering that they've lost credit card numbers, and at the rate we're going [the criminals] are going to exhaust U.S. retailers as targets."

By Brian Krebs  |  March 18, 2008; 11:08 AM ET
Categories: Fraud, From the Bunker

Comments

I just found out today and that too from friends. We all shop at Hannafords and are getting our credit cards replaced. But what about id theft with the data compromised?

Posted by: Andrew | March 18, 2008 4:15 PM | Report abuse

This perfectly illustrates how the ambiguities of the PCI can get you into big trouble. The legal implications of giving a stamp of PCI approval based on a loose interpretation of PCI are enormous (you can read more here at my blog, I am an infosec attorney: http://infoseccompliance.blogspot.com/2008/02/legal-implications-risks-and-problems.html)

Anyway, in this case the ambiguity is in section 4.1 of the PCI Standard, which requires "Encrypt transmission of cardholder data across open, public networks" and also states "Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit."

Examples are provided: the Internet, WiFi, global systems for mobile communications and GPRS.

So the question is, does this include open "internal" networks of a merchant that may be "easy and common" for a hacker to intercept?

If all of the supposition is true, it appears that Hannaford (or its Qualified Security Assessor) interpreted this to mean only "public" networks like the Internet....

Posted by: Palooza | March 18, 2008 4:21 PM | Report abuse

I believe I am the victim of this breach of security. On February 18th I became aware that my checking account had been overdrawn. Someone had attempted to charge over $2000 of merchandise via telephone and internet from what I was told by one company. Some items had already been shipped, others were authorized and a hold was on my account. I shop at Hannaford all the time. My card was used to buy items that were shipped to Florida. (I live in NY.) When I read this news today I realized that this is probably where my card info was taken. I found it odd that Hannaford has stores in both NY and Florida (SweetBay). I am very secure about how and where I use my card and that is what I told my bank (the branch I use is in Hannaford) but no one had any idea how it had happened. Although the bank did get all of my money and fees back to me, it was 2 weeks I had to go without the money that I had put in the bank, which was everything I had, since I had bills to pay. If I had been a single person and had nowhere to get any money, this would have been a dire situation. My account was basically cleaned out and I was told that I had to wait for the bank to investigate. The assurance that you will get your money back doesn't buy groceries or pay bills. I am thankful to get it back, but something more has to be done with the system.

Posted by: Debbie | March 18, 2008 8:17 PM | Report abuse

Note to self:
Stop using credit card at Giant and Safeway.

Posted by: wiredog | March 19, 2008 9:23 AM | Report abuse

Who here doesn't reconcile their account every month and monitor their money anyway? It's a dangerous world and it's always a risk. Anyone who thinks otherwise is a fool. TJX and Hannaford are merely the first, but if they're the last then I'm the Queen of England.
Fining these companies when they are compliant is unfair to them, especially if they're doing everything that the laws say. Creating more laws seems fair enough, but more government oversight (and more government in general) is simply a waste of more of our own money.
It's called PERSONAL RESPONSIBILITY. Look it up and use some, people. You shouldn't have signed that Adjustable Rate Mortgage, you should be looking at your bank statement, and you should be monitoring your finances. Smarten up or face the consequences!

Posted by: Anonymous in New England | March 19, 2008 10:02 AM | Report abuse

(Oh, and it's not MY JOB to bail you out with my hard-earned tax dollars.)

Posted by: Anonymous in New England | March 19, 2008 10:03 AM | Report abuse

Second look at using cash??? ;)

Posted by: TJ | March 19, 2008 10:41 AM | Report abuse

"Who here doesn't reconcile their account every month and monitor their money anyway?"

Personally, I check my account(s) every few days (online), so by the time I receive the monthly statement it's just a rehash of what I already know. That way there are no surprises at the end of the month. (note: it is imperative to secure your accounts during online access by ensuring the computer used is free from malware such as keyloggers, or else game over man!)

Otherwise, from my experience with family and friends, many don't check their accounts often or at all despite my advice to the contrary! Their main excuse is a combination of it being too much work and it being the bank's responsibility to protect them. Even more shocking is one relative who believes they do not need to worry about their bank balance because they make gobs of money and the account balance is always high. Talk about a dangerous assumption! If they don't check their account, how do they know they're not being slowly bled to death or, worse, the account drained on any given day? In my mind, this person has the most to lose and should be monitoring their accounts the most! Not to mention (for everyone too) exercising caution where and when they use their credit/debit card(s).

Posted by: TJ | March 19, 2008 11:19 AM | Report abuse

It seems to me that the payment card system in this country is fundamentally and fatally flawed. A customer gives all the information necessary to procure payment to a merchant. The merchant submits the information to a bank and receives payment. This is absurd in today's world. Anyone who steals the payment card information can submit requests for payment and receive payments without the customer, the merchant, or the bank knowing until it is too late.

Consider the following alternative. The customer gives his payment card number to the merchant. The merchant submits a digitally signed electronic document requesting payment to the bank. The document contains the payment card number, the merchant's account number, and the amount of the requested payment. The bank can verify the authenticity of the document using the merchant's public key for the digital signature. The customer authorizes payment by submitting a digitally signed electronic document to the bank. The document specifies the customer's payment card number, the merchant's account number, the amount of the payment, and the current date and time. The customer's payment card is a smart card containing an electronic chip that digitally signs the document using a private key that is generated by and only known to the chip. The customer must enter a PIN number when authorizing payment to help ensure that the person using the card is authorized to do so. The bank can verify the authenticity of the customer's document using the public key published by the chip. The bank then pays the merchant if and only if it has received authorization to do so from the customer. None of the information given to the merchant or transmitted to the bank needs to be secure to prevent fraudulent use of the payment card. The ubiquitous presence of payment card terminals, computers, cell phones, and Internet access in conjunction with a secure hardware device that allows a customer to generate a payment authorization document using his smart card would make a workable system.

There is no question that time and money will be required to deploy such a system and transition from today's antiquated payment card system. However, the benefits are enormous. The payment card industry needs to do the right thing. It must acknowledge the fundamental and fatal flaws of the current system and replace the system as soon as possible. If they don't do it on their own, then the government must mandate it. The current Payment Card Industry Data Security Standard is little more than a band-aid on a fatally flawed system.

Posted by: Rodney Jacobs, Bangor, Maine | March 19, 2008 11:56 AM | Report abuse
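The scheme Rodney Jacobs proposes above, worked through as an added example that is not part of the original comment or of any real payment network: the merchant signs a request, the cardholder's chip signs an authorization only after the PIN, and the bank pays if and only if both signatures verify under the keys it holds and the two documents describe the same payment. The document layout, the five-minute freshness window and the record of spent authorizations are assumptions added here; the private keys never appear in anything sent to the merchant or the bank.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"time"
)

// Payment is the content of both documents: the merchant's request and the chip's
// authorization, which adds the date and time. The layout is an assumption for this example.
type Payment struct {
	Card, Merchant string
	AmountCents    int64
	IssuedAt       int64 // Unix seconds; left zero in the merchant's request
}

type Signed struct{ Body, Sig []byte }

func sign(priv ed25519.PrivateKey, p Payment) Signed {
	body, _ := json.Marshal(p) // a struct of plain fields cannot fail to marshal
	return Signed{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Chip stands in for the smart card: the private key never leaves it, and it
// signs an authorization only after the cardholder presents the PIN.
type Chip struct {
	priv ed25519.PrivateKey
	pin  string
}

func (c *Chip) Authorize(pin string, p Payment, now time.Time) (Signed, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return Signed{}, errors.New("chip: wrong PIN")
	}
	p.IssuedAt = now.Unix()
	return sign(c.priv, p), nil
}

// Bank holds the public keys on file, the authorizations already spent and a ledger.
type Bank struct {
	MerchantKeys, CardKeys map[string]ed25519.PublicKey
	spent                  map[string]bool
	Paid                   map[string]int64
}

func NewBank() *Bank {
	return &Bank{map[string]ed25519.PublicKey{}, map[string]ed25519.PublicKey{}, map[string]bool{}, map[string]int64{}}
}

// Settle pays the merchant if and only if both documents verify under the keys on
// file, describe the same payment, and the authorization is fresh and unused.
func (b *Bank) Settle(req, auth Signed, now time.Time) error {
	var r, a Payment
	if json.Unmarshal(req.Body, &r) != nil || json.Unmarshal(auth.Body, &a) != nil {
		return errors.New("malformed document")
	}
	if mk, ok := b.MerchantKeys[r.Merchant]; !ok || !ed25519.Verify(mk, req.Body, req.Sig) {
		return errors.New("merchant signature invalid")
	}
	if ck, ok := b.CardKeys[a.Card]; !ok || !ed25519.Verify(ck, auth.Body, auth.Sig) {
		return errors.New("customer authorization invalid")
	}
	if r.Card != a.Card || r.Merchant != a.Merchant || r.AmountCents != a.AmountCents {
		return errors.New("request and authorization disagree")
	}
	// A captured authorization is worthless later: it must be recent and never seen before.
	if age := now.Sub(time.Unix(a.IssuedAt, 0)); age > 5*time.Minute || age < -time.Minute || b.spent[string(auth.Sig)] {
		return errors.New("authorization stale or already used")
	}
	b.spent[string(auth.Sig)] = true
	b.Paid[r.Merchant] += r.AmountCents
	return nil
}
```

Because the bank checks its own copy of the chip's public key, someone who has captured the card number (or even a whole earlier authorization) can neither sign a new one nor replay the old one.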

Security is the bottom line. One way to prevent theft of card information is to not require the merchant to collect the card information at all. In an eCommerce environment, this can be handled by a third party payment method like PayPal, where the user can decide what instruments they use to fund their payments (e.g. bank account, credit card). This can also be achieved through hosted payment solutions offered by multiple gateways.

For card present situations such as a grocery store, we will not see a reduction in card theft until the marketplace moves to widescale adoption of EMV cards where the card information is encrypted at the card. This has shown dramatic improvements in the reduction of fraud in countries that have mandated its adoption (UK).

Lastly, if a business is employing a security consultant and they explain being compromised as a result of limiting themselves to a literal interpretation of PCI, they are overpaid. Any good security person will constantly be considering the ways in which they might be exploited.

Posted by: Charlie | March 19, 2008 2:02 PM | Report abuse

Second look at using cash??? ;)

Posted by: TJ | March 19, 2008 10:41 AM

That's one option although not always practical.

One other thing I haven't seen mentioned yet is when using a check card (ex. bank issued Visa check/debit card) to choose the "credit" option instead of debit or, better yet, use an actual credit card that is not tied directly to your checking account (then pay that off every month to avoid finance charges). Both of which provide more options to dispute fraudulent charges, as well as those charges not being taken out of your checking account directly.

Also, as others have stated, the ultimate solution is to mandate changes to the current payment card system. I say mandate as the industry itself likely will not voluntarily do it as the benefit to cost ratio and/or the demand from the public is too low. Yet for government to mandate changes there usually has to be enough demand from the public (to their government representative).

So how can we get that ball rolling?

Posted by: Tim | March 19, 2008 3:13 PM | Report abuse

A drug store in CA had the same thing happen last summer

Posted by: Carol | March 19, 2008 4:24 PM | Report abuse

If you must use a card, use a real credit card. Consider switching to cash as much as possible. Learn where all of your bank's ATMs are located so that you can hit them often and without charge instead of carrying around huge gobs of cash.

Posted by: Ivan Groznii | March 19, 2008 5:31 PM | Report abuse

The heck with credit cards, or even cash.

Go back to using gold, or barter.

Posted by: Michael Houst | March 20, 2008 7:56 AM | Report abuse

I work in the field of info sec, and I see the desire of company execs to meet the letter of the law. At the same time, they have little desire to really secure their systems.

I can understand their dilemma. Most regulations hold them responsible for failures to act upon information they have. So, by blindly following the letter of the law with no interest in the spirit, they stay out of trouble. It's no wonder their systems are full of holes.

Securing large-scale systems (which are meant to be publicly accessible) is a daunting task. The adage is that there are millions of "them" and only one of us, and "they" only have to exploit one hole while we have to defend them all.

But that is all too often a cop-out for doing nothing.

To be sure, it's not about the costs of security. Aside from the apparent costs of failure versus the costs of success, most companies are spending a tremendous amount on "security." Unfortunately it is generally on the form, not the substance.

Today, we rely upon audits to protect us. From what I see, there are not enough competent auditors. As a result, they either miss the obvious or they proclaim the sky is falling. Certainly, it's a new field. Double entry accounting is centuries old. So expecting the auditors to catch up overnight is a bit much. But if the quality of audits does not improve, neither will the subjects of their auditing.

And, sadly that leaves us only with the "after-the-fact" audits of our own records, as TJ and Anon in NE suggest. These are important activities to be sure. But if fraud is discovered at that late date, the individual becomes the canary in the coal mine. It's not just about individual responsibility. We operate in a web of interactions. We all have responsibilities to ourselves and each other, and we must insist that everyone be responsible, individuals *and* large companies alike.

Posted by: Sam Nicholson | March 20, 2008 9:03 AM | Report abuse

Was this data in motion on an internal network, therefore not covered by PCI? Who was their assessor? You're telling me that PCI lists compliant companies, but doesn't list the assessor? They're being awfully trusting.

My questions are for me as an individual and do not represent my company at all.

Posted by: Dave B | March 20, 2008 12:28 PM | Report abuse

Security vendors will come out of the woodwork now commenting as "experts" to shill their widget or service as solving this problem. As with every other poster boy (TJX, BJ's, Choicepoint, blah blah blah), nobody gets sued (or suits are dropped), nobody goes to jail, and stock prices of those affected firms do not suffer, nor should they. If we invested in training employees, consumers, friends, families, relatives etc... just like we teach people to protect their "physical" wallets, keys and property, we wouldn't need to buy any more single purpose, magic bullet security solutions. If you want security in technology, build it into IT where it belongs.

Posted by: Security Guy | March 20, 2008 5:18 PM | Report abuse

If you can't secure your own network infrastructure, you can't provide trusted services to your customers.

If you have no (or lack) experienced personnel, consider outsourcing network security. You can't ignore security issues anymore. Mere PCI compliance will not monitor your network for security breaches.

Posted by: Pavel Feofilov | March 30, 2008 5:58 AM | Report abuse

Brian: Legally speaking, we can't expect the PCI to keep pace with the criminals. Therefore the legal system (Federal Trade Commission) is wrong to punish merchants like Hannaford and TJX for credit card break-ins. http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html --Ben

Posted by: Benjamin Wright | March 31, 2008 2:30 PM | Report abuse

Following up Sam Nicholson, the security professional:

"Today, we rely upon audits to protect us. From what I see, there are not enough competent auditors. As a result, they either miss the obvious or they proclaim the sky is falling."

Those points are only starting to become, in my opinion, THE salient issues. What has been seriously lacking, and under-advocated, to a large degree is that information security is to an appreciable degree an application of common sense. Not all, but a significant portion (I know, the "devil is always in the details"). Like transmitting customer credit information unencrypted? Don't do that! Ever! PCI compliance calls for encrypting ALL network traffic that might escape "internal networks". So, a well-executed audit would have picked that up.

The point he makes about "the sky is falling" though is something I intend to advocate more fervently. How to train, educate the public in weeding through the press reports regarding breaches, and extract correct and accurate information. THIS is no small task. Why is garnering accurate information regarding breaches difficult? Several reasons: the PR thing. Any company that has just been breached has to be extremely careful about WHAT they disclose to the world about the "event"; how they are "containing" it, how it happened. These pieces reveal a LOT about a company's internal infrastructure, so it has to be diligently screened and packaged very carefully. Another issue, which might be true of certain information professionals is: let's face it, the more breaches, the more jobs for security professionals. So, it might not seem like a bad tactical move to embellish, or exaggerate an "event", especially if it contains statistics that are difficult, if not impossible to prove or disprove. So, a quick note, about the 3 "kinds" of lies: (lies, damn lies and ..?).

Andre Brassard.

Posted by: Andre Brassard | April 2, 2008 10:54 AM | Report abuse

DOES ANYONE KNOW WHERE TO FIND THE ARTICLE ABOUT THE ONLINE DATA HACKING IN US TO 20,000.00 COMPANIES? I HAVE SEEN IT ABOUT 2 DAYS AGO AND I CANNOT FIND IT ANYMORE.

Posted by: YOLI | April 23, 2008 6:36 PM | Report abuse

PCI DSS is by no means a silver bullet, but just a set of best practices. Though the cost of compliance can be high (very few vendors offer a complete PCI solution), the cost of a breach far outweighs it. Vendors have started working towards more coverage and we expect some amount of consolidation here. Solidcore is one of the top vendors in this space with a very inexpensive product covering up to 30 individual PCI controls.

Posted by: jjohnson@gartner.com | May 6, 2008 10:22 PM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company