Slashdot Mirror

← Back to Stories (view on slashdot.org)

Three Indicted In Huge Identity/Data Breach

Posted by kdawson on from the hoping-you-didn't-charge-that-slurpee dept.

ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology.

6 of 101 comments (clear)

  1. Losing faith in the system by AB3A · · Score: 4, Insightful

    These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.

    Insurance companies will see this sort of business as a radioactive risk. They'll let existing contracts expire and quietly back out --UNLESS these companies get serious about their data security.

    There is a huge opportunity for someone to make some real coin doing this sort of thing, but it will take a mindset that these people have been loath to accept: People really are out to get them.

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!
  2. Hate to say it... by loteck · · Score: 4, Insightful

    but by the looks of one of the linked articles, any standardized internal controls audit should have seriously mitigated the risks of these types of attacks being possible. These guys are dealing with credit cards, right? Where was PCI compliance?

    1. Re:Hate to say it... by Anonymous Coward · · Score: 5, Interesting

      PCI compliance is the definition of security theater. I used to work for a credit card processing company, and every month we'd get some new "PCI" rule we had to follow, which did virtually nothing to make us more secure.

      Month 1: Can't store credit card numbers in problem tickets. Must use e-mail. (Internal e-mail, obviously.)
      Month 2: Can't e-mail credit card numbers internally. Must put them into problem tickets.
      Month 3: Can't do either one. Now you must provide the credit card numbers verbally (over the phone), or write them down and carry them to the person resolving the ticket.

      Which made resolving card-specific software issues absolutely delightful to deal with - I couldn't even begin to guess how many miles I trudged through the IT floor, distributing sticky notes with credit card numbers written on them, which if you ask me was more of a security risk than having them stored digitally.

      Meanwhile, the things that really mattered were left virtually untouched. I don't even know how many times something was completely and utterly screwed up by someone, somewhere in the company... and we couldn't even figure out who did it because there were no logs of what had happened, or because the logs pointed to a shared account that anybody could have used. My account on the actual card processing front-end system was watched like a hawk, however, nobody would ever have noticed if I'd downloaded a database dump from the FTP server and made off with it.

      PCI has absolutely nothing to do with actually tightening security, and everything to do with making businesses able to say "It's OK! We're PCI COMPLIANT!"

      (Post anonymously? Hmm, I wonder.)

  3. PCI stands for... by brianc · · Score: 4, Funny

    ... Pay Cash Instead!

    --


    SIGLOST && SIGUNUSED && SIGQUIT
  4. Faith is gone. We need a better way! by mcrbids · · Score: 5, Interesting

    These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.

    Yes, but there is still an underlying problem: The credit card payment system is inherently insecure. I'm not talking about the computers, I'm talking about the system at large. Credit card numbers are basically a password that you share with anybody who you buy stuff from. Any of these vendors by definition have all the information necessary to use your credit card.

    What you can't do with the current system:

    1) You can't "lend" your card to a subcontractor so that they can buy supplies, without opening yourself up to a world of hurt.

    2) You can't trust that your identity isn't stolen at every possible transaction.

    3) In the case of a leak, you can't be automatically alerted to attempts to use your credit card.

    It could be some otherwise bored l337 h@x0r in Montana at his mom's house who cracks an online shopping cart, or the Russian Mafia, or the pimply guy who pumped your gas. All of them get the ability to "be you" simply by transacting as you, and so long as this fundamental insecurity remains unchanged, credit cards are and will continue to be problematic.

    Me? I'm imagining something with my cell phone, a PIN like an ATM card, but one that's different for each transaction. In this manner:

    1) I swipe my card.
    2) The credit card gives me a challenge code, asks me for my PIN.
    3) I get a text message on my cell, which has the challenge code on one line, and a one-time-PIN on the next line, and a third line with the amount charged.
    4) I enter the one-time PIN, proving that I have the registered phone in my hand.
    5) Then, I enter in my permanent PIN, just like I do now.

    This protects me:

    1) Anybody at the cell phone company can see the challenge and the response PIN, but it doesn't do them any good since these change with every card swipe.

    2) Anybody at the store can see the whole transaction, but it doesn't matter since they don't have my phone.

    3) Even the credit card processing center can't fudge the transaction because the amount of the charge was submitted prior to generating the one-time PIN, and I've already been made aware of the charge.

    4) If somebody did get your card #, and tried to use it, you would know immediately that it was happening, and the amounts involved because you'd be getting notices of the transactions sent to your phone!

    This would DRAMATICALLY reduce the security footprint of the credit card transactional system, and would easily allow for causual "lend him the credit card" scenarios, since you could give the card to someone, and even let them know your permenant PIN, but keep the phone in your hand. The only person who can effectively compromise this credit card system effectively would be the credit card company itself.

    The only downside that I can see is that you couldn't use this system in areas without cell service. But even in that case, you could "pre-register" a transaction or two with no amount set, keep the one-time PINs handy, and use them when you don't have service.

    The current system is terribly insecure - I've had 3-4 different compromises of my credit card numbers in the last couple years despite my being VERY careful with my data. Then I talk to the fraud department, sign the affidavit, get my credit back, blah blah blah...

    The current system sucks. We need a better system.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  5. How it works in Sweden by MartinSchou · · Score: 5, Interesting

    I just recently moved to Sweden from Denmark. The changes in online payment processing wasn't that big - just introduced an extra bit of security. It's not a matter of being from Sweden or Denmark, it's a matter of how the shops are set up.

    In Denmark, it's the same way as in the US:
    1) Punch in your card number
    2) Punch in the card's security code
    3) There is no step 3

    The Swedish stores I've bought from adds extra steps when I'm using the card from my bank though; it uses authentication that you need to have with you:
    A smart card reader using the chip and pin for my card.

    When I want to pay using that system, the steps are as follows:
    1) Payment processor is my bank, not some random company, and is in a separate SSL session to my bank
    2) Enter SSN on payment page
    3) Enter the one-time control code in my reader
    4) Enter the pin number for my card in the reader
    5) Punch in the return code from the card reader on the payment page

    It's the same system I use for my online banking as well; it has steps for login, signing and buying, each presumably using a separate private key.

    A system like this put in to place everywhere would make gleaning my credit card number useless. I don't have any physical identification that has my SSN on it, nor am I required to have such by Swedish Law (unless I'm driving). And even with my SSN, they still need to know my pin code. Can't say for sure if the card and reader are tied to each other though - I haven't tried using someone else's reader.

    Additionally when this system is used on the websites, all processing is done through the bank's own systems, meaning the bank itself is the one that needs to be compromised, and they're probably a bit more worried about a breach than the other guys. I mean - if their systems are broken into, it's not like they can just pass the blame onto some random third party and tell the customers "don't worry, we won't be doing business with them again" - they screw up and it's us telling the banks we won't do business with them again.