The Green Sheet Online Edition
February 10, 2014 • Issue 14:02:01
Is hardware, not software, the true security solution?
The investigation into the Target Corp. breach that occurred over the 2013 holiday season continues to evolve. Target has raised the number of compromised card accounts from 40 million to 70 million, while other reports have put the number at well over 100 million.
Details about the attack itself have also emerged. The "memory scraping" malware used in the hack originated in Russia and was called BlackPOS. The same type of malware was reportedly used in attacks on at least six U.S. retailers recently, including upscale department store retailer Neiman Marcus, where 1.1 million cards were reportedly breached.
But what is not getting as much media attention is that the problem of data security goes beyond the well-documented deficiencies of mag stripe payment card technology. According to smart-card firm Tyfone Inc., the fatal flaw of the global security infrastructure is that it is software-based. Tyfone said cardholder data, not to mention all other kinds of enterprise data, is stored in the cloud, and that data is accessed via public networks fraudsters can easily penetrate.
"We have put all of our assets in the cloud," said Dr. Siva Narendra, co-founder and Chief Executive Officer at Tyfone. "All of our eggs are in one basket - trillions and trillions of dollars in the basket. What do we do to protect it?" The answer too often is that protection is an easily hackable login and password.
Don Bloodworth, Chief Financial Officer at Tyfone, believes that even if software security is strengthened, that will not take care of the problem. "Software is easier to deploy and scale," he said. "But this is one area where it is very difficult to support the fact that software can solve this problem. It really can't."
Tyfone said the solution is to transfer security from software in the cloud to hardware controlled by each individual cardholder. Tyfone supports the migration of the mag stripe-based U.S. payments ecosystem to the Europay/MasterCard/Visa (EMV) smart card solution. When EMV is employed, cardholder data is stored in a secure chip embedded in plastic cards.
Thus, instead of hackers remotely hacking into a database stored in the cloud to steal information from millions of accounts, they would have to hack into millions of individual EMV cards physically held by the cardholders to steal that same amount of data.
Threat landscape in the crosshairs
Target confirmed that its recent hack was the result of malware loaded onto Target's POS terminals. But Bloodworth said the only way that malware was installed was by hackers first gaining access to Target's back-end network.
A webinar held Jan. 15, 2013, and hosted by the law firm of Baker & Hostetler LLP detailed the types of malware attacks prevalent today. In Managing Cardholder Data Security Risks in an Evolving Payments Landscape, Marshall Heilman, Principal Consultant at Mandiant Corp., outlined several variants of "ram scraper" attacks - memory scraping malware that can be injected directly into the software of POS terminals or, more popularly, into retailers' back-office servers connected to those terminals.
"It's smarter for the attacker to install the malware on the point-of-sale server," Heilman said. "That way he can harvest all cards processed at that single store rather than having to do each register individually."
Another popular attack vector is called backdoor variant #2. Heilman said it is malware disguised as a common server application, such as the Apache Benchmark utility, that runs surreptitiously in the background and steals data.
But a simpler attack, called backdoor variant #3, involves a fraudster who gains access to a so-called secure environment where sensitive data is stored – for example, a retailer's virtual private network that conveys transaction data. Hackers obtain system administrator credentials, such as login name and password, to pose as legitimate users logging into systems remotely, Heilman said.
Undermining your own defenses
The goal of the Payment Card Industry (PCI) Data Security Standard (DSS) is to create secure environments by segmenting sensitive data from the rest of the corporate network. But Heilman said segmented environments are too often compromised by system administrators who disable security controls to make it easier to do work across the entire network.
"Ultimately all they've done is take the highly segmented environment and open it up in the exact way the hacker needed to get access to the PCI environment," Heilman stated.
Another problem is that administrators fail to change passwords frequently or restrict the access of local administrators to the entire domain by using different passwords for granting access to different areas of the network.
Heilman said if passwords were better differentiated, "at best the attacker would get access to one system at a time and force him to have to exploit something in every system he wanted to get into rather than just giving him access to every single system because he compromised one account."
But many administrators are apparently too complacent to put these barriers in place. Heilman made a direct correlation between carelessly implemented security controls and data breaches. "In every single case that I've ever investigated, when an attacker got access to the PCI environment, they exploited some type of hole that was allowed without mitigating security controls," he said.
Problems with PCI?
Heilman believes the best way to ensure network integrity is through proper segmentation. However, Narendra feels that security experts are still too focused on software. "Unfortunately, what has happened in the security industry is, not all companies but some set of companies, if you look at the predominance, they all migrated from hardware expertise in the last decade," he said. "Often when you have conversations with the so-called security expert, most of them don't even understand what a smart card is."
Narendra is also critical of the entire PCI DSS framework because it fails to address hardware as ultimately the best security solution. "PCI is grossly insufficient," he said. "It was valuable in the past, and now it is nothing but a patchwork. It does not mandate hardware. It is high time it did. Without that, it will become irrelevant."
Narendra's opinion is seconded by Gary Olson, President and CEO of ESSA Bank & Trust in Stroudsburg, Pa. In a Jan. 14, 2014, American Banker article, Olson remarked on the weakness of the card payment system and was quoted as saying that the PCI standard is "not effective at all."
As the U.S. payments ecosystem migrates to EMV, with the card brands having given retailers until October 2015 to upgrade their systems to accept EMV cards, Bloodworth expects Target-like breaches to continue to plague the U.S. economy.
"[EMV's] not something you can implement over six months," Bloodworth said. "It takes time. It's a very, very large infrastructure that's already in place that needs to transition. And it takes time to transition. We will be living with these risks for quite some time."
Target is living the nightmare right now. The January security webinar also outlined the costs and penalties Target might face due to the breach.
Craig Hoffman, Partner at BakerHostetler, said the card brands assess sizable fees if merchants are found not to be in compliance with the PCI DSS; a case management fee assessed by one card company based on the number of cards compromised; fees for noncooperation with forensic investigators; and expenses to reimburse issuing banks for breach management costs, such as for reissuing cards to consumers.
Several class-action lawsuits have been filed against Target, with one suit alleging that security investigator Brian Krebs reported on the compromise before Target notified its customers of the breach.
The way the Target breach story has unfolded is an example of how a complex situation can seemingly take on a life of its own.
"[N]o matter how hard you try to anticipate what could have occurred, it's simply a function of how much time you have to investigate what occurred against the outside pressures pushing on you to talk publicly about what happened, especially if you have security researchers calling you and telling you they are prepared to publish a blog story about what they've learned about an attack on you," Hoffman said.
In effect, media pressures for information on the breach can take a retailer's attention off of actually finding out what happened. "It puts you in the position of wanting to be out front and making a statement and oftentimes you're not done with the forensic investigation," Hoffman stated.
Judging by what Target is going through, a retailer's network administrator might want to think twice before clicking on the "I accept the risk" button on the admin screen and opening up the locked gate to the sensitive and valuable data stored inside.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.