Archive for the ‘Credit Card Fraud’ Category

Filed Under (Credit Card Fraud) by Michael Dahn on June-29-2008

We have blogged before about attacks on PIN terminals, but here’s another blog post and interesting video on that theft in action.  It seems The Real Hustle has a number of YouTube videos on a variety of scams ranging from technical to strictly social engineering.



Filed Under (Credit Card Fraud) by Michael Dahn on June-29-2008

These days I have been thinking about and researching the great question of “Where does all the data go?”  We read about data compromises in the news and hear about large fines and penalties geared towards corporate America (or “end users” as @cmlh likes to call them.)  But what happens to that data after it’s stolen, lost, or ‘exposed’?  What happens in the hacker underground and how is it frighteningly similar to the US housing market crash?  Why do hackers wait before selling off their stolen data?  Why does this give us time to prepare?  And what is the ROI of reporting data compromises?  I’ll be creating several blog posts and podcasts on this very topic.

The carder underground is not too dissimilar to the e-commerce marketplaces we use such as eBay.  You see, once a hacker can compromise credit card data (we’ll get to how very shortly), they want to monetize this data.  But who would trust someone who is selling illegal information in a digital format?  If they are a thief then what keeps them from selling the same data to multiple people and making even more money?  Well, how do you know who to buy from on eBay?  Reputation!  That’s right, carders would give each other feedback online to build their reputation.  This enabled people to know who the reputable hackers were and which were not (if that’s even possible to say.)

Historically carders would sell their wares brazenly via online websites such as Boa Factory, CardersMarket, and ShadowCrew. These A-list credit card trading centers gave rise to hundreds of smaller sites such as TheftServices, CCPowerForums, ScandinavianCarding, DarkMarket, DarkPay, and The Grifters.

Boa Factory was run by Roman Vega, a Ukrainian national, presently in jail in California.  He was king of the underground, making large amounts of money selling passports, travelers checks, plastic cards, and “dumps” (what hackers call Track or Magnetic Stripe Data).  Roman operated unlike all others in that he subcontracted work to lawyers, botnet owners, hackers, traffickers, and carders.

Shadowcrew was a similar operation but operated as a message board for hackers to trade and exchange illegal credit card information such as “dumps”, CVV2 numbers, social security numbers (SSN), and much more.  A hacker with the handle of Iceman ran the bulletin board and policed the illegal activities.  Another member of that board David Thomas (aka. ElMariachi) disliked the operation and broke off forming another site called The Grifters.  Iceman and ElMariachi disliked each other in ways never imagined.  (You can read their banter back and forth in the comments section here.  You can read even more about this via a compilation of news articles from CanWest News Service.)

Once law enforcement took down one message board another would pop up, and the carders and buyers would migrate their operations.  CardersMarket was the largest of the last online carder forums.  It was run by, you guessed it, Iceman.  When the police took down CardersMarket they arrested Iceman (aka Max Ray Butler, Max Vision, Digits, Aphex.)

Law Enforcement (LE) quickly caught on and started shutting down each of these online sites.  They defaced sites such as ShadowCrew telling the hackers they had taken over the website and would not permit this fraud.  Sadly, not all hackers are very smart and some thought it was just a joke.  They kept emailing the Secret Service asking for the stolen cards they ordered.  Instead of credit cards they received jail time.

These days the online message boards have all but disappeared, with the carders moving to older technology as their last resistance against law enforcement.  Carders exist in a low-tech world without borders.  They exchange credit card data on IRC (Internet Relay Channel) bulletin boards that have a tiered structure based on your level of access.

Now that we have identified the ‘carders’ of the underground, the next article in this series will focus on the actual flow of credit card data - from the POS to the point of monetization.  We will also explore how this channel is similar to the current housing market and why prices are so low.  Stay tuned.



Filed Under (Credit Card Fraud, PCI DSS) by Michael Dahn on June-14-2008

Bryan Sartin invited me to a Webinar last week that summarized the Verizon/Cybertrust data breach analysis. Kokie Tjan informed me there is a PDF summary available online of the Verizon Business Data Breach Investigations Report.

This is the 10,000 foot view of a horizontal industry (payment systems).  Don’t forget to focus on how data breaches and risk applies to your specific vertical industry (i.e. higher ed, hospitality, travel and entertainment).

Sometimes those risks that affect the wider industry apply directly to you, and sometimes you have very specific vertical industry threats.  As you may recall, one of my mantras is “attack vector based risk management”.  In order to understand your risk you must understand the threats and the ways an attacker values your data and systems.

It’s not always just the type and volume of data you store.  It’s also understanding how attackers view your exposed systems and what they think is easiest to attack and monetize.  Just like sailing a boat is not only about your skills as a mariner, you are also affected by the wind and water around you.



Filed Under (Credit Card Fraud, PCI DSS) by Michael Dahn on June-11-2008

David Gamey pointed me to the Register article on yet another scam fraudsters are using to defeat credit card fraud checks.  We have discussed this topic before with pay-at-the-pump, but this new attack really goes to the heart of a fraud check that is called the Address Verification System or AVS.

Because AVS does not check all values in the address (typically just the house number and the postal code), it is possible that an attacker could use an alternate address that yields the same numbers (i.e. same house number but a different street).

However fraudsters have begun exploiting the fact that many addresses can have the same AVS code. By making sure billing addresses and delivery addresses used in scams have the same code they make it more likely that purchases will go through.

This is, at best, a weak attack because it cannot be monetized quickly over a large number of card numbers.  In order to perpetrate the attack the attacker would need to have your name, address, and credit card number.  This information is usually obtained from e-commerce compromises, though it could originate from other sources.  The attacker would then need to find a drop site that has the same information that is checked in your address (i.e. same house number but different street).  This could work for one account number.  If they want to replicate it they need to find a new drop site, which is rather difficult and time consuming.

Also, let’s not forget that AVS is not used globally.  For example it is used in the UK, USA and some other regions, but not in continental Europe and most of the Asia-Pacific region.  This diminishes the potential for attack.  Also, different Issuers may check different information via AVS, which means you would need to know what information each Issuer checks, happen upon a card number from that Issuer, and have that card associated with an address similar to a fraudulent drop site you already have.  These stars do not align quite as often as one might think.
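To make the AVS weakness concrete, here is an added example (not code from the original post, and not any issuer's real AVS implementation) that simulates an issuer comparing only the numeric street portion and the postal code, and then shows the kind of compensating control a merchant can apply. The addresses, ZIPs and the `merchant_decision` rule are constructed for illustration; the single-letter result codes Y/A/Z/N are the common AVS responses. Because a merchant never sees the issuer's address on file, the realistic merchant-side control is to require a full match and to route orders whose ship-to differs from the bill-to for review, which is exactly the pattern the article describes.

```python
import re

# Constructed sample data: the billing address the issuer holds for a card.
# Street and ZIP are made up for this example.
ISSUER_ADDRESS_ON_FILE = {"street": "742 Evergreen Terrace", "postal_code": "90210"}


def digits(s):
    """Keep only the digit characters (AVS compares numerics, not street names)."""
    return re.sub(r"\D", "", s)


def avs_response(on_file, presented):
    """Simulated issuer AVS check.

    Compares the digits of the street line and the first five digits of the
    postal code. Returns the usual single-letter AVS result:
      Y = street digits and postal code match
      A = street digits match, postal code does not
      Z = postal code matches, street digits do not
      N = neither matches
    """
    street_ok = digits(on_file["street"]) == digits(presented["street"])
    zip_ok = digits(on_file["postal_code"])[:5] == digits(presented["postal_code"])[:5]
    if street_ok and zip_ok:
        return "Y"
    if street_ok:
        return "A"
    if zip_ok:
        return "Z"
    return "N"


def normalize_address(addr):
    """Lower-case, strip punctuation and whitespace so equal addresses compare equal."""
    return re.sub(r"[^a-z0-9]", "", (addr["street"] + addr["postal_code"]).lower())


def merchant_decision(avs_code, billing, shipping):
    """Hypothetical merchant rule that does not treat an AVS 'Y' as proof of identity.

    - anything short of a full match is declined
    - a full match whose delivery address differs from the billing address is
      sent to manual review instead of being auto-approved
    """
    if avs_code != "Y":
        return "decline"
    if normalize_address(billing) != normalize_address(shipping):
        return "review"
    return "approve"


def demo():
    """Show that two different streets with the same house number both get 'Y'."""
    same_numbers = {"street": "742 Oak Avenue", "postal_code": "90210"}
    wrong_number = {"street": "743 Evergreen Terrace", "postal_code": "90210"}
    code_lookalike = avs_response(ISSUER_ADDRESS_ON_FILE, same_numbers)
    code_wrong = avs_response(ISSUER_ADDRESS_ON_FILE, wrong_number)
    # A drop site with matching numerics still passes AVS, so the merchant
    # rule routes the mismatched ship-to for review rather than approving.
    decision = merchant_decision(code_lookalike, ISSUER_ADDRESS_ON_FILE, same_numbers)
    return code_lookalike, code_wrong, decision


if __name__ == "__main__":
    print(demo())  # → ('Y', 'Z', 'review')
```

The takeaway for a merchant is in `merchant_decision`: AVS is a useful signal, but a lone `Y` is not an identity check, and an order where the delivery address is not the billing address deserves a second look regardless of the AVS result.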



Filed Under (Credit Card Fraud) by Michael Dahn on March-28-2008

It seems the FTC ruled on the TJX breach similarly to how it did for ChoicePoint.  The full press release and WSJ article.  From the WSJ article:

TJX Cos. (TJX) was one of three firms that agreed to settle charges that each “failed to provide reasonable and appropriate security for sensitive consumer information,” federal regulators said Thursday in two unrelated data-breach decisions.



Filed Under (Chip PIN, Credit Card Fraud) by Michael Dahn on February-28-2008

There’s a blog post online about some computer security researchers who have found a way to compromise Chip-and-PIN terminal devices.  You can check out the BBC NightNews show here.

Ok, yes, this is an attack against the system, but do you realize that it requires physical access to the systems?  I’d be very happy if this were the only way to compromise payment systems, because it would mean all the other security holes in the software, remote administration, encryption, etc. had been addressed.

I think we will see more and more hackers driven to the physical side of data compromise as the current low hanging fruit dries up.

Here’s another example of how a hacker put a video camera outside a Chip-and-PIN machine.  Low tech sometimes still works.

Update: Cory Doctorow of BoingBoing also covered this topic.



Filed Under (Banking, Card Associations, Credit Card Fraud, Merchant) by Michael Dahn on December-3-2007

Many of you have already heard about the TJX settlement with the Issuing Banks (not Visa).  Although the case may involve Visa, it is only as an intermediary.  It is the Issuing banks that had to cover the fraudulent charges that are being reimbursed.

The discount clothing retailer will pay up to $40.9 million in pre-tax recovery payments to eligible U.S. Visa issuers who issued payment card accounts identified to Visa by Fifth Third or TJX. At least 80 percent of the issuers must accept by Dec. 19 for the settlement to finalize.

I like what Walt says here: “This settlement sort of puts the $880K fine in perspective.”  It does put the card brand fines in perspective.  I have been saying for a while now that for large companies it is not the card brand fines that are the largest cost; instead it is the following:

  • Issuer reimbursement (see above)
  • Cost of obtaining compliance fast
  • Forensic, remediation, etc.



Filed Under (Credit Card Fraud, Merchant, Payment Applications, Point of Sale, pa-dss) by Michael Dahn on November-24-2007

So you might have read the recent Visa (USA) timeline for migrating to more secure point-of-sale (POS) technology. Or maybe you are looking at your aging systems and wanting to take the plunge and upgrade to a sexier, and more secure, system.

Here are a few things to consider before taking out the check book and laying new infrastructure.

  1. Ask your acquiring bank if your prospective POS is a known vulnerable payment application. As the deadlines loom for payment application security some vendors may be looking to exploit a loophole in the system. You may notice that in 2008 companies cannot board new merchants using known vulnerable payment applications, so some of them may try to offload that technology before the end of 2007. The kicker being that in 2009 those companies may have to upgrade again to remove those known vulnerable systems. (More importantly, you may be installing a system known to make your environment non-PCI compliant.)
  2. Confirm that your prospective POS vendor and version number is listed as a validated payment application. Visa publicizes a list of validated payment applications. If the integrated POS (IPOS) is not on that list — caveat emptor — regardless of what the vendor may tell you to the contrary. (This process is to be taken over by the PCI SSC in the coming years [PDF].)
  3. Ask your payment application vendor or reseller for the Implementation Guide (or Implementation Documentation).  So you purchased and installed a validated payment application — you may be safe and you may not.  Each validated payment application comes with an instruction manual for configuring that app in a secure manner.  Without this Rosetta stone you may be living in a false sense of security.  It is a requirement that vendors and resellers provide this to you and educate you about it, but sometimes these things are overlooked.  Make sure you read and understand this document.
  4. Encrypt data from the POS to the back-end systems.  Even though the payment application may be securing the data on the system itself, many are still transmitting the track data across the network to the back-end systems for authorization.  It is not a PCI requirement to encrypt this data, but recent compromises have shown that hackers are using technologies such as MPACK to sniff track data from the POS to the back-end systems.  Choosing a POS that has the ability to encrypt this data puts you one step ahead of the hacker.
  5. Keep your POS network (and retail systems) segmented from the rest of the network (and from the Internet).  Network segmentation sounds like a monolithic task for some companies, but I’m only going to discuss two types here: segmenting one store from another, and within each store the cardholder data from all other systems.  It is well known that if you have stores directly connected to the Internet instead of a totally private network then you are a higher risk for compromise.  Also, if an attacker can compromise the wireless in-store network you want to make sure they cannot use that vulnerability to compromise cardholder data or any other retail store.
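Point 4 above only matters if you know whether your POS actually sends track data in the clear. Here is an added example (not code from the original post, and not an MPack or any vendor's tool) of the kind of check a merchant or assessor would run over captured POS-to-back-end traffic to confirm that encryption is in place: it looks for the Track 1 and Track 2 magnetic-stripe formats in raw payload bytes and uses the Luhn check on the PAN to suppress false positives. The payloads are constructed, use the well-known 4111... test card number rather than a real account, and the `scan_capture` and `capture_is_clean` function names are assumptions for this example.

```python
import re

# Constructed sample payloads, as one might see in a capture between a POS and
# the authorization host. The PAN is a test-range number, not a real card.
CAPTURED_PAYLOADS = [
    b"AUTH ;4111111111111111=2512101000012345678? AMT=1999",      # plaintext Track 2
    b"AUTH %B4111111111111111^DOE/JANE^2512101123400000? AMT=2499", # plaintext Track 1
    b"AUTH TOKEN=9f2c4a81b0e3 AMT=1299",                            # tokenized: clean
    b"LOG ;4111111111111112=2512101? seq=77",                       # fails Luhn: ignore
]

# Track 2: ';' PAN(13-19) '=' YYMM(4) service code(3) discretionary '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Track 1: '%B' PAN '^' name '^' YYMM service code discretionary '?'
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan):
    """Luhn mod-10 check; a random digit run usually fails, a real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_track_data(payload):
    """Return (kind, masked_pan) tuples for every Luhn-valid track record found."""
    findings = []
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(payload):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                findings.append((kind, mask_pan(pan)))
    return findings


def scan_capture(payloads):
    """Scan a list of captured payloads; return (payload_index, kind, masked_pan)."""
    results = []
    for idx, payload in enumerate(payloads):
        for kind, masked in find_plaintext_track_data(payload):
            results.append((idx, kind, masked))
    return results


def capture_is_clean(payloads):
    """True when no plaintext track data was found, i.e. encryption is doing its job."""
    return not scan_capture(payloads)


if __name__ == "__main__":
    for hit in scan_capture(CAPTURED_PAYLOADS):
        print("plaintext track data in payload %d: %s %s" % hit)
    print("capture clean:", capture_is_clean(CAPTURED_PAYLOADS))
```

Run it against a capture taken on the store LAN segment between the POS and the back-end; if `capture_is_clean` is false, the link is carrying track data in the clear and the encryption in point 4 (or the segmentation in point 5) is not in place. Only masked PANs are ever printed, so the scanner itself does not become another place cardholder data is stored.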

Knowing how the attacker thinks will help in defending against their most common attacks.  There is no way to have zero risk but we can limit it enough to have the hacker go elsewhere.

Know their weak points in the same way they know yours.



Filed Under (Credit Card Fraud, Wireless) by Michael Dahn on November-18-2007

The Associated Press covered the AirDefense study showing that many retailers are susceptible to data compromise.  I have been saying this for many years now: the greatest risks to retail merchants are insecure POS systems, remote management, and insecure wireless networks.

It seems that there is also a new threat in town, MPack (wiki).  This is custom commercial malware with anti-virus-like updates.  Read an interview with the developer and coverage by The Register.



Filed Under (Credit Card Fraud, Merchant) by Michael Dahn on October-25-2007

I received several calls yesterday from media outlets looking for more information on the story, but I am unable to discuss this point directly. The Boston Globe is running with a story about the updated TJX timeline and the events running up to the latest court filing.

Oct 23: Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million.

Earlier this month TJX settled a consumer lawsuit and now this.  This underscores the continuous and long term potential consequences of not adhering to the PCI DSS standard.
