Hackers open new front in payment card data thefts

Computerworld - Security managers often describe their efforts to protect corporate data from being compromised as a full-fledged battle of wits against cybercrooks who are continually arming themselves with innovative tools and methods of attack.

And the security breaches disclosed last month by Hannaford Bros. Co. and Okemo Mountain Resort — along with unconfirmed reports of dozens of similar network intrusions — suggest that a new front may have opened up in the battle.

Furthermore, the recent incidents have prompted some to question whether the payment card industry's highly publicized data security standards are fully equipping companies to fend off attackers.

What's noteworthy about the Hannaford and Okemo breaches is that they both involved the theft of data in transit — credit and debit card information that was being transmitted from point-of-sale systems to payment processors in order to authorize transactions.

In Hannaford's case, the Scarborough, Maine-based supermarket chain has said that malware planted on the servers at about 300 grocery stores in the Northeast and Florida intercepted up to 4.2 million credit and debit card numbers and periodically sent the data in batches to a system overseas.

Just two weeks after Hannaford disclosed its breach, Okemo reported that data from more than 46,000 payment card transactions may have been compromised during a 16-day system intrusion in February.

Some of the data that was stolen was from transactions that occurred two years ago. But data from purchases made by customers while the intrusion was taking place appears to have been stolen in real time during the authorization and card-verification process, according to a spokeswoman for the Ludlow, Vt., ski area.

"The information was being taken as the cards were being swiped," she said, adding that law enforcement officials have told Okemo's management that they are investigating about 50 such incidents in the Northeast alone.

If that is indeed the case, it indicates that malicious hackers are starting to focus on stealing card data while it's on the move, instead of trying to take information that's stored on systems.

Ironically, the push by attackers to get at data in transit is likely a direct response to retailers' efforts to implement the security controls mandated by the Payment Card Industry Data Security Standard, or PCI for short, said Gartner Inc. analyst Avivah Litan.

The PCI standard, which was created by the major credit card companies, prohibits retailers and other merchants from storing payment card data on their systems in most cases, and it requires them to encrypt the data that they are allowed to store. Litan said that as more companies comply with the standard, credit card thieves are being forced to turn their attention away from the databases that they previously had targeted.

And the apparent success of the intruders who broke into the systems at Hannaford and Okemo is bound to embolden other attackers to try the same kind of strategies, Litan warned.

PCI Weaknesses?

The Hannaford breach, at least, points to possible holes in the PCI defense wall. The grocer has said that it was breached even though it had been certified as being compliant with the security standard last year and then again on Feb. 27. That was the day Hannaford was first made aware of suspicious activity involving the credit cards of its customers.

Bob Russo, general manager of the PCI Security Standards Council, said last week that there isn't enough information available about the Hannaford and Okemo breaches to know for sure whether the PCI rules need to be tweaked. Russo vowed that if additional controls are necessary, changes will be made promptly by the council, an independent group that the credit card companies set up in 2006 to manage the standard.

Under existing rules, a company doesn't need to encrypt payment data while it's in transit within its own internal network. But Russo contended that if a company implemented all of the existing PCI controls, it wouldn't be possible for attackers to get at the information while it's being transmitted internally.

"Just because [Hannaford] raised their hand and said they were compliant doesn't necessarily mean they were compliant," Russo said. He added that all of the known data breaches involving companies covered by the PCI rules have happened because the merchants failed to fully comply with the security requirements.