As a piece of coursework, I had to write a summation and review of the aforementioned data breach, and the response taken to it. Below is my article.
In the case of the Heartland’s data breach, it was found that an SQL injection was the method of attack used. A web form containing code written eight years ago was attacked, and facilitated access to Heartland’s corporate network. Despite this vulnerability having existed for several years, it was not discovered during internal or external audits of Heartland’s systems. The initial compromise happened in late 2007 and the attacker spent nearly six months manoeuvring the system, making considerable effort to hide their actions and bypassing a variety of anti-virus solutions in place on Heartland’s systems. Once the attacker gained access to the corporate network, they installed sniffer software able to capture various pieces of payment information (card numbers, expiry dates, and names) as they were in transit around the network. Heartland stated after the event that no merchant data, social security numbers, personal identification numbers (PINs), addresses or phone numbers were lost in the breach. It was also stressed that various other aspects of Heartland’s services (such as their payroll system) were not affected.
Another breach that involved targeting data in transit was experienced by Hannaford Brothers in early 2008. In Heartland CEO Carr’s opinion, details of this breach should have been shared in the weeks following the attack, allowing other companies to protect themselves from similar attacks. He also states that the technique of targeting data in transit, while uncommon, is thought to have occurred elsewhere prior to the attacks on Heartland and Hannaford Brothers. A disincentive to share security information is that it can be seen as non-competitive; if your competitors are suffering breaches while your company remains safe, perhaps customers will be more likely to favour you. Carr argues that security should not be seen as a competitive advantage, instead being seen as an important contribution to securing customer data, increasing the network value for all participants. It seems that the entire trade could be distrusted after a breach, and so it could be beneficial to all organisations to share security best practice techniques.
To help to facilitate better security across the industry, a Payment Cards Industry (PCI) Security Standards Council (SSC) was created in 2006 by five leading card networks. This council developed a set of PCI Data Security Standards (DSS) that were required of any company wishing to participate in card payment systems. To help to ensure compliance, 100 companies were appointed as qualified security assessors (QSAs) to audit companies for compliance. Interestingly, Carr notes that Heartland was certified as being PCI DSS compliant at the time of the breach (prior audits had not turned up the SQL vulnerability). Carr highlights the fact that the security measures put in place by PCI act as a baseline level of security and that many companies (including Heartland) go beyond what is required of them under PCI. Heartland already had several members of IT staff in place that were dedicated to information security, as well as a senior executive dedicated to information security strategy. Carr states that this highlights the need for better security measures for data in transit for all participants in the payments system, including merchants. In his own attempt to address these issues, Carr initiated two new strategic objectives in to Heartland: to lead the way in the creation of an information collaboration and sharing capability for across the domain, and to provide leadership in advancing technical solutions to secure data (especially for data in transit).
Senior payments advisor for Heartland, Burns, led a discussion on these efforts. Burns highlighted that the merchant side of the payment network faces much greater coordination issues than the issuing side. In the US there are over 7 million card accepting merchants, and only about 6,000 credit-card issuing institutions. Burns suggests that an already existing infrastructure (managed by the Financial Services Information Sharing and Analysis Center (FS-ISAC)) could be leveraged for better data-sharing. The FS-ISAC infrastructure is designed to share information about security threats to a wide membership base, consisting not only of banks but various financial services providers. Public-private partnerships are relied on to gather such data, and results are shared with other domains such as law enforcement or government agencies. In collaboration with the FS-ISAC system, Heartland assisted in the creation of the Payments Processing Information Sharing Council (PPISC). At this early stage in PPISC’s existence, Burns notes that currently membership is limited to bank-owned and third-party payment processors serving the merchant community. Members also have to sign a non-disclosure agreement. The response from industry has been generally quite supportive, with 85% of companies processing merchant transactions have joined. A steering committee for the PPISC was also formed, chaired by Carr. Ultimately, Burns has emphasised that the key objective of PPISC is to enable member firms to quickly identify and respond to threats.
Carr raised another issue with the current methodologies for information sharing. When a qualified incident response assessor (QIRA) was contracted after the breach, it took six weeks to identify the cause of the breach. Potentially this issue could have been helped via better information sharing amongst companies performing DSS auditing. Carr expresses a worry that clients may not want to share information with QSAs and QIRAs due to privacy concerns, and so emphasises the need for information sources to be kept anonymous and for sharing to focus narrowly on the method of attack. Carr highlights a need for auditors to be able to take a holistic view of a system despite privacy fears. In the Heartland breach, the attacker was able to gain access on a particular system via another, which it should be possible for QSAs to identify the risk of. The risk of insider threat also needs to be considered, be it via employees acting maliciously or by simply not following security procedures correctly.
As previously stated, Carr wanted to try and pave the way for improved technical solutions for security. Three of the technologies investigated were end-to-end (e2e) encryption (encrypting data in transit), tokenization (replacing card numbers with randomly generated tokens), and chip technology (embedding microchips in cards). It was identified by Heartland’s security team that e2e encryption was the most promising of these technologies, in part because it does not require the entire industry to make a simultaneous change. This will help to secure data in transit, while giving the merchant processor a lot of direct influence. In the system designed by Heartland, encryption begins as the card is swiped at the point of sale (PoS) and the card’s digits are read. Others believe that encryption should begin on the card itself. It is however concurred that all three of these suggested methods are constantly changing (and should likely be used in collaboration rather than individually), making it harder to estimate the cost of implementation. By making use of third party suppliers of e2e encryption, Carr believes that Heartland has created better links between itself and the security industry, which could be beneficial in the long term.
Carr describes five steps in the payment processing chain, taking data from the merchant to the card network. Traditionally, data would need to be decrypted and re-encrypted for each step. However, using e2e encryption, data will only need to be decrypted/re-encrypted for the final transfer from the payment processor to the card network. Carr has received positive feedback from card providers on these efforts. In Carr’s mind, there are three main barriers to the uptake of such a system: cost & design of terminal hardware, operational burden (such as key injection), and compatibility with legacy systems. Heartland attempted to address these concerns. Firstly, they partnered with a PoS terminal design company to create tamper-proof terminals which incorporate extra security measures. However, these terminals would be expensive for merchants. Carr noted that merchants tend to weigh the cost of PCI DSS compliance against the cost of relaxation of their compliance altogether. Heartland found that the cost of PCI DSS compliance for merchants can stretch in to the $millions. Carr states that by implementing the e2e encryption system as suggested money can be saved in other compliance areas, making the terminals money-savers. It is also beneficial for merchants to implement such systems, as suffering a breach can cause a loss of confidence from customers, leading to lessened profits. An alternative method to key-injection for encryption has also been found, to remove the need for merchants to swap out terminals as security keys expire. This system has also been designed in such a way as to be compatible with legacy systems.
I believe that the work set out in the paper is an excellent starting point. The experience of Heartland has highlighted the need for proper information security within organisations (to date they have spent more than $32million on legal fees as a result of the breach), and how information sharing can help to save others from such fates. It is good that Carr’s measures seem to have been generally well received by industry, but it would be ideal if a new system could be designed and employed by the field as a whole. It seems that this may well be impossible however due to the level of coordination required to do so. Carr and Burns do not address this issue directly within the report, but this may be because it would be largely impossible for them to induce such a change. Even though the work contained in this paper is not enough to bring about a massive culture change in the finance industry, it is sufficient to act as a wake-up call. Companies are now more aware of the need to go beyond minimal security requirements, and hopefully will be more likely to protect themselves from threats, if not for the sake of customer security then for the sake of not being sued. The reasoning for making this change does not matter, only that it happens.