Over the past week there has been much discussion of the recent Heartland Payment Systems security breach that exposed millions of credit cards to theft, as noted here: USA Today Heartland Breach. As the story has developed, the brokenness of the current PCI/DSS standards becomes more and more apparent. What concerned me most about this incident is the industry’s response to the situation. They seem to either miss the point or simply not care. The article I found most disturbing is from StorefrontBacktalk. I will quote a few pieces that perhaps someone more familiar with payment card processing can explain to me:
StorefrontBacktalk: ‘Heartland officials said it won’t be known for certain who was behind this attack until all the investigations are complete. However, preliminary indications are pushing them to suspect a fully external attack, with no indications at this time of any help from any Heartland employee or contractor. “The existence of a key logger, that could certainly have been by an outsider,” Baldwin said.’
Why are payment card systems externally accessible at all? This seems to be a fundamental flaw of the whole system. Given that Visa, Mastercard and others require private networks for the transmission of transactions and approvals, why on earth would these have even the most tenuous connection to the Internet? I work for an anti-virus vendor, and we take extreme measures to guarantee the air gaps between our research networks and anything else that could remotely come into contact with a customer or the Internet. This is even more difficult for us, as it requires the complexity of emulating the entire Internet in order to research the behaviour of these worms, trojans, bots, etc. It just seems natural that payment card processing would be air-gapped in every possible way from the Internet, especially at any point where transactions are in a decrypted state.
StorefrontBacktalk: ‘End-to-end encryption is far from a new approach. But the flaw in today’s payment networks is that the card brands insist on dealing with card data in an unencrypted state, forcing transmission to be done over secure connections rather than the lower-cost Internet. This approach avoids forcing the card brands to have to decrypt the data when it arrives.’
What exactly is a secure connection? One in which a server on either end can be compromised, invalidating any supposed security this connection may possess? I don’t really understand how you can consider a connection secure when the endpoints themselves aren’t secured. This idea of security provides about the same level of protection as a warm fleece blanket… It feels nice, but swords pierce it as easily as if it were not there. When people use SSL they get this warm fuzzy feeling as well… The connection is secure! It’s safe to type all my personal details, PINs, account numbers, etc. All of that is for naught if your endpoint isn’t protected, or if you are silly enough to perform these transactions at your local library.
StorefrontBacktalk: ‘CFO Baldwin was asked whether a more airtight resolution would be preferable. “The more players you have to get to change their behavior, you grow the challenge to get any change implemented exponentially,” he said, adding that “the actual amount of losses due to fraud is at a very, very low level,” which forces “an appropriate cost-benefit analysis. For the system as a whole, it just may not be worth it (to try and do a complete overhaul). We’re reducing that window rather dramatically, working with a limited number of players.”’
So what he is really saying is that this is about the cost to the industry, and that our time, emotional distress and fear don’t play into their calculations. Fraud is at a very, very low level…? According to combat-identity-theft.com, more than 10 million Americans experience this side effect of data leakage, and it costs tens of billions of dollars. One estimate puts US credit card fraud as affecting 1 in 20 cardholders… or 15 million people. Just a small problem, no worries. I hope the average 350 days you spend trying to fix your credit record after identity theft/fraud is time well spent, but it didn’t cost them a dime.
Shame on you. It’s time to start carrying a secure money clip with the currency of choice contained within and tell the industry how we feel.