We are very early on in this breach from a publicity sense as this is breaking news. A big thank you to Brian Krebs for bringing this breach out into the sunlight. However, there are a couple of things that are known that are troubling.
The first troubling statement is Visa and MasterCard stating that,
“the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012.”
There are two ways you can interpret this statement: (1) they do not know when the breach actually occurred other than this date range, or (2) for 36 days the attackers were in Global Payments and Global Payments had no idea they had been breached.
Regardless of interpretation, the bottom line is that no one really knows the timeframe of the breach. That implies that Global Payments’ logging, monitoring and review processes were not performing to PCI DSS requirements. Had they been working per PCI DSS requirements, I could understand a couple of days of not knowing whether a breach had occurred while Global Payments researched the information.
However, if it is option (2), it really is sad when statistics get confirmed. This means that for 36 days, Global Payments was unaware that it had been breached. If you look at my post regarding the latest Verizon Data Breach Report, Verizon states that most breaches are not detected quickly, if at all.
My favorite quote thus far though is from Visa.
“Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.”
Hello! This was a processor that was breached, Visa. All of that security mumbo-jumbo you just pushed out there is meaningless once a transaction is at a processor. The processor has to be able to read the information; otherwise they would not be a processor. This quote is nothing but a whole lot of spin. It would have been better to have shut up than to have tried to put spin on this incident.
But the bigger issue that I think the card brands are just figuring out is that when you start shrinking the scope of where cardholder data (CHD) is stored in the systems, you just make those entities that do store CHD a bigger target. I wrote about this phenomenon twice when I discussed point-to-point encryption (P2PE) and what would happen once merchants stopped storing CHD. Where we are ultimately headed is with large merchants, service providers, processors, issuers, financial institutions and the card brands left with CHD. The bottom line is that these organizations that are left storing CHD will have to be on their security “A Game” 24/7/365 in order to avoid being breached. In addition, the PCI DSS will not be enough; they will have to be practicing security well above what the PCI DSS requires.
And finally, one piece of speculation. Avivah Litan of Gartner is reporting:
“One interesting twist again sheds light on the fact that knowledge based authentication should not be relied upon. I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently.”
I would love to meet the security “rocket scientist” that thought knowledge-based authentication (KBA) was a good idea, particularly for people with the keys to the kingdom. Want to bet they are a former employee of a KBA solution provider?
All of the recent high-profile hacks of public figure email accounts and smartphones were done through KBA using information from LinkedIn, Facebook and the like, and you thought it was robust enough for your administrator accounts? If this proves to be true, I guess we know the answer to that question and we will likely know one update to the PCI DSS.
It will be interesting to see how this breach unfolds in the coming weeks.
UPDATE: Monday, April 2, 2012
News outlets are reporting the fact that Visa has removed Global Payments from Visa’s Global Registry of Service Providers. This is standard operating procedure for Visa. However, some of the news outlets are writing their stories to make it appear that Visa has severed its relationship with Global Payments, and nothing could be further from the truth. Unless the forensic examination points to some glaring error such as what was found at Heartland years ago, Visa will only remove Global Payments from the registry.
Now that Global Payments is removed from the registry, they will have to go through the PCI DSS assessment process and re-file their compliance with Visa to be added back to the registry. It is likely that this will take a bit of time as it is my understanding that the forensic examination is not yet complete. Until that examination is complete, it will be difficult for Global Payments to address any shortcomings in their operations that they need to correct to be PCI compliant.
The forensic examination could come back with findings that Global Payments was PCI compliant at the time of the breach. I know a lot of you are questioning how that could be. Remember, the PCI DSS is only a baseline for security practices, not a “be-all and end-all” list of security practices. As a result, Global Payments could have been PCI compliant only to find that certain security measures needed to be at a level higher than what the PCI DSS requires. This is how changes to the PCI DSS occur. Attackers up their game and the PCI SSC institutes changes to the PCI DSS to address the attackers’ new tactics.
UPDATE: Friday, May 4, 2012
News outlets this week are reporting that the Global Payments breach may have started as early as June 2011. Originally the breach was reported to only be 30 days in duration. Since the breach was announced, the date the breach began has been slipping further and further back from January 2012, to December 2011 and now to June 2011. Given the history of this breach, it is likely to slip again. The only consistent news in all of this is that the number of breached accounts continues to be reported at under 1.5 million. However, I am concerned that if the date of the initial breach slips again, we may find that the number of accounts may also start to rise.
The other troubling thing, as the date of the breach continues to slide backwards, is the fact that this starts to imply that Global Payments was not as diligent in their monitoring as we thought. When the breach was initially announced, I took some flak over my implying that fact as there was only a 30 day window of breached data. However, now that we are hearing that the breach could have been going on for more than six months, I think it is safe to say that monitoring was likely not as good as it should have been. This would also seem to imply that the likelihood that Global Payments was PCI compliant is probably low.
UPDATE: Friday, May 18, 2012
Talk about a train wreck. Krebs On Security is reporting that the Global Payments breach started back in January 2011. Yes, you read that right, 2011, a full year earlier than thought. It gets better. Brian Krebs is stating that he has spoken to one of the persons involved in the breach and has some very interesting information about the breach posted as well. The tally now is that around 7M cards have been compromised. I have been at a client all week and they have a minimum of 100 pre-paid cards that have been affected and they suspect there will be more.