We are very early on in this breach from a publicity sense as this is breaking news. A big thank you to Brian Krebs for bringing this breach out into the sunlight. However, there are a couple of things that are known that are troubling.
The first troubling statement is Visa and MasterCard stating that,
“the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012.”
There are two ways you can interpret this statement: (1) they do not know when the breach actually occurred other than this date range, or (2) for 36 days the attackers were inside Global Payments and Global Payments had no idea it had been breached.
Regardless of interpretation, the bottom line is that no one really knows the timeframe of the breach. That implies that Global Payments’ logging, monitoring and review processes were not performing to PCI DSS requirements. Had they been working per PCI DSS requirements, I could understand a couple of days of not being able to know if you were breached as Global Payments would have been researching the information.
However, if it is option (2), it really is sad when statistics get confirmed. This means that for 36 days, Global Payments was unaware that it had been breached. If you look at my post regarding the latest Verizon Data Breach Report, Verizon states that most breaches are not detected quickly, if at all.
My favorite quote thus far though is from Visa.
“Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.”
Hello! This was a processor that was breached, Visa. All of that security mumbo-jumbo you just pushed out there is meaningless once a transaction is at a processor. The processor has to be able to read the information, otherwise it would not be a processor. This quote is nothing but a whole lot of spin. It would have been better to have said nothing than to have tried to put spin on this incident.
But the bigger issue that I think the card brands are just figuring out is that when you start shrinking the scope of where cardholder data (CHD) is stored in the systems, you just make those entities that do store CHD a bigger target. I wrote about this phenomenon twice when I discussed point-to-point encryption (P2PE) and what would happen once merchants stopped storing CHD. Where we are ultimately headed is with large merchants, service providers, processors, issuers, financial institutions and the card brands left with CHD. The bottom line is that these organizations that are left storing CHD will have to be on their security “A Game” 24/7/365 in order to avoid being breached. In addition, the PCI DSS will not be enough; they will have to be practicing security well above what the PCI DSS requires.
And finally, one piece of speculation. Avivah Litan of Gartner is reporting:
“One interesting twist again sheds light on the fact that knowledge based authentication should not be relied upon. I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently.”
I would love to meet the security “rocket scientist” who thought knowledge-based authentication (KBA) was a good idea, particularly for people with the keys to the kingdom. Want to bet they are a former employee of a KBA solution provider?
All of the recent high-profile hacks of public figures’ email accounts and smartphones were done through KBA, using information from LinkedIn, Facebook and the like, and you thought it was robust enough for your administrator accounts? If this proves to be true, I guess we know the answer to that question, and we will likely know one upcoming update to the PCI DSS.
It will be interesting to see how this breach unfolds in the coming weeks.
UPDATE: Monday, April 2, 2012
News outlets are reporting that Visa has removed Global Payments from Visa’s Global Registry of Service Providers. This is standard operating procedure for Visa; however, some of the news outlets are writing their stories to make it appear that Visa has severed its relationship with Global Payments, and nothing could be further from the truth. Unless the forensic examination points to some glaring error such as what was found at Heartland years ago, Visa will only remove Global Payments from the registry.
Now that Global Payments is removed from the registry, they will have to go through the PCI DSS assessment process and re-file their compliance with Visa to be added back to the registry. It is likely that this will take a bit of time as it is my understanding that the forensic examination is not yet complete. Until that examination is complete, it will be difficult for Global Payments to address any shortcomings in their operations that they need to correct to be PCI compliant.
The forensic examination could come back with findings that Global Payments was PCI compliant at the time of the breach. I know a lot of you are questioning how that could be. Remember, the PCI DSS is only a baseline for security practices, not a “be all to end all” list of security practices. As a result, Global Payments could have been PCI compliant only to find that certain security measures needed to be at a level higher than what the PCI DSS requires. This is how changes to the PCI DSS occur. Attackers up their game and the PCI SSC institutes changes to the PCI DSS to address those changes of the attackers.
UPDATE: Friday, May 4, 2012
News outlets this week are reporting that the Global Payments breach may have started as early as June 2011. Originally the breach was reported to only be 30 days in duration. Since the breach was announced, the date the breach began has been slipping further and further back from January 2012, to December 2011 and now to June 2011. Given the history of this breach, it is likely to slip again. The only consistent news in all of this is that the number of breached accounts continues to be reported at under 1.5 million. However, I am concerned that if the date of the initial breach slips again, we may find that the number of accounts may also start to rise.
The other troubling thing, as the date of the breach continues to slide backwards, is that this starts to imply that Global Payments was not as diligent in its monitoring as we thought. When the breach was initially announced, I took some flak for implying that, as there was only a 30-day window of breached data. However, now that we are hearing that the breach could have been going on for more than six months, I think it is safe to say that monitoring was likely not as good as it should have been. This would also seem to imply that the likelihood that Global Payments was PCI compliant is probably low.
UPDATE: Friday, May 18, 2012
Talk about a train wreck. Krebs On Security is reporting that the Global Payments breach started back in January 2011. Yes, you read that right, 2011, a full year earlier than thought. It gets better. Brian Krebs is stating that he has spoken to one of the persons involved in the breach and has some very interesting information about the breach posted as well. The tally now is around 7M cards compromised. I have been at a client all week and they have a minimum of 100 pre-paid cards that have been affected, and they suspect there will be more.

This is almost the same comment I made on a related post in storefrontbacktalk.com as it applies here as well…
In the past, Visa has stated, “No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach.” This quote can be taken two ways. Either PCI is perfect and all-encompassing and compliance guarantees you won’t be breached; or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way — and interpretations among QSAs vary so much — as to make it impossible for anyone to be 100% compliant 100% of the time. From the simple fact that Global was breached, PCI non-compliance was already a fait accompli. My hope is that someday the card brands, law enforcement, and the media will prosecute the hackers and thieves that are stealing the data as harshly as they prosecute the merchants, banks, and processors that are victims of a breach for non-compliance.
According to my friends in the forensic world, Visa’s statement that “No compromised entity to date has been found to be in compliance …” is rapidly coming to an end. While the majority of breaches are the result of PCI non-compliance, in the past year, I know of a few investigations that found that the entity in question was PCI compliant yet was still breached. Granted, the card brands are not happy with these results, but it does show that being PCI compliant is not the be all to end all. An organization really does have to go above and beyond the PCI DSS requirements to be secure and I am sure we will see that reflected in the PCI DSS v3.0.
You may be reading too much into the “… compromised between Jan. 21, 2012 and Feb. 25, 2012” statement. This is still very early in the public notification phase of the incident. It seems that there is no proper time to notify the public on breaches (or any other type of crime). If they wait until they have more information and evidence, they are criticized for not making notification earlier. If they notify too soon, there is too much speculation and rumor. No matter what, our industry will no doubt throw Global under the PCI bus.
Some things for all of us to remember:
- Compliance with the PCI DSS mitigates the threat of a data breach; it does not eliminate it.
- Breaches will continue as long as the track data is so valuable; we should learn from these events more than blame.
- The card brands continue to offer a very weak and susceptible payment product and continue to rely on the acceptors of the product to invest to make the weak product more secure.
I am the first to tell anyone that security is not perfect.
This was the breach of a processor, so we need to know more about where in the transaction process any track data was obtained. If it was during the authorization phase, then there was no violation of the PCI DSS as it was still pre-authorization data. I know a lot of people do not like that, but those are the current rules. If it was post-authorization, then processor or not, there should not have been track data anywhere available.
While the card is part of the problem, the card processing issue did not become a problem until things were converted over to IP as the communication protocol. Prior to that, everything ran on communication protocols that were not as susceptible to attacks. IP is a wonderful, open communication protocol stack, but it is its openness that trips up security. Security issues have been found with everything as they convert from Bisync, DECnet or SNA/SDLC to IP. Data streams that were never worried about under their ‘proprietary’ protocols were now susceptible to all sorts of issues because IP is open and everyone can gain access unless controls are put in place.
At the end of the day, it is the card brands who push the infallibility of the PCI standards that cause companies to be tossed under the bus. The card brands refuse to admit that security is not perfect.
It is interesting that you mention the post-authorization aspect of the PCI DSS. A few weeks ago, as I was preparing for a training presentation, I researched this by reviewing version 1.2 and version 2 of the PCI DSS. There is clearly a requirement about the prohibition of storage of track and other security data after authorization. However, it is not clear how the DSS applies to the authorization process. There is a statement that the CDE does include the authorization process and the PA-DSS applies to the authorization and settlement process, but there are no clear statements on the security of cardholder data during the authorization. Could it be that this is purposely vague? Obviously there have been data breaches where the authorization transactions were sniffed and recorded, going all the way back to the Card Systems breach.
Pre- and post-authorization are very clearly defined; unfortunately, people forget to review all of the documents related to the PCI DSS, such as the Glossary and the like.
However, in QSA and, I would assume, ISA training, until a transaction has been approved or declined we are in the pre-authorization phase and all cardholder data is allowed to be processed, stored and transmitted. Once the transaction has been approved or declined, we are in the post-authorization phase and the cardholder data that can be processed, stored or transmitted is restricted to only the cardholder name, PAN and expiration date.
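The pre-/post-authorization rule in the reply above, turned into a retention check as an added example (this is not code from the original post; the record layout, field names, track-data patterns and sample records are constructed assumptions, not a real processor schema):

```python
import re

# Sensitive authentication data (SAD): forbidden in storage once a
# transaction has been approved or declined.
SAD_FIELDS = {"track1", "track2", "cvv2", "pin_block"}
# The only cardholder data the reply above allows post-authorization.
ALLOWED_POST_AUTH = {"cardholder_name", "pan", "expiry"}

# Track 1 looks like %B<PAN>^<NAME>^<YYMM...>, Track 2 like ;<PAN>=<YYMM...>.
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")


def find_violations(record, authorized):
    """Return the set of retention violations in one stored record.

    record: dict of field name -> value (constructed layout, assumption).
    authorized: False while the transaction is still pending (pre-auth,
                where SAD may be held); True once approved or declined.
    """
    if not authorized:
        return set()          # pre-authorization: nothing is prohibited yet
    violations = set()
    for field, value in record.items():
        text = str(value or "")
        if field in SAD_FIELDS and text:
            violations.add(field)
        elif field not in ALLOWED_POST_AUTH:
            # Free-text or mislabelled fields can hide a full track dump,
            # so inspect the value itself rather than trusting the label.
            if TRACK1_RE.search(text) or TRACK2_RE.search(text):
                violations.add(field + ":track_data")
    return violations


# Constructed sample records (test PAN, fake track data).
PENDING = {
    "pan": "4111111111111111", "expiry": "2512", "cardholder_name": "DOE/JOHN",
    "track2": ";4111111111111111=2512101123456789?", "cvv2": "123",
    "status": "pending",
}
SETTLED = {
    "pan": "4111111111111111", "expiry": "2512", "cardholder_name": "DOE/JOHN",
    "status": "approved",
    "notes": "terminal dump: ;4111111111111111=2512101123456789?",
}

if __name__ == "__main__":
    print(find_violations(PENDING, authorized=False))  # no violations
    print(find_violations(PENDING, authorized=True))   # track2 and cvv2
    print(find_violations(SETTLED, authorized=True))   # notes:track_data
```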