Shostack + Friends Blog Archive


The wall starts to crack

Merchants and credit card processors are not allowed to store a host of sensitive data, according to Visa and MasterCard.
That includes personal identification numbers, or PINs, used to withdraw cash, the three-digit code on the signature panel, and data on the magnetic stripe on the back of credit cards.
A Visa spokeswoman would not comment on recent data breaches because of continuing investigations, but she pointed to inappropriate data storage as a cause of criminal activity.
“I can tell you generally that one of the biggest causes of criminal activity is from the inappropriate storage of this card information,” said Rosetta Jones, a Visa spokeswoman.

In other words, she wouldn’t say it happened this time, but generally when this kind of problem is observed, it’s happened.

I wonder how much of a public relations hit Citibank needs to take before they say whether OfficeMax was involved in this, or pressure Visa to be more forthcoming?
A few weeks ago, I was chastised for asking:

How would a retailer lose so much info, especially since reports in December were that the detected frauds likely were from customers who bought gasoline at Sam’s Club?
Sam’s Club said this in a press release on 12/2/2005:
SAM’S CLUB stressed that the electronic systems and databases used inside its stores and for are not involved.
So, databases “inside its stores” and the web site didn’t get penetrated. That leaves, uh, POS devices, and… dare I say it… wireless?

A couple of things to note. First, Wal-Mart has decided to be more specific, and says that the fraud activity linked to Sam’s Club months ago didn’t involve PINs, and was limited to their gas stations.

If any compromise occurred, it appears to be limited to the Sam’s Club fuel station point of sale system.
I wonder if those gas station systems use RFID? You know, the kind that Avi Rubin and associates at successfully attacked?
I have no idea, but if they did, it would be possible to clone the RFID modules, as Rubin et al. proved. Another theory, advanced by Avivah Litan, is that more conventional physical skimmers were used.
If this is the extent of Sam’s Club’s problem, though, I don’t think the current rash of fraud can be attributed to the breach they suffered. So, I’m going to back off on Wal-Mart, but stand by the POS theory I advanced.
If Sam’s Club cards were skimmed, or RFID fobs cloned, this could account for the 600 known frauds, while not requiring an enormous number of breached identities (according to the ID Analytics theory).
Meanwhile OfficeMax is under increasing scrutiny as having stored PIN information at its POS terminals. It’s probably about time for OfficeMax, like Sam’s Club, to say something other than “We have no knowledge of a security breach here”.
Suggestion for Visa, MasterCard, and their ilk: please increase enforcement of the PCI security standard. A 70-90% non-compliance rate is embarrassing.
Update: Here is another wrinkle I just found via Computerworld.

According to Gartner’s Litan, OfficeMax officials’ outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transactions.

That makes sense, but the thing I can’t fathom is why a processor would keep all the information that seems to have been revealed, especially in a post-CardSystems world.
After all, the FTC complaint [pdf] against CardSystems said:

In early 2005, issuing banks began discovering several million dollars in fraudulent credit and debit card purchases that had been made with counterfeit cards. The counterfeit cards contained complete and accurate magnetic stripe data, including the security code used to verify that a card is genuine, and thus appeared genuine in the authorization process. The magnetic stripe data matched the information respondent had stored on its computer network. In response, issuing banks cancelled and re-issued thousands of credit and debit cards. Consumers holding these cards were unable to use them to access their credit and bank accounts until they received replacement cards.

Surely, other processors would avoid this kind of a practice, wouldn’t they? Hopefully, someone will say something definitive soon. Legislators and Attorneys-General, I would imagine, are aware of this situation. Is it unreasonable to assume that they are sharpening their pencils and crafting laws and regulations to require disclosure under circumstances like these?
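The Visa rule quoted at the top and the CardSystems complaint both turn on the same thing: data that was never supposed to sit on disk after authorization (full magnetic stripe track data, the verification code, PINs) was sitting there. The simplest way to find out whether your own processor or POS vendor has that problem is to look. What follows is an added example, not code from this post or from any of the companies named in it: a small scanner that walks a log or database dump and flags track data, CVV fields and PIN blocks, reporting only a masked PAN so the report itself does not become another copy of the data. It assumes the ISO/IEC 7813 track layouts (`%B<PAN>^<NAME>^<YYMM>…?` and `;<PAN>=<YYMM>…?`) and invents the `cvv2=` / `pin_block=` field labels; the log lines are constructed, using the well-known 4111 1111 1111 1111 test number, which passes the Luhn check but belongs to no real account.

```python
"""
Added example: scan stored data for sensitive authentication data that card brand
rules say must not be retained after authorization (track data, CVV, PIN).
Track layouts follow ISO/IEC 7813; the cvv/pin field labels and the sample log
are assumptions constructed for this example.
"""
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Assumed field labels; adjust to whatever your application actually logs.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)
PIN_RE = re.compile(r"\b(?:pin|pin_block|pinblock)\s*[=:]\s*([0-9A-Fa-f]{4,16})\b",
                    re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check; cuts down on
    false positives from arbitrary digit runs that happen to look like tracks."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the customary display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str        # "track1", "track2", "cvv" or "pin"
    detail: str      # masked PAN or a description, never the raw value


def scan_lines(lines):
    """Return a Finding for every prohibited item found, in line order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in TRACK1_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "track1", mask_pan(m.group(1))))
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(n, "track2", mask_pan(m.group(1))))
        if CVV_RE.search(line):
            findings.append(Finding(n, "cvv", "card verification value present"))
        if PIN_RE.search(line):
            findings.append(Finding(n, "pin", "PIN / PIN block present"))
    return findings


# Constructed sample: one properly masked line, two raw swipes, one line with
# CVV and PIN block, and one track-shaped string whose PAN fails Luhn.
SAMPLE_LOG = [
    "2006-02-15 10:01:12 auth ok pan=411111******1111 amt=42.10",
    "2006-02-15 10:01:13 raw swipe %B4111111111111111^DOE/JANE^0812101?",
    "2006-02-15 10:01:13 raw swipe ;4111111111111111=08121011234567890?",
    "2006-02-15 10:02:40 retry cvv2=123 pin_block=A1B2C3D4E5F60718",
    "2006-02-15 10:03:02 ;1234567890123456=0812101? (fails Luhn, not a card)",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run over the constructed sample it reports the two raw swipes (as masked PANs), the CVV and the PIN block on line 4, and nothing for the masked line or the Luhn-failing one. The point of masking in the report, and of never writing the matched value anywhere, is that a scan like this is itself read by people and stored in ticketing systems; a finding that quotes the track verbatim just moves the problem.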

[Edited 29/4/2017 to unlink because Google claims its distributing malware.]

2 comments on "The wall starts to crack"

  • sama says:

    So Chris, how often do you recommend one change his PIN number, in light of all of this? Or will that help protect you at all?

  • Chris Walsh says:

    Good question.
    The answer depends on unknown details.
    If this fraud eruption was due to stored PINs being revealed, and if the revelation was a one-time thing (rather than continuous access), then the question becomes “How long did the bad guys have the PINs before they used them?”. Even if we knew these things, whether they generalize to other breaches we don’t know about (because they were smaller, or because they have yet to occur) is unknown.
    I know nothing about how time-consuming it would be to create fake cards, and I suspect that the criminal element is smart enough to sit on stolen info a while. So, if you change your PIN frequently enough, by the time the crooks are done waiting/cloning, you will have moved from the PIN you had.

Comments are closed.