ID Theft Case Put Focus on Credit Card Security
August 19, 2008 Alex Woodie
Is your credit card data safe? That’s the question millions of people are asking themselves following the recently exposed international identity theft ring that allegedly stole more than 41 million credit card numbers. While security is a relative term, experts in the field of electronic payment systems, including Ira Chandler of i5/OS payment card software developer Curbstone, say the Payment Card Industry (PCI) Data Security Standard (DSS) provides good protection of sensitive data. Unfortunately, not everybody is following PCI DSS to the letter.
Earlier this month, the Department of Justice announced the indictment of 11 people from the U.S., Estonia, Ukraine, Belarus, and China on charges of hacking into retailers’ computers and stealing more than 41 million credit card numbers between 2003 and 2005 from TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, and other major retailers. Only three of the suspects are in custody; the others remain at large.
According to the DoJ, the perpetrators drove around in their vehicles with laptops, looking for unsecured 802.11 “Wi-Fi” networks, a technique called “wardriving.” Once inside a network, they installed programs that captured credit card and debit card numbers and other sensitive data as it flowed, unencrypted, across the retailer’s payment processing network, the DoJ says. The stolen numbers were then encoded onto counterfeit debit cards, which were used to withdraw tens of millions of dollars from ATMs.
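The capture programs the DoJ describes work because card numbers on an unencrypted store LAN are trivially recognizable: a run of 13 to 19 digits that starts with a known issuer prefix and passes the Luhn check is almost certainly a card number. The following detector is an added example, not code from the article, from Curbstone, or from any of the retailers named; it shows, on a few constructed sample lines standing in for sniffed authorization traffic, how little it takes to harvest PANs in the clear, and, run the other way round, what a DLP or IDS rule (or a PCI DSS storage audit looking for cardholder data where it should not be) does to find them. The card numbers are the industry’s published test numbers, not real accounts; the message format, terminal names and the simplified issuer prefix table are assumptions for illustration.

```python
"""Added example: minimal cleartext PAN detector over constructed sample traffic.

Not part of the original article. Message layout (AUTH|term=...|pan=...) and the
short issuer prefix table are assumptions for illustration; the PANs are the
well-known test card numbers, not real accounts.
"""
import re
from typing import Dict, List, Optional

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not glued to other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer identification prefixes and valid lengths (assumed, abridged;
# real IIN tables are far longer and change over time).
_BRANDS = (
    ("amex", ("34", "37"), (15,)),
    ("discover", ("6011", "65"), (16,)),
    ("mastercard", tuple(str(p) for p in range(51, 56)), (16,)),
    ("visa", ("4",), (13, 16, 19)),
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counted from the right, is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Map a digit string to a brand name via prefix and length, or None."""
    for name, prefixes, lengths in _BRANDS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return every PAN found in text, with brand, masked form and offset."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = brand_of(digits)
        # Order numbers, timestamps and mistyped PANs fall out on prefix or Luhn.
        if brand is None or not luhn_ok(digits):
            continue
        hits.append({"brand": brand, "masked": mask_pan(digits), "offset": m.start()})
    return hits


# Constructed sample: what a sniffer on an unencrypted store LAN might see.
SAMPLE_CAPTURE = [
    "AUTH|term=POS07|pan=4111 1111 1111 1111|exp=1009|amt=4995|ref=20080819123045",
    "AUTH|term=POS03|pan=378282246310005|exp=0310|amt=12000",
    "AUTH|term=POS11|pan=5555-5555-5555-4444|exp=1109|amt=889",
    "LOG|ok|order=4111111111111112|ts=20080819123046",  # Visa-like prefix, fails Luhn
    "AUTH|term=PUMP2|pan=6011111111111117|exp=0509|amt=5300",
]


def scan_capture(lines: List[str]) -> List[Dict[str, object]]:
    """Scan captured lines and return one record per PAN found, with the line index."""
    found = []
    for lineno, line in enumerate(lines):
        for hit in find_pans(line):
            found.append({"line": lineno, **hit})
    return found


if __name__ == "__main__":
    for rec in scan_capture(SAMPLE_CAPTURE):
        print(f"line {rec['line']}: {rec['brand']:<10} {rec['masked']}")
```

Run on the sample, the scanner reports four card numbers (Visa, Amex, MasterCard, Discover) and ignores the order number and timestamps, which is exactly why PCI DSS requires cardholder data to be encrypted in transit and never stored in the clear: against unencrypted traffic there is nothing for a defender to detect that the attacker cannot find just as easily.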
The story has catapulted wardriving into the public lexicon, and turned innocent consumers into sentries on the perimeter of public protection. Instead of skipping light-heartedly into a local store to help drive the world economy, consumers now get a bit jumpy every time they see a bald dude in the parking lot, typing on a laptop from his rusty Chevy Citation.
If only it were that simple. But Chandler, who was an expert witness in an identity theft case involving one of the retailers mentioned above, knows it’s not. “I know the reason some of these happen is not necessarily these guys wardriving, trying to find open Wi-Fi,” he says. “It’s not that simple. There’s really a lot more to it.”
There are many ways hackers can penetrate computer systems. Wired systems can be compromised through unsecured USB ports, or by guessing a username and password. Dial-up modem links can be tapped, exposing card data sent in plain text. For these reasons and others, Visa and the other card brands came up with the PCI DSS, a set of 12 requirements for merchants, grouped under six objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access controls, regularly monitor and test networks, and maintain an information security policy.
While the PCI process can be a giant headache for software vendors and integrators, merchants would be wise to follow the PCI DSS as closely as they can, Chandler says. “If they actually follow the 12 tenets, if they do the self-assessment questionnaire, then they will cover their exposures,” he says. “If they would do it, they wouldn’t have these problems. They’re not doing it.”
Hopefully, the retailers involved have locked down or turned off their store Wi-Fi and come into compliance with PCI. After all, it’s been nearly two years since TJX first admitted to the wardriving problem. The fact that other retailers were targeted by the same group from 2003 to 2005 is only now becoming known.
But that doesn’t mean there aren’t other problems. In all likelihood, in two or three years from now, we’ll be talking about the security weaknesses and instances of identity theft that are happening right now. Such is the case when companies are hesitant to talk about their security problems, even with the new state laws requiring them to inform customers whose identities have been put at risk.
So which vendors are more apt to handle your data in a careless manner and put you at risk of identity theft? According to Chandler, a lot of it has to do with the size of the company, which in large part determines what kind of computers they use, and how the system is architected.
Larger retailers are more secure, according to Chandler. They typically run credit authorizations centrally on larger servers like the AS/400, and their dedicated point of sale (POS) devices, such as those from IBM or Micros, run hardened Windows- or Linux-based operating systems. “With the bigger merchants, everything’s centralized. It all goes through the data center in each store,” he says. Hacking into that central server is a lot tougher than hitting an individual POS.
Smaller retailers that run POS applications on top of a regular PC operating system, such as Windows, and use a card-swipe reader with a network connection to perform credit authorizations, are less secure. In that setup, any vulnerability in the unhardened, general-purpose OS gives an attacker a foothold, and the machine is exposed to the same network traffic as everything else in the store.
It’s also not a good idea to use your debit card at a service station, Chandler says. “Pumps are generally much less secure than anything else. Point of sale is generally pretty insecure as well, but gas pumps are the worst,” he says. “Never use a debit card at a pump. The exposures are just too great.”
As a developer of AS/400-based credit card authorization software, Chandler holds a certain bias against the PC and Windows platform. It’s not that a Windows POS can’t be made secure, he says. It’s just harder. “Merchants take for granted that the integrators who sell and install and configure those things have their PCI interest at heart,” he says. “They may be following the 12 tenets, but the merchants themselves may be defeating some of those things.”
Even if the integrator installs a perfectly secure POS system, things like an unsecured Wi-Fi connection can spell doom for the retailer. “Now all of a sudden the most secure POS system goes to crap because no matter how you cover those 12 points within that island, if that island is connected and the rest of the mainland is not secure, you’ve got a bridge and you’re in there and you’re dead meat.”