Comments on: Heartland Breach Hit At Its Unencrypted Point http://storefrontbacktalk.com/securityfraud/heartland-breach-hit-at-its-unencrypted-point/ Techniques, Tools and Tirades about Retail Technology and E-Commerce Wed, 08 Feb 2012 16:02:40 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Jestep http://storefrontbacktalk.com/securityfraud/heartland-breach-hit-at-its-unencrypted-point/comment-page-1/#comment-53432 Jestep Wed, 28 Jan 2009 02:28:56 +0000 http://www.storefrontbacktalk.com/?p=1768#comment-53432 Looking at this from a network security standpoint, I can't see how there wasn't someone on the inside helping. Heartland is a large company, with extremely well protected and complex networks. The precision required to find the only spot on the network where this data is not encrypted and put a piece of software that can extract it without tripping any sort of intrusion detection or other alarm is just too unrealistic for me to buy into. Unless their security was grossly less than what should be required, putting any encryption aside, it's just not very likely that someone who hacked a random computer on the inside could access this point in one of their networks. This really leads me to two possible conclusions. First, someone on the inside, most likely in IT or someone with a high level of network access, and a very high knowledge of exactly how their system works, helped plant the software so it couldn't be found either inherently or by the massive amount of data being extracted. Or second, Heartland had extremely weak security, unacceptably weak, and someone was actually allowed enough time to hack across multiple systems, and had enough time to find a very unique pathway of data, and had enough time to plant some software that was undetected, and extract this huge amount of data without ever being noticed for months. Looking at this from a network security standpoint, I can’t see how there wasn’t someone on the inside helping. Heartland is a large company, with extremely well protected and complex networks. The precision required to find the only spot on the network where this data is not encrypted and put a piece of software that can extract it without tripping any sort of intrusion detection or other alarm is just too unrealistic for me to buy into. Unless their security was grossly less than what should be required, putting any encryption aside, it’s just not very likely that someone who hacked a random computer on the inside could access this point in one of their networks.

This really leads me to two possible conclusions. First, someone on the inside, most likely in IT or someone with a high level of network access, and a very high knowledge of exactly how their system works, helped plant the software so it couldn’t be found either inherently or by the massive amount of data being extracted. Or second, Heartland had extremely weak security, unacceptably weak, and someone was actually allowed enough time to hack across multiple systems, and had enough time to find a very unique pathway of data, and had enough time to plant some software that was undetected, and extract this huge amount of data without ever being noticed for months.

]]> By: A reader http://storefrontbacktalk.com/securityfraud/heartland-breach-hit-at-its-unencrypted-point/comment-page-1/#comment-53110 A reader Thu, 22 Jan 2009 19:35:34 +0000 http://www.storefrontbacktalk.com/?p=1768#comment-53110 You wrote: The most interesting part of his comments about the point of weakness in Heartland’s system, comments that should sound very familiar to most retail security folk: “We have industry-leading encryption, but the data has to be unencrypted to request the information” from the card brands, Baldwin was quoted as saying. “The sniffer was able to grab that authorization data at that point.” This statement, coupled with the almost countless retailer breaches, demonstrates the need for an industrywide rearchitecture of the fundamentals of credit/debit authorization. Just as retailers are trying different schemes to avoid having unencrypted data, the fact that it still has to be cleartext to cross the interfaces between retailer and processor, and processor and bank, demonstrates the flaws in the system. Data should be protected in the cardholder's hands and in the issuing bank's systems. Nobody in between should ever be trusted with anything other than presenting or carrying encrypted data. This technology has existed for over a decade now. The days of routing paper charge slips are over. We don't need the credit industry continuing to expose the rest of us to horrendous risks because they can't modernize beyond carbonless paper. You wrote: The most interesting part of his comments about the point of weakness in Heartland’s system, comments that should sound very familiar to most retail security folk: “We have industry-leading encryption, but the data has to be unencrypted to request the information” from the card brands, Baldwin was quoted as saying. “The sniffer was able to grab that authorization data at that point.”

This statement, coupled with the almost countless retailer breaches, demonstrates the need for an industrywide rearchitecture of the fundamentals of credit/debit authorization. Just as retailers are trying different schemes to avoid having unencrypted data, the fact that it still has to be cleartext to cross the interfaces between retailer and processor, and processor and bank, demonstrates the flaws in the system.

Data should be protected in the cardholder’s hands and in the issuing bank’s systems. Nobody in between should ever be trusted with anything other than presenting or carrying encrypted data.

This technology has existed for over a decade now. The days of routing paper charge slips are over. We don’t need the credit industry continuing to expose the rest of us to horrendous risks because they can’t modernize beyond carbonless paper.

]]> By: Cy Fenton http://storefrontbacktalk.com/securityfraud/heartland-breach-hit-at-its-unencrypted-point/comment-page-1/#comment-53093 Cy Fenton Thu, 22 Jan 2009 16:48:22 +0000 http://www.storefrontbacktalk.com/?p=1768#comment-53093 David - Is there any info on the customers of Heartland? It would be interesting to hear from the retailers and restaurants that use Heartland for processing. David – Is there any info on the customers of Heartland? It would be interesting to hear from the retailers and restaurants that use Heartland for processing.

]]>