When it comes to data breaches, the words 'payment processor' set off an extra-special alarm

By | April 02, 2012

Posted in: Network Security Trends

The Global Payments credit card breach is high profile not so much for how many card numbers were stolen — a mere 1.5 million at most according to GPN  — but because the company is a payment processor, sitting in the middle of the transaction chain and on top of millions of records. Three years after the gigantic (130 million records) Heartland breach, we expect processors to run the tightest of ships. Both companies were PCI compliant. Both got burned. We are always told, “compliance doesn’t equal security.” The proof is in the pudding.

For this, perhaps more than most cases, we are just dying to know what went wrong. Were one or more of the PCI requirements enforced in the instant, when the QSA was doing his audit, but not on a continuous basis? We hear lots of stories of companies that perform fire drills to comply, then loosen their belts a notch and relax their guard. Was the letter of PCI observed but not the purpose, so that the attackers were able to penetrate a fully compliant network?

The message that’s drummed home time and again is develop the corporate security program around risk. So a reasonable progression is: business risk assessment -> security policy -> security controls. Map the controls against your sundry compliance requirements and do a gap analysis to see if any regulation-specific controls are missing and not covered by some sort of acceptable compensating controls.

This not a Global Payments bashing. Bad things happen to good companies. Having been breached, they discovered the problem on their own, in a very short time as these things go. Data breaches typically go undiscovered for months, sometimes years, usually by an external third party. Nor are they particularly at fault because they had not yet made the breach public when the story broke late last week. Companies that disclose and notify victims too quickly, before they have made a full assessment, typically suffer financially, according to the Ponemon Institute Cost of Data Breach Study, paying $33 more per record than companies that wait and don’t waste money notifying people whose records were not actually exposed. More time also allows investigators to operate under the radar before the intrusion becomes public. Meanwhile, of course, people are being victimized by credit card fraud, so the scales tip the balance in favor of prompt, albeit not precipitous disclosure.

That all being said, the fact remains that a lot of restricted data that should be encrypted, with access restricted to those humans and applications need it in the clear to conduct business operations, was stolen. Outside agents penetrated Global Payments’ network and accessed data that was either in plain text when it was supposed to be encrypted, or gained the privilege level that allowed them to decrypt.

Rather than speculate, let’s review some critical areas that can leave credit card data at unnecessary risk:

Privileged users and applications. Excess privilege is a common problem. Organizations often allow shared administrative credentials and/or give admins far wider access to applications and data than they need. For example, a database administrator does not need and should not be able to read, copy or modify the data itself. Default passwords are commonly embedded in legacy applications that have access to sensitive data. The more general the access to data, the easier for criminals to compromise an account that lets them in.

Unauthorized data copies. Data is sometimes duplicated in file shares, spreadsheets etc., when it should be restricted to authorized databases and secure backups. My personal favorite case was years back when bundles of the Boston Globe went out wrapped in printouts of subscriber credit card numbers.

Authentication. Gartner analyst Avivah Litan reported that the attackers may have gained access to a privileged account by cracking knowledge-based authentication — challenge question type of thing (mother’s maiden name, favorite team, pet’s name etc.). That’s pretty lightweight authentication even for end users, much less high-privilege admins. Authentication strength should be commensurate with the level of privilege and the type of data accessed.

Global Payments and other companies can use this as an opportunity to review and strengthen their security programs. And while it’s unlikely we’ll know the details of what happened, but there are surely lessons to be learned from which other organizations can profit, so we would hope at some point Global will be in a position to share what they can, holding back only what is necessary for security and not simply to save face.

You May Also Be Interested In: