Schneier on Security
A blog covering security and security technology.
October 27, 2009
2006 Wal-Mart Hack
Interesting story of a 2006 Wal-Mart hack from, probably, Minsk.
Posted on October 27, 2009 at 7:42 AM
I'd read the article, except it's from Wired, whose verbosity is unparalleled.
Those old-schoolers who still can read past the top 120 characters of an article will find this one interesting and alarming --- particularly so because in view of the secretive instincts of corporate officers whose company IT has been compromised, the cases described here are probably just the tip of an iceberg.
A couple of things stand out.
The first being Wal-Mart's lack of PCI compliance, and that they had been given time extensions. I know of several small companies that were not given time extensions. Makes me wonder about the size of Wal-Mart and the level of business it does being a factor in the extensions...
"Albert Gonzalez, a 28-year-old Miami man, pleaded guilty... ...and is facing unresolved charges for the remainders.
Hmm, if he pleaded guilty, why are there unresolved charges on other cases...
Not sure about the US, but in the UK it's usually wise, if you put your hand up to one, to put your hand up to any others that you have actually done...
It is interesting to note that Walmart became fully "PCI compliant in August 2006". They stumbled upon the breach a month later.
@Clive: "Makes me wonder about the size of Wal-mart and the level of business it does being a factor in the extensions..."
I would suspect it did. Wal-Mart is perhaps the biggest payment card retailer in the world, and full PCI compliance would be no simple or quick task.
Honestly, I'm surprised Wal-Mart hasn't had more breaches given their size.
> Not sure about the US, but in the UK it's usually wise, if you put your hand up to one, to put your hand up to any others that you have actually done...
Just speculating, but it could be a state / federal issue.
He may be at risk of state charges for different aspects of the same act as he's facing federal charges.
He may have reached agreement with federal and certain state prosecutors for cases he pleaded guilty to, but not in others.
In such a case, you wouldn't want to plead guilty to the federal charges unless a state which had concurrent jurisdiction agreed they would not prosecute as well.
Should this matter to the average end user? Who cares if your CC# is stolen; you're not liable. Maybe some slight irritation...
Like Bruce says, until there is an incentive for these companies to secure their data they won't do anything.
Of course you are liable. Unless you dispute the charge, which requires you to go through your monthly statement with a fine tooth comb matching up every receipt.
It's easy to detect fraud when you have $5000 of extra charges on your CC. But when they're smart and buy $30 of gas and $50 of groceries, are you really going to remember a month later that it wasn't you who did the shopping?
Actually, you may be more liable than you think. Identity theft poses many risks. They are essentially committing crimes in your name. Simple purchases might be written off by the bank. If they commit a murder in a hotel and use your number and name to buy the room, you could be in more trouble. There are many scenarios like that which have actually happened to people. I would be more than slightly irritated if I was investigated by the FBI because my card was stolen. That's why it matters to me. Not to mention there are technologies like Barclay's PIN entry devices that could prevent (or reduce) many fraudulent transactions, but most banks don't use them pervasively, if at all.
@TS: "But when they're smart and buy $30 of gas and $50 of groceries, are you really going to remember a month later that it wasn't you who did the shopping?"
I think this is where I differ from Bruce a bit. I am in full agreement with him that 1) personal information is too difficult to use, 2) financial institutions should have liability for fraudulent transactions, and 3) we need to exert efforts to authenticate transactions.
Where I differ with him is that I do think retailers and individuals should have some liability. While authenticating transactions is important, it is difficult. Even a good array of tests makes it tough to distinguish legitimate purchases from suspicious ones. My wife fell victim to fraud once, and had a retailer asked for ID at checkout, it would have been more difficult--but they didn't care because it wasn't their problem.
The solutions are complex, but I think there needs to be more accountability from top to bottom. The weak link (whoever isn't accountable) is usually the exploited party. If you use a credit card, you should be accountable for checking your account. If you accept a credit card, you should be accountable for ensuring the user is legitimate. If you issue a credit card, you should be accountable for ensuring it has been legitimately issued and authenticating transactions. (The layers at the acceptance and issuing levels are necessary in case the individual the card is assigned to isn't aware of the card.) We need layers of prevention and detection, and whichever party involved isn't accountable will be the party most impersonated and/or exploited.
Retailers don't accept checks without verification because they have culpability--and there is less check fraud because of it.
Banks require a PIN at ATM machines (for debit and credit cards alike), they don't assume just because someone possesses a card that they are authorized to use it. Why should anyone else?
Then again, though I differ with Bruce somewhat (while supporting much of his advice wholeheartedly), I concede his expertise far exceeds mine.
@HJohn: Retailers do suffer from credit card fraud, as I understand the system, since they're the ones out the money. IIRC, they're also forbidden to ask for ID on face-to-face transactions. It's not a good position to be in, but so many people prefer to pay by plastic, and the retailers seem to like checks less (I gave up carrying my checkbook around because it was an increasing hassle to use it.)
And, personally, I am responsible for checking my credit card statement. If I don't object to a charge within a reasonable period of time, I'm completely liable. Retailers are very limited in what they can do to screen people presenting cards. The issuing companies are in a great position, since they don't pay for fraud; about the only thing that can hurt them is a cardholder defaulting.
You do have a point. Part of the marketing of credit cards was the ease of use. I remember the old Bob Dole, Yao Ming, and Deion Sanders commercials. Everyone celebrating their identity until they ask to write a check, then everyone wants ID. Then they swipe their check card and voilà, easy payment.
They may be forbidden to ID people face to face, but I think that is a bad policy. Signatures on the back of cards are useless since the fraudster may have been the one to sign it, and even if they aren't, cashiers may not be forensics experts.
I just think there needs to be a shift in our thinking and practices on each layer of the process. Otherwise, we'll keep wasting too many resources on protecting information, which is difficult since it by definition will be disclosed (after all, what use is the information if you never use it to identify yourself to another entity). It just needs to be tougher to use throughout the process.
Several comments have noted that retailers are forbidden from asking for ID. I thought that was the case until a few weeks ago, when I checked with Visa. Retailers are free to ask for ID any time they like on Visa purchases, or so the service drone on the line told me. She also repeatedly claimed that there was value in carrying an "emergency" Visa card (for use if you lose everything else) even though any retailer could refuse to honor it.
So, perhaps the system is slowly changing to reflect current threats?
The data on the card - the embossed/printed data and EVERYTHING on the magnetic stripe is in the clear. It is a magnetic barcode, zeros and ones, that can be decoded by a 10 year old. Encryption cannot protect data that is visible. The card issuer must authenticate the payment instrument and the account data it carries. The payment terminal and the host must mutually authenticate to each other. The payment details and the cardholder must also be authenticated. Only when this happens can the payment system be trusted.
One time when I was in the US I watched a law enforcement officer pay by credit card in Pennsylvania. Instead of signing his card he had written "please ask for photo ID".
In PA a few years ago this was legal and enforceable - although it is a good way to start arguments with checkout staff. I'm not sure of the situation in other states of the US or other countries. PA law might have changed recently too.
"Banks require a PIN at ATM machines (for debit and credit cards alike), they don't assume just because someone possesses a card that they are authorized to use it."
In the UK we have something called "Chip and PIN", but it is also known, justifiably, by the dismissive term Chip-n-Spin among people who have investigated its functioning and security.
On the face of it, it appears to work like an ATM at the checkout to the ordinary user. That is, you put your card in the slot, check the amounts shown on the LCD and type in your PIN to authenticate the transaction.
So it should have reduced card fraud...
Actually no, card fraud went up, and apparently (according to some) it is still rising.
The system was ill thought out from a security perspective in that "card cloning" still works but even better than before.
Now the retailer does not actually get to see the card the customer just puts it in the slot (so no check on the embossing etc). However the system is designed to "fail to mag stripe" and on many customer side EPOS terminals there is handy card swipe slot...
So you take any Chip-n-Pin card use a battery to destroy the chip or put clear nail varnish on the chip contacts. Then put some other account details on the mag stripe.
It defaults back to mag stripe and the store clerk is supposed to do it the old way with signatures...
However most "till jockeys" are too young to remember the old way, and they so seldom see faulty cards that they only check the signature at best...
And to be really helpful, it appears that the card issuers do not record in their DB what the authentication method used was.
So the Card Issuer argues the customer has breached the T&Cs of the card by revealing their PIN and allowing a third party to use the card, therefore the customer is liable...
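The two comments above (the stripe being plain, decodable digits, and the chip terminal that "fails to mag stripe") can be made concrete with a small Track 2 decoder and the fallback decision a terminal makes from it. This is an added illustration, not code from the original post, from Wired, or from any card scheme or terminal vendor; the track strings and PAN are constructed (the PAN is a standard test number), and the policy flag names are my own.

```python
"""Decode ISO/IEC 7813 Track 2 data and apply a terminal fallback policy.

Added illustration, not code from the original post, Wired or any card
scheme.  The track strings, PAN and policy names are constructed; the PAN
is a standard test number, not a real account.
"""
import re
from dataclasses import dataclass

# Track 2 layout: ';' start sentinel, PAN (up to 19 digits), '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
# Everything is plain digits: nothing on the stripe is encrypted or signed.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Constructed sample: service code 201 = chip present, international use.
SAMPLE_CHIP_CARD = ";4111111111111111=2512201123456789?"
# The same account re-encoded by an attacker with service code 101 ("no
# chip"): the stripe-only rewrite the comments describe.
SAMPLE_REWRITTEN = ";4111111111111111=2512101123456789?"


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 string into its fields; reject malformed or bad-Luhn PANs."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a Track 2 string")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return Track2(pan, m.group("exp"), m.group("svc"), m.group("disc"))


def mask_pan(pan: str) -> str:
    """PCI-style masking for logs and receipts: first six and last four only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_expected(service_code: str) -> bool:
    """First service-code digit 2 or 6 means an IC chip should be used where possible."""
    return service_code[0] in ("2", "6")


def allow_magstripe(track: Track2, chip_read_failed: bool,
                    policy_allows_fallback: bool) -> bool:
    """Terminal decision: may this swipe be processed as a magstripe transaction?

    The weakness is visible here: the service code comes from the stripe
    itself, so a rewritten stripe can simply claim "no chip" and the
    terminal never attempts a chip read at all.
    """
    if not chip_expected(track.service_code):
        return True                         # stripe claims no chip; nothing to fall back from
    return policy_allows_fallback and chip_read_failed


if __name__ == "__main__":
    for raw in (SAMPLE_CHIP_CARD, SAMPLE_REWRITTEN):
        t = parse_track2(raw)
        print(mask_pan(t.pan), t.expiry_yymm, t.service_code,
              "chip expected" if chip_expected(t.service_code) else "stripe only",
              "fallback allowed" if allow_magstripe(t, True, False) else "fallback refused")
```

The only lever the merchant side controls is `policy_allows_fallback`: with it off, a chip card whose chip "fails" is refused rather than swiped, which removes the nail-varnish trick. It does nothing against a stripe rewritten with a 1xx service code, which is why the commenter's point stands that the issuer must authenticate the instrument, not just trust what the stripe says about itself.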
@mat "I'd read the article, except its from Wired, whose verbosity is unparalleled."
Never use a large word when a diminutive one will do. ;)
"One time when I was in the US I watched a law enforcement officer pay by credit card in Pennsylvania. Instead of signing his card he had written 'please ask for photo ID'". - Russell Coker
Having worked in retail, I have had numerous customers hand me an unsigned card (I always checked) to pay for their purchases. In the stores where I worked, we were instructed to ask for ID if a card was unsigned, and remind the customer to sign their card. On more than one occasion, I had a customer tell me that they deliberately left their card blank so that we would check their ID. I also had a customer tell me that he left his card blank so that a thief couldn't forge his signature. It never occurred to him that if his blank card were stolen, a thief could just sign it in his handwriting. I advised people like that to either write "See ID" on the back of the card, or just color in the signature space with a permanent marker. It probably wouldn't make a big difference either way, since I doubt most of my co-workers were even checking signatures.
I have an old debit card where the signature has rubbed off from years in my wallet. I actually can't sign the thing... I don't know why, but the ink just doesn't stick to it.
It's kind of nice, though, because virtually everywhere I use it, I'm asked for photo ID. But I guess a thief could find some way to sign it (a sharpie might work?) and avoid the ID check.
@Clive Robinson at October 27, 2009 11:01 PM
It is no doubt a cat and mouse game.
My point about PINs was that banks don't assume possession means validity, but that was not to say that fraudsters wouldn't find another way.
I think Bruce's suggestion that we validate transactions goes a long way, but it alone isn't enough.
One obvious problem with PINs is that if a fraudster sets up a card using someone else's PII, they no doubt will be able to set up the PIN. This is the same problem with signatures. If the card is not stolen but fraudulent, the PIN and signature checks are irrelevant.
The only in person check that works in this case is photo ID. This also can be compromised, but it requires another layer to do it.
No perfect answers.
Good post, btw.
Chip and pin (or similar) has been introduced here in Australia too (I remember ads talking about pen-or-pin recently)
The ordinary magstripe card and the data encoded thereon can be authenticated by the stripe's magnetic noise signature. A simple swipe produces a unique dynamic authentication value, which can prove that that the card has not been cloned or altered. That combined with a PIN or Password goes along way towards transaction validation.
"The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis."
That is simply inexcusable. They were not closing the accounts of ex-employees, *and* they didn't know when those accounts were used.
And it seems that they only noticed when they closed down one account, saw another being used, closed that down, and saw yet another.
In a word: pwn3d
"The documents show no evidence that files containing customer information were breached in the attack."
But then: "CyberTrust found sensitive customer information stored unencrypted on pharmacy computers at four of the stores, including customer names, home addresses, Social Security numbers, genders, credit card numbers and expiration dates. “A long-term, undetected compromise of Wal-Mart RXP system could allow a virtually endless supply of customers’ names, addresses, and Social Security numbers – the basic ingredients for identity theft,” CyberTrust wrote in its report. “Wal-Mart runs the risk of … losing not only the sensitive information, but also their customers’ hard earned trust,” the auditors added."
- It sounds like there was not a lot of logging done, so this "lack-of-evidence" claim does not offer much comfort.
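The two failures the comment above picks out, accounts of ex-employees left enabled and a server that logged only failed logins, are both things a defender can check for mechanically. Below is an added example of that check, not code from the original post, from Wired or from Wal-Mart: the log lines, hostnames, account names and the terminated-accounts list are all constructed, and the key=value layout is a hypothetical gateway format chosen for readability.

```python
"""Audit an authentication log for (a) successful logins by accounts that
should have been disabled and (b) whether successful logins are being
recorded at all.

Added example; the log lines, account names and field layout are
constructed and are not Wal-Mart's or Wired's.
"""
import re
from collections import Counter

# Constructed key=value lines from a hypothetical VPN gateway.
SAMPLE_LOG = """\
2006-09-14T23:58:01Z host=vpn1 event=login result=FAIL user=bsmith src=203.0.113.7
2006-09-15T00:02:17Z host=vpn1 event=login result=SUCCESS user=bsmith src=203.0.113.7
2006-09-15T00:05:40Z host=vpn1 event=login result=SUCCESS user=ajones src=198.51.100.12
2006-09-15T00:09:03Z host=vpn1 event=login result=FAIL user=root src=203.0.113.7
2006-09-15T01:12:55Z host=vpn1 event=login result=SUCCESS user=ajones src=198.51.100.12
"""

# What a server configured the way the comment describes produces:
# failures only, so successful use of a dormant account leaves no trace.
FAILURES_ONLY_LOG = """\
2006-09-14T23:58:01Z host=vpn1 event=login result=FAIL user=bsmith src=203.0.113.7
2006-09-15T00:09:03Z host=vpn1 event=login result=FAIL user=root src=203.0.113.7
"""

# Constructed HR feed: account -> date the person left.
TERMINATED = {"bsmith": "2006-08-31"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Timestamp first, then key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def login_events(log_text: str) -> list:
    return [parse_line(line) for line in log_text.splitlines() if line.strip()
            if parse_line(line).get("event") == "login"]


def success_logging_present(log_text: str) -> bool:
    """False when the log holds failures but no successes.  On a busy system
    that means success events are not being written, not that nobody logged
    in; confirm with a known-good login and look for it in the log."""
    counts = Counter(e.get("result") for e in login_events(log_text))
    return counts["SUCCESS"] > 0


def terminated_account_logins(log_text: str, terminated: dict) -> list:
    """Every successful login by an account that should have been disabled."""
    alerts = []
    for e in login_events(log_text):
        if e.get("result") == "SUCCESS" and e.get("user") in terminated:
            alerts.append((e["ts"], e["user"], e["src"], terminated[e["user"]]))
    return alerts


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("failures-only", FAILURES_ONLY_LOG)):
        print(name, "success logging:", success_logging_present(log))
        for ts, user, src, left in terminated_account_logins(log, TERMINATED):
            print(f"  ALERT {ts} {user} from {src} (left {left})")
```

Run against the failures-only log the alert list is empty, which is exactly the false comfort the "no evidence that files were breached" statement offers: the check finds nothing because nothing was written, and `success_logging_present` is there to say so. The real fix is upstream, disabling accounts when people leave, but this is the detection you run to find out how long that has not been happening.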
I always write "See ID" on all of my credit/debit cards, and I'm always careful to thank anyone who checks, to encourage future good behavior. It really cracks me up on some occasions when I see a clerk flip the card over, glance at the line, and then run the card anyway. Not sure if they're just assuming "See ID" is my signature, or if it's reflex to glance at the line but not pay attention to it.
The only time I've had some hassle with this system is when I took a certification test at a Prometric classroom. The woman at the desk insisted on two forms of *signed* ID, and wouldn't accept the card unless I signed it. Of course she let me sign the card right then and there, and then accepted it. I don't know what she thought it proved for me to sign the card (she didn't compare signatures with my other ID) and she didn't seem to care when I told her it was ruining the protection of the card by giving any thief a handy copy of my signature.
Oh, and on all future visits (4 and counting) to that classroom, none of the other clerks has insisted on a signed credit card, so I don't know why the one woman was so adamant about it.
Several of you suggest asking for photo ID. I don't have photo ID, except for my passport and I don't plan on carrying my passport around with me. I don't have a driver's licence or a health card with photo (I'm a Canadian). What am I supposed to do for photo ID?
And, yes, we are getting chip and PIN cards here and my new card is that type. So, something else to forget under pressure!