Friday, January 30, 2009

On Heartland III

OMG, so much more fun stuff has been posted on the Heartland credit card theft. Read Part 1, then read Part II, then read this. Also read this and don’t get ‘comp0wn3d’ :-)

  • “Heartland data breach proves PCI compliance is not enough” (no shit!) starts with the sensible “The data breach at Heartland Payment Systems that exposed millions of credit card holders in the US to fraud, proves regulatory compliance alone is not enough” as well as a deeper version of “Achieving PCI compliance does not imply that a business has achieved real security”, which then turns into idiotic propaganda: “The only solution to eliminate this threat is end-to-end encryption”
  • Branden thinks the same here in “End to End Encryption is NOT the PCI Silver Bullet!”, he also gives more good thoughts there such as “I stand by my original premise which is that the standard [PCI DSS] (properly implemented) would prevent this.” He also has another awesome post “What CEOs (and CISOs!) Can Learn from Heartland” where he goes for the jugular: “Going through the motions of something like PCI without actually committing to it will land you in the "PCI Validated, but Compromised" bucket like so many before you. The Anti-PCI crowd comes in two flavors, the "It's Too Damn Hard" flavor, and the "It's Doesn't Address X Issue" flavor. Both of those flavors have valid points, but they are sooo 2006. 2009 is the time to OWN your security, and PCI is a great place to start.”
  • “Just how big was the Heartland security breach” says “it is known that as many as 600 Million card numbers were exposed to malicious software” and “the number of cards potentially stolen is about 50% more than every single active card of every cardholder in the entire country.” Note this also: “I cannot imagine a scenario where Heartland comes out of this in one piece.”
  • Kevin opines here that “Arguing that PCI DSS is a failure because two organizations that were compliant experienced breaches is like saying door locks are a failure because somebody broke into your house.” Amen to that!
  • Mike Rothman thinks he is no more insane than the rest of us here: “Maybe it'll take 3-4 years (HIPAA was still an area of focus for 3-4 years after it started its long downward slope towards irrelevance), but unless something changes – it'll [PCI’s irrelevance] happen.” OK, Mike, I still politely disagree.
  • “Heartland Sniffer Hid In Unallocated Portion Of Disk” adds some details about the malware in question and contains deep forensic insight: “There is virtually no way to tell in a case like that what really happened.” :-) (the sad part is that they are probably right) Another piece concerns the insider angle: “preliminary indications are pushing them to suspect a fully external attack, with no indications at this time of any help from any Heartland employee or contractor.” The same piece also tells us that litigation has started: “And Heartland’s civil legal troubles are just starting, with one of the least surprising lawsuits ever filed. The litigation is the start of a class-action lawsuit that accuses Heartland of having “failed to take appropriate measures to adequately protect” its data.” (this also comments on the above)
  • Pete adds two very interesting points: “How many people thought passing a PCI audit meant that an organization was risk-free? If you did, then PCI failed from your perspective. Of course, you might want to go into another line of work.” (here in “How to think about PCI”) and “One way to evaluate the success of PCI is to compare the number of incidents from PCI-certified companies to another set of similar non-PCI-certified companies.” Also, while on his blog, read the comments here.
  • On a more analytic side, “Heartland and PCI” reminds us that prescriptive regulations like PCI are not the only option: “There is a way to solve that by building risk management based standards, like ISO27001, but they are usually more expensive to implement (and to validate). Also, those standards work very well to deal with risks to the organization, not to third parties (like cardholders), though considering audit issues and fines a risk themselves can help on fixing this “glitch”.” (additionally, as I pointed out in-depth here, they face the issue of people not knowing/not caring about their risks)
  • In his “On the Heartland Breach: No It Does NOT Mean the End of PCI” Walt reminds us: “PCI is by its nature backward-looking. Deal with it. Because you are compliant today does not mean you are still compliant tomorrow or even 15 minutes from now.”
  • Robert Carr, CEO of Heartland, says here: “PCI is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps. There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required.” You know what? It sure seems like monitoring is THE NEXT step for them, not the one they took in the past…
  • In “PCI = FOI?” Andy writes: “I think PCI is the best regulation because it lacks much of the vagueness that others have” AND “Unfortunately, it does often lull companies into being complacent and/or apathetic.” (both true, sadly) He also brings up more good points in his post: “We have to quit pushing things such as being "compliant" with any regulation as equating to being secure. When I say we I don’t mean most of us reading this but the PCI Council and other governing bodies.”
  • Finally, the most fun post of the batch (!) here; I am not going to quote it extensively, just go read it! One quote though: “I had a chat with a QSA from a large well-known “security” company. He told me he never touched anyone’s systems during a PCI DSS onsite audit. When I asked him how he could possibly then know whether those systems were secure (not using the term compliant), he responded that he based his assessment upon documentation and what the relevant IT staff told him.”

Dr Anton Chuvakin