Tuesday, February 10, 2009

On Heartland IV

I swear I never wanted to do this part IV of the Heartland credit card data breach saga, but there is so much more fun stuff on this, it is not even funny :-) In other words, they made me do it :-)

  • Stock angle – NOT sure whether true OR false (or somebody is doing psyops on the side, as my old ROTC teacher would say): “CEO Carr dumps $15 million of his Heartland Payment Systems stock” and “Did Heartland CEO Make Insider Stock Trades?” seems to think so. The latter post also has some fun additional details and it actually a very good read. BTW, the original source for this (here) seems dead (“Error establishing a database connection”), which kinda confirms the whole psyops angle…
  • One of the commenters to my previous post asks: “I'm really interested in the method used to ship the card data out of the processors datacenter. Did they allow outbound connections to random addresses on the Internet?” Good question  indeed! BTW, direct connectivity from payment server to any address on the Internet will be a violation of PCI DSS Req  1.2.1
  • Mike Rothman returns to normalcy (here too!) and quotes this from here: “Of course, anyone that has been in the security business for a while knows the folly of thinking that any set of requirements and controls will truly create security”, then “Merchants have been relying on PCI as a crutch. Comply with the 12 requirements and credit card data is secure” and then even “To be clear, there is value in the 12 requirements set forth by the PCI Security Standards Council. The PCI-DSS does a good job of laying the foundation for security, but just like you don’t live just on a foundation and expect to stay warm and dry in the winter, you can’t just rely on your security foundation for protection.” Amen to that!! PCI DSS is useful again – and the world is saved :-)
  • This is very, very interesting (“Visa issues security alert”) and can be used to piece together what we know about the breach mechanics. But BAD IP addresses? Gimme a break… What’s next? An evil bit?
  • Another commenter leads an interesting discussion about the underlying technology: “I contend that the largest *real* security issue is the 1960's technology of a plastic card with an integrated magnetic stripe which contains easily readable data encoded in an open format.” (a fun discuss follows)
  • On DarkReading, “PCI DSS Is A Process, Not A Checklist“ also has a lot of good points: “The elements that go into complying with PCI DSS need to be followed day in and day out -- not just every quarter when your scan is scheduled or your annual pentest comes up.” Yes, Virginia, in reality you are never DONE with this one…
  • Heartland and Protecting PII” bizarre angle here: “Just out of curiosity – is anyone else concerned about how the victim is getting vilified when there is a significant loss of credit card data or PII?” and “Heartland may have been very dumb in the way they are handling the PR side of things but remember that they were robbed by criminals.” and “This makes the security and risk management equation a binary, results oriented art – either we are “secure” or we are not. How do we know we are? No incidents. How do we know we are not? Incident!”
  • Mildly Heartland breach inspired, Jeremiah brings up “Some unanswered questions” – fave quote from comments: “Look at who does the most PCI assessments [and the Heartland one] and you'll realize that they're the ones that do the least invasive testing, don't bother verifying much of the information provided by the client, and do the minimum amount necessary to fulfill the external scan and web assessment requirements.” :-(
  • Grok Security in “Heartland Breach” says “In summary, Heartland failed to properly implement and enforce defense-in-depth, network segmentation and separation of duties. Remember, Heartland is a level 1 PCI processor and was required by regulation to get this right. This means Heartland's auditors failed.”
  • Mildly, Heartland-inspired, Pete’s “PCI and Social Proof” has a few good thoughts on what “security vs compliance” conundrum. Key thought: “One of the themes that comes out of compliance vs. security discussions is that compliance is about meeting a minimum standard and people who "really care" about security (whatever that means) would actually do more. I think the principle of social norms is hard at work here, which makes the "goal" of being PCI-compliant the social norm and acts as a deterrent (or creates a 'boomerang effect' according to Cialdini) to folks that want to be more secure.” BTW, while you are there, read his “Are Compliance and Security Related?” where he reminds that “Maybe I am getting too broad in my interpretation of what people say. I certainly believe that many things you do for compliance can reduce your risk.” [however, I think "checklist!-just-make-it-go-away” compliance will likely NOT reduce risk]
  • Michael here (“pci, shifting blame, and perfection assumptions”) questions a point from Branden that “PCI Compliant Companies Don't Suffer Breaches.” He says “QSAs can only be as good as the standards, visibility, power, talent, and cooperation of the host customer.” (notice the part in italic: QSAs are people too – and they are getting lied to too!)
  • Tyler argues in his “Where PCI Fails” that PCI IS considered a FAIL (unlike what I say here) if a particular QSA is an easygrader or if a company can beg its way to getting an exception. He also has a good point that “If you are barely hitting your mark as an ASV or QSA, you should be gone.”  Upon reading his post, I’d still prefer to fall these “growing pains” and not FAILs, however. Please read the related comments here  too, very fun.
  • OMG, another new angle – this case is a treasure trove: In “US Citizen? Your credit is in doubt...” Rainer says: “Remember, card processor Heartland has screwed up and, as some sources say, 100 million credit card numbers were stolen from them via a Trojan. That fact spread big news and, among others, started a discussion if PCI has been proven to be useless. But there seem to be additional effects: US customers seem to have lost a lot of credibility in international shopping.” Obviously, not a huge deal, but interesting to note nonetheless… He also adds this gem: “If you loose your credit card, you are legally required to call your card issuer and report that loss. As long as you do not notify them, you are liable. If, on the other hand, someone in the card industry looses your card (number), nobody seems to be liable: Customers must check their statements and vendors must do in-depth checks (sigh) on their customers.”

Enjoy! I double-dare-promise this is the last one with media coverage…

Possibly Related Posts:


Anonymous said...

The latest Visa Data Security Alert was posted last week and can be found here:


The lead recommendations are responses to currently active threats and do not focus on "bad IP addresses". Their advice is accurate and is a prudent recommendation based on post-facto forensic analysis from real events.

Practitioners should not casually dismiss these recommendations.

Our field experience indicates these would have made a big difference at multiple high-profile breaches.

Anonymous said...

..."if PCI has been proven to be useless..."

Not yet, not yet, just wait IPv6:

-Ok so now we have to NAT those hardware

-But Sir the new infrastructure is IPv6

- I don't care PCI say to NAT

- But Sir NAT doesn't exist in IPv6, maybe PCI is irrelevant finally now.

- You mean I don't have to endure those outrageous bills ? Very nice you are promoted !

Anonymous said...

There'll be a V, VI, VII etc etc. You're tied in now Anton. Like TJX, the story will go on for a long time. Stallone didn't want to do a Rocky IV and it continued on....as you will now have too.

Follow Hollywood and do a prequel. They seem to work also. :)

Anton Chuvakin said...

Well, a prequels will happen as soon as somebody leaks the state of their security before the breach (like it happened with TJX...)

Plastic Cards said...


Its true that,before reading of this nice article i don,t know about to the On Heartland and IPv6 but now i know very well.Thanks for sharing your useful feed back.

Dr Anton Chuvakin