Evan Schuman of StorefrontBacktalk has a pretty shocking article today. Apparently, the Heartland malware hid in the unallocated file space.

Right on the heels of my last blog post too. Nuts.

Our forensic examiners at VeriSign look for this type of malware during every investigation because it is not a new trick. It surprises me that it was almost missed. Even so, I stand by my original premise, which is that the standard (properly implemented) would prevent this. In order to get the malware on there, a software flaw or a credential had to be exploited. Both of those vulnerabilities are addressed by PCI-DSS.

What is more troubling is the same noise that came out after the Hannaford breach last year. Bill Homa, their CIO at the time, first said that PCI was not hard enough (seriously?!? If it were harder, do you think there would be more adoption?), and that end-to-end encryption would have saved the day. On the surface, I disagree.

At this time, banks cannot process encrypted credit card data (PIN Debit may be the only exception). At some point during the many processes that occur in order for money to actually change hands as a result of a credit card transaction, the data must be decrypted. I’m not saying there are not opportunities to increase the security of payment data, or even take large areas of your network out of scope, but just saying that end-to-end encryption is the solution is irresponsible.

Let’s take an example that is fictitious, but only just: I have seen this somewhere in the field. Merchant A encrypts everything from the POS Controller to the back office processing. That leaves the POS Terminal to POS Controller link vulnerable, as well as the machine that does the processing to send transactions to the bank. You could not rely solely on encryption to protect you here; you would need to make sure the rest of the standard is properly enforced on those key machines.

Another example: the POS Terminal to Controller link is encrypted, but nothing past it. That leaves the controller open to attack, especially if it has access to the internet (don’t laugh… I have seen that on many occasions).
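To make the two scenarios above concrete, here is a small added model (my own example, not anything from the original post or from Heartland, Hannaford or VeriSign) that walks a payment path hop by hop and lists every link and system that still handles plaintext card data. The node names, the rule that the first node (the terminal) and the last node (the bank) always hold plaintext, and the idea of a "pass-through" node that forwards ciphertext without decrypting are all my assumptions; the third scenario, full end-to-end encryption, goes beyond the post's two examples to show that the endpoints remain exposed even then.

```python
"""Model where card data is in the clear along a payment path.

Constructed example: a hop-by-hop view of a merchant payment flow, used to
show which links and systems still handle plaintext card data when only
part of the path is encrypted.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    encrypted: bool  # True if card data is encrypted while on this link


def plaintext_exposure(path: List[Hop], passthrough: Iterable[str] = ()) -> Set[str]:
    """Return the systems and links that see plaintext card data.

    Assumptions (mine, not the post's): the first node reads the card, so it
    always holds plaintext; the last node is the bank/processor, which must
    decrypt to settle; an intermediate node holds plaintext unless it is
    listed in `passthrough`, meaning it forwards ciphertext without
    decrypting. An unencrypted link exposes the data and both of its ends.
    Links are reported as "src->dst".
    """
    if not path:
        raise ValueError("path must contain at least one hop")
    nodes = [path[0].src] + [h.dst for h in path]
    # Sanity check: each hop must start where the previous one ended.
    for prev, hop in zip(nodes, path):
        if hop.src != prev:
            raise ValueError(f"hop {hop.src}->{hop.dst} does not continue from {prev}")
    passthrough = frozenset(passthrough)
    exposed = {nodes[0], nodes[-1]}
    for hop in path:
        if not hop.encrypted:
            exposed.update({hop.src, hop.dst, f"{hop.src}->{hop.dst}"})
    for node in nodes[1:-1]:
        if node not in passthrough:
            exposed.add(node)
    return exposed


def exposed_systems(exposure: Set[str]) -> Set[str]:
    """Drop link entries, leaving only the systems that need the full set of controls."""
    return {e for e in exposure if "->" not in e}


# Scenario from the post: Merchant A encrypts controller -> back office onward only.
MERCHANT_A = [
    Hop("POS Terminal", "POS Controller", encrypted=False),
    Hop("POS Controller", "Back Office", encrypted=True),
    Hop("Back Office", "Bank", encrypted=True),
]

# Second scenario: only the terminal -> controller link is encrypted.
TERMINAL_ONLY = [
    Hop("POS Terminal", "POS Controller", encrypted=True),
    Hop("POS Controller", "Back Office", encrypted=False),
    Hop("Back Office", "Bank", encrypted=False),
]

# Full end-to-end: every link encrypted; merchant systems forward ciphertext untouched.
END_TO_END = [
    Hop("POS Terminal", "POS Controller", encrypted=True),
    Hop("POS Controller", "Back Office", encrypted=True),
    Hop("Back Office", "Bank", encrypted=True),
]

if __name__ == "__main__":
    scenarios = [
        ("Merchant A", MERCHANT_A, ()),
        ("Terminal-only", TERMINAL_ONLY, ()),
        ("End-to-end", END_TO_END, ("POS Controller", "Back Office")),
    ]
    for name, path, forwarders in scenarios:
        print(f"{name}: {sorted(plaintext_exposure(path, forwarders))}")
```

Running it prints, for Merchant A, the unencrypted terminal-to-controller link plus the controller, the back office (it decrypts to process) and the bank; for the terminal-only case, everything from the controller onward; and for the end-to-end case, only the terminal and the bank. The point is the last one: even with every link encrypted, the two endpoints still handle plaintext and need the rest of the standard applied to them.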

I understand the value of minimizing the exposure of unencrypted card data, but even with malware combing through memory, encryption alone is not something we should rely on (or that a developer should argue for when you are conducting a PCI Assessment).

We should continue to pursue end-to-end encryption solutions because it will make life for Merchants a TON easier, and will boost the overall security inside the payment process. Remember though, if you take away one vulnerability, the bad guys will find another. I predict you will see an increase in the threats against the devices themselves. More skimming devices, and more fake ATMs/PEDs are coming. That’s a management and training problem to fix (NOT a technology problem).

I stand by my original point. The standard, properly implemented, could have prevented a breach like this.

This post originally appeared on BrandenWilliams.com.
