The State of Credit Card Security [ML B-Side]

In 2005, when Albert Gonzalez was hacking his way into the networks of many retail chains in the US, credit cards were still very insecure: magnetic stripes and signed receipts did little to stop smart hackers such as Gonzalez and his crew. Sherri Davidoff talks to Nate Nelson about the past and present state of credit card security.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Sherri Davidoff

CEO of LMG Security, author of “Data Breaches.”

Sherri is the CEO of LMG Security and the author of the recently released book “Data Breaches.” As a recognized expert in cybersecurity and data breach response, Sherri has been called a “security badass” by The New York Times. She has conducted cybersecurity training for many distinguished organizations, including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more. She is a faculty member at the Pacific Coast Banking School, and an instructor for Black Hat, where she teaches her “Data Breaches” course.

Episode Transcript:

Transcription edited by Sundus Ahmed Yousuf

[Ran] Hi, and welcome back to Cybereason’s Malicious Life, I’m Ran Levi. A few weeks ago, after we released the second part of the Albert Gonzalez series, I came across this interesting tweet from one of our listeners, Omer Michaili. Omer wrote, quote, greatest hacker in the world? Soup Nazi was a lot of things, calling him that is ignorant. He wasn’t even the brightest hacker in his own circle of friends.
In reply, Sherri Davidoff, our guest in the series, wrote quote, agreed that he wasn’t super technical, but as prosecutors said, he was quote, unparalleled in that he didn’t just get a hack done, he got a hack done, he got the exfiltration of the data done, he got the laundering of the funds done. He was a five tool player, end quote. Omer later replied with a rebuttal of his own, but the reason why I mention this short conversation has nothing to do with how good of a hacker Gonzalez was.
I mean, there’s no hacker rating system that we can use to figure out who was the best hacker ever. Heck, in basketball we have real bona fide statistics, shots, misses, whatever, and my daughter and her friends still can’t agree on who was the best NBA player ever, Michael Jordan or LeBron James. But Omer’s tweet got me thinking about the relationship between a hacker and the technological environment he or she operates in. Take, for example, Kevin Mitnick, who did most of his hacking in the early 90s. The technological landscape back then was very different from our current one.
The internet, for example, was still pretty young. If we could magically transport young Mitnick to our current time, would he still be as successful as he was back then? By the way, Kevin, if you’re listening to this, I’d love to hear your thoughts about this question. In any case, in the Albert Gonzalez episodes, we focused mostly on his character, how obsessive he was and so on, but we didn’t pay much attention to the technological landscape Gonzalez was operating in, in our case, how secure or insecure were credit card transactions back in 2005 to 2007.
That will be the main focus of this B-side episode, as well as a rather important story we didn’t cover in the series itself, the attack on Heartland, which was an even bigger attack than the TJX hack. Nate Nelson and Sherri Davidoff, take it away. Enjoy!

[AD] Malicious Life is sponsored by Cybereason. There is nothing better than a live simulation, especially when you’re fighting cyber attacks that are becoming more and more complex. Defenders are always looking for the critical edge to reverse the attacker’s advantage, and it’s only through live attack simulations that you can truly see what might provide you that winning edge. Join Cybereason’s global attack simulations to watch firsthand how attackers use the latest infiltration methods and execute on sophisticated malicious operations, and more importantly, how to end these operations before they happen. Reserve your spot today at cybereason.com slash attack sim.

[Nate] Sherri, could you provide us with some context? While Albert and his crew are operating, what is going on around them?

[Sherri] At the time, there was a lot of credit and debit card fraud going on. This was becoming rampant. And there’s a reason for that that you should keep in mind throughout this entire story. The reason is that our payment card system is inherently insecure, right? So imagine you have a long number that you have to keep very, very secret because it’s the keys to the kingdom, but in order to use it, you have to give it away to lots and lots of people. Doesn’t that seem a little funny to you? So it doesn’t have to, it doesn’t take a security expert to understand that that is not a secure model for a payment system. So that is the fundamental problem throughout this entire criminal spree that we’re about to learn about. It’s not the fault of the merchants. It’s not really even Albert’s fault, although he certainly chose to take advantage of it.
There is a fundamental security weakness in this system that we are really only just starting to address fully today. So with that in mind, at the time, there’s been this huge surge of credit and debit card fraud because criminals are getting better and better at breaking into e-commerce sites, stealing that credit and debit card information. They’re getting better at breaking into networks and stealing them, and they’re figuring out how to monetize it, and sites like ShadowCrew are really creating these forums that are helping more and more criminals learn how to engage in fraud and how to monetize, how to monetize their wares when they do steal payment card numbers.

[Nate] Okay. So stealing credit card information is becoming very popular, presumably retailers, the business world knows about this. But of course, Albert and his crew in our story were still able pretty easily to break into TJX companies. So could you tell me about TJX specifically? What was their defense posture like? How much blame do we assign to them versus giving credit to Albert and his crew?

[Sherri] Such good questions. So TJX was actually pretty normal for a retailer at the time. Again, retailers were not investing a ton in cybersecurity, and cybersecurity is new. Around then, a lot of organizations were just installing their first firewall. So this is a very new thing. Now PCI DSS had also come out recently, the Payment Card Industry Data Security Standard. And this emerged because, again, there was a huge spike in payment card fraud. It was clear that this was becoming a global issue, and there were threats of legislation. There were just rumblings that maybe the government should do something about this. So the card brands at the time said, no, no, no, no, no, you don’t need to do anything about this. We can regulate ourselves, everybody. And they founded the Payment Card Industry Security Standards Council, which now manages PCI DSS. Actually, PCI DSS came out first, but that’s neither here nor there. So the Payment Card Industry Data Security Standard comes out, and it establishes standard best practices and rules for merchants in order to keep payment card information secure on their networks.
But remember, let’s back up a second. Why do we have payment card fraud to begin with? Because the system is insecure. Because you have this very long secret number, and you have to keep it really, really secret, but you also have to give it away to people. And there are better ways to do payment authentication even then, but that would require a big investment and a big system overhaul, much larger than what any merchant could invest in. And instead, the major card brands decided to push that responsibility down to the merchant. Here you go. You now have hazardous material. It’s your job to secure it. And merchants are not in the position to do that. Merchants are not security companies. A lot of them are very small businesses. They don’t have a ton of resources.
And what happens is they end up having this very valuable, sensitive information on their networks really with not enough resources to properly secure it. So you can see how this all played out at the time. Remember, it could have been any party in the system that ended up being responsible. It could have been the banks, and in fact, it was in some cases. It could have been the merchants that took responsibility for payment card security. It could have been the card brands that took responsibility for payment card security.
But ultimately, the brunt of that responsibility fell to the merchants to secure these payment card numbers. I think of payment card numbers and any sensitive information as hazardous material, kind of like nuclear waste, things like that. So you have this hazardous material on the networks of all these retailers around the country. And again, they don’t really have a whole lot of experience or resources for properly controlling it. Nowadays, we see things like Apple Pay and other mobile payment systems that include tokenization.
And when you pay using Apple Pay, again, as an example, you never give your number to the merchant at all. The merchant never has to have your credit card number. And so we can’t get stolen from their network. And that is the way this whole system could have been architected, which would have made it impossible for criminals to steal these sensitive card numbers from the merchant’s networks. But it took a long time for us to get that technology rolled out. Can I tell you a little bit more about TJX?

[Nate] Yeah, yeah, go ahead.

[Sherri] Okay, so TJX, on the other hand, was not the most responsible organization at the time. Reportedly, they had violated nine of the 12 PCI controls, which is not great. They were storing PINs, track 2 data, which was a violation of PCI policies. And obviously, they had big problems in their network. They were using weak wireless security. They didn’t notice that hackers were undetected in their network for 18 months. They didn’t notice when 80 gigabytes of data was stolen, 94 million card numbers. But perhaps the thing that put them most at risk was that they were storing huge volumes of unnecessary personal information, something that was specifically called out as a problem by the Canadian government. So let this be a lesson to all of us that we can reduce our risk by storing less sensitive information, store less of that hazardous material.

[Nate] So there is a major, major part of this story that we’re not even going to be able to get to cover in the miniseries. Sherri, could you tell us about what happened after TJX when Albert and his crew were able to get more advanced and achieve an even greater data breach?

[Sherri] Yeah, let me tell you the next piece, because remember, it all flows together. So now it’s around 2007, and he’s bored at the Secret Service. He’s not showing up on time. They’re talking about HR issues. They’re thinking of letting him go. At the same time, SQL injection is the big rage. So SQL injection attacks are flaws in websites that allow hackers to gain access through the web application and send commands into a backend database and manipulate that backend database so that it returns things that the programmers did not intend. So Albert encourages his cohorts to experiment with SQL injection. And remember, he himself is not super technically advanced, but he’s putting all the pieces together. So he encourages his gang to try out SQL injections, see where they can make it work.
And in that process, they end up hacking the store Forever 21. Albert’s friend Patrick Toey was the one in particular that broke into Forever 21. They also were really interested in point of sale systems. And this is where Albert’s brilliance came in. Again, he wanted fresh card numbers, and he thought, where do I get this from? I want to get them from the point of sale systems themselves. So he took Toey to stores around Miami. They would look at point of sale systems, figure out the brands that different retailers were using. In one case, one of his colleagues actually disconnected a point of sale system from a retailer and brought it back for them to examine. He would get logins and passwords from other criminals online who had stolen them from point of sale manufacturers. So taking all this information together, he was able ultimately to go straight to the point of sale servers when he broke into a retailer. So he’d get into a retailer, he had usernames and passwords for point of sale systems like the default passwords, and he would go straight into those servers so he could pull those fresh numbers off the systems.

[Ran] In the next part of the interview, Nate and Sherri dive deeper into the more technical aspects of credit card security mechanisms, so I figured this would be a good time to pause the discussion and provide you with some background and context. Back in the early 1990s, credit cards were processed in one of two ways. The first, using a mechanical device to imprint the actual numbers and text of the card on an actual piece of paper.
This method is mostly obsolete nowadays. The second method is an electronic device that reads the information stored on a magnetic strip on the back of the card, and this method is still being used today, but it is very insecure because there is no easy way to confirm the identity of the card holder. That is, to verify that the person holding the card is indeed the person who owns the card.
Technically, the shopper is required to sign a receipt and the seller is required to store that signed receipt as proof that the client was physically present at the store at the time of the transaction. But this is and was a big hassle for everyone and ultimately didn’t prevent fraud. As Albert Gonzalez and his crew proved, it was very easy to copy the credit card information to a blank card and use the cloned credit card to steal tons of money. Modern credit cards use a standard called EMV, named after Europay, MasterCard and Visa, who developed it. An EMV card, or smart card, has an embedded chip that can be read by a terminal equipped with a special connector, or even wirelessly, using NFC technology. The information on the chip is encrypted and cannot be so easily cloned as the magnetic strip was. The chip also performs some crucial offline security checks, such as comparing a four-digit PIN, personal identification number, entered by the user to a number stored on the chip.
This way, cloning a card, or using a stolen one, becomes much more difficult. And indeed, card-present frauds, frauds where the attacker is physically present at the store during the transaction, have declined by up to 80% in the past 10 years or so. Still, the EMV standard does have its shortcomings, as we shall hear shortly.

[Sherri] So that’s where we get into Heartland. Now in the case of Heartland, Albert and his colleagues initially broke in with a SQL injection attack, and this was actually done in conjunction with two friends of his that were Eastern European criminals. So they broke in, they gained persistence, they installed a back door, and then he used techniques that were similar to what he’d been using for years. They installed that sniffer software on the network. What made Heartland different was that they were a payment processor. They were not a retailer.
And again, here’s where Albert’s brilliance comes in. He says, I’m tired of just going to the end points. I want to get to the arteries of the payment processing system and steal card numbers from there. So he breaks into Heartland, which is the fifth largest merchant acquirer in the United States at the time. They received credit card numbers from 200,000 merchants. In 2008, they did 66.9 billion transactions.

[Nate] And even with all that, they didn’t have good security?

[Sherri] They were pretty security advanced for the time. They were PCI compliant. They were doing what they could to keep a secure network. But once Albert was in, he was in. He was sniffing credit card numbers off that network. They weren’t even in there that long and got 130 million credit card numbers.

[Nate] OK. So how did Heartland’s response once they figured out what Albert and his crew had done differ from TJX’s?

[Sherri] I mean, honestly, Nate, they’re very different organizations. So TJX is a retailer. And what made the TJX breach a landmark case was that it really sorted out the liability issues involved in credit card fraud. So there were a lot of lawsuits coming out of TJX. You saw their lack of PCI compliance being used in court for what I believe was the first time that was being used to demonstrate their negligence. Ultimately, in TJX, there was a settlement. And the retailer, TJX, paid the issuing banks some millions of dollars to compensate for some of their losses. So it certainly didn’t cover by any stretch of the imagination all of the fraud.
But here you have an important precedent where the merchant is held liable. In the case of Heartland, we have a very different scenario. Heartland was actually PCI compliant at the time that the break-in occurred. And they had invested very heavily in security. Visa came out after the fact and said, oh, Heartland, you were retroactively not compliant because if you were compliant, you wouldn’t have been hacked. And so that really caused a big backlash in the security community. People were like, well, what’s the point of PCI compliance if you can be retroactively noncompliant?
But I really respect Heartland’s response to their breach. The CEO at the time, Bob Carr, really took it to heart. They wanted something like this. They wanted to make the entire system more secure. So they analyzed the hack and how it occurred and realized a big part of what made it possible for Albert’s gang to steal those card numbers was the fact that card numbers were not encrypted as they went across the network.
And in fact, at the time, the card brands were not really supporting encryption from end to end, all the way from the point of sale network to transmission to the card brands. Heartland really pioneered this process. So they created the Heartland E3 encrypting payment device. And this encrypted your card data using a hardware TPM chip. So that meant that the card numbers couldn’t be sniffed out of the memory of the point of sale system. They couldn’t be sniffed as they were transmitted across the network, either the merchant’s network or Heartland’s network. And then they rolled out the Heartland secure point of sale systems, which included their encryption process, also EMV, known as the chip, and tokenization where your card number is replaced.
So this is a super, super secure point of sale device. They believed in it so much that they also offered a merchant breach warranty, which meant that if a merchant was hacked and card numbers were stolen and they were using the Heartland E3 encrypting payment device, that Heartland would actually reimburse them for any fees or fines that were assessed. They believed in their product so much. But unfortunately, it was a little ahead of its time. There was no requirement for merchants to upgrade to these point of sale systems. A lot of merchants just didn’t see the ROI on security. And so there was not widespread adoption of encryption or tokenization.

[Nate] You know that honestly kind of sounds more advanced than the stuff we’ve got going on today.

[Sherri] The Heartland E3 encrypting payment device is better and more advanced than what we see today in a lot of cases. And that’s because eventually after the Target breach happened, we saw card brands requiring the use of chip and PIN, EMV. That is, you put a smart chip in a point-of-sale system, and it helps to prevent your card number from being copied because instead of using that magnetic stripe that’s easy to copy, you’re using a chip. The problem is that chip and PIN does not require encryption across the network. It does not require tokenization, but it does make money for the card brands because the card brands have a patent on that, on EMV. They are owners in a company called EMVCo LLC, which patented the chip around 1999, the late nineties. And so when they required the chip, what most people didn’t realize was that they were also creating a whole new avenue for card brands to profit off of insecurity.

[Nate] So what’s the bottom line then? What can we take away from Albert’s story about the inherent security or rather insecurity of the credit card system?

[Sherri] It’s important to understand that the payment card system is inherently insecure. If it hadn’t been Albert stealing these card numbers, it absolutely would have been someone else. You have a long secret number that you have to give away to lots and lots of people in order to use it. So we can do better. We can build systems that are fundamentally secure, but we need to be aware of the insecurities and question why these hacks are happening and stop putting band-aids on to address the symptoms. We need to address the underlying, the fundamental security flaws.