Saturday, February 28, 2009

Hacked! Is Visa Next?



In an article scheduled for  next months Bank Technology News, Rebecca Sausner talks about the call and the need for systematic reform in the payments industry.  The main theme of the article is to adopt an End (Beginning) to End Encryption standard. 

One of the more eye-opening quotes comes from Avivah Litan, distinguished analyst from Gartner, who asks "How much worse can it get than a top 10 processor being breached? Visa's next."

Let me remind you Avivah Litan predicted that hackers would target the payment acquirers/processors months ago.  I believe it was shortly after the Hannaford breach. 

Now, with 3 processor/acquirer breaches in 3 months, it appears she's the Nostradamus of the financial transaction world.  So when one of her "quatrains" predict that "Visa's next"...I, for one, wouldn't write that off as being overly cautious (or pessimistic).  HomeATM CEO, Ken Mages, (who's also a "see-er) saw the same writing on the wall years ago.  Difference is, he's was in a position to, (and has already done) something about it.  Ms. Litan states that Visa needs to start seeing the same thing...or they're next. 

One of the reason's HomeATM employed End to End Encryption back in January 2007, is because Ken Mages understood that without beginning to end encryption, data is ripe for the picking. 

That's why HomeATM is the "only" (to our knowledge) processor who instantaneously encrypts the data at the point of sale (during the swipe) while it's inside our personal swiping device.  Amusingly, ironically and paradoxically, it's was his "outside the box" thinking that made him realize that encryption needs to be done "inside the box."

One of the biggest challenges HomeATM faces is overcoming the "hurdles" involved with trying to convince industry "insiders" that in order to truly secure a transaction, a hardware device is not optional,  it's necessary.  These latest breaches should make "overcoming those hurdles" a lot easier.  New Information always = New Decision(s).

One of the things we do have going for us in this "perfect storm," is that as unfortunate as these 3 processing/acquirer breaches in 3 months were, they are helping us in driving our message home. Articles like the one below don't hurt either.
These breaches should actually assist HomeATM in overcoming these hurdles... in fact, our technique(s) to securing transactions can hurdle HomeATM towards becoming an "Edwin Moses" like talent  

Speaking of Moses...they (the breaches) may even help part the read/see and get HomeATM to the promised land sooner. (Editor's Note: Edwin Moses overcame hurdles {for 122 straight wins} during a 9 year, 9 month and 9 day "run." 

I find it heartening that HomeATM's approach to securing/encrypting data for transaction's (since 1/2007) also involved a 9/9/9...99.9 Sigma. 

Like Edwin Moses, we WILL win. (with PIN)  The hackers don't hurt by "running" right through a processor's so-called security protocols.Here's an excerpt from the article:

Heartland's Lonely Quest For Reform
Bank Technology News | March 2009

By Rebecca Sausner

Heartland Payment Systems CEO Robert Carr has likened his company's massive data breach to the Tylenol moment when product contamination led to an overhaul in packaging safety. It's likely Carr has had a few Tylenol moments himself in the past couple of months as he dealt with perhaps the largest data breach ever, though the actual number of cards compromised is undisclosed.

Now Carr is using his standing in the industry - he founded Heartland and enjoys healthy respect among processors - to call for industry-wide reform of payments technology and information sharing about exploits to prevent criminals from successfully deploying the same hack on multiple targets.

Lots of industry players agree with his stance, but there's been scant input thus far from the industry's most influential parties: including titans such as MasterCard, Discover and Visa, which are mostly mum on the subject.

"Our concern is that an underlying principal of PCI compliance is that data can be held in its native form - unencrypted - as long as it is properly protected within a corporate firewall," says Bob Baldwin, CFO of Heartland.  Corporate firewalls are only as strong as their weakest link. "What we're trying to do in end-to-end encryption is have the data always remain in its encrypted form from the moment of the swipe to the moment it gets to the association."  (Editor's Note: that's going to be the biggest challenge as that will require the ecosystem of the payments landscape to be rebuilt)
It's easy to make a case that the Heartland breach should be a louder call for industrywide action than Hannaford or TJX.  The company is one of the leading processors, moving 11 million transactions each day, and was known to have invested heavily in its security. And, it had passed its latest PCI audit.


"I think it's more serious, how much worse can it get than a top 10 processor?" says Avivah Litan, Gartner vp. "Plus, it's a much bigger target. Visa's next."

Litan's in agreement with Carr that now's the time for the industry to pony up for end-to-end encryption. Some POS terminals can already encrypt data,

(Editor's Encryption Note 1
: Our PIN Entry Device was manufactured from "beginning to end" to do so)
processors can encrypt data while it's in their environment, (Editor's Encryption Note 2:  HomeATM not only "can" but DOES) and issuers could "theoretically" accept encrypted data and decrypt it in their environment.

Editor's Encryption Note 3:  That's the beauty of our PIN approach...it's not theoretical, it's reality.  PIN's remain encrypted all the way through the process...and not only is a KEY required by the processor to un-encrypt it, but HomeATM uses DUKPT (DuckPut)  which creates a "UNIQUE" key for every transaction.  In the extremely unlikely event "one key" is somehow obtained, only one transaction is put at risk because there's a new key for the next one.

For those interested, here's a quickie lesson.  Others, scroll down, my rant continues...


In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derivedfrom a fixed key. Therefore, if a derived key is compromised, futureand past transaction data are still protected since the next or priorkeys cannot be determined easily. DUKPT is specified in ANSI X9.24 part 1.

DUKPT allows the processing of the encryption to be moved away fromthe devices that hold the shared secret. The encryption is done with a derivedkey, which is not re-used after the transaction. DUKPT is used toencrypt electronic commerce transactions. While it can be used toprotect information between two companies or banks, it is typicallyused to encrypt PIN information acquired by Point-Of-Sale (POS) devices.

DUKPT is not itself an encryption standard; rather it is a key management technique. The features of the DUKPT scheme are:
  • enable both originating and receiving parties to be in agreement as to the key being used for a given transaction,
  • each transaction will have a distinct key from all other transactions, except by coincidence,
  • if a present key is compromised, past and future keys (and thus thetransactional data encrypted under them) remain uncompromised,
  • each device generates a different key sequence,
  • originators and receivers of encrypted messages do not have to perform an interactive key-agreement protocol beforehand.
The problem is without an agreed-upon standard - though triple DES would likely work - (Editor's Encryption Note 4:  HomeATM uses triple 3DES) there are "air gaps" between each of the players that even PCI doesn't address.


Still, it'd likely be worth the trouble.

Editor's Encryption Note 5:  It WAS worth the trouble, in fact that isn't what troubled us...what's  troubling is that it seems like it's taking forever getting other's (payment industry pro's) to understand what it written in this article...(maybe because it's written in "clear text.")

What we we need is an Edwin Moses approach to overcoming the hurdles involved with "parting that read/see" and getting industry insiders to "read" further into the risks mitigated by PIN and "see" what Avivah Litan see's...)


"I would say the cost of putting end-to-end encryption in place would be lower than the all the PCI security costs and the breaches," Litan says.

Editor's Encryption Note 6:  Ya think?  Now if we can only get "DUH!" so-called industry experts/insiders to see it that way...)  About the only thing HomeATM puts out there in "clear text" is that a "PIN Based 3DES DUKPT Encryption is the most secure way to process a transaction.  Beginning to End Encryption. 

Want to learn more about our Tales from Encrypt?  Contact us.
and we'll tell you all about it...from Beginning to End!


Continue Reading at Bank Technology News



Reblog this post [with Zemanta]

Visa: New Payment Processor Breach Not New

The new processor breach that has had everyone speculating over the past 2 weeks... is "not new" according to Visa. 

Everyone else's (100,000,000 plus cards) card information has not been kept a secret, yet the "identity" of the processor who let the hacking world into theirs HAS been.   Visa has already publicly stated that  this "new" breach was "unrelated to the Heartland breach," so that leaves only one processor in the running.  RBS Worldpay.  Developing...

Here's the story from ComputerWorld.com

Visa: New payment-processor data breach not so new after all
February 27, 2009 (Computerworld) Days after Visa Inc. seemingly confirmed that a data breach had taken place at a third payment processor, following on the recent breach disclosures by Heartland Payment Systems Inc. and RBS WorldPay Inc., the credit card company is now saying that there was no new security incident after all.

In actuality, Visa said in a statement issued today, alerts that it recently sent to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor did it say why it is continuing to keep the name under wraps.

Visa said that it had sent lists of credit and debit card numbers found to have been compromised to financial institutions "so they can take steps to protect consumers." The company added that it currently "is risk-scoring all transactions in real time, helping card issuers better distinguish fraudulent transactions from legitimate ones."

Visa's latest statement follows ones that both it and MasterCard International Inc. issued earlier this week in response to questions about breach notices that had been posted by several credit unions and banking associations. The notices made it clear that they weren't referring to the system intrusion disclosed by Heartland on Jan. 20 and suggested that a new breach had occurred.

Visa's initial statement and the one from MasterCard were both carefully worded; neither said specifically that the breach being referred to was a new one, but they also didn't say that it was a previously disclosed incident. Visa said it was "aware that a processor has experienced a compromise of payment card account information from its systems," while MasterCard said it had notified card issuers of a "potential security breach" affecting a payment processor in the U.S.

MasterCard officials didn't respond today to requests seeking clarification on whether its statement referred to a previous breach or a new one.

Benson Bolling, vice president of lending at the Alabama Credit Union in Tuscaloosa, said today that officials there had understood the breach to be a new one based on the alerts sent out by Visa — but couldn't say that for sure. According to Bolling, the credit union, which posted an advisory on Feb. 17 and updated it two days later, was informed by Visa of a "big breach" shortly after getting the word about the intrusion at Heartland.

The identifying number that was used in the so-called Compromised Account Management System alert issued by Visa appeared to suggest a new breach, because it was different from those used in previous CAMS notices, Bolling said. It was his understanding, he added, that CAMS alerts related to a previous breach would use the same identifier as the original notifications...

continue reading at ComputerWorld.com


Disqus for ePayment News