Tag Archives: Criminal law

Malware Inside the Credit Card Machine


(Update, July 2009: A BusinessWeek article puts the company’s side; maybe I was a little too harsh on them in this post.)

This gives you an idea of how bad malware is getting, and how much we’re underestimating it: a U.S. company that processes credit card transactions has just revealed that malware inside its computers may have stolen the details of more than 100 million credit card transactions. That would make it the biggest breach in history.

Heartland Payment Systems, the fifth-largest U.S. processor in terms of volume, began receiving reports of fraudulent activity late last year. But it took until last week to find the source of the breach: “A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients,” according to Brian Krebs of The Washington Post.

Revealed were credit/debit card numbers, expiry dates and names of customers of some, or all, of more than a quarter of a million retail outlets. Bad guys could make fake cards based on this data, but they probably couldn’t use it to buy stuff online, the company said. (At least one observer has characterized this as garbage, opining that a lot of eCommerce merchants turn off their Address Verification System because of errors, and fears of losing the customer.)

That it took so long is pretty extraordinary in itself—these are, after all, the company’s own computers. We’re not talking about investigators having to track down malware on one of its customers’ computers, or somewhere in between. But that’s not all that’s remarkable: It looks like the certification that these kinds of operations rely on, the Payment Card Industry Data Security Standard, or PCI DSS, was issued last April (here’s the proof; certificates are valid for a year). This suggests, according to Digital Transaction News, that the bad guys have found a way around the industry standard level of protection.

Also remarkable is this: The company chose to release the news on Inauguration Day, a fact that has rightly prompted accusations that the company is burying the news. The company has played down the seriousness of the breach, saying that not enough information was revealed about individual cards for identity theft to be an issue, while at the same time suggesting that it’s part of a wider “cyber fraud operation.” I’m not sure it can have it both ways.

The company has set up a website for concerned individuals at 2008breach.com. (Note the cute use of last year to make it seem like something of historical interest only—or maybe 2009breach.com was already taken? That doesn’t seem to have stopped worried customers trying to log on; as of writing the website, and those of the company, are down—possibly because of visitor traffic.)

Apart from the insubstantial response of HPS itself, it’s worth pointing out that this kind of attack is not new. CardSystems, another processor, was breached in 2005—apparently via malware which grabbed data it was storing (rather than processing).

I was kinda skeptical back then of the way it was handled—the company itself delayed release of the information for a month. More digging suggested that the information had been available far longer. It was perhaps understandably coy, given these things never end prettily: Within a few months what was left of CardSystems was acquired by Pay By Touch, also known as Solidus Networks, just in time for it to be slapped down by the FTC. Pay By Touch itself closed down last year and its website is no longer active.

What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed—so while CardSystems was clearly in breach of the rules by storing data, HPS is arguing that it’s not.

But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it—or something—was known to be there. But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved.

The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.

Image: Screenshot of the inaccessible 2008breach.com website.

Playing the Software Pirates at Their Own Game

In the last post I prattled on about how Microsoft et al didn’t get it when it comes to dealing with piracy. So what should they do?

I don’t know what the answer is, but I’d like to see a more creative approach. After all, these pirates have an extraordinary delivery mechanism that is much more efficient than anything else I’ve seen. Why not try an experiment whereby a user who buys counterfeit software, either knowingly or unknowingly, has a six-month grace period in which to ‘activate’ a legitimate version? This could be done online by a key download and a credit card. No big software downloads — prohibitive in a country where Internet speeds are glacial — and no shipping (time-consuming, and often not possible from most suppliers). Instead, a downloaded widget would scour the program the user wants to ‘activate’, check its version and integrity (I’m not talking values here, I’m talking software) and install whatever patches are necessary (hopefully without the need for a full upload). After that, the software is legit.

Software vendors would argue that this encourages piracy. I would argue: if the user can’t buy a legitimate version of your software in the country they live in, either online or offline, should they just not use your software? Or

Secondly, I would argue that this approach is not far removed from the shareware try-before-you-buy approach whereby users get to play with software for free for 30 days or so before buying. Of course, if they want to, the user could just not pay and continue using the software. But I suspect that they weren’t the kind of customer who was going to pay anyway, so you can hardly count them as lost business.

Lastly, it may be possible to use this approach to disrupt the economics of the pirate software network by embracing the shareware model. Instead of restricting distribution of your product, you flood the market with shareware versions of your software, allowing users a grace period in which to try out the software. If users can find trial copies of OneNote or Photoshop or whatever free in every computer shop they visit, why would they bother buying a dodgy pirate copy that may or may not work? Sure, the free version needs paying for at some point, but that’s the point. The piracy market exists in part because people don’t have access to legitimate software — certainly not the range of legitimate software — in these places.

OK, that’s not always true. There will always be pirates, and there will always be people who buy from pirates, even if the legitimate software is available next door. But I suspect a lot of people who buy pirate software buy it to experiment, to try out software. Indeed, someone living in a place like Indonesia is likely to be familiar with many more software programs than someone living in a non-pirate-infested country. It’s not that these people want this software desperately, nor that they would buy it all full price if they had to. They buy it because the price is so low, they may as well buy it and try it. Do they keep it installed? In most cases, probably not. But the calculation for Microsoft et al should be: How many of these people would buy this software if, after trying it, they liked it?

Finding the answer to that question will give you an idea of the real losses Microsoft and co are incurring in lost business. It should also make them realise that not doing a decent job of making their software readily available in a place like Indonesia — at a price that reflects the purchasing power of the local consumer — is creating this highly efficient, but highly parasitical economy in pirated software. If they can reach their customers through that economy, or bypass it with widely available shareware versions of their programs — then they may stand a chance.

The Big Ring

Good piece today by my WSJ colleague Cassell Bryan-Low on the Douglas Havard case which I mentioned a week or so back: As Identity Theft Moves Online, Crime Rings Mimic Big Business (subscription only, I suspect):

Most identity theft still occurs offline, through stolen cards or rings of rogue waiters and shop clerks in cahoots with credit-card forgers. But as Carderplanet shows, the Web offers criminals more efficient tools to harvest personal data and to communicate easily with large groups on multiple continents. The big change behind the expansion of identity theft, law-enforcement agencies say, is the growth of online scams.

Police are finding well-run, hierarchical groups that are structured like businesses. With names such as Carderplanet, Darkprofits and Shadowcrew, these sites act as online bazaars for stolen personal information. The sites are often password-protected and ask new members to prove their criminal credentials by offering samples of stolen data.

Shadowcrew members stole more than $4 million between August 2002 and October 2004, according to an indictment of 19 of the site’s members returned last October by a federal grand jury in Newark, N.J. The organization comprised some 4,000 members who traded at least 1.5 million stolen credit-card numbers, the indictment says.

The organizations often are dominated by Eastern European and Russian members. With their abundance of technical skills and dearth of jobs, police say, those countries provide a rich breeding ground for identity thieves. One of Carderplanet’s founders was an accomplished Ukrainian hacker who went by the online alias “Script,” a law-enforcement official says. As with many of its peers, the Carderplanet site was mainly in Russian but had a dedicated forum for English speakers.

Well worth a read as it details how Havard’s UK operation worked.

Update: Another Blaster Suspect Arrested

Another Blaster suspect has been arrested. Prosecutors refused to release any information about the suspect, not even the youth’s gender or home state, AP reported. The variant the juvenile allegedly created was known as “RPCSDBOT.”

No one yet knows who created the main version. Collectively, different versions of the virus-like worm, alternately called “LovSan” or “Blaster,” hit more than a million computers. It’s interesting the two detainees both appear to be Americans. But it doesn’t mean the author of the original was, nor does it mean their motives were the same.