
Picking Apart The Hannaford Breach- What Might Have Happened

There goes another one.

According to multiple sources, the Hannaford Brothers grocery chain suffered a major breach, with 4.2 million credit and debit cards exposed. Hannaford has published an FAQ for its customers. Odds are it will be months until we find out what really happened, but I'm going to speculate anyway, pick apart the press coverage and the FAQ, and see if we can learn something from this now.

As usual, the information released is incomplete and contradictory.

PORTLAND, Maine (AP) - A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday. Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed. The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

This is interesting: unlike many breaches, there is a direct tie to fraud. That usually means the fraud was spotted on the issuer side and traced back to a common point of purchase, which matches what the FAQ says below. As a researcher it's always helpful to be able to tie a breach to actual criminal use of the data. It does, of course, suck for the victims, but as long as it's credit card fraud they are protected by the issuers' liability limits; debit card holders have weaker protection and should watch their accounts more closely.

Since the data was stolen during the authorization process, and the breach spans hundreds of stores, the compromise has to be at a point all those stores share: the central authorization system or the link to the card processor. That could be as simple as sniffing unencrypted authorization traffic on the internal network, or a more complex compromise of a database or the authorization application itself. My money is 70% on sniffing, 30% on something in the database.

No personal data such as names, addresses or telephone numbers were divulged - just account numbers.

This can’t be true. Without names, the card numbers are unusable.

Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough. “We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”

If Hannaford really doesn't store cardholder data, the attacker had to capture it in flight, which reinforces the network-breach-plus-sniffer theory (assuming the statement is true). How was the network breached? It could be any one of hundreds of ways; targeted phishing and remote compromise of the central network are the common ones. Anything more is pure speculation at this point.

The company urged its customers to monitor their credit and debit cards for unusual transactions and report any problems to authorities.

Telling customers to watch their statements is not enough: the card issuers should reissue the affected cards and eliminate the exposure outright. Asking cardholders to catch the fraud themselves is irresponsible. On the other hand, since only card numbers were lost, there is no need for identity theft protection services.

Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said. “I had expected there would be more than we’ve heard of,” Walker said. “But it’s still too early for us to tell.”

Strange. I consider 1,800 cases a large number for "only a few" banks to have noticed. Perhaps the fraud was committed within Hannaford's own systems, or the statement is simply wrong.

The FAQ gives us a little more information and narrows things down.

What happened? Hannaford announced containment of a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. This data was illegally accessed from Hannaford's computer systems during the card verification transmission process in transactions. Further, Hannaford is cooperating with credit and debit card issuers to ensure those customers who may be affected by the theft are protected.

Slightly muddled, shifting between "computer network" and "computer systems" as the point of access, but I don't expect everyone to be as picky about those distinctions as we are. I suspect the last sentence means the issuers have fraud alerts in place, and that cards are being reissued to some extent.

When did you discover the intrusion? Hannaford was first made aware of suspicious credit card activity on Feb. 27, and immediately initiated a comprehensive investigation with the assistance of leading computer security experts

Bingo. Hannaford didn't detect this itself; the banks or card brands noticed the fraud and brought it to them.

Is it safe to continue shopping in your stores? We have continually devoted significant round-the-clock resources to ensure Hannaford has comprehensive data security systems in place. For example, our security measures meet industry compliance standards and many go above and beyond what is required by industry standards.

In other words, PCI is worthless.

In conclusion, this looks like some sort of network breach (anything from phishing and malware, to a pivot from a compromised retail location, to a full network intrusion), most likely followed by a sniffer, since Hannaford says it doesn't keep card data (again, assuming the statements are true). The fraud was detected by the banks or card brands, not by Hannaford, and it then took 12 days (Feb. 27 to March 10) to contain, after the data had been leaking for almost three months (since Dec. 7). Not great, and indicative of either some sophistication on the attacker's part or a lack of it on Hannaford's.

How to prevent this?

We won't know until more information is out. One caveat: a company that ships card numbers around in the clear shouldn't be PCI compliant, which argues against my sniffing theory. Then again, PCI DSS requirement 4.1 only demands strong encryption across open, public networks, so cleartext authorization traffic on an internal LAN would not by itself fail an assessment. I'm still laying odds on sniffing, and if that's what happened, the fix is encrypting cardholder data in transit end to end, from the POS to the processor, so a sniffer on any intermediate segment sees nothing usable.
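To make the sniffing theory concrete, here is a small scanner, added as an example for this post and not something from Hannaford or the original article, that looks for cleartext primary account numbers in a captured buffer. It is the same search an attacker's sniffer would run on unencrypted authorization traffic, and it is the check a retailer can run on its own packet captures (or on flat files) to find out whether card numbers are crossing the wire unprotected. The sample record is constructed; its field names are made up and not any real processor's message format, and the card numbers are the industry's published test numbers.

```python
"""
Scan a buffer (a reassembled TCP payload, a log line, or a flat file) for
cleartext primary account numbers (PANs). Candidates are 13-19 digit runs,
filtered with the Luhn check so timestamps, amounts and reference numbers
drop out. Hits are reported masked so the scanner does not itself become a
second copy of the cardholder data.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check: every real PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (offset, digits) for every Luhn-valid candidate in text, in order of appearance."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits


def scan_bytes(data: bytes) -> List[Tuple[int, str]]:
    """Scan raw bytes (e.g. a sniffed payload) and report masked hits with their byte offsets."""
    text = data.decode("latin-1")           # one byte per char, so offsets stay byte offsets
    return [(off, mask_pan(digits)) for off, digits in find_pans(text)]


# Constructed sample: a made-up, unencrypted authorization record of the kind a
# sniffer on the store-to-HQ or HQ-to-processor link would see. The field names
# are illustrative only; the card numbers are published industry test numbers.
SAMPLE_AUTH = (
    b"STAN=000123 MTI=0100 TS=20080307134501\r\n"        # 14-digit timestamp: fails Luhn
    b"PAN=4111111111111111 EXP=0912 AMT=000004599\r\n"   # Visa test PAN in the clear
    b"TRACK2=378282246310005=1003101\r\n"                # Amex test PAN inside track-2 data
    b"REF=4111111111111112\r\n"                          # 16 digits but fails Luhn: ignored
)

if __name__ == "__main__":
    for offset, masked in scan_bytes(SAMPLE_AUTH):
        print(f"cleartext PAN at byte {offset}: {masked}")
```

Run against a real capture, a hit on any segment between the register and the processor means encryption is missing exactly where an attacker with network access would sit. The Luhn filter is what keeps the false-positive rate tolerable on transaction logs full of timestamps and reference numbers, which is also why an attacker's sniffer uses it.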


—Rich


Comments:


By Mike  on  03/17  at  11:47 PM

Agreed, PCI is basically worthless. I've seen retailers (not this one) store credit card transactions in a temporary daily flat file in unencrypted plaintext. This file is stored on a local server for a period of time of up to 48 hours before the entire file is processed and sent to the appropriate credit card processor (albeit over an encrypted connection). I believe that because of the semi-temporary nature of the file, by the letter of the law/standard, they were considered "PCI compliant."

To be fair they did go above and beyond monitoring that particular server in a variety of ways, but that doesn't change the fact that anyone with access to that single point of failure basically had the keys to the kingdom.

By Tom Mahoney  on  03/17  at  11:50 PM

A great analysis - but I disagree on one point.

You said:

No personal data such as names, addresses or telephone numbers were divulged - just account numbers.
——
This can’t be true. Without names, the card numbers are unusable.

You'd be partially correct if you said that they could not be used successfully. In a CNP transaction, the bad guys could certainly attempt to use just the number and expire date. You're "partially correct" in that there are still a large number of on-line merchants that don't verify the CVV2 and we all know that AVS is essentially broken. This being the case, I see no reason why a certain percentage of the accounts could not be used - especially against CNP merchants.

Tom Mahoney, Director
Merchant911.org

By Leprechaun  on  03/18  at  12:44 AM

There is one point where the data might not be encrypted and it isn't the retailer's fault. I know of several retailers whose acquiring bank cannot process the transactions transmitted to them unless they are decrypted. These companies cannot understand why they are required to keep the data encrypted at all possible points, but they have to decrypt it to send it over the frame network to the acquirer. (This is not the transaction processing stage, but the later reconciliation stage between HQ and the bank.)

By Jim Troutman  on  03/18  at  12:50 AM

I don't think PCI is worthless. It is better than no standard at all. It does have flaws, but it is a good starting point. Achieving compliance is hard work, and you have to do it on an everyday basis, and this is where companies fail. It is easy to be PCI compliant on a certain day, or even for a week, but hard in the long term (log monitoring, adds/moves/changes, staffing to continue to audit and test changes, etc.).

Mike: I can't imagine anyone passing a PCI audit if they stored PANs in any sort of unencrypted fashion, no matter how ephemeral. Data MUST be encrypted "at rest" (on disk) and encrypted "in motion" (over the network). It is not optional for PCI DSS.

By Tom Mahoney  on  03/18  at  01:13 AM

Leprechaun;

I would agree that it isn't the retailer's fault if decryption is done in transit during the reconciliation, but I'd be willing to bet that the card company would still hold the retailer responsible. As I understand it, retailers are held jointly liable if PCI compliance is broken anywhere in the chain. That culpability might not result in sanctions for a given incident, but would probably be looked at as part of the retailer's overall compliance record.

Tom Mahoney, Director
Merchant911.org

By Scott K  on  03/18  at  06:33 AM

Often with PCI it's a question and answer checkbox race...

Consultant:  Do you encrypt the data at rest? 
Client:  Yes
Consultant:  Check!

Consultant:  Do you encrypt the data in motion?
Client:  Yes
Consultant:  Check!

Even if this is not the case with some auditors/consultants and they actually ask to see proof, proof is not that hard to provide in a one-time case. As Jim Troutman said, "It is easy to be PCI compliant on a certain day, or even for a week, but hard in the long term."

By PCI Blog - Compliance Demystified » Blog Arc  on  03/18  at  11:38 AM

[...] Mogull says that personal data such as names and addresses must have been present and compromised because [...]

By Mike  on  03/18  at  11:45 AM

http://pcianswers.com/2008/03/18/hannaford-data-breach-and-pci/

By Allen Baranov  on  03/18  at  05:32 PM

@Mike

I just took a look at the PCI standard and it says that at the very least the "card number" must be made unreadable wherever it is "at rest". It doesn't state a time limit or excuse data that is at rest for a short amount of time and I would imagine that trying to prove that a temporary file that is around for 48 hours is not "at rest" would be very difficult to do whereas data in a network card's cache (or such) for a few seconds would be easier to prove.

I think though that the PCI standard does fall apart in the restrictions on data in transit. Data in transit needs to be encrypted only on networks that are "easy and common for a hacker to intercept, modify, and divert data while in transit" which pretty. It goes on to detail what these networks are and an internal ethernet network is excluded.

Considering the amount of bots in the world today it may be time for the PCI guys to reconsider what type of network is at risk from a hacker, especially if ,as Hannaford claims, they were PCI compliant as per the current PCI standard.

By Rani  on  03/18  at  08:26 PM

Good analysis Rich. We've been looking at this and drew many of the same conclusions. The piece of info that stands out is the bit about CC numbers being breached but not personal details. I read elsewhere that PIN numbers were also breached, though I'm not sure. In that case the fraud could have been committed using duplicate CCs for withdrawals from ATMs.

Because of this partial info, it seems unlikely that this is a straight database breach, and also unlikely that it was some kind of "man in the middle" attack on network communications between Hannaford and their CC processor (and these communications are always encrypted).

Regarding how it was done, I think Mike's comment on flat files is spot on. We've seen that too. That information is then either transmitted for log aggregation over an unsecured part of the network, where it could be picked up by a sniffer, or compromised on the host itself.

The PCI discussion is a different topic altogether. I don't think PCI is worthless, but it's not perfect either. The issues I see are mostly not with PCI DSS but with how it is being audited and enforced, a process that is still undergoing many changes.

By Mike  on  03/18  at  08:32 PM

@Allen the PCI standard evolves and changes with the ever changing risk environment. Data in transit was not a big issue several years back but it is now. I can expect the standard to change in response to the emerging attack patterns.

That said, to discount the program as "worthless" makes me question how informed the person saying it really is about this topic.

By Matt  on  03/18  at  09:49 PM

There are two very serious problems with PCI. First of all, it doesn't really kick in until post authorization. And there is the problem, as pointed out with the flat files, that the banks are not accommodating the clients to send encrypted files - which also ties to the first problem since the banks can't/won't handle encrypted authorizations. In the first case, Hannaford may be 100% compliant and get off the hook if this was all pre-auth sniffing. In the second case, the bank is on the hook.

PCI is still very good for businesses who would have NO security without PCI. But it's not bulletproof. As you see, it covers that 98% in the merchants' hands and not that first or last 1% that is still susceptible. Hypothetically, this breach is related to WEP encryption and hypothetically it was passed by their auditor. Hence, the transmission issue. Based on the volume, I would guess WEP at corporate, not each store.

By rmogull  on  03/18  at  10:05 PM

I'm writing up a separate PCI post instead of responding here. I know it's a contentious statement that deserves a more thoughtful response.

Should be up in about 15…

By Is PCI Worthless? | securosis.com  on  03/18  at  10:54 PM

[...] I posted an analysis of the Hannaford breach in which I made a contentious statement. In other words, PCI is [...]

By CPineda  on  03/19  at  02:05 AM

Will wait for your response Rich. Good analysis but disagree a bit on PCI. Like the others have said, it's good rather than nothing at all. PCI has been a good step. It takes a while but we're all getting there. We just need to fix the process of verifying the controls.

By LonerVamp  on  03/19  at  03:05 AM

Rich, nice post. I think all of your statements above are what I read as well when this news broke. I was especially disturbed inferring that Hannaford didn't even know a lick about this until the fraud cases built up and someone else notified them. So much for detection. And of course prevention was incomplete.

Like others have mentioned above, so I won't wax long on it: PCI is not worthless. It won't stop a breach, but it does have value to shops that otherwise have less security than what PCI requires. I'll have to say it again: PCI does not stop a breach. Whether that means it is worthless to security or not depends on how you define security, as an all or nothing situation or a point on a scale. So, to some, yes PCI is worthless, but I'd bet those people are also already beyond the low denominator PCI sets.

By Adrian Lane  on  03/19  at  03:54 AM

Nice post Rich!
- Agree with you this had to be some central HQ breach. Too many numbers gathered too quickly to be anything else. Disagree with the statement that PCI is worthless, unless you are also making the statement merchants should not be storing the numbers in the first place. A PCI audit on the other hand, as a bare minimum lowest common denominator set of practices, is worthless. If you need someone to certify you're doing the absolute minimum, you're really missing the entire point of the exercise.

By TimC  on  03/19  at  05:05 AM

Great analysis, I have something to add that may not have been considered.

If the data was somehow sniffed during transit between the Hannaford network and the CC processor, considering the business model of a grocery store, one has to assume that these are almost all "Card Present" transactions.

This being true, the mag-stripe may also have been captured, which contains Cardholder Name, Card Verification Value (CVV), and PIN verification data. In fact, with mag-stripe data, bad guys can create their own cards out of hotel room keys and commit fraud.

This is much more than just card numbers and expiration dates as described in the press releases.

By Wackawacka  on  03/19  at  05:08 AM

We had to contact our bank about this. Wachovia doesn't seem to know a thing about this situation. Our cards are being reissued and I'm never shopping with them again.

By missing link  on  03/19  at  06:01 AM

Seems like an inside job to me. The data transmission was probably clear text over a private line and redirected to an unauthorized url after the authorization came back. My bet is weak log review.

By The data breach that hit home — Security Byt  on  03/19  at  07:25 PM

[...] favorites list:Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, wrote in his blog that since the information was stolen during the authorization process and was distributed over [...]

By Concerned shopper  on  03/19  at  08:15 PM

I am deeply hurt by what happened at Hannaford.  I am truly a frequent shopper, especially during these dates mentioned.
I only like Hannaford because it has all the natural products I prefer and they sell Goat Milk all the time. I also like the organic breads with no HFCS. Throughout the store now are many alternative choices of Nature's Place which I prefer in many cases. I do not really like PC that much, yet have sort of switched for a day. If I go back to Hannaford, should I get $200 at the ATM and have a wad of twenties in my purse so I can get conked on the head? Or should I write a check, in which my signature can be frauded? Is that the right word? This credit/debit card solution must be made secure as it is supposed to be a private transaction. I do want to continue my shopping at Hannaford, yet when? This problem was bound to happen with hackers all over the world having a great time using their brains for all the wrong reasons and considering it success when they can get into a private system. I truly am saddened at the state of technology and the world.

By Bitten by the hand that feeds me  on  03/20  at  02:43 AM

Bank responses have been all over the map. When I heard the news I stopped in at my local branch - they ran my card and confirmed it was "on the list". I asked them when they were going to tell me and they gave me the bank president's phone number (I kid you not!). His representative said that they weren't going to tell customers, and weren't going to re-issue cards unless a customer "asked" - that they were confident they could monitor card activity and react in the case of a compromise. I asked what that reaction might be - and they said "cancel the card" - great! It normally takes 7-10 days to get one, and if you are on the road and it happens to be your only card you are out of luck. They seemed remarkably unmoved by my argument that we should have the right to know and then decide how we wanted to handle it.

Other local banks have stepped up to the plate and are letting customers know immediately - including one which is issuing new cards, then monitoring the old ones, but not canceling them until the new ones get activated by the customer. How’s that for great customer service!

By | Hannafords Information  on  03/22  at  06:47 PM

[...] 18, 2008.  “The Hannaford Breach - What Might Have Happened”.  [...]
