Saturday, March 11, 2006

Citibank PINs and the botnet arms race

I noticed this tidbit from a Gartner researcher quoted in a story about the recently disclosed PIN theft.
PIN Scandal "Worst Hack Ever;" Citibank Only The Start "That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMS and PINs could never be compromised."    - Avivah Litan, Gartner
I wish the reporter or Gartner researchers would have checked with me or someone else who has direct experience auditing software systems. I've been warning my clients for years about the security exposure from data retention for e-commerce and credit card transaction systems and I know a number of other security professionals who've been doing the same. In fact, given the number of thefts of credit card data stolen from 3rd party web sites that have occurred in recent years it's unlikely that this is the first PIN number theft to have occurred, counter to the implication in this story. It might be the first that has occurred since legislation obligated disclosure of such thefts, but even that seems unlikely. There are literally thousands if not tens of thousands of different bits of software involved in credit card transaction processing, custom made, derived from free code available on the internet, purchased from third parties, custom made by third parties. Most of those systems originate in the web development world where robust software development and testing practices are not fully realized and security inspection or auditing is an afterthought if it's a thought at all. PIN numbers and the special security codes printed on credit cards are intended by the vendors to be "transient" data, used but not stored at the point of presence -- e.g. the cash register or web site where the transaction is initiated. However, it's impossible to audit all of the custom made systems in the world. In a recent article here discussing the Verified by Visa program, I speculated that proxy agents could be placed in front of an e-commerce engine on a compromised web server to defeat the Verified by Visa security measures. This technique could be used to harvest PIN numbers and security codes even more transparently. Without conducting a survey, I can tell you from my experience it appears that most organizations with e-commerce shopping carts on their web sites are not prepared to detect such an intrusion. Shopping cart systems are only the tip of the iceberg. I've seen dramatic, gaping security problems in systems that existed for years and were easy to discover by accident through ordinary use of the system. One such system provided full identity information for all accounts within the system, including bank account information, phone numbers, addresses, date of birth and other information -- matched to Social Security Number. The system's entire database could be enumerated by fetching them one at a time, simply by poking a randomly generated Social Security Number into a field. By poking them all in, one at a time, one could fetch the entire database. This could be easily accomplished by a "script kiddie" in a very short time. The system was not instrumented with any logging which would reveal that this type of enumeration has been performed. The system's database included many members of Congress and the Senate. (Surprisingly, all of the information in this paragraph doesn't narrow down the field of applications enough to give away what the application was, nor the agency which ran it.) Oftentimes when such issues are encountered it is a struggle to get the owners of the system to understand the exposure and act upon it. I spent two days trying to convince the Federal Agency that owned this system to act. I was only able to get the hole closed by identifying the private contractor who implemented the system and calling their CEO, who immediately understood the importance of the issue. If you find holes like these that are relatively easy to discover and exist in systems for extended periods of time, you must assume that they have been discovered before. In some cases you may be legally obligated to notify the persons whose data has been exposed. The complexity of e-commerce and other online software systems which handle sensitive data is high, and the cost of securing them and auditing them is very high. An audit performed by a commodity consulting shop may cost tens of thousands of dollars and take a couple weeks. Even then, the auditors will often be ill equipped to discover many of the weaknesses that exist in these systems. If you hire a specialty security firm which brings highly skilled and experienced security engineers and programmers to the table, the cost will likely be even higher. Contrast that with the money that firms typically spend on these systems. Oftentimes they don't spend much at all. They got the internet and find a "free" shopping card, don't audit the code so they really have no idea of how it works internally or even if it has already been instrumented with a data harvesting routine, and slap it up on a web server. Even large corporations are guilty of this, as the division with the need may not be given the budget to "do it right". Conventional wisdom says that the west won the Cold War by outspending the Soviet empire, leading to the eventual bankruptcy and collapse of the Soviet system. The economic principles behind this problem are similar to the issues with security and online software systems storing sensitive data like credit card, debit card, and identity information. The barrier to entry for the attacker is low. The cost to defend is high. The botnet arms race continues, and this time the stakes are your identity information, and your bank account balance.

Technorati Tags: , , , , , , , , ,

No comments: