
Citibank PINs and the botnet arms race

I noticed this tidbit from a Gartner researcher quoted in a story about the recently disclosed PIN theft.
PIN Scandal "Worst Hack Ever;" Citibank Only The Start

"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMs and PINs could never be compromised."
- Avivah Litan, Gartner

I wish the reporter or the Gartner researchers had checked with me or someone else who has direct experience auditing software systems. I've been warning my clients for years about the security exposure from data retention in e-commerce and credit card transaction systems, and I know a number of other security professionals who've been doing the same. In fact, given the number of thefts of credit card data from third-party web sites in recent years, it's unlikely that this is the first PIN number theft to have occurred, counter to the implication in this story. It might be the first that has occurred since legislation obligated disclosure of such thefts, but even that seems unlikely.

There are literally thousands, if not tens of thousands, of different bits of software involved in credit card transaction processing: custom made, derived from free code available on the internet, purchased from third parties, custom made by third parties. Most of those systems originate in the web development world, where robust software development and testing practices are not fully realized and security inspection or auditing is an afterthought, if it's a thought at all.

PIN numbers and the special security codes printed on credit cards are intended by the vendors to be "transient" data, used but not stored at the point of presence -- e.g. the cash register or web site where the transaction is initiated. However, it's impossible to audit all of the custom made systems in the world. In a recent article here discussing the Verified by Visa program, I speculated that proxy agents could be placed in front of an e-commerce engine on a compromised web server to defeat the Verified by Visa security measures. This technique could be used to harvest PIN numbers and security codes even more transparently.

Without conducting a survey, I can tell you that in my experience most organizations with e-commerce shopping carts on their web sites are not prepared to detect such an intrusion. Shopping cart systems are only the tip of the iceberg. I've seen dramatic, gaping security problems in systems that existed for years and were easy to discover by accident through ordinary use of the system.

One such system provided full identity information for all accounts within the system, including bank account information, phone numbers, addresses, date of birth and other information -- matched to Social Security Number. Records could be fetched one at a time, simply by poking a randomly generated Social Security Number into a field. By poking them all in, one at a time, one could fetch the entire database. This could be easily accomplished by a "script kiddie" in a very short time. The system was not instrumented with any logging which would reveal that this type of enumeration had been performed. The system's database included many members of Congress and the Senate. (Surprisingly, all of the information in this paragraph doesn't narrow down the field of applications enough to give away what the application was, nor the agency which ran it.)

Oftentimes when such issues are encountered, it is a struggle to get the owners of the system to understand the exposure and act upon it. I spent two days trying to convince the Federal Agency that owned this system to act. I was only able to get the hole closed by identifying the private contractor who implemented the system and calling their CEO, who immediately understood the importance of the issue. If you find holes like these that are relatively easy to discover and exist in systems for extended periods of time, you must assume that they have been discovered before. In some cases you may be legally obligated to notify the persons whose data has been exposed.

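The logging that system lacked can be small. The sketch below is an added example, not code from the system described: it assumes a hypothetical audit log with one line per lookup (timestamp, client address, keyed hash of the identifier, HIT or MISS) and flags any client that tries many distinct identifiers in a short window while mostly missing. The log format, key, thresholds and sample data are all constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_KEY = b"constructed-demo-key"  # assumption: a real key would live in a secrets store

def lookup_token(identifier: str) -> str:
    """Keyed hash, so the audit log can count distinct lookups without storing SSNs."""
    return hmac.new(LOG_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def build_sample_log():
    """Constructed sample: one client looks up two records; another walks 40 guesses in 40 s."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=5 * i)).isoformat()} 10.0.0.5 {lookup_token(s)} HIT"
             for i, s in enumerate(["000-00-0001", "000-00-0002"])]
    lines += [f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.9 "
              f"{lookup_token(f'000-00-{1000 + i:04d}')} {'HIT' if i % 10 == 0 else 'MISS'}"
              for i in range(40)]
    return sorted(lines)  # ISO timestamps sort chronologically as strings

def detect_enumeration(lines, window=timedelta(minutes=1), max_distinct=20,
                       min_miss_ratio=0.5):
    """Flag clients whose distinct lookups inside `window` exceed `max_distinct`
    while most of them miss: the signature of guessing identifiers one at a time."""
    recent = defaultdict(deque)  # client -> deque of (time, token, result)
    alerts = {}
    for line in lines:
        ts, client, token, result = line.split()
        now = datetime.fromisoformat(ts)
        q = recent[client]
        q.append((now, token, result))
        while now - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {tok for _, tok, _ in q}
        misses = sum(1 for _, _, r in q if r == "MISS")
        if len(distinct) > max_distinct and misses / len(q) >= min_miss_ratio:
            alerts.setdefault(client, (ts, len(distinct)))  # keep first alert per client
    return alerts

if __name__ == "__main__":
    for client, (ts, n) in detect_enumeration(build_sample_log()).items():
        print(f"ALERT {client}: {n} distinct identifiers within 1 minute at {ts}")
```
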
The complexity of e-commerce and other online software systems which handle sensitive data is high, and the cost of securing and auditing them is very high. An audit performed by a commodity consulting shop may cost tens of thousands of dollars and take a couple of weeks. Even then, the auditors will often be ill-equipped to discover many of the weaknesses that exist in these systems. If you hire a specialty security firm which brings highly skilled and experienced security engineers and programmers to the table, the cost will likely be even higher.

Contrast that with the money that firms typically spend on these systems. Oftentimes they don't spend much at all. They go to the internet and find a "free" shopping cart, don't audit the code, so they really have no idea of how it works internally or even if it has already been instrumented with a data harvesting routine, and slap it up on a web server. Even large corporations are guilty of this, as the division with the need may not be given the budget to "do it right".

Conventional wisdom says that the West won the Cold War by outspending the Soviet empire, leading to the eventual bankruptcy and collapse of the Soviet system. The economic principles are similar for security in online software systems storing sensitive data like credit card, debit card, and identity information. The barrier to entry for the attacker is low. The cost to defend is high. The botnet arms race continues, and this time the stakes are your identity information and your bank account balance.
