What lessons can we learn from the Heartland credit card breach?

The company's response is raising troubling questions about the security of such processing centers and laws ostensibly intended to protect consumers in general.

Millions of credit cards per month, primarily used in restaurants, could have been exposed to hackers who broke into the Heartland Payment Systems processing center network, in an incident the company said Tuesday took place the previous week.

Heartland began looking into the problem after it received reports from MasterCard and Visa about reports of suspicious activity. In addition, the company advised cardholders to check their monthly statements for suspicious activity, because the potentially stolen data could be used to generate new credit cards. However, because it said there was no personally identifiable data such as Social Security numbers in the data, cardholders didn't have to worry about identity theft.

That's the official story.

Heartland did not respond to requests for an interview, and the US Department of Justice, with which the company has been working, said it couldn't comment. But interviews in other media sources indicated that a malicious piece of software had been placed in the company's network for "more than weeks" and had been "sniffing" for card numbers using keylogging software.

Now, what's wrong with this picture?

• We don't know how long the software was in the system It could have been there for a much longer time, and not been turned on to capture numbers. Alternatively, numbers could have been captured for a very long time, but did not start becoming used until late in 2008 -- perhaps hoping they would be disguised in the busy holiday shopping season. Heartland isn't saying, if indeed it even knows. So the problem is conceivably much more than "last week," or even "last month." In fact, some people, such as security analyst Michael Argast of Sophos, wonder whether Heartland deliberately released the report on Tuesday, when the nation was occupied with the Obama Inauguration. The company denies this.
• Heartland did not discover the breach itself during its normal course of business, but only when it was notified by Visa and MasterCard - which is also hampering them in trying to determine the scope of the problem, said Argast. "If they had good auditing and logging practices, they would have been able to determine exactly when the attack occurred and what data was lost." "Why can't we periodically do more detailed forensics investigations of our own networks?" agreed Bill Sieglein, former US Intelligence Staffer and now CEO of the CSO Breakfast Club, a consortium of top Chief Security Officers across the US. Other analysts disagree. "If you can compromise the system processing credit cards, you can compromise the system that generates the log," said Mark Bower, director of information protection solutions for Voltage Security.
• People whose cards may have been breached aren't being notified. In fact, Heartland won't even give the names of the sorts of businesses that use its services -- using as justification laws that are supposed to help consumers by making sure they're notified of such breaches. "They are hiding behind state disclosure laws" that say such companies don't need to inform consumers as long as law enforcement is involved, said Dan Clements, President of CardCops, a division of the Affinion Group. The point of such a loophole, which was in the seminal California identity theft law since copied by 44 other states, was to give law enforcement the opportunity to arrest people before the breach became public, but companies are using it to give themselves "wriggle room," he said.
• We don't know whether it was an inside job -- which could be repeated. "We've seen insiders like IT managers, who maybe didn't get a raise, leave back doors open on servers behind firewalls," said Clements. Malicious hackers could then put keylogging on the servers, and compensate the insider, he said. "It's hard to prove an IT administrator looked the other way or didn't patch something."
• If it's not identity theft by the book, it may as well be. While it's true that the stolen data could not be used directly for identity theft, it could be used to help identity thieves know where to look, Clements said. They can tell from a card number whether it's a platinum card, look up the owner of the card number, and then use other sources to obtain information about that person. "They will piece you together, if they feel you're a valid candidate for identity theft," he said.
• We're not even sure this is an isolated incident. We don't know whether similar problems might be going on at other processing centers. Heartland is one of the five biggest, Argast said. So what about the other four? In fact, such processing centers are increasingly the target for thieves who want to avoid the middleman; Royal Bank of Scotland's processing arm for its gift and payroll card business was targeted in December.

Some security specialists -- particularly those who sell encryption software -- are suggesting that end-to-end encryption is needed. "Where this breach has taken place is in an 'air gap' in encryption," said Bower. When the data is collected by Heartland, it may be encrypted and follow other best practices and specifications collectively known as Payment Card Industry Data Security Standard (PCI DSS), but internally it decrypts the data to send it to MasterCard and Visa, and that's where it can be compromised, he said.

Sieglein also suggested improved encryption was necessary at the database level. "We need to get serious about data encryption and find ways to efficiently encrypt full databases at rest in a way that allows that data to protected, but also allows the applications that need that data to decrypt it quickly so as not to add undue latency," he told Betanews.

However, keeping the data encrypted causes a problem because then it doesn't "look like" a credit card number any more, which causes problems in other software. A technique known as "format-preserving encryption" encrypts data without having to rewrite all that software, Bower said.

What should people do?

• Look at statements and accounts and "watch them like a hawk," Clements said, especially for little charges -- as small as 35 cents, perhaps charged to a charity -- that are placed to help thieves determine whether a card is valid.
• Even if you get a new card from your bank, change the PIN, Clements said.
• Vendors in this area have a whole "laundry list" of tasks to perform, including better auditing practices, better monitoring, better logging, network intrusion protection, stronger malware protection, and detection of behavioral problems, Argast said.

But until the problem is dealt with on an industry-wide basis, "Expect to see more of this," Seiglein advised. "As long as criminals have a lucrative target and some modicum of success, they will continue to pursue the treasure. We've got to make it more difficult to get the treasure."