News Stay informed about the latest enterprise technology news and product updates.

Hacker charges also an indictment on PCI, expert says

PCI places the burden of security costs onto retailers and card processors instead of on the card payment brands, says security columnist Eric Ogren.

To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The federal indictment this week of three men for their roles in the largest data security breach in U.S. history also serves as an indictment of sorts against the fraud conducted by PCI – placing the burden of security costs onto retailers and card processors when what is really needed is the payment card industry investing in a secure business process.

A federal grand jury has indicted Albert Gonzalez of Miami and two yet unnamed Russian hackers for their alleged roles in the Heartland Payment Systems Inc. and Hannaford Brothers Co. thefts of 130 million credit and debit card data, plus the 40 million credit cards grabbed from TJX. 

SQL Injection still a major problem:

SQL Injection troubles firms, errors lead to breaches: Security experts see the secure software development lifecycle improving, but legacy applications and Web server flaws continue to offer a rich treasure trove for attackers.

Three indicted for Hannaford, Heartland data breaches: A grand jury has charged three men for their role in stealing more than 130 million credit and debit cards from Heartland Payment Systems and several other companies.

SQL injection attacks targeting Flash, JavaScript errors: Coding errors leave thousands of websites vulnerable, but attackers are starting to target Flash and JavaScript errors for exploitation, experts say.

The indictment makes for good reading, with references to SQL injection, distributed data collection servers, QA against major AV products and temporary messaging accounts to elude detection.

The hackers personally surveyed point of sale systems in retail outlets for vulnerabilities. This simple act takes advantage of perhaps the greatest weakness in PCI – the prohibitive expense required to secure remote sites with old solutions. There is mature technology available that encrypts credit card data at the initial swipe and keeps the data secure through processing. Any retail business, especially cash-constrained SMBs, should be using this technology on its POS devices and PCI should be mandating it.

The hackers chose SQL injection as the attack of choice. The hackers heavily used SQL injection to siphon credit card data out of unsuspecting networks. The leverage for a hacker is incredible – just a handful of malware writers were able to steal sensitive information on approximately 130 million cards (an average of about one for every other person in the U.S.). According to IBM and WhiteHat, SQL injection is still one of the leading attack vectors on the Internet. IT should conduct on all out assault on SQL injection, starting with secure software development practices of production software. 

The hackers ran their malware through 20 AV products to test detection avoidance. AV is very good at stopping known attacks of mass destruction, but is quite a bit less good about catching low profile designer attacks. Effective security should augment AV filters with technology that reflects control over the unique aspects of the organization's server and endpoint configurations. IT has choices here – application whitelisting on locked-down servers will prevent execution of unauthorized software, thin clients prevent attacks from persisting at endpoints, virtual desktops and servers give IT control over endpoint configurations and automated patching systems close windows of vulnerabilities. PCI should be more assertive in recognizing that signature-based schemes and reputation services will not catch low volume activity that is the trademark of malware designed to steal information.

The hackers were not caught by corporate security, only the detection of fraudulent use of stolen credit and debit cards. Once the attacks initially defeated the security architecture, the attacks executed undiscovered for years. IT should be sure to rotate security consultancies when conducting security assessments to get the benefit of different viewpoints and processes and to reduce the risks of blind spots in the security profile. Organizations with sensitive data may also want to proactively use search engines to look outside the security infrastructure for examples of leaked data that require a security investigation. Finally, an effective log management program can help with post-attack analysis to help ensure that history does not repeat itself. It would be nice if PCI could have protected 7-Eleven and others from the same attack technique that befell TJX years earlier.

Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to

Dig Deeper on Data security breaches

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.