Attacks/Breaches

10/6/2014
02:45 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Heartland CEO On Why Retailers Keep Getting Breached

Robert Carr, chairman and CEO of Heartland Payment Systems, says lack of end-to-end encryption and tokenization were factors in recent data breaches.

Heartland Payment Systems chairman and CEO Robert Carr could be considered a rare breed of executive these days. He's been outspoken about the massive data breach the firm suffered on his watch in 2008 that exposed 130 million US debit and credit card accounts -- the largest breach ever recorded at the time. And in a new breach era when some corporate executives such as former Target CEO Gregg Steinhafel have lost their jobs over high-profile breaches, Carr is still firmly at the helm of the payment processing firm.

Carr led Heartland's adoption of technologies like end-to-end encryption, tokenization, and EMV chip-and-pin payment card technology to shore up its security after the breach. "We took a position in 2009 that we're not going to clam up and try to point the fingers at somebody else," he told Dark Reading today. "That most definitely helped us a lot."

He has watched the wave of record-breaking retail breaches over the past year, and he says there's a common theme. "What's happening in the meantime is, even though solutions are being introduced, encryption being one we [adopted]… a lot of companies haven't implemented the basics, and they are paying the price for it."

Big data breaches keep occurring because companies aren't investing in the proper security, such as end-to-end encryption and tokenization, Carr says. "The people responsible for spending the money necessary to be safe aren't spending the money. They don't take it seriously. What I've been saying for years is that it's going to continue to get worse, because the pool of victims not doing anything or doing enough is shrinking slowly."

Merchants that think they're too small to be a target will be hit as well, he says, especially as the Tier 1 merchants continue to step up their security game and raise the bar for cybercriminals.

Heartland Payment Systems chairman and CEO Robert Carr.
Heartland Payment Systems chairman and CEO Robert Carr.

Heartland paid out hundreds of millions of dollars to banks and payment card brands in the wake of its breach. Carr contends that the breached company itself should be held liable, not the payment card firms or other partners. The Heartland breach "was our responsibility," he says. "I think liability needs to be held by the breached party. Otherwise, there's no other way to police anything."

Blaming MasterCard and Visa for not phasing out magnetic stripe cards a long time ago is a separate argument. "Today, if a merchant doesn't do the minimum work to avoid a breach, then they are going to get breached. It's just a matter of when."

EMV or chip-and-pin payment card technology, end-to-end encryption, and tokenization are the key technologies merchants should be adopting. "These solutions are pretty readily available" today.

The move to chip-and-pin payment card technology -- where smart cards with embedded microchips authenticate the user's identity -- "is forcing merchants to change out their hardware and thereby spend money to get the equipment they need to get the [card] data out of their systems," he says. "If you make that hardware change, [it's] insane if you don't also solve the encryption issue. Put tokenization in to protect yourself on the backend," as well.

A lot of executives have taken the less expensive option of neither swapping out their payment hardware nor encrypting the full data transaction. "If the bad guys are intercepting transactions on the way to CPU, if you don't encrypt those and get that data out of the clear, you don't have a solution. But a lot of merchants have bought into that."

That's not to say Carr doesn't have a few regrets about how his firm handled its data breach and the aftermath, where malware infiltrated the company's payment processing system. "There are a lot of things I wish could have happened differently. Frankly, I don't know what we could have done differently."

He cited a forensics assessment his company passed with flying colors just before the breach. "We were given a clean bill of health the Friday before our breach" in the exam. "We found the problem, not the forensics teams. Three forensics teams could not find the problem."

For 90 days, Heartland went back and forth with MasterCard and Visa over who was actually breached. He says there was plenty of confusion during that period, and Heartland wasn't looped in on all the investigation specifics. Heartland later confirmed that the breach had begun in June 2008 and ended sometime that August, but the company didn't learn of the attack until January 2009.

"Everybody got a lot smarter about" handling these breach investigations since then, he says.

Carr occasionally gets asked for advice from newly breached retailers. "I tell them we're a processor, you're a merchant. Your situation is completely different from ours. But here's what we did -- take what makes sense for you."

[Yet another point-of-sale (POS) breach at a major retail chain, and the victim adds encryption. Read Breached Retailers Harden PoS, For Now .]

Meanwhile, Carr is skeptical that cyberinsurance is the answer for protecting firms from breach costs. "It gives a false sense of security. Read the exclusions page."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
the5thHorseman
50%
50%
the5thHorseman,
User Rank: Apprentice
10/9/2014 | 1:54:32 PM
Re: NOT blaming card issuers
Your comments are insightful. You are absolutely correct when you said "It's almost as if they are calculating the risk of a breach and the outcome versus making the initial investment to prevent breaches in the first place". The only thing wrong with your statement is "almost"; it's exactly what is happening everywhere. The reason is that the people making the decisions are NOT IT people, or even CIO's in many cases. Decisions to spend this kind of money ultimately end up with a CFO, or CEO, who make the decision just like they were taught to in their Management 101 class; risk vs profit. Corporations are so greedy now, that they simply won't spend their profits on security... until they loose millions of customers sensitive data. Once it goes public, they're forced to do something to save face. But the fact is it wouldn't have happened in the first place if they CARED about protecting their customers data. The only thing that changes this... don't spend your money at their store. Money is  the only thing they care about. Personally, I don't shop in the places that have been "breached". I would rather pay a higher price now then have my identity stolen, credit wrecked and fight the banks over unauthorized charges later. Their lower prices don't offset that kind of havoc in your life. And it won't be brief either.... it will go on for a long time... Pay a little more and buy from someone with your security interests first.
markfbower
50%
50%
markfbower,
User Rank: Apprentice
10/8/2014 | 5:10:08 PM
Heartland led, others followed, but many are still vulnerable
Great to see Bob speaking out on this and encouraging others to take their lead in changing the game in protecting sensitive data. When we helped Heartland with their data-security strategy, technology adoption and E3 project, they kindly agreed to a case study which is available on our site (the comments here dont permit URL posting).

Since then, a huge number of merchants and processors have moved to this data-centric approach of encrypting card data from the instant it is read through to the processing host, followed by PAN tokenization for storage protection for post-authorization processes. This approach neutralizes sensitive data from breach risks and has proven highly effective in preventing attacks yielding anything of value to advanced malware in the POS or retail IT. Of course, organizations who suffer major breaches can also quickly adopt these technologies to avoid subsequent attacks - a fast track to recovery and remediation, exactly like Heartland who led the way several years ago. Many savvy retailers, processors and gateways have embraced the data-centric approach since that industry-changing card breach in 2009. However, those that have not are increasingly at risk of compromise, and insurance isn't a solution as Bob makes very clear.

Regards, 
Mark Bower 
VP Products 
Voltage Security
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/7/2014 | 2:27:53 PM
Re: NOT blaming card issuers
I think we should blame card vendors and anybody and everybody using their products without asking any security improvement. We should not be still using a card for our transaction at this day of age. They are not improving, they can easily use a chip in the cards for sure.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/7/2014 | 2:22:52 PM
Re: the real issue is un-authorized programming
I agree. Apple Pay is the right late direction. There will be certain vulnerabilities we need to mitigate but we have to start somewhere.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/7/2014 | 2:20:38 PM
Not investing and not applying
Companies may not be investing end-to-end encryption, but most importantly they do not apply the policies they put in place such as not sharing information in the email, changing passwords periodically,... and so on. They are not doing these simple things to minimize the risk. Most problems and attack start from those simple information, unfortunately.
macker490
50%
50%
macker490,
User Rank: Ninja
10/7/2014 | 7:16:58 AM
the real issue is un-authorized programming
the real issue in these hacks is un-authorized programming (hacking).  by installing a "ram scraper" (i.e. an  un-authorized program) into your Point of Sale terminal the hacker exfiltrates illegal copies of the customer card data ("dumps") *before encryption*

Apple Pay is taking the right approach on this in establishing a system whereby a 1-time payment authorization key is sent to the merchant instead of reading all the customers card data into the POS terminal

in this manner there is no usable data in the POS for the attacker to steal.   EMV should have adopted this method.

the trouble with Apple Pay is that it is served off a "smart phone".   load a bad app in your phone and you'll be running up charges from Peking to Berlin.   the payment card should use a separate, single purpose chip that cannot be updated: only replaced.

in the end you have to start with a secure operating system: one which accepts only signed, authenticated, and approved software updates.   you *cannot* protect a vulnerable operating system by loading security patches into the application programming.
Stratustician
100%
0%
Stratustician,
User Rank: Moderator
10/6/2014 | 4:29:57 PM
Re: NOT blaming card issuers
I think part of the issue is that companies first look at the cost of updating their systems, both from a payment processing standpoint and a security standpoint, and when the see the sticker price on what it would cost to reach a preferred security state, it's often shut down.  It's almost as if they are calculating the risk of a breach and the outcome versus making the initial investment to prevent breaches in the first place.  It's utterly the wrong way to approach security, yet it is sadly the way things remain to be for the forseeable future.  We've all seen the lack of teeth legislations like PCI really have to influence behaviour, it's only the risk of public loss of trust that actually causes some of the changes in behaviour, yet sadly it's generally going to be an afterthought since no one seems to worry until it's too late.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/6/2014 | 4:01:45 PM
and another thing...
He says that a forensics team (I'm assuming a third-party team) gave them a clean bill of health just days before the breach...   I wonder if there will ever be a time that forensics and pen testing companies end up getting smacked with liability lawsuits when they miss something. I'm not saying that I necessarily want it to. I'm just wondering if it will.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/6/2014 | 3:56:44 PM
Re: NOT blaming card issuers
@Kelly  Especially because he's still with the company. Despite gag agreements, it's a lot easier for someone who's left a company to talk frankly about how he/they screwed up. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/6/2014 | 3:53:09 PM
Re: NOT blaming card issuers
Yep. I love his frank talk. It is very refreshing.
Page 1 / 2   >   >>
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.