If you work for Heartland Payment Systems, whether you like it or not, you currently represent “what not to do” in the world of Financial Transactions on the Internet.

If you’re a customer of Heartland then you should take this as an opportunity to verify the security of your own systems. Heartland Payment Systems is a very large organization, and if they had been more secure you might have been attacked instead. Don’t make their mistake. Be proactive, not reactive.

To begin, I’d like to point out the DoJ’s release on this event and thank the department for publishing details of the attacks which aren’t available on Heartland’s site. I first heard of this story from someone at our office and immediately suspected there was more to it, but it wasn’t until I read the DoJ’s release that my suspicions became more than a guess. My response to the email: “Heartland’s negligence was as severe as their assailant’s attack and for this, they should be prosecuted”. According to Bloomberg, a shareholder filed suit against Heartland in July, and “in a Feb. 24 conference call, Carr [CEO] said the company was the subject of an informal inquiry by the Securities and Exchange Commission, as well as investigations by the Justice Department, the Federal Trade Commission and the Office of the Comptroller of the Currency.” It’s obvious that the attacks were malicious, but what about Heartland’s security? Was Heartland negligent? Did Heartland employ the “Highest Standards” of security, which could have mitigated the severity of their compromise?

Per the DoJ release, Heartland was vulnerable to “sophisticated” SQL Injection attacks, which were used in part to compromise more than 130 million credit and debit card numbers. The attacker, Albert Gonzalez, 28, of Miami, Fla., is now being charged for a “different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators”, in addition to two other pending trials for other hacking activities. Thief, criminal, hacker, whatever you want to call him, we can all conclude these attacks were wrong. This guy has been in your Internetz stealing your credit cardz.

Meanwhile, if you’re a business that accepts credit cards through Heartland, you likely have customers with stolen credit card information and are in a delicate position, considering the significant cost of changing payment processors, both technically and contractually. Changing payment processors often requires programming, and the contract agreements required by most payment processors are stifling, costly, or both. So now you’re left with the question of whether you should trust Heartland with your customers’ credit card information.

I can’t answer these questions for you, but we can at least explore the idea that Heartland’s operations were negligent and ineffective at providing “The Highest Standards” and “The Most Trusted Transactions”, since, according to reports, their attacker profiled several systems before determining that Heartland’s was one that could be compromised. If Heartland’s system had been as advertised, would it have withstood these attacks, or would the attacker have targeted a different system instead?

Based on the DoJ report of the attack and the amount of information compromised, I would suspect the attack was preventable if “standard” security systems and practices had been adopted. SQL Injection, while it sounds like a complicated attack requiring intricate knowledge, planning, and acrobatic stunts, is really a simple exploit: untrusted input is spliced into the text of a database query, so the attacker gets to write part of the query. It has been documented, and its fix (parameterized queries, where data is passed to the database separately from the SQL) known, for almost a decade. A related class of flaw, a buffer overflow in the SQL Server Resolution Service, was used by the SQL Slammer worm, which caused widespread Internet outages in January 2003. Both attacks come down to a “parameter” not being checked before the program acts on it; this is akin to letting a stranger drive your car. Being exploited by one of these attacks is like letting an intoxicated stranger drive your car into a pole; maybe he said he was good to drive, and maybe the pole jumped in front of him, but the point is you had no reason to trust a stranger and you shouldn’t ever let an intoxicated driver behind the wheel.
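To make the “unchecked parameter” concrete, here is an added example (my own code, not anything from Heartland or the DoJ release) of the vulnerable pattern beside its parameterized fix. It uses an in-memory SQLite table with constructed, fake card numbers; the table, column names and merchant IDs are assumptions for illustration only. The hostile inputs show how a single unchecked string turns a one-merchant lookup into a dump of every row, and into a read of a column the query was never meant to return.

```python
import sqlite3

# Constructed sample data: fake merchant IDs and test card numbers, not real PANs.
SAMPLE_ROWS = [
    ("merchant-001", "4111111111111111", "12/11"),
    ("merchant-002", "5500000000000004", "03/12"),
    ("merchant-003", "340000000000009", "07/10"),
]


def build_db():
    """Create an in-memory table (assumed schema) and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (merchant TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, merchant):
    """BAD: the caller's string is pasted straight into the SQL text.

    Whatever the user typed becomes part of the query, quotes and all,
    so the 'parameter' is never checked before the database executes it.
    """
    sql = "SELECT pan FROM cards WHERE merchant = '%s'" % merchant
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, merchant):
    """GOOD: the value travels to the driver separately from the SQL.

    The query text is fixed; the merchant string can only ever be compared
    as data, so a quote or keyword inside it has no special meaning.
    """
    sql = "SELECT pan FROM cards WHERE merchant = ?"
    return [row[0] for row in conn.execute(sql, (merchant,))]


def demo():
    """Run both lookups with an honest ID and two hostile strings."""
    conn = build_db()
    honest = "merchant-001"
    # Tautology: closes the quote and appends an always-true condition.
    dump_all = "x' OR '1'='1"
    # UNION: closes the quote, pulls a different column, comments out the rest.
    read_other_column = "x' UNION SELECT expiry FROM cards --"
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_dump_all": sorted(lookup_vulnerable(conn, dump_all)),
        "vuln_union": sorted(lookup_vulnerable(conn, read_other_column)),
        "param_honest": lookup_parameterized(conn, honest),
        # With parameters the hostile strings just fail to match any merchant.
        "param_dump_all": lookup_parameterized(conn, dump_all),
        "param_union": lookup_parameterized(conn, read_other_column),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %s" % (name, result))
```

The vulnerable lookup returns every card number for the tautology input and every expiry date for the UNION input; the parameterized lookup returns an empty list for both, because the database never sees the attacker’s text as SQL. Input validation on top of this is good hygiene, but parameterization is the control that actually removes the bug.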

Ignorance is not an excuse in information security, just as it isn’t an excuse for tax evasion or violating regulations. If you want to sympathize with Heartland for being attacked, that’s your prerogative, and I hope you’re not the person responsible for security at any organization. If you’re concerned for the privacy and security of consumers’ financial and personal information, then it’s your right to ask these questions of Heartland Payment Systems, or of any company that significantly compromises the security of your information.

2 Responses to “Don’t be like: Heartland Payment Systems”

  1. Rick Says:

    If attacks are so “preventable” as you claim, then why have over 600 banks in the U.S. also been hacked? The simple truth is that there will always be criminals who look for ways to get into the computing systems of large corporations. Heartland Payment Systems is now leading the industry with an end-to-end data encryption service that no other credit card processor currently has in place. And by the way, most if not all of the other major credit card processors have also been hacked during the past few years, so Heartland is in “good” company.

    While I agree that better precautions need to be taken by all corporations who process data, let’s not unfairly single out Heartland Payment Systems.


  2. @Rick

    You probably drive a car back and forth from work every day; that car keeps you safe from amazing risks, and I bet you’re insured. But if you weren’t driving a safe vehicle: a) you wouldn’t be insurable, and b) you could die easily. For this reason, automobiles are very safe, people trust them, and manufacturers are mandated to certain levels of safety and security standards. Fortunately, people don’t die when bank security is breached or software programs fail, but at the same time, nobody is liable either, because of the attitude you have: that just because others fail, nobody should be held to a higher standard. This is why I composed my post, to single out a company; if I had any evidence to single out others, I would. Most of the time, though, that evidence is either kept confidential or may even be under gag order, which is unfortunate for everyone whose personal data is exposed.

    I think it’s good Heartland is doing end-to-end security, but that’s really nothing special. Public key infrastructure has been around since before online banking was prevalent, and it’s a technology that’s more than a decade old. Heartland has had over ten years to implement end-to-end data encryption, and they’ve waited until after their system was compromised. Sure, you could say such an upgrade prior to now would’ve been expensive, and you would be right; such levels of security should be mandatory and expected.

    I also composed this post to support shareholders’ actions and because the exploit was via SQL injection. Being vulnerable to SQL Injection is like leaving your car running with the windows rolled down. Moreover, end-to-end encryption doesn’t hinder SQL Injection attacks.

    You can google more on “SSL TLS” to find out the history of security and how end-to-end encryption has been done for quite a while now.

    I suppose if Heartland wasn’t so loud with PR about how they’re catching up to 1999, I wouldn’t say anything. All things considered, 1 out of 601 is a start.

