August 20, 2009
If you work for Heartland Payment Systems, whether you like it or not, you currently represent “what not to do” in the world of Financial Transactions on the Internet.
If you’re a customer of Heartland then you should take this as an opportunity to verify the security of your own systems. Heartland Payment Systems is a very large organization and if they were more secure you may have been attacked instead. Don’t make their mistake. Be proactive not reactive.
To begin I’d like to immediately point out the DoJ’s release on this event and appreciate the department giving away some details on the attacks which aren’t available on Heartland’s site. I first heard of this story from someone at our office and immediately realized there was more to the story but it wasn’t until I read the DoJ’s release that my suspicions became more than a guess. My response to the email: “Heartland’s negligence was as severe as their assailant’s attack and for this, they should be prosecuted”. According to bloomberg, a shareholder filed suit against Heartland in July and “in a Feb. 24 conference call, Carr [CEO] said the company was the subject of an informal inquiry by the Securities and Exchange Commission, as well as investigations by the Justice Department, the Federal Trade Commission and the Office of the Comptroller of the Currency.”. It’s obvious that the attacks were malefic, but what about Heartland’s security? Was Heartland negligent? Did Heartland employ the “Highest Standards” of security which could have mitigated the severity of their compromise?
Per the DoJ release, Heartland was vulnerable to “sophisticated” SQL Injection attacks which were used in part to compromise more than 130 million credit and debit cards. The attacker, Albert Gonzalez, 28, of Miami, Fla., is now being charged for a “different pattern of hacking activity that targeted different corporate victims and involved different co-conspirators.” – in addition to two other trials for other hacking activities. Thief, criminal, hacker – whatever you want to call him, we can all conclude these attacks were wrong. This guy has been in your Internetz stealing your credit cardz.
Meanwhile, if you’ve been a business who accepts credit cards through Heartland you likely have customers with stolen credit card information and are in a delicate position considering the significant cost required to change payment processors, both technically, and contractually. Changing payment processors often requires programming and the contract agreements required by most payment processors are stifling, costly, or both. So now you’re left with the question as to whether you should trust Heartland with your customers credit card information?
I can’t answer these questions for you but we can at least explore the idea that Heartland’s operations were negligent and ineffective at providing “The Highest Standards” and “The Most Trusted Transactions” as, according to reports, their attacker profiled several systems before determining that Heartland’s system was one to be compromised. If Heartland’s system was as-advertised, would it have withstood these attacks or would the attacker have targeted a different system instead?
Based on the DoJ report of the attack and amount of information compromised I would suspect the attack was preventable if “standard” security systems and practices were adopted. SQL Injection, while it sounds like a complicated attack requiring intricate knowledge, planning, and acrobatic stunts — is really a simple exploit which has been documented and addressed for almost a decade. In fact, a similar attack – code injection – was used in the SQL slammer worm which essentially broke the Internet in 2003. Basically, both attacks depend on a “parameter” not being checked and then being executed; this is akin to letting a stranger drive your car. Being exploited by one of these attacks is like letting an intoxicated stranger drive your car into a pole; maybe he said he was good to drive, and maybe the pole jumped in front of him, but the point is you had no experience to trust a stranger and you shouldn’t ever let an intoxicated driver behind the wheel of a car.
Ignorance is not an excuse for information security just as it isn’t an excuse for tax evasion or violating regulations. If you want to sympathize for Heartland for being attacked then that’s your prerogative and I hope you’re not the person responsible for security at any organization. If you’re concerned for the privacy and security of consumer’s financial and personal information then it’s your right to ask these questions of Heartland Payment Systems, or any company who significantly compromises the security of your information.