March 19, 2008 1:22 PM PDT

Technical details remain light in supermarket data breach

by Robert Vamosi

Details remain sketchy regarding Monday's announcement that 4.2 million credit and debit card numbers were exposed at a Maine-based supermarket chain. However, public comments made by Ronald Hodge, CEO of Hannaford Supermarkets, suggest that even with recent improvements in payment card transaction security, there may be holes.

The standards organization, the PCI Security Standards Council, was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. It maintains the PCI Data Security Standard (PCI DSS), first released in 2004 and revised since, which includes, among other things, requirements for securing the networks that carry cardholder data. Dr. Neal Krawetz of Hacker Factor Solutions said that PCI DSS allows for the storage of card numbers and expiration dates on a branch server (the standard requires stored card numbers to be rendered unreadable, and forbids storing the card-verification code or full magnetic-stripe data after authorization). And that is what may have been compromised in this case.

Krawetz said that, in general, the traffic between the cash register and the credit card companies is secure. The transaction is typically authorized at the cash register while the customer is standing by. After the customer leaves, the transaction record is sent on to a branch server.

If criminals were to target a single cash register, they would not reach the volume attributed to this latest data breach; stealing 4.2 million accounts requires access to a larger repository. In retail stores, especially in large chains, branch servers collect data from individual cash registers and may store it locally, regionally, or nationally.

That's why branch servers are becoming the targets of sophisticated attacks. Last summer, Krawetz released a paper arguing that the communication between the cash register and the branch server is often not secured. In some deployments the data travels from the cash register to the branch server wirelessly over unencrypted networks, although there is not enough information here to say whether that is what happened at Hannaford.
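The practical check a store or its assessor would run against the scenario above is to capture a sample of register-to-branch traffic (or read a branch-server log) and look for card numbers in the clear. The following is an added example written for this page, not code from Krawetz's paper or from Hannaford; it scans a byte stream for 13- to 19-digit candidates, keeps only those that pass the Luhn (mod-10) check that all major card brands use, and reports them masked to the first six and last four digits as PCI DSS requires for display. The capture payload and its record format are constructed for the example, and the card numbers are the publicly known brand test numbers, not real accounts.

```python
"""Scan a captured register-to-branch byte stream for cleartext card numbers.

Added example for this article (not from the article, Krawetz's paper, or
any retailer's software). The record layout and SAMPLE_CAPTURE below are
constructed; the PANs are the well-known public test numbers.
"""
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or hyphens, and not glued to further digits on either side.
CANDIDATE_RE = re.compile(rb"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(data: bytes) -> list[str]:
    """Return the masked PANs found in cleartext, in order of appearance.

    Digit runs that look like card numbers but fail Luhn (timestamps, order
    ids, a mistyped card number) are deliberately not reported.
    """
    found = []
    for m in CANDIDATE_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


# Constructed sample: pipe-delimited records as a register might forward them.
SAMPLE_CAPTURE = (
    b"TRX|20080319132200|4111111111111111|0911|12.34\n"     # Visa test PAN in the clear
    b"TRX|20080319132205|5555 5555 5555 4444|1009|48.10\n"  # MasterCard test PAN, spaced
    b"TRX|20080319132210|3782-822463-10005|0110|7.00\n"     # Amex test PAN (15 digits)
    b"TRX|20080319132215|4111111111111112|0911|3.25\n"      # fails Luhn: not flagged
    b"ORD|00012345678901234|rcpt\n"                         # 17-digit order id: not flagged
)

if __name__ == "__main__":
    for pan in find_cleartext_pans(SAMPLE_CAPTURE):
        print("cleartext PAN seen:", pan)
```

If this scan reports anything on a segment that is supposed to be protected, the encryption is not doing its job regardless of what the compliance paperwork says. Note that the regex tokenizes on spaces and hyphens, so two numbers separated only by a space could be merged into one candidate; feed it delimited records or packet payloads rather than free text.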

Krawetz cautioned that at this point many important details regarding Hannaford are lacking. "The size of the compromise sure sounds like it could be a branch or regional server." Hodge, in his public letter to Hannaford customers, acknowledged that the intrusion affected the Hannaford stores, Sweetbay stores in Florida, and certain independently owned retail locations in the Northeast that carry Hannaford products.

If branch servers are to blame, recent security standards would appear to be lacking. The Washington Post's Brian Krebs quoted a CyberTrust executive, Bryan Satrin, who echoed that concern, saying that "these organizations can be (compliant with the credit card industry security standards) and still have customer data stolen."

Last March, TJX announced that 45.7 million accounts were compromised over a two-year period in a data breach of customer records at T.J. Maxx and Marshalls retail chains.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by mbridge June 5, 2008 3:09 PM PDT
Compliance does not equal security. That should be the mantra of every good security consultant, security engineer, and PCI QSA (qualified security auditor) out there. Compliance is simply showing that you have followed a series of rules or steps set out by either a 3rd party, such as PCI or SOX, or your own organization. People need to keep in mind that PCI compliance does not guarantee security. No standard such as this really can since they are written for a broad array of businesses.

Only an internally written security standard can truly get to the breadth and depth of an organization's specific requirements. With all that being said, PCI is still one of the best, widely accepted, security standards available.

www.MBridge.com