http://nytimes.com/2005/07/26/business/26card.html
July 26, 2005
Main Street in the Cross Hairs
By ERIC DASH
Along a crowded stretch of highway just south of Miami's downtown is
a shopping area that might be called the data theft capital of the
United States. In the wireless hacker equivalent of a drive-by
shooting wave, criminals obtained the cardholder information of tens
of thousands of customers at four major stores there, including a DSW
Shoes retail outlet that appears to have been the initial source of a
chainwide data breach.
Recent investigations reveal that the thieves singled out stores with
strong wireless signals and weakly protected data. While their exact
methods are not known, they could have parked a car outside a store
or set up in the local Starbucks, using a laptop computer outfitted
with an off-the-shelf wireless receiver. They may have even received
help from Web sites listing the geographic coordinates of easy-to-
target stores.
From there, it would be easy to pick up signals being broadcast
around the store and use them to gain access to its computer systems.
For more than a month, the hackers "robbed" the same shops again and
again of premium card account numbers stored in their databases.
Then, after security upgrades were announced or investigators showed
up on site, the data thieves moved on - to another shop they had
already staked out on the same side of the street.
"It was as if they would hit one, drive down the road, and find
another," said Bryan Sartin, a lead investigator for Cybertrust, the
security services firm that was called in after each of the incidents.
Mr. Sartin is bound by confidentiality agreements not to reveal
details about the incidents he investigates. But his account
illustrates a larger point: While the banks and payment processors
have been targets in the largest and highest-profile attacks,
security specialists say the payment system's most vulnerable points
may be the estimated five million merchants where cards are accepted.
Unlike banks and other financial institutions, merchants often lack
technological expertise and management attention to keep their
customers' information secure. The widespread use of wireless
technology by businesses, as in homes, has left merchants' computer
systems increasingly susceptible.
Meanwhile, the credit card associations, like MasterCard and Visa,
have been lax about enforcing their own security rules. And the
requirements for retailers to protect consumer data frequently fall
through the cracks of government and industry regulations.
"The breaches at processors and Internet gateways are very few and
far between," Mr. Sartin said. "About 95 percent of what you are
seeing right now are data breaches involving e-commerce merchants and
retailers."
And it is no longer just unsophisticated mom-and-pop shops or fly-by-
night dot-com companies under attack. Well-known merchants with
millions of records are victims, too.
"What people don't recognize is that some of those companies are DSW,
BJ's Wholesale or Chipotle," said Robert McCullen, the chief
executive of AmbironTrustwave, a Chicago firm that is the payment
industry's largest data security auditor. "These are big names."
To be sure, even the largest merchants do not have the treasure
troves of cardholder data that a large bank or a payment processor
might keep. Merchants also have strong incentives to protect
cardholder information, because they often bear the cost of fraud
through hefty charge-back fees. But at a time when data crimes are
easier and more profitable than ever, they can be easy targets for
thieves.
"The problems we are seeing with merchants are problems that many
companies have in securing sensitive information," said Jessica Rich,
the Federal Trade Commission's director of financial practices. "We
are seeing a lot of sloppy practices."
As loyalty programs have grown, retailers are collecting more
cardholder information today than ever before. But until recently,
most gave little thought to its protection.
The majority of the swipe terminals found at checkout counters now
connect over the Internet, instead of by phone, to the Visa and
MasterCard networks. Insecure wireless systems that track inventory
provide another entry point for grabbing cardholder data, too. As a
result, many merchants - especially those that do not have a Web site
where consumers can make purchases - are unaware that their computer
systems are accessible online.
"I feel bad for some of the merchants we get involved with on a
forensics basis because they really don't know what happened," Mr.
McCullen said. The terminals, he added, are installed by software and
service providers, which get paid each time their products are leased
or used. They have no incentive to advise the merchants of the risks.
That may have just happened to a small, family-run Indian restaurant
in Santa Clara, Calif., which has only one terminal to punch in
customer orders and card numbers. Last week, the owner contacted Tom
Arnold, a payments security consultant in the San Francisco Bay area,
to report that his store was attacked by data thieves.
"He just bought a piece of restaurant software, installed it on his
computer, hooked it up to a D.S.L. line and said I'm good to go," Mr.
Arnold said, referring to the high-speed telephone connection.
Security compliance is another challenge. While banks are held
responsible for the actions of third-party payment processors they
hire to handle their accounts, no federal rules require merchants to
safeguard their data. Visa's and MasterCard's contractually binding
security standards are the closest proxy.
Yet, merchant advocates complain, those so-called payment card
industry standards are often so complicated that the average
shopkeeper cannot understand them. Security specialists say that some
of the banks, which are responsible for ensuring their merchants are
adhering to those data protection policies, can be inattentive to
security deadlines or unaware of those rules.
Visa and MasterCard encourage - but do not require - the vast
majority of small and midsize merchants to prove their compliance.
Only about 400 of the country's biggest retailers and just over
10,000 midsize merchants with a substantial online presence have that
obligation. That group must pass an annual security audit, often self-
assessed, and conduct quarterly scans of their computer networks for
vulnerable points.
Put another way, that means Visa and MasterCard require fewer than
three-tenths of 1 percent of the country's estimated five million
merchants to certify they are following their security rules. And
many of those online merchants missed a recent June 30 deadline.
Steve Ruwe, Visa's executive vice president for operations and risk,
said that many merchants "are working toward compliance" but it was
"an ongoing event to get them where we want them to be." He argued
that the primary responsibility for compliance rests on its member
banks, not Visa. "It's Visa's responsibility to act at a holistic
level, to provide leadership," he said. "Of course, we have a
responsibility but we don't manage them directly."
Chris Thom, MasterCard's chief risk officer, said that all its
merchants must follow the rules but that education and encouragement
rather than security audits may be the most effective tools with
smaller merchants. MasterCard recently tripled its staff to help
improve awareness and published its merchant security requirements
for the first time last August.
"We are trying to be much more transparent so at least there is a
good opportunity for the merchant to understand what is required of
him," he said. MasterCard executives have previously suggested that
90 percent of all data compromises could have been prevented if
merchants were following their security rules.
Many small merchants, however, still do not conform to the industry's
most basic security requirements, like encrypting their customers'
data and avoiding the use of commonly known passwords. Most do not
conduct quarterly network vulnerability tests that can cost as little
as a few hundred dollars.
Still, there are some signs of change. The high-profile data breaches
at stores like DSW Shoes, along with a recent unfair practices
complaint by the Federal Trade Commission against BJ's Wholesale Club
of Natick, Mass., have been wake-up calls to the entire industry. So
has the situation at CardSystems Solutions, the small payment
processor whose data compromise last month exposed 40 million
cardholder accounts. Security auditors and consultants report that
more merchants are inquiring about their services and are rushing to
sign up.
Meanwhile, a few of the larger card processors and merchant banks
have sent letters to businesses insisting on security compliance;
some make clear the real possibility of fines. Others have started
pressuring the software and service providers to educate their
customers and certify that their software and terminals are secure.
Visa and MasterCard are making the case to the merchants themselves.
Last Wednesday, Visa said it was forming a partnership with the
United States Chamber of Commerce to sponsor seminars for small and
midsize businesses about ways to prevent data theft; MasterCard sent
a letter to all domestic merchants last November alerting them to the
rules. In the past, MasterCard, Visa and others geared their pitches
mainly to their member banks and larger merchants.
Of course, Mr. Sartin still expects to be busy. The crimes he saw at
the four Miami-area stores could have taken place just about anywhere.
DSW Shoes confirmed that its Dadeland store had been attacked and
said that Cybertrust and the United States Secret Service had been
investigating. That location, people close to the investigation said,
was probably the initial site of the nationwide data compromise that
put the accounts of 1.4 million cardholders at risk for fraud.
But the real problem may be the information the thieves have already
obtained. Once criminals crack the code for entry to one business
location, Mr. Sartin said, they probably have the data security
blueprints of others. For some national chains, the passwords and
computer system protections can be as similar as the uniforms worn by
employees.
"Tell me, do you have a location in Miami?" Mr. Sartin now asks when
a national retailer calls. "Is it on the South Dixie Highway?" he
adds, before a short pause. "Don't tell me, is it on the odd-numbered
side of the street?"