
Global Payments Breach Confirmation

Gunter Ollmann

This morning, Global Payments held a conference call with investors and analysts covering its earlier breach announcement and projected earnings. Global Payments had also released an update advisory yesterday stating that "the company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers have been exported" and that only Track 2 card data may have been stolen. Track 2 is the magnetic-stripe track that carries the card number, expiry date and service code but not the cardholder name; on its own it is enough to produce counterfeit magstripe cards for card-present fraud, while being of limited use for card-not-present fraud, which normally needs the name, address and CVV2 that Track 2 does not contain.

In discussing the breach, Paul Garcia, Chairman and CEO of Global Payments, reiterated that the investigation is ongoing, but that the 1.5m stolen card details likely represent an upper bound on the loss and that only a "handful" of North American servers were affected (i.e. this was not a merchant breach). At this point, they are not aware of any fraudulent transactions related to the data theft.

Given that a breach has been confirmed, Global Payments has lost its place on Visa's list of PCI DSS compliant service providers and must now re-earn a clean ROC (Report on Compliance) through a fresh assessment. Losing that status does not mean they cannot process Visa cards; rather, by being non-compliant, they become liable for fines and for additional losses traced to the breach. When asked during the call about the likely charges and liability, listeners were reminded several times that the investigation is continuing and that the company has sufficient insurance to cover prospective liabilities. It was stated that MasterCard may take similar action on its own PCI compliance listing.

I thought it was interesting that Global Payments had received assurances from competitors that they wouldn't capitalize on the breach, since any one of them could be similarly affected in the future (if not already breached but undetected so far). I'm not sure how credible that is, and I'd be surprised if some of those competitors' sales folks weren't already using the breach to further their own agendas.

Global Payments stressed that, contrary to rumors, this is the first breach that the company has suffered. The breach itself is believed to be contained and was picked up by their server data monitoring and breach detection tools — "just not well enough" (no hints were made as to the nature of the technology deployed).

So, while the forensic investigation continues, what does it all mean? Based on the information disclosed thus far, it sounds like Global Payments is doing everything the right way. They disclosed as soon as they had enough information and confidence in their findings to do so. They have been using data monitoring tools to spot breaches, although these controls proved insufficient to stop the theft and do not sound as though they were configured for real-time alerting. They've pulled in outside experts to help them get to the bottom of the breach. And they're aware of the business consequences, having taken out sufficient insurance to cover the associated liabilities. What's left?

Last week a figure of 10,000,000 had been floated as the size of the theft. It now appears that 1,500,000 cards were stolen. No discussion was provided as to what other data had been exposed to the attackers, as distinct from the data for which there is "evidence" that it was actually exported. Regardless, while 1.5m is less than 10m, it's still a damned big number, and it will cost the card issuers quite a bit of money to monitor for fraud and reissue cards, all of which Global Payments will need to cover. I think that lessons have been learned from the big data breaches like TJX, but it would appear that the cost of a breach is largely independent of the number of cards actually lost.

Global Payments has been deliberately cautious in revealing any details as to how the incident occurred and which systems failed to prevent the intrusion or alert on the breach. I'd expect that time will shed more light on the attack vectors, and it is important that such details are published as and when it is prudent to do so. While Global Payments is a multi-billion-dollar enterprise, there are still hundreds of other card clearing houses around the world that could benefit from a detailed account of the incident in order to build better defenses. These may be competitors to Global Payments, but we, you and I, are the potential victims of their inadequate defenses, and I'd like assurances that they're doing better than they are today.

By Gunter Ollmann, Chief Technology Officer at IOActive.

Related topics: Cybercrime, Malware, Security


Comments

Phil Howard  –  Apr 07, 2012 3:07 PM PDT

When is the old legacy "grossly insecure" credit card payment system going to be fixed or replaced?  It's a system that depends on the trust of the millions of merchants all over the world to be honest.

It needs to be replaced with a smart-card type system that allows a bank account holder to communicate securely with their own bank (through a secure backchannel at each merchant terminal or via your computer) to authorize a transaction the merchant has pending (at the clearing house, where the bank queries for it).  The backchannel also needs to be TWO layers: one TLS layer to the clearing house itself, and another inside that layer to the bank, so the merchant does not even sniff what bank your account is at.

In such a system, the merchant gets to know if the bank authorized the transaction.  Any issues of invalid authorizations are between the account holder and his bank.

The merchant gets a unique 128-bit transaction ID from the clearing house.  That ID is sent over to the smart-card which can pass it on to the bank.  It asks the bank to get the transaction record from the clearinghouse, which includes the merchant's legal identification, and the amount and currency.  If the holder authorizes it, the authorization goes to the bank, then to the clearinghouse, and back to the merchant.

The smart-card requires a pass code entry by the account holder using configurable means the holder and bank agree on.  Things like how long the pass code entry remains valid before expiring, etc.

This should NOT be a phone app for security reasons.  It should be implemented entirely in the bank issued smart-card that has its own CPU and UI.  Communication can be by "remote control" style IR LED to a like port at the merchant cash register, or via bluetooth to a PC or phone when making purchases online.

The key to this system is that we replace the worthless "trust in millions of merchants" with "singular trust in the bank your account is at".  Globally unique transaction IDs ensure no duplication of charges (the bank would have some explaining to do if they debit the same ID to an account twice).  So no more "double swipe" becoming "double charge".

Even this system is not without flaws.  But it would be significantly better than what we have now.

For consumers it eliminates the nightmare of random charges from all over if one merchant is sloppy or a phishing site managed to trick a consumer.  At best a phishing site can get money only for the transactions the user authorizes.  There is still the risk the merchant won't deliver on payments.  And chargebacks would be a different process (the merchant would need the right to know who the consumer is if the chargeback is approved).  And it would still be possible for the smart-cards to be physically stolen, either after they watched the pass code entry, or coerced the user to enter it (but we could have a pass code that would make things look valid for a while then freeze out the smart-card a random number of minutes later).
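The flow the comment above describes, as an added worked example that is not the commenter's code and has nothing to do with Global Payments' actual systems: a Python simulation in which the merchant, the clearing house, the issuing bank and the bank-issued smart-card exchange messages keyed by a random 128-bit transaction ID, the holder approves the merchant identity, amount and currency that the bank fetched from the clearing house, and the bank refuses to debit an ID it has already charged, so a double swipe cannot become a double charge. The two-layer TLS back-channel, the card's IR/Bluetooth transport and the pass-code expiry are not modeled; every class, method and sample value here (card IDs, merchant names, amounts, the pass code) is assumed for illustration.

```python
# Added illustration (not the commenter's code, unrelated to Global Payments'
# systems) of the authorization flow sketched in the comment above: merchant,
# clearing house, issuing bank and bank-issued smart-card exchange messages
# keyed by an opaque 128-bit transaction ID, the holder approves the record
# the bank fetches from the clearing house, and the bank never debits the same
# ID twice. The two-layer TLS back-channel is not modeled; names are assumed.
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable, Optional

Approver = Callable[[str, int, str], bool]  # (merchant, amount_cents, currency) -> ok?


@dataclass
class Transaction:
    merchant_id: str
    amount_cents: int
    currency: str
    status: str = "pending"  # pending | authorized | declined


class ClearingHouse:
    """Holds merchant transactions keyed by a random 128-bit ID."""

    def __init__(self) -> None:
        self.records: dict[str, Transaction] = {}

    def open_transaction(self, merchant_id: str, amount_cents: int, currency: str) -> str:
        tx_id = secrets.token_hex(16)  # 128 random bits: unguessable, globally unique
        self.records[tx_id] = Transaction(merchant_id, amount_cents, currency)
        return tx_id

    def lookup(self, tx_id: str) -> Optional[Transaction]:
        return self.records.get(tx_id)

    def record_decision(self, tx_id: str, authorized: bool) -> None:
        self.records[tx_id].status = "authorized" if authorized else "declined"


class Bank:
    """Issuing bank: the only party that knows the account behind the card."""

    def __init__(self, clearing: ClearingHouse) -> None:
        self.clearing = clearing
        self.balances: dict[str, int] = {}  # card_id -> balance in cents
        self.debited: set[str] = set()      # transaction IDs already charged

    def authorize(self, card_id: str, tx_id: str, holder_approves: Approver) -> bool:
        """Back-channel request from the card; True only for a fresh, approved debit."""
        if tx_id in self.debited:
            return False  # double swipe or replay: this ID was already charged
        tx = self.clearing.lookup(tx_id)
        if tx is None or tx.status != "pending":
            return False  # fabricated ID, or one already decided
        # The card's own UI shows merchant, amount and currency for approval.
        if not holder_approves(tx.merchant_id, tx.amount_cents, tx.currency) \
                or self.balances[card_id] < tx.amount_cents:
            self.clearing.record_decision(tx_id, False)
            return False
        self.balances[card_id] -= tx.amount_cents
        self.debited.add(tx_id)
        self.clearing.record_decision(tx_id, True)
        return True


class SmartCard:
    """Bank-issued card with its own CPU and UI; it talks only to its bank."""

    def __init__(self, card_id: str, bank: Bank, passcode: str) -> None:
        self.card_id, self.bank, self._passcode = card_id, bank, passcode

    def present(self, tx_id: str, passcode: str, holder_approves: Approver) -> bool:
        if passcode != self._passcode:
            return False  # no pass code, no back-channel request at all
        return self.bank.authorize(self.card_id, tx_id, holder_approves)


def purchase(clearing: ClearingHouse, card: SmartCard, merchant: str, amount_cents: int,
             currency: str, passcode: str, approve: bool = True) -> tuple[str, str]:
    """Full round trip as the merchant sees it: returns (tx_id, final status)."""
    tx_id = clearing.open_transaction(merchant, amount_cents, currency)
    card.present(tx_id, passcode, lambda m, a, c: approve)
    return tx_id, clearing.lookup(tx_id).status


def demo() -> dict:
    """Constructed scenarios: a sale, a double swipe, a refusal, a bad pass code, a forged ID."""
    clearing = ClearingHouse()
    bank = Bank(clearing)
    bank.balances["card-1"] = 10_000  # constructed sample account, 100.00 in cents
    card = SmartCard("card-1", bank, passcode="4321")

    tx_id, first = purchase(clearing, card, "ACME Stores Inc", 2_500, "USD", "4321")
    double_swipe = card.present(tx_id, "4321", lambda m, a, c: True)  # same ID presented again
    _, refused = purchase(clearing, card, "Phishy Goods LLC", 9_000, "USD", "4321", approve=False)
    _, bad_pin = purchase(clearing, card, "ACME Stores Inc", 1_000, "USD", "0000")
    forged = bank.authorize("card-1", secrets.token_hex(16), lambda m, a, c: True)
    return {"first": first, "double_swipe": double_swipe, "refused": refused,
            "bad_pin": bad_pin, "forged_id": forged, "balance": bank.balances["card-1"]}
```

Calling demo() walks five constructed scenarios: a normal sale, the same ID presented a second time (rejected by the bank's debited-ID set before anything else is checked), a sale the holder refuses on the card's UI, a wrong pass code (the card never contacts the bank, so the clearing-house record stays pending), and a fabricated ID the bank cannot find at the clearing house. Throughout, the merchant handles only the ID and the final decision; which bank the card belongs to never crosses the merchant's terminal.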

