Back in 1992, Dr. Neal Krawetz, now of Hacker Factor, and several partners had an idea: they wanted to bring credit card transactions to a local flea market. Better yet, they wanted De Anza Junior College in Cupertino, California, to offer wireless transactions from the open-air stalls, operating over packet radio. The idea was good enough that they secured a meeting with Verifone, the largest provider of credit card swiping equipment in North America. During the meeting, Verifone agreed to loan them one of its Tranz 330 transaction units, perhaps the most commonly used credit card swiper in the world. But before handing it over, the Verifone representative took out a 12-page document, then keyed in a master password reset. Intrigued, Krawetz remembers asking what was to stop someone from stealing the credit card data stored inside. Verifone replied that it was aware of the risk and said "it's being addressed." Krawetz said recently, "if an expert tells me that, I'm going to believe them." Now, 15 years later, he has gone public, in a paper, with more or less the details of the flaw he first observed in 1992, the flaw that Verifone and other companies still haven't addressed.
That was then...
Back in 1992 very few people were security-conscious. It seemed miraculous to no longer have your card imprinted on carbonless forms and instead get instantaneous credit authorizations at the cash register. The credit card devices themselves seemed pretty secure: POS systems are usually in highly visible parts of a store, and short of someone stealing the transaction unit itself, the theft risk at the counter is low.
The trouble is that those same Tranz 330 machines are still in use. "In 2006," Krawetz told me, "my local gas station had a Tranz 330 sitting on the counter. They had two, one by each of the cash registers." He went on to say, "If you want to steal credit cards, the easiest way to do it is to simply get a job at a retailer. Gain enough confidence in the manager so that they let you work the night shift. And the old Tranz 330 didn't log if you printed out everything, so just print out everything."
This is now...
Verifone has officially released the successor to the Tranz 330 model, the V* series. What's great about the V* series is that "you're not supposed to be able to reset the master passcode and get everything out, and so the V* series actually does that," said Krawetz. "If you reset the master passcode on the V*, it's supposed to wipe the memory. This way someone can't just reset the master passcode on it, and then do a dump of everything that's in it."
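The two terminal behaviours the article contrasts, a reset that leaves stored transactions readable with no record of who printed them (the Tranz 330 as Krawetz describes it) versus a reset that zeroizes memory (the V* series as described), can be modelled in a few lines. The code below is an added illustration written for this page, not Verifone firmware or Krawetz's code; the terminal classes, the hash-chained audit log and the sample card numbers are all constructed for the example.

```python
"""Toy model of a payment terminal's master-passcode reset.

Constructed for illustration: LegacyTerminal keeps data across a reset and
logs nothing; WipingTerminal zeroizes on reset and records every dump in a
hash-chained audit log so that a deleted entry is detectable.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass
class Record:
    pan: str          # primary account number (constructed test values below)
    amount_cents: int


class LegacyTerminal:
    """Reset changes only the passcode; stored card data survives, dumps are unlogged."""

    def __init__(self, master_passcode: str) -> None:
        self._master = master_passcode
        self._records: list[Record] = []

    def store(self, pan: str, amount_cents: int) -> None:
        self._records.append(Record(pan, amount_cents))

    def reset_master_passcode(self, new_passcode: str) -> None:
        self._master = new_passcode  # data is retained

    def dump(self, passcode: str) -> list[Record]:
        if passcode != self._master:
            raise PermissionError("bad passcode")
        return list(self._records)  # no audit entry is written


class WipingTerminal:
    """Reset zeroizes stored data; every dump attempt is written to a chained audit log."""

    GENESIS = "0" * 64

    def __init__(self, master_passcode: str) -> None:
        self._master = master_passcode
        self._records: list[Record] = []
        self.audit_log: list[dict] = []

    def _append_audit(self, event: str, operator: str, count: int) -> None:
        prev = self.audit_log[-1]["digest"] if self.audit_log else self.GENESIS
        entry = {"seq": len(self.audit_log), "event": event,
                 "operator": operator, "count": count, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["digest"] = hashlib.sha256(body).hexdigest()
        self.audit_log.append(entry)

    def store(self, pan: str, amount_cents: int) -> None:
        self._records.append(Record(pan, amount_cents))

    def reset_master_passcode(self, new_passcode: str, operator: str) -> None:
        wiped = len(self._records)
        self._records.clear()  # zeroize on reset
        self._master = new_passcode
        self._append_audit("MASTER_RESET", operator, wiped)

    def dump(self, passcode: str, operator: str) -> list[Record]:
        if passcode != self._master:
            self._append_audit("DUMP_DENIED", operator, 0)
            raise PermissionError("bad passcode")
        self._append_audit("DUMP", operator, len(self._records))
        return list(self._records)

    def verify_audit_log(self) -> bool:
        """Return True if the chain is intact: sequence numbers, back-links and digests all match."""
        prev = self.GENESIS
        for seq, entry in enumerate(self.audit_log):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def records_recoverable_after_reset() -> tuple[int, int]:
    """Load the same two constructed transactions into both models, reset each
    master passcode, and return how many records a dump then yields (legacy, wiping)."""
    legacy = LegacyTerminal("1234")
    wiping = WipingTerminal("1234")
    for pan, amount in [("4111111111111111", 1999), ("5500000000000004", 450)]:
        legacy.store(pan, amount)
        wiping.store(pan, amount)
    legacy.reset_master_passcode("0000")
    wiping.reset_master_passcode("0000", operator="night-shift")
    return len(legacy.dump("0000")), len(wiping.dump("0000", operator="night-shift"))


if __name__ == "__main__":
    print(records_recoverable_after_reset())  # (2, 0)
```

The design point is the pairing: zeroizing on reset removes the data a reset was being used to reach, and the chained log means that a dump, or the deletion of a dump entry, leaves evidence the store manager can check the next morning.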
Further, there are new standards. As of June 2006, retailers and others are subject to a new set of requirements called the Payment Card Industry Data Security Standard (PCI DSS). Unfortunately, as of today, only 40 percent of Level 1 merchants, those who generate 6 million transactions or more annually, are fully compliant. The PCI DSS has 12 requirements that, for some reason, large retail stores just can't seem to implement. You can learn more about the specific requirements from the PCI DSS standards organization itself.
Compliance isn't the real problem either
Krawetz says what's vulnerable are the branch servers used to collect thousands of individual credit card transactions daily from local, regional, or national stores. Branch servers are the true targets of sophisticated attacks, and Krawetz says it's the communication, sometimes wireless, between the cash register and the branch server that is not secure. There have been a few well-publicized incidents of late.
In 2005, Paul Timmins, Adam Botbyl, and Brian Salcedo were sentenced for wardriving cash register data being transmitted to a branch server from a Michigan Lowe's. More recently, the theft of 45 million credit cards from TJX is also thought to have been done wirelessly. Initial speculation in both cases involved a free utility called the tracer utility. "They blamed the tracer utility," said Krawetz, "because it was able to collect both the account number and encryption keys, so basically you could decode everything that was there."
Krawetz doesn't buy that theory. "How did the software get onto the box in the first place is the first question, and, second, how did the attacker get onto the box in order to get the data that was collected by the tracer utility? If the bad guy can get onto the box in order to get the data, then the bad guy can place any software and get pretty much whatever they want on the system."
"And so this becomes a huge question of whether the tracer utility was even necessary. I claim that it wasn't. If they could get onto the system, they could have installed their own tracer utility."
Security by obscurity
Krawetz is going public with this because there has been little progress on the critical issues. The data thefts in the news happened around 2003, yet we still have major retail stores noncompliant with security standards that were intended to take effect in 2006. And who do you talk to about this? Certainly the major players don't talk among themselves. After submitting his paper to Visa, Fujitsu Transaction Solutions, and others for comment, and receiving none, Krawetz chose full public disclosure.
"Credit card companies are reluctant to talk about it even with banks. Or people who issue credit cards don't always know the full story back at the credit card company. It's very much on a need-to-know basis." Krawetz likened it to "security by obscurity": "You can walk into your bank and say 'Do you have a safe?' and they won't answer you, but you can see it over their shoulder." Like any security researcher who has tried to work with a vendor to little result, Krawetz hopes that by going public he will finally see some changes.
You can hear more of my interview with Neal Krawetz on this week's Security Bites podcast.
Shouldn't the credit card companies be doing more to stop these credit card breaches? TalkBack to me.