Criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers, devices designed to be attached to cash machines and siphon card + PIN data, a new report warns.
See source article for nice pictures of the actual devices...
The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs.
EAST said it also discovered that a new type of analog skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).
In the somewhat low-res pictures supplied by EAST here, the audio skimming device is mounted on a piece of plastic that fits over the ATM’s card reader throat. A separate micro camera embedded in the plastic steals the victim’s PIN.
The use of audio technology to record data stored on the magnetic stripe on the backs of all credit and debit cards has been well understood for many years. The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37). Since then, other electronics enthusiasts have blogged about their experiments with sound skimmers; for example, this guy discusses how he made a card reader device out of an old cassette recorder.
Recently, I had a chance to chat via instant message with a hacker in Eastern Europe who sells both audio-based ATM skimmers and the technology needed to decode audio skims or “dumps.” Below are some of the pictures of his wares that he sent me:
Larco releases new USB pressure mats. Originally the "Larco mat" came with rs-232 interface.
• 21 Sep 2010
Recognizing the vital need for increased protection against identity and information theft, Larco has introduced the hands-free and pressure-sensitive USB Kiosk Security Mat to protect critical data.
Tailgating events such as ‘shoulder surfing’ result in damaging consequences from stolen passwords, PINs, credentials, financial and other sensitive data.
Placed in front of the kiosk, pressure must be applied to the mat before system log-on is possible. When pressure is removed (or the user steps away), the mat automatically and instantaneously logs the user off the system. Utilizing a common plug-and-play connection with a standard USB cable, the mat can be quickly linked to the kiosk computer system and works seamlessly with existing security features.
The security mat is a preventative technology suited for transactional self-service kiosks at banks, financial centers, airport security, hospitals (patient check in/or visitation rooms), government and military offices, human resource stations, and retail stores (loyalty registry).
Larco is evaluating next generation kiosk mat technology as both a wireless and USB activation trigger for biometrics, RFID, robotic and remote camera imaging, digital signage, and inventory control.
KioWare kiosk software is configurable with retractable kiosk printers that work with the Larco Kiosk Security Mat. If printed documents are forgotten by the user, they are retracted back to an internal disposal box, thus maintaining the user’s privacy. Additionally, the application is reset, clearing all cookies, cache and user history immediately after the user steps away from the mat.
Larco’s product line includes door-activation mats and wall switches for the automatic door industry, heavy duty, safety presence sensing mats used for industrial machine safeguarding, and consumer privacy protection products in the security markets.
Hacker mastermind Albert Gonzalez was sentenced Thursday in US District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the 'unparalleled' theft of millions of credit card numbers from major US retailers.
US District Court Judge Patti B. Saris announced the concurrent sentences in two 2008 cases against Gonzalez, 28, a Cuban-American who was born in Miami, where he lived when the crimes were committed. Gonzalez and co-conspirators hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster's, among other online retail outlets, in one of the largest — if not the largest — cybercrime operations targeting that sort of data thus far.
They then sold the numbers to other criminals. Gonzalez pleaded guilty to conspiracy charges in two cases related to those thefts last December and the following day entered a guilty plea in a third case involving hacking into computer networks of Heartland Payment Systems and the Hannaford Supermarkets and 7-Eleven chains."
New security flaws discovered in chip & pin
Video from BBC -- link
Talk on PCI, UPT and Kiosks at the next KioskCom New York in November. Kirk Nelson with Arcatech and Craig Keefner of KIOSK are the joint speakers.
PCI and UPT – What is the impact on the kiosk industry?
Payment data breaches are now more frequent and sever than ever before. Are your kiosks compliant with payment and cardholder data security? How do the issues facing unattended payment terminals (UPT) impact the kiosk industry? Failure to design, implement these crucial compliance issues my result in devastating fines, losses and penalties for those companies that do not follow. Attend this session and learn:
Craig Keefner, Channel Manager, KIOSK Information Systems
Kirk Nelson, Associate Vice President of OEM Solutions, ArcaTech Systems
Amazing story of Gonzalez and the hacks into TJMaxx, Hannaford, 7-Eleven, others. He cut his teeth on Dave & Busters, then worked for the Feds, then went back to hacking more corporations. This our government did for us? Two articles one from Wired and one WSJ. The Wired one by Zetter is great. Also reveals SQL-injection attack on web servers was route in...The Tiger Woods of Cyber Crimes. Content from Wired, WSJ and NewsHour.
Here is the Wired report
TJX Hacker Charged With Heartland, Hannaford Breaches
By Kim Zetter August 17, 2009 | 2:34 pm | Categories: Breaches
The constellation of hacks connected to the TJX hacker is growing.
Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.
According to the court document, the hackers allegedly stole more than 130 million credit and debit card numbers (.pdf) from Heartland and Hannaford combined. Prosecutors say they believe these breaches constitute the largest data-breach and identity-theft case ever prosecuted in the United States. They’re investigating other breaches and have not ruled out Gonzalez’s involvement in even more intrusions.
“We’re not seeing a huge array of hackers capable of doing this, but rather a more select group, [and that] demonstrates that there is a level of sophistication involved in these hacks,” said Assistant U.S. Attorney Erez Liebermann of the Justice Department’s New Jersey district office.
But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies. Jury selection is slated to begin Sept. 14 in one of those cases. With regard to the Heartland-Hannaford cases, Gonzalez and the two unnamed Russian hackers have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit wire fraud.
They each face a maximum penalty of five years in prison and a possible maximum fine of $250,000 on the computer-fraud count and an additional 30 years and $1 million fine on the wire-fraud count, or twice the amount they gained from the offense, whichever is greater.
Attorneys for Gonzalez were not available for comment.
According to the New Jersey indictment, Gonzalez, 28, and an uncharged conspirator identified only as “P.T.,” allegedly found their targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. The hackers used computers they leased or controlled in California, Illinois and New Jersey as well as in Latvia, Ukraine and the Netherlands to store malware, launch their attacks against the networks, and receive the stolen numbers.
Using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network in August 2007, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.
Liebermann declined to identify the two national retailers, or state the amount of data stolen from them, because he said they have not gone public with their breaches.
Once on the networks, the hackers installed back doors to provide them with continued access at later dates. According to authorities, the hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.
“The fact that they were able to evade antivirus software that was running on the environment by testing it and programming the malware to erase itself suggests a degree of sophistication,” said Assistant U.S. Attorney Seth Kosto of the New Jersey office. “If it were just a case of getting onto the network, the card data would probably not have been exfiltrated.”
Heartland disclosed last January that hackers had installed sniffing software on its network that allowed them to capture unencrypted credit card data as transactions were being authorized in its system.
The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer’s name as well. The company has never disclosed the number of cards compromised, although the company’s website indicates that it processes about 100 million transactions a month for about 250,000 businesses.
According to Liebermann, Heartland accounts for the “vast majority” of the 130 million numbers mentioned in the New Jersey indictment.
Heartland reported in May that the breach had cost it $12. 6 million so far, which includes legal costs and fines from Visa and MasterCard, who say the company was not compliant with payment-card–industry rules.
Heartland’s CEO Robert Carr told Wired.com recently that the initial breach into the company’s network in December 2007 was confined to the company’s corporate network, which Carr said was separate from its card-processing network. But by May 2008, the hackers had jumped to the processing network. Carr wouldn’t say how they accomplished this.
Heartland caught the breach of the corporate network, but was unaware the hackers were sitting on its system for months conducting reconnaissance. Trustwave, a computer security firm, conducted its 2008 audit of Heartland on April 30 and deemed it compliant with Payment Card Industry Data Security Standards (PCI DSS). But shortly thereafter, the intruders began stealing batches of unencrypted card-track data from Heartland’s network, and continued doing so for months before being discovered.
Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003. Authorities discovered his connection to Shadowcrew and soon put him to work undercover on the site, setting up a VPN for the carders to communicate, which was controlled out of the Secret Service’s New Jersey office.
That undercover operation, known as “Operation Firewall,” led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to “Segvec” and moved to Miami where he allegedly resumed his life of crime under the nose of authorities who were in pursuit of “Segvec,” while being ignorant of the fact that he was their old informant.
Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.” As Wired.com previously reported, he spent $75,000 on a birthday party for himself and once complained to associates that he had to manually count $340,000 in stolen $20 bills after his counting machine broke.
Stephen Watt, a 25-year-old programmer who was working for Morgan Stanley, created a sniffing program dubbed “blabla” that Gonzalez’s gang used to allegedly siphon credit and debit card numbers from TJX and other companies and is facing sentencing this month. The indictment doesn’t charge Watt with writing the malware used in the Heartland and Hannaford breaches.
Photo: Albert Gonzalez/Courtesy U.S. law enforcement
Here is the WSJ story
By SIOBHAN GORMAN
A 28-year-old American, believed by prosecutors to be one of the nation's cybercrime kingpins, was indicted Monday along with two Russian accomplices on charges that they carried out the largest hacking and identity-theft caper in U.S. history.
Federal prosecutors alleged the three masterminded a global scheme to steal data from more than 130 million credit and debit cards by hacking into the computer systems of five major companies, including Hannaford Bros. supermarkets, 7-Eleven and Heartland Payment Systems Inc., a credit-card processing company.
[Photo of albert gonzalez released to wired.com by secret service] U.S. Secret Service courtesy of wired.com
Photo of Albert Gonzalez released to wired.com by Secret Service
The indictment in federal district court in New Jersey marks the latest and largest in at least five years of crime that has brought its alleged orchestrator, Albert Gonzalez of Miami, in and out of federal grasp. Detained in 2003, Mr. Gonzalez was briefly an informant to the Secret Service before he allegedly returned to commit even bolder crimes.
Authorities have previously alleged that Mr. Gonzalez was the ringleader of a data breach that siphoned off more than 40 million credit-card numbers from TJX Cos. and others in recent years, costing the parent company of the TJ Maxx retail chain about $200 million.
Mr. Gonzalez is in federal custody in Brooklyn, N.Y., awaiting trial for alleged efforts to hack into the network of the national restaurant chain Dave & Buster's Inc. He also faces charges in Boston in the TJX matter.
The alleged thefts in Monday's indictment took place from October 2006 to May 2008.
Mr. Gonzalez is "a very important player in a sophisticated ring that has real results at the street level of bank, retail, debit- and credit-card fraud," said Seth Kosto, an assistant U.S. attorney in New Jersey who specializes in computer fraud.
* Text: DOJ Indictment | Statement
* Q&A: What Consumers Should Know
* Earlier: Card Data Breached, Firm Says
* Discuss: How secure is credit card information? Have you been a victim of identity theft?
The indictment, interviews and recent court documents in the cases pending against Mr. Gonzalez paint him as a rising star in the cyber underground. He launched what he called "operation get rich or die tryin," targeting Fortune 500 companies with his data-theft operations, according to a sentencing memo filed in federal district court in Massachusetts in the TJ Maxx matter. These documents say he threw himself a $75,000 birthday party and at one point lamented he had to count more than $340,000 by hand because his money counter had broken.
Such large sums, primarily in $20 bills allegedly stolen from ATMs, proved tough to manage, the sentencing memo says. He was considering investing in a club, but told one of his co-conspirators in the TJX heist that he would only be able to pull together $300,000 in a "legitimate appearing form" like a check, according to the documents.
Federal investigators say Mr. Gonzalez is a high-school graduate and self-taught programmer who cut his criminal teeth as a leader in the self-styled Shadowcrew, an online credit-card hacking ring. In 2004, 26 leaders of the 4,000-person ring were arrested and convicted. "He was one of the key leaders," said Scott Christie, a former U.S. prosecutor who worked on the case.
Mr. Gonzalez wasn't charged when he was arrested in 2003 because he agreed to become an informant for the Secret Service following his arrest, say Justice Department officials. In November 2004, the government permitted him to move from New Jersey to Florida. Much of the subsequent hacking took place there, according to court records. He was arrested in conjunction with the Dave & Buster's hacking scheme in May 2008 and has been in detention since.
Subsequent investigations into breaches at Heartland and others led investigators back to Mr. Gonzalez. They found that he and his co-conspirators in Russia, which the indictment does not name, staged their crime on a network of computers spanning New Jersey, California, Illinois, Latvia, the Netherlands and Ukraine that would infiltrate the computer networks of the victim companies.
In computer attacks lasting more than a year, the trio allegedly scooped up credit- and debit-card numbers and installed so-called back doors in the victims' computer networks to enable them to steal more data in the future, the indictment said. They also installed "sniffer" programs to capture card data and send it to the hackers.
The indictment didn't estimate the losses associated with the alleged activities, nor did it spell out how the alleged co-conspirators may have made money off the stolen numbers. Typically, hackers sell batches of credit-card data online -- the current asking price in online forums is $10 to more than $100 per account profile, depending on the account's limit.
The trio made extensive efforts to conceal their activities, registering the computers they used under false names and communicating online under a variety of screen names, the indictment alleges. Mr. Gonzalez often used the online alias "soupnazi," an apparent reference to a character in the sitcom "Seinfeld."
The three were charged with gaining unauthorized access to computers, computer fraud and conspiracy to commit wire fraud. Mr. Gonzalez faces up to 25 years in prison and $500,000 in fines. His lawyer did not return phone calls Monday.
"We're pleased that the authorities have aggressively pursued this case to be in a position to bring an indictment against the alleged perpetrators," said Michael Norton, a spokesman for Hannaford Bros. Heartland commended the government's sleuthing in the case; 7-Eleven declined to comment.
Wire fraud, conducted in cyberspace because wire transfers now use networks that connect to the Internet, has exploded in recent years. The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.
"The financial sector may be more secure than most, but it's hemorrhaging," said Tom Kellermann, a former cybersecurity official with the World Bank who is now a vice president with Core Security Technologies, a cybersecurity company. "For too long a time they have not paid enough respect to the sophistication and organization of the underground economy."
—Robert Tomsho, Joseph Pereira and Timothy W. Martin contributed to this article.
Write to Siobhan Gorman at email@example.com
Nice writeup on StorefrontBacktalk
Interview on Newshour with Zetter of Wired and VISA
Record-setting Cyber Theft Stirs Questions on Security
The Justice Department indicted three men on Monday for stealing more than 130 million credit and debit card numbers by hacking into the computer systems of five major companies. Cyber-securiity experts discuss the case with Ray Suarez.
RAY SUAREZ: It's a case the Justice Department is calling the largest credit and debit card data breach in U.S. history. Twenty-eight-year-old Albert Gonzalez and two Russian co-conspirators are charged with stealing more than 130 million card numbers between October 2006 and May 2008.
The trio allegedly hacked around the firewalls of several companies' computer systems, including card payment processor Heartland Payment Systems, supermarket chain Hannaford Brothers, and convenience store chain 7-Eleven.
It's a record-setting breach, breaking the previous mark held, federal prosecutors say, by the same Albert Gonzalez. The Miami man was already in federal custody. He previously had been charged in identity theft cases involving the restaurant chain Dave & Buster's and the retailer T.J. Maxx.
With this latest cybersecurity breach, consumers are asking themselves, how safe is my financial information?
For some answers, we turn to Kim Zetter. She's been covering this story for Wired.com. And Rosetta Jones, she's vice president for corporate relations at Visa.
Kim Zetter, how does the government say Albert Gonzalez did what they're saying he did?
KIM ZETTER, Wired.com: Well, he worked with some co-conspirators who -- they chose their targets by looking at Fortune 500 company lists. And once they found their target, they did sort of reconnaissance to find out what kind of processing system they used for processing their credit and debit cards. Once they knew that, they were able to look at what kind of vulnerabilities might exist in the system.
In the case of Heartland and Hannaford and 7-Eleven, I think we know that they used a SQL injection attack on all of them. And a SQL injection attack is a pretty kind of standard attack that can be prevented if the server is configured correctly. And in these cases, it's showing up over and over again that many companies aren't configuring their servers correctly.
RAY SUAREZ: So they did the digital equivalent of casing these places before trying the attack?
KIM ZETTER: Yes, exactly. In some cases, they went onto the Web site of the company, and the Web sites gave them information that helped them infiltrate the companies. The Web sites can tell them what kind of processes they're using and that kind of thing.
And in the case of Heartland, you know, Heartland is a credit card, debit card processor, so it's sort of the middleman between retailers and banks. And so if you hit a processor like that, then you're getting millions of cards, as they did in this case.
RAY SUAREZ: Rosetta Jones, the program, according to the government, that these fellows were using burrowed into the systems and then started exporting the data they were finding there to places outside the United States, to some places inside the United States, but also to Latvia, Russia, the Netherlands. Why?
ROSETTA JONES, Visa: Your question was why they were exporting data?
RAY SUAREZ: Well, why to those places? Is it harder to investigate, harder to prosecute once you ship the data off to somewhere else in the world?
ROSETTA JONES: We think there's ample opportunity for the government to be involved to help international cooperation in catching the criminals. We think that is an important opportunity and a significant area where the government can be involved.
RAY SUAREZ: Have the two sides been learning from each other, the hackers and the institutions that are trying to fend off these attacks? Do they look for breaches and then exploit them and then your side tries to build new defenses?
ROSETTA JONES: Well, I think, as long as card data remains valuable, criminals are going to continue to seek that information. What we have to do as an industry is to work with financial institutions and with merchants to protect that card information. And we have to make sure that they're adhering to strict industry data security standards.
I think as an industry we also have to explore new ways to make that card data not valuable to criminals. And we're looking at things like the introduction of dynamic data into the transaction. We think that has a good opportunity to help prevent fraud.
Background of a hacker
RAY SUAREZ: Kim Zetter, Albert Gonzalez was already known to federal law enforcement before he was arrested, wasn't he?
KIM ZETTER: Before he was arrested this time? He's already in custody at this point, but, yes, he was known -- he's been known to authorities since at least 2003. He was arrested in 2003, and authorities discovered that he was the top administrator on a carding forum called ShadowCrew. It's basically an online community or was an online community where credit card thieves gathered and sold their goods.
And when they arrested him and found out that he was administrator, they flipped him to become an informant for them, and he worked out of the Secret Service New Jersey office from I think it was about late 2003, early 2004, until they brought down ShadowCrew in October 2004.
And he convinced the carders on that forum to use a special virtual private network for communicating, and that network was controlled by the Secret Service, so they were able to read all the communications that was going through there.
When the bust was over, he went back to his criminal ways, and he changed -- his online nick at that point was "Cumbajohnny," and he changed it to "Segvec," and he continued to commit crimes as "Segvec," and authorities were actually chasing this person named "Segvec" without knowing that he was the former informant for the Secret Service. And then he...
RAY SUAREZ: While he was working as an informant, was he learning things that he could then turn around and use against places like card processing services and retailers?
KIM ZETTER: He probably was. And of course, he was making connections during that point, as well, because also on ShadowCrew and other forums that were connected to it were, you know, Russian criminals from the Russian hackers. And those are, you know, pretty much the top ones in this field, are coming from Ukraine and Russia.
And in this case, on the indictment that came down yesterday, there are two unnamed Russian co-conspirators who helped him hack into the systems. So those connections were probably made at that period and thereafter, as well.
RAY SUAREZ: Rosetta Jones, are there a lot of people who know how to do this? Would it be happening more often if this wasn't such highly technical work?
ROSETTA JONES: Well, I think what you have to keep in mind is that, although you might read about hundreds of millions of accounts being compromised, that we know from our investigations less than 5 percent of those accounts are ever used fraudulently.
So while criminals might be trying to seek this information, the industry, Visa, and financial institutions are able to reduce fraud through effective monitoring of fraudulent transactions in the system.
And the fraud rate within Visa is actually at historic lows. It's just 6 cents out of every $100 transacted, and that's about half of what it was 10 years ago.
So, yes, we have more work to do to protect card information, but we know as an industry we're doing a good job at keeping fraud at bay.
RAY SUAREZ: So there's less fraud today than during the old days of running a card through one of those pressing machines and having carbon copies?
ROSETTA JONES: Today, using credit and debit cards remain one of the safest way to pay, especially over cash and checks. It's just the reality. Zero liability today exists for cardholders, so if there is fraud on your account, that you do not have to pay for that fraud. That's a protection that exceeds cash and checks.
Protections for consumers
RAY SUAREZ: But if you're reading the news and you see that there's been this latest breach, what can you be doing in your own interest? What should you be doing to protect yourself and check that your identity isn't being stolen, that your information isn't being used fraudulently?
ROSETTA JONES: Well, I think, first and foremost, again, it's important to remind consumers that you have important protections with using credit and debit cards. Zero liability is one of them.
But, of course, consumers should always monitor their accounts. We encourage consumers to have online banking and check their accounts real time and check their statements for fraudulent activity, and if they notice anything suspicious, to call their financial institution right away.
RAY SUAREZ: Kim Zetter, what do you think about the position of the consumer? Are people more vulnerable than they realize? Or, as you just heard Ms. Jones suggest, really the problem is with the credit card companies and they're the ones bearing the cost?
KIM ZETTER: Yes, I mean, I should point out that consumers, at least in the case of credit cards, we know there's zero liability. What's happening to our debit is that debit cards are being taken, as well. And, of course, when a debit card is stolen and, in some cases, PIN numbers are being grabbed, as well, then, you know, it allows an attacker to basically drain your bank account.
And in some cases, we're finding that consumers, it's not so easy for them to get that money back. They have to prove that they didn't use the card in many cases, and it can take months. In some cases, people aren't getting it back if it's, for instance, a business account instead of a personal account.
But, you know, I want to point out that even if consumers have zero liability, retailers are the victims in this, as well as the banks, the card issuers who have to reissue, you know, millions of new cards to customers whose numbers have been breached.
And there are lawsuits because of this, you know, against Heartland, TJX. You know, when they have unsecured systems that are breached, the cost, you know, is passed down to the retailers for the fraudulent transactions and then also for the people who have to reissue the cards.
RAY SUAREZ: We'll have to end it there. Kim Zetter, Rosetta Jones, ladies, thank you both.
ROSETTA JONES: Thank you.
KIM ZETTER: Thank you.
By now we have heard about the Clear program run by Verified Identity shutting down. Question now is about the data and is it protected or erased? Writer on StorefrontBackTalk picks up on language from Lockheed on how the data at Verified is going to be handled.
Security Kiosk Company Vows To Wipe Personal Data. Or Not
Written by Fred J. Aun
July 8th, 2009
The company running an airport security kiosk program that folded in June effusively promised to completely erase all its customers’ personally-identifiable information from the units. As for the info kept on its main databases—which are apparently identical copies of that kiosk data—well, bring on the bids.
The kiosk program raises key issues about data protection and ownership when the data-using firm goes out of business or even just modifies its business. There is also the semantic issue of the privacy value of wiping data in two places if it also exists in a third.
Citing a financial problem, Verified Identity Pass shut-down its “Clear Lane” airport security-screening kiosks in June. The express screening kiosks were in about 20 U.S. airports and about a quarter-million people had paid as much as $199 per year to use them (and they won’t be getting refunds).
The devices used retina scans and fingerprints to verify the identities of plane passengers whose information was kept on a Verified Identity Pass database. In a statement announcing the kiosk closures, Verified Identity Pass went to great lengths to ensure its former customers that their highly-personal information, “including fingerprints, iris images, photos, names, addresses, credit card numbers and other personal information” would be completely erased from the kiosks and any PCs in use by company employees.
June 25, 2009 - ID TECH, the leading manufacturer of custom and standard POS peripherals, has extended its field of service to provide certified secure PIN pad key injection services for companies utilizing electronic payment systems.
Due to the rapid increase of credit card fraud cases in recent years, certified high-security key injection service facilities have become a vital part of the payment industry. The TG-3 and VISA PIN Certifications not only have stringent requirements on the physical integrity of the facility but also on key handling and personnel management to prevent keys from being compromised.
A company with more than 20 years of expertise in POS peripherals and the latest PCI certified PIN entry devices, ID TECH is proud to announce that its key injection facility has successfully been certified for TG-3 & VISA PIN as of May 2009.
Encryption key management and PIN pad key injection are both mandatory for any electronic payment system that supports debit cards, EBT cards or other transactions that require PIN entry. ID TECH will work with consumers and electronic payments processors to establish and maintain keys in a physically secure site by conforming to strict industry standard rules. ID TECH’s Key Injection service includes support for ANSI Standard Single and Triple DES DUKPT encryption.
With the ability to perform both DES and TDES encryption, ID TECH can take a customer’s PIN pad order and perform key injections on site, thus eliminating the need to go through a third party. By doing so, ID TECH is combining its quality products with certified services to provide tremendous convenience.
-TG3 certified by external auditor
-VISA PCI PIN Security certified by external auditor
-Using Futurex SKI Secure key loading device
-Ability to perform SDES or TDES encryption
-No need to ship product to 3rd Party for KI
For more information, contact firstname.lastname@example.org or call (800)984-1010.
About ID TECH
Founded in 1991, ID TECH employs people in locations around the world. The company has built a reputation for technical excellence through research and design engineering. Building dependable, feature-rich products has made ID TECH a leading supplier of magnetic stripe, smart card, contactless card, and bar code reader products for OEMs, VARs, resellers, distributors, and major end users. ID TECH provides both standard and custom solutions to support customer requirements. ID TECH products are sold worldwide through direct sales, distributors, product representatives, and agents. Find more information about ID TECH online at www.idtechproducts.com or call (800)984-1010.
|Wal-Mart, E-Play and NCR get called to explain by StorefrontBacktalk and Fred Aun article. Gist is trial of 77 stores running trial of used video buyback kiosks that take card data and drivers license info, and then talk about linking into retailer POS.|
Written by Fred J. Aun of StorefrontBacktalk.com
Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units that buy back used video games and issue credits directly to various payment cards.
The initial trial is entirely isolated, with the kiosk vendor having access only to its own network and not to Wal-Mart’s. But the $375 billion chain is officially considering having the machines offer in-store credits in the form of gift cards, which would mean allowing the kiosks two-way access to POS and potentially CRM data. That would force some serious strategic debate about how far outside vendor kiosks can—and should—be allowed to play inside a retailer’s databases.
The initial version of the kiosks collect payment card information as well as drivers license data. Even setting aside the potential future POS/CRM access, the payment and highly-sensitive driver’s license data will force some of that debate right away. How secure are the kiosks? Who is ultimately responsible in the event of a security breach, both from a legal and PCI perspective?
Beyond lawyers and assessors, consumers and the dollars they control will likely blame the retailer for any problems that started with a kiosk in or right next to its store. Wal-Mart officials are stressing that the Wal-Mart logo will not be used on any of the trial kiosks, although the Wal-Mart blue and yellow brand colors will absolutely be used. “This is not Wal-Mart’s machine,” said Melissa O’Brien, a spokeswoman for Wal-Mart’s entertainment division. “We are leasing space to them in our store vestibules just like with do with other companies.” And that nuanced distinction will be explained to every Wal-Mart customer how?
The insistence that no brand be used displayed will be a nice point for the lawyers, but it won’t do much for public perception. PCI Safe Harbor and legal indemnification won’t help much if consumers feel betrayed.
Another troubling issue is data ownership. If Wal-Mart gets consumers to come to their stores and asks them to interact with a kiosk in the store, can the kiosk vendor use that information to help other retailers? As a pragmatic matter, how can they not do so?
WAKEFIELD, Mass. — The PCI Security Standards Council, which manages the PCI (Payment Card Industry) Data Security Standard, yesterday announced that nominations for election to its board of advisors are now open.
The board represents the council’s current roster of more than 500 participating organizations and provides strategic and technical guidance to the council on data security standards.
Current board members include Wal-Mart Stores, Tesco, McDonald’s, as well as financial institutions, processors, POS vendors, industry associations and others. Twenty-one seats are available, 14 of which will be open for nomination by current participating organizations.
“We encourage all those involved in the payment process to become a participating organization and consider an elevated board position to continue shaping the next generation of PCI security standards,” said Bob Russo, general manager, PCI Security Standards Council, in a statement.
Organizations interested in becoming a participating organization may obtain more information at
So how big was the breach and what the experts are saying what damage was done and what Heartland should've done to prevent it.
Heartland Breach: Bigger than TJX?
Experts Debate How it Happened and What Damage Could be Done
January 26, 2009 - Linda McGlasson, Managing Editor
Exactly how big was the Heartland data breach?
This is the great unanswered question since last week, when Heartland Payment Systems (HPY), a Princeton, NJ-based credit card processor, revealed that its computer systems had been breached, and an unknown number of credit card account numbers were exposed to hackers. Heartland Payment Systems data breach coverage
Since then, at least eight financial institutions have stepped forward to say their customers had cards affected by the breach, and one security expert says, in theory, that Heartland could be bigger than the TJX breach that dominated the news and set the data breach benchmark in 2007.
The Scope of the Breach
Heartland officials say they haven't been able to assess the total number of card numbers that may be taken, but VISA and MasterCard have already been contacting banks and credit unions around the country, informing them that debit and credit cards issued to their customers were affected as a result of the Heartland breach.
Added to the growing list of institutions that say their customers have been hit are:
Piedmont Credit Union, Virginia;
Oregon Territory Federal Credit Union;
Notre Dame FCU, South Bend, IN;
Kennebec Savings Bank, Augusta, ME;
Forcht Bank, Kentucky;
GFA Federal Credit Union, Gardner, MA;
TD Bank and TD Bank North, Portland, ME;
PeoplesChoice Credit Union, Saco, ME.
State Employee's Credit Union (SECU), Raleigh, NC
Innovations Federal Credit Union, Bay County, FL (400 cards)
Summit Federal Credit Union, Rochester, NY (500 cards)
The Bank of Fayetteville, Fayetteville AR
Farmers and Merchants Bank, Stuttgart, AR
Arkansas County Bank, Stuttgart, AR
The Central National Bank and Trust Company of Enid, Enid OK, (1600)
Adams Bank & Trust, Grant, NE
Valley Bank & Trust, Gering, NE (16)
According to company leaders, Heartland's computer network was compromised sometime in 2008, when a hacker installed sniffer malware that was able to see credit card numbers and other details. It is unknown how long the sniffer software was active or how much card data was captured. But Avivah Litan, Distinguished Analyst at Gartner Group, says the Heartland breach is potentially an historic one.
"In theory, at least (without more details disclosed) this is more severe than the TJX breach since the criminals intercepted good live card transactions," Litan says. In the TJX breach case, many of the cards accessed were dead and deactivated.
Payment Processors: The New Target?
Fraud and security experts have already predicted that larger retailers and businesses would be victims of hackers, and payments processors such as Heartland are a prime target for criminals who want to have a large amount of data that could be sold quickly.
"That's where they get the most data - so why wouldn't they," Litan says. "It shows that they can likely penetrate just about any part of the payment system that they choose to, and in my mind it means compliance with the PCI standard is putting a Band-Aid on a systemic problem, and that it is likely to come off relatively easily."
"From a criminal's perspective, they want to compromise the most information with the least amount of work," says Mike Urban, Senior Director of Fraud Solutions at Fair Isaac. "Obviously, a large processor will see more unique data than a large merchant and therefore be an appealing target to the criminals,"
Adil Moussa, card payment systems analyst at Aite Group, agrees with Urban, adding, "Hackers are changing their target... retailers are still going to be their favorite target; however, why have so little ambition when you can go to the merchant processor who processes for thousands of these retailers? Hackers can get more information that way."
In general, Urban says criminals will target any organization they can get into - large or small. "They don't limit it to a specific type of organization. That said, criminals will target specific types of data that they know they can market, and payment card information is very high on their list."
How Did It Happen?
The Heartland breach, because it involved the use of a sniffer, made it hard to detect, says Dave Taylor, head of the PCI Knowledge Base. "It is a type of passive attack (meaning it just watches traffic over a network node, rather than modifying the traffic). Since they don't communicate or interact with other systems, they are hard to detect."
The sniffer, also referred to a network analyzer, would be programmed to look for a pattern in the text (a 16-digit number in this case), and then copy any related content to a file, which then - somehow -- had to be communicated to the thieves. "That's hard, since I assume the server where the sniffer resides would not be connected to the Internet," Taylor says.
Taylor theorizes that some social engineering was used (or someone on the inside cooperated) to get the code on one of the servers doing card processing, with another server that does the external communication. "Very few people likely have the credentials to install code, and [the servers] are not (or should not be) accessible to the public Internet," Taylor says. "I'm guessing a rootkit was installed - somehow. That helps cover the tracks of the communications and could keep configuration monitoring or file integrity monitoring systems from detecting it, assuming they were up and running."
Paul Kocher of Cryptography Research, an information security expert and researcher, says although the technical details of the attack are different, "The situation is eerily reminiscent of the CardSystems mess a few years ago."
"While it is unlikely that we'll ever know how the software got there, as it could have been an inside job, an attack from the Internet, a CD with Trojan-horse software mailed to someone," Kocher says, "once installed, the software was able to record payment transactions as they go past. This is easy to do if the data isn't encrypted."
In this situation, Kocher notes there were a handful of things that went wrong:
Heartland failed to prevent the bad code from getting installed in the first place;
The processor had an inadequate cryptographic architecture. Ideally, incoming payment data should have been encrypted on a dedicated hardware box immediately as it arrived;
The sniffer presumably was transmitting off the data it captured, and this type of connection often can be observed and/or blocked.
How to Avoid the Next Breach
Financial institutions should take notice of the Heartland breach, says Gartner's Litan. "Institutions need to continue beefing up fraud detection efforts," she says.
It's quite possible that Heartland had 'state-of-the-art' security controls and that the malware still remained undetected because it was not spotted by largely-signature-based detection systems, she says. "I think the payments industry needs to take some long-needed security steps including end-to-end encryption (which is now employed relatively successfully for ATM PIN processing) and stronger cardholder authentication so that even if data is stolen, it's useless unless the thief steals the physical card belonging to the legitimate cardholder," Litan says.
Litan sees more radical steps, such as end-to-end encryption and stronger cardholder authentication, are called for and have been for a long time. "But we probably need a few more breaches before those steps are mandated by the card industry, if indeed they ever are," Litan says. "In these cases, the breached entity ends up bearing most of the costs, so as long as that continues to be the case, other involved companies aren't likely going to want to fork up large sums of money for more radical security improvements."
A Ukrainian man accused by US authorities of involvement in the TJX data breach has been jailed for 30 years in Turkey after being found guilty of hacking the computer systems of 12 banks in the country. Turkish law prevents his extradition to the US until after he serves his sentence, one of the heaviest ever seen for a cybercrime.
Maksym Yastremskiy was arrested whilst on holiday in Turkey in July 2007, and accused of breaking into Turkish bank accounts electronically.
US authorities quickly linked him to the theft and sale of over 40 million credit and debit card numbers that were hacked from the computer systems of nine major US retailers, including TJX.
American investigators claimed that information from Turkish police holding Yastremskiy, along with details from credit card issuers, indicated he was a major trafficker in stolen information, including data stolen in the TJX hacking.
Yastremskiy allegedly sold card numbers through online forums hosted outside the US and was responsible for millions of dollars of losses.
Although US authorities filed extradition papers against Yastremskiy he has now been convicted in Turkey on the separate charges. According to local reports, he pleaded not guilty but was convicted yesterday in a court in the city of Antalya.
Turkish law prevents his extradition to the US until after he serves his sentence, one of the heaviest ever seen for a cybercrime.
In August 2008 Yastremskiy was one of 11 people, including gang leader Albert "Segvec" Gonzalez, indicted by US authorities over the TJX breach.
The group are accused of hacking into the wireless computer networks of retailers and installing "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers' credit and debit processing networks.
Yastremskiy is not believed to have been involved in the actual hack but is alleged to have acted as a fence, selling card numbers to other criminals over the Internet.
Starting Jan. 1, 2010 Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate that is designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding the personal identification numbers (PIN) of customers.
Posted on gokiosk.net
|Officials are ramping up their membership drive with airports and airlines. Serving international fliers, the current three airports have a combined user base of over 140,000 people (people who travel internationally 4 or 5 times a year). [picture/image provided]|
Monday, December 8, 2008
Standing in long lines at customs and border checkpoints is a hassle, especially after sitting on an airplane for what was most likely half a day.
The U.S. Department of Homeland Security and its Customs and Border Protection agency are trying to alleviate the wait times for some of those travelers with the Global Entry Trusted Traveler Program, says John Wagner, director of the program at DHS. The program is based on the Nexus and Sentri programs that expedited U.S. and Canadian citizens border crossings. “It’s a risk management approach to process frequent, low-risk international travelers,” he says.
The program, still a pilot, is in place at Los Angeles International, Hartsfield-Jackson Atlanta International, Chicago O’Hare International, Miami International, George Bush Intercontinental Airport in Houston, John F. Kennedy International Airport in New York and Washington Dulles International Airport.
The eventual hope is to roll it out to all international airports and have reciprocity so U.S. citizens can participate in similar programs with other countries, Wagner says. Agreements have already been signed with the UK and the Netherlands with others in the pipeline. “Both countries do the vetting on their citizens,” he says.
Travelers interested in the program undergo a voluntary background check, Wagner says. It begins by filling out an online application and paying a $100 fee, which is good for five-years’ enrollment in the program. The application seeks basic demographic data and asks questions about past international travel.
At that point the individual’s information will be checked and after a couple of weeks he will be conditionally approved or denied, Wagner says.
If approved the traveler will have to go to an enrollment center, which is typically located at his home airport, Wagner says. The applicant will have his fingerprints taken, passport scanned and be interviewed by a Customs and Border Protection official.
If everything checks out the individual is typically approved on site and his registration in the program is completed. The traveler is then shown how the kiosk will work when reentering the country.
From there, whenever the traveler is coming back to the U.S. he can use the kiosk, which is similar to an ATM or airline self-check in kiosk, Wagner says.
The traveler confirms enrollment by scanning his passport and authenticating with a previously enrolled fingerprint biometric. A camera on the kiosk then takes the traveler’s picture and he fills out the declaration on the screen.
While the traveler is answering these questions the system is running queries in the background to confirm airline and other information. Once successfully processed the traveler can claim his bags as he leaves the airport.
Using the kiosk takes about two minutes, compared to the three minutes it takes a customs official to check a traveler through, Wagner says. But the more significant time savings comes from not having to wait in line to see the officer.
The traveler can use either an old passport or a new electronic passport with the program, as long as it has the machine-readable zone on the data page, Wagner says.
|Kiosk manufactured and designed by KIOSK of Colorado|
As of late September, 3,500 travelers have enrolled in Global Entry and more than 1,100 members have used kiosks at the three existing pilot locations since the June 10 opening date.
To drive membership in the program Wagner is working with the airports and airlines to get the word out. This includes ads in trade publications, some airlines marketing it to their members and signage at the airport, Wagner says.
But the best message may be when travelers are waiting in line to see a customs official and they see others using the kiosks and getting on the way much quicker.
Couple of stories on hacks and security in the last few days. One was some comments regarding the need for lockdown on systems (common knowledge & practice to use those) but this one caught our eye because 1) it was a thin client (easiest to lockdown), 2) it is in prison systems (very fast growing market unfortunately), and #3 inmates simply exploited the legal software they were entitled to use. The system design was probably very secure but flaw exploited in 3rd party software. Common story...
Inmate hacked prison network, broke into employee database
Plymouth County's not-so-protected computer
By Dan Goodin in San Francisco
Posted in Crime, 8th November 2008 00:09 GMT
A former prison inmate has been arrested and charged with hacking the facility's computer network, stealing personal details of more than 1,100 prison employees and making them available to fellow inmates.
Francis G. Janosko, 42, gained access to the names, addresses, dates of birth, social security numbers and telephone numbers of employees working for the Plymouth County Correctional Facility in Massachusetts, according to an indictment unsealed Wednesday in US District Court in Boston. Using a thin client that was connected to a prison server, the prisoner was able to access an employee database by exploiting a bug in legal research software made available to inmates.
Once he obtained the personal information of the employees, he made it accessible to other inmates. Janosko also managed to obtain the username and password to a prison management program, and to access the internet to download videos and digital photographs of prison employees, inmates and aerial shots of the prison. The accused hacking took place between October 2006 and February 2007.
"Although the legal research computer server was connected through the prison's network to the internet solely so that it could obtain updates to its Windows operating system, the legal research server was configured to disallow access to the worldwide web," the indictment stated. Computer use was limited to legal research only; use of the internet was forbidden.
Janosko is charged with one count each of aggravated identity theft and intentional damage to a protected computer. If convicted, he faces a maximum sentence of 12 years in prison and a fine of $250,000. He could also be forced to pay unspecified restitution.
According to The Boston Globe, Janosko was arrested in 2005 on child pornography charges after investigators discovered nude photos of children on his cellphone. It was the third time he faced such charges, The Globe reported. He was listed as a Level 3, or high-risk, sex offender in Massachusetts in 2005.
|AP Newswire is reporting this morning that CLEAR has found a laptop (also see CLEAR Press Release) that had gone missing for over a week from one of its kiosk locations that contained the “personal data” of over 30,000 enrolled members at San Francisco International Airport|
AP Newswire is reporting this morning that CLEAR has found a laptop (also see CLEAR Press Release) that had gone missing for over a week from one of its kiosk locations that contained the “personal data” of over 30,000 enrolled members at San Francisco International Airport, and that CLEAR enrollment has been temporarily suspended pending further investigation, which should be completed by the TSA within several days.
Click on the “Read the rest of this entry” link below for more.
While this all sounds bad on the surface, it’s really no big deal. The laptop was found in the same location it had been “missing” from, so really, they never lost it or had it stolen in the first place. The so-called “personal” information that the laptops contain?
“The data in question on the laptop included a limited amount of the online applicant’s personal information, but did not include any credit information, including credit card numbers. And it did not include the applicant’s Social Security number. It also did not include any biometric information, such as the applicant’s encrypted fingerprint images or encrypted iris images (which are supplied during the second, in-person enrollment process that takes place at the airport).”
Nothing entirely different than you would find in your average phone book – no Social Security Numbers, no Credit Card numbers, no ID photos. Nothing that could be used to perform identity theft. After speaking with CLEAR’s representatives this morning, it seems that all the laptop does is provide basic identification data – name, address and phone number, and birth date (which arguably, isn’t that useful to an identity thief without an SSN) the same information which is used in the Phase II kiosk enrollment process, which occurs AFTER you have provided data online that contains your vitals which are screened an initial time by the TSA as well your billing info. It’s not used to actually pass you thru the CLEAR lanes. The personal identification data on the laptop is also protected with two layers of passwords, so even if the laptop were to get stolen, it would be difficult to compromise (EDIT: although the laptop should have used encrypted drives and encrypted data as well, which I understand is something the company is now going to enforce) And without your CLEAR card which stores your biometric “favorites”, you can’t be screened through their lanes anyway.
Apparently, it is CLEAR policy to have laptops bolted down or cable secured to the desks at airport-based phase II enrollment facilities so they can’t just “go missing”. However, in this instance, it appears to be a case of Murphy’s Law where what can go wrong, will go wrong — it wasn’t bolted down, a staff member picked it up and moved it, it disappeared for a week, and they found it in the same location it originated from. God knows, it happens to the best of us.
But CLEAR needs to now ensure that EVERY piece of IT equipment that contains customer information is completely secured and just can’t go walking. The data on these systems must certainly be encrypted with the strongest cyphers that are available for commercial use. A good start would be PGP which is what many financial institutions use to give to their mobile workers that handle sensitive data.
If I were Steven Brill, I’d also strongly consider eliminating laptops entirely with local caches and using Thin Client technology that talks to a central server for whenever they actually need to access customer information. A Wyse graphical terminal with a Citrix connection to the home base is all they need. CLEAR can simply partner with the Wi-Fi ISPs in the airports and create a secure VPN tunnel to their servers in Florida and have no enrollment information stored at the kiosks at all. Yes, it introduces further complexity and introduces the possibility of a link going down occasionally when a customer wants to do a Phase II enrollment, but for piece of mind, it’s worth it.
Has your confidence in CLEAR’s security protocols been re-established now that you know the truth of the matter? Talk Back and let me know.
Jason Perlow is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. See his full profile and disclosure of his industry affiliations.
First noted y AP writer back on July 1st, 2008, CSN reports yesterday. 7-Eleven spokeswoman Margaret Chabris told CSNews Online: "7-Eleven Inc. is aware of the federal investigation in New York concerning ATM fraud that has apparently impacted Citi customers.
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement released last week.
Citibank does not own or operate the machines. The Houston-based Cardtronics Inc. owns all the machines, but only operates some, while the Brookfield, Wis.-based Fiserv Inc. operates the remaining machines.
"We understand that Citibank has already contacted any account holders who may have been impacted or that needed to receive a replacement card," said Chabris. "However, 7-Eleven is confident that its ATM provider, Cardtronics, has included the appropriate safeguards designed to prevent unauthorized access to our customers' personal data in the ATMs located in our stores today."
In other news, Unisys Corp.'s Canadian subsidiary, Unisys Canada, was awarded a contract from NEC Corp. of America to provide outsourced IT support services for 470 7-Eleven retail convenience stores throughout Canada.
"Unisys outsourcing expertise combined with NEC's retail solution integration skills will assist us in growing our 7-Eleven business in Canada," Sharon Stufflebeme, 7-Eleven's chief information officer, said in a released statement. "We'll be able to serve our customers more effectively and efficiently through enhanced in-store technology support."
Valued at $6 million over a three year term, the contract states that NEC Corp. of America is the prime contractor and will manage applications development and support for 7-Eleven Inc. Unisys Canada will provide maintenance and support services for IT back-office equipment, on-site wireless networks, point of sale (POS) and inventory ordering systems for the 470 Canadian 7-Eleven retail stores from Ontario to British Columbia.
"We look forward to working with Unisys on this important initiative," Naohide Takatani, general manager, Retail Solutions Group for NEC Corp., said in a released statement. "Drawing on Unisys expertise in technology support and maintenance in this engagement with 7-Eleven expands the range of benefits we can provide our client."
Bob Binns, president, Unisys Canada, said in a released statement: "Unisys is confident that in working with our partner NEC, we will provide 7-Eleven with a secure, flexible IT infrastructure that can accommodate its growing business in Canada."
|SAN JOSE, Calif. - Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record. The other part of interest is what about the 2000 supposed Vcom units installed at 7-Eleven? [picture of unit]|
he scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption — which means encoding them to cloak them to outsiders — some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
"PINs were supposed be sacrosanct — what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.
That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.
All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines — which means they had carte blanche to grab information — through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice — sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.
"This was fairly large, but I don't think it's anything out of the ordinary — these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."
The alleged plot is outlined in court papers supporting the prosecution of three people — Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.
Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.
Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.
"Fiserv," she said, "is confident in the integrity and security of our system."
Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance, June 30, 2008, approaches. Most are still evaluating how to strategically ensure compliance with this requirement, while maintaining a strong security posture.
The addition of stringent industry guidelines for web application security is long overdue. With the escalating threat of web attacks, organizations must remain vigilant. Web applications are a special breed of living code -- always online, always accessible, always being modified, and always subject to attack. Diligent web application security demands frequent assessment/attack research and findings targeting specific web applications are posted daily.
Requirement 6.6 is currently the subject of debate due to confusing terminology and the objective has been veiled by clever vendor marketing campaigns promoting specific solutions.
What does PCI Requirement 6.6 really say?
Requirement 6 is about “developing and maintaining secure applications and systems.” Requirement 6.1 requires that vendor-supplied security patches be applied within one month of release. Securing and fixing custom application code is not quite as easy as downloading a patch from your favorite software vendor. web application vulnerabilities must be identified, fixes developed, tested, and deployed. In short, you're on your own for the entire process.
Specifically, PCI Requirement 6.6 mandates the following:
PCI DSS version 1.1 Requirement 6.6: Ensure that web-facing applications are protected against known attacks by applying either of the following methods:
* Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
* Installing an application layer firewall in front of web facing applications.
PCI DSS version 1.1 Requirement 6.6 Testing Procedure: For web-based applications, ensure that one of the following methods are in place as follows:
* Verify that custom application code is periodically reviewed by an organization that specializes in application security; that all coding vulnerabilities were corrected; and that the application was re-evaluated after the corrections.
* Verify that an application-layer firewall is in place in front of web-facing applications to detect and prevent web-based attacks.
The confusion stems from the interpretation of the requirement. First, let's clear up some high-level misconceptions:
* Requirement 6.6 is not just for “level ones.”
* It does not specify service providers or merchants.
* It does not specify either source code reviews or web-application firewalls.
What does PCI 6.6 really want?
The spirit of 6.6 can be met objectively and systematically. The ultimate goal is to ensure secure web applications. For applications developed or customized in-house, the following process must be continually performed: Identify vulnerabilities (find), correct them (fix), and test to confirm that the correction is effective (prove). Find, fix, prove, find, fix, prove.
Some security vendors have marketed that PCI Requirement 6.6 may be met through either installing a web Application Firewall or outsourcing expensive source code reviews. This marketing distracts from what the PCI Council is seeking in Requirement 6.6.
The intended outcome of Requirement 6.6 is the establishment of a web application vulnerability lifecycle – leading to the effective elimination of risk. Vulnerabilities must be detected, communicated, and corrected.
This can be done through various measures such as:
* Black box testing (run-time assessment)
* White box testing (source code review)
* Binary analysis
* Static analysis
* Remediation by developers
* Web application firewalls
Requirement 6.6 also requires separation between the developers and the security testing team. Clarification released by the PCI Security Standards Council states the testing must be objective.
Application security testing is complex, and resource intensive. The tools and expertise required to perform safe and accurate testing can be costly. Keep in mind both hard and soft costs associated with finding vulnerabilities -- hard costs for tools, training, consulting, employees, etc.; soft costs such as resource outages, development meetings, production outages, resources required to work outside hours, manual validation and elimination of false findings, among others.
How to comply with Requirement 6.6
Requirement 6.6 is about protecting web applications, plain and simple. Given our modern threat landscape, it is no wonder that PCI Requirement 11.3.2 dictates “application penetration tests” be performed after every “significant change.” Meaningful web application security management requires frequent assessments as code and threats evolve continually. Requirement 6.6 is about developing a repeatable methodology that connects the “Find” (the vulnerability detection) process to the “Fix” process for the systematic, efficient elimination of vulnerabilities from web applications.
1) Find vulnerabilities in web-facing applications
Regardless of your classification as a Merchant or Service Provider, if you have a web-facing application, it must be assessed. This will be far more exhaustive than a network vulnerability scan, and will require authentication to access the majority of application functionality. This testing requires human expertise to exercise the application, validate findings, and test for logical vulnerabilities and other threats a testing tool cannot identify.
The PCI Council has not asserted itself as an authority on application security; it leaves the verification of compliance to approved auditors. What the PCI Auditors seek is evidence of due care.
Demonstration of due care in testing requires:
* Thorough coverage. Automated tools alone only cover roughly half of the web Application Security Consortium's Threat Classifications. If an application is worth protecting, test it thoroughly with both automated and human means.
* Frequency of coverage. Web applications are continually changing, as is the threat landscape. Test the application, in production, as frequently as is meaningful, for example, with each code change.
* Efficient communication. Vulnerabilities identified become a known liability and must be managed. Vulnerabilities must be communicated clearly and effectively to groups tasked with remediation.
* Precision in testing. Testing custom application code must be done methodically, and retesting must follow the same processes where possible. Patch development, validation of remediation, and corrections will be simplified if you follow a consistent methodology.
Vulnerabilities in custom application code can be found in a variety of ways. The Web Application Security Consortium has classified 24 different types of attacks targeting web applications. Half of those threats (13 technical vulnerability classes) can be identified at some level of effectiveness through automated means, including run time code testing as well as source code analysis. As with any detection technology, there is a certain signal-to-noise ratio; human validation is required to separate true vulnerabilities from false findings. There are many variables in application security testing, so your mileage will vary. There are 24 threat classifications, with two current appendices (HTTP Response Splitting and Cross Site Request Forgery), which have not yet been formally ratified into the WASC Threat Classification document.]
Runtime assessments (referred to as “black box” testing), Source Code Reviews (“white box” testing), binary and static analysis, etc., are all effective methods to find vulnerabilities in web applications. There is a misconception that the detection techniques all try to achieve the same end goal and compete for the same budgetary dollars. The fact of the matter is that each testing ideology brings different benefits to the table at different price points, almost all of which are complementary and help paint a complete picture of application weaknesses.
2) Fix vulnerabilities
PCI Requirements 11.3.2 and 6.6 require this. For context, reread PCI requirement 6.1. Proving you have installed a patch to commercial applications and operating systems is easy. Proving you have corrected a weakness in custom application code is a little more complicated. This is where having a consistent testing and reporting methodology will come in handy. There are two approaches to code fixes:
* If you own the web application code -- fix it.
* If you do not own the code, or have valid business case or cost restrictions that are impediments to fixing the raw code, correct the vulnerability through other methods (e.g., a web application firewall).
Be aware that simply buying expensive WAF hardware does not meet this requirement. Configuring that application-layer firewall to fix known vulnerabilities is complex, and entails the risk of misconfiguration, and potentially blocking legitimate traffic to your website -- but you must configure the WAF in blocking mode to satisfy PCI 6.6 requirements that the vulnerability has been corrected.
3) Prove it
After significant investment in managing the web application vulnerability lifecycle, an auditor (SOX, PCI, or any other auditor) needs documentation to prove the fix worked. Ensure the mitigation applied does in fact correct the vulnerability in practice and in writing.
The PCI 6.6 compliance process of “Find, Fix, Prove” can be simplified further. If the “Find” process is done with sufficient precision and creates proper documentation, the “Find” process can be done in a continual or ongoing manner -- and will in turn document proof of the “Fix” actions as they occur. Auditors like to see trends, especially when they involve continual detection and removal of vulnerabilities -- this makes proving due care very easy.
Find, fix, prove(n)
With a clear understanding of PCI Requirement 6.6, compliance is not only achievable, but can provide great value to web application owners and users. This requirement creates a need for visibility into the lifecycle for vulnerability detection and correction, and will serve to mature web application security. Applying metrics to the efficiency of detection, the cost of producing vulnerable code, and the associated costs of correction will only serve to advance the goal of total web application security.
Trey Ford serves as director of solutions architecture at WhiteHat Security, a leading provider of website security services. Questions can be directed to PCI@WhiteHatSec.com
SC Magazine, one of the leading security publications, today published an article by Rosen Sharma of Solidcore about point-of-sale security.
Point of sale (POS) payment devices, servers and self-service kiosks have enjoyed rapid deployment. Most make use of off-the-shelf components and readily available operating systems. Vendors may try to hide this fact with custom enclosures, but the fact is that they morph and meld into just another one of the fixed-function devices on the Merchant's Point of Service payment network. Each disclosure of yet another breach in the news exposes this truth. In retail environments in which average lifespan of POS systems is approximately seven to nine years, the ability of thieves to continue to use standar systems for profit will continue.
In retail, the focus is on how to reach more buyers with technology innovations -- enabling more business. Some key trends I've been reading about are alluring, and as a consumer, I am looking forward to the added convenience and personalization they may bring. Self-service kiosks aid consumers in the selection and purchase of merchandise, extending the on-premise inventory options. The shift from standard check-out lanes to self-service options co-located with merchandise within normal retail zones offers quick cashless purchases. And of course there is a trend to track and integrate the buying habits and preferences, bringing the use of CRM and the POS closer together. For my first preference, I'd request my local Safeway grocer to not read my name from my sales receipt accompanied with a “Thank you for shopping with us today” as it provides a false means for the clerk to pretend they have an interest in knowing who I am. Personally, I find it a security risk. What happened to shopping with anonymity? A stranger announcing my name in a group of strangers leaves me feeling a bit exposed.
The general guidelines and assumption used when first conceiving POS systems and how to protect them are shifting, and these new trends elevate the need to re-evaluate current practices. Multi-channel transactions at the store premise can now be generated through a kiosk -- say, to order parts or accessories in addition to buying stock merchandise at the checkout. This gives potential thieves another digital means to collect information about critical backend systems or network configurations. Both self-service kiosks and the shift away from checkout lanes leave deployed POS systems open to potential mischievous or malicious tampering without the watchful eyes of a lane clerk. Can a person with a USB key install malware or a sniffer, or alter configurations to open a back door for later use? Can a PIN pad be swapped or altered? The integration of CRM and POS information for better retail analytics and the adoption of points based rewards programs are valuable to the retailer facilitating the purchase of merchandise. But will these things be future targets for theft and fraud as these systems process and store personally identifiable information?
Even without considering these new innovations, current POS systems are still the weakest link and have been neglected in overall risk assessments because individually they process only a small percentage of overall merchant transactions. The focus -- especially with PCI DSS -- has been targeted at directly-connected critical backend systems to the payment network and the largest merchants (Tier 1 and Tier 2), which pose the largest liability to Visa if they are not compliant. But in any offensive maneuver, attack are made where there is weakness, and due to the large amount of POS distributed systems, all that is needed is persistence and motivation. Current headlines scream out on targeted breaches within several sites across multiple states -- toward the same type of POS system -- proving that persistence has the potential for profitability.
Today's layered approach for securing against malware includes properly configured firewalls, changing vendor defaults and passwords, encrypting the transmission of sensitive cardholder data, and regularly updating antivirus protections. This multiple-step approach takes a lot of human effort to oversee. At larger merchants, the ability for technicians to meet current service level agreements is at jeopardy, especially with costs of goods rising and with heightened competitive pressures in the retail sector. At smaller merchants, the skillset and knowledge is lacking as to what proper configurations should be established for POS systems, with many organizations relying on distributors to provide a minimum level of service. The security implementation at the POS system must be easier and accessible to all merchants regardless of size.
I enjoy visiting my favorite breakfast spot where the owner and staff knows me by my first name. Their POS system looks very much like a standard desktop with a cash drawer and attached PIN pad. I know this is the workhorse of their establishment -- assisting with inventory, orders, payroll, etc. I'll recommend the food always. However, I'm not as upbeat about their POS security. Easing the burden of security and compliance must come from all participants in the retail environment: the manufacturers, the software and hardware providers, the technology added-value resellers and the distributors.
You've heard of the ten commandments, or maybe Miles Davis and Seven Steps to Heaven. Well here are the 12 payment card industry (PCI) data security standards (DSS).
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Credit card security is in the new again. First it was TJX and then Hannaford. Now it looks like another firm has been hit by hackers. In this case it was sniffers on the servers that listened to data transfers back to main office.
Breaches Make a Mockery of PCI Security Standards
By Jason Z. Cohen
05/13/08 10:24 AM PT
Dave & Buster's, a popular eatery and arcade, is the latest U.S. firm to be hit by hackers bent on stealing credit card data. This breach, much like one a few months ago at the East Coast grocery chain Hannaford, was the result of strategically placed malware that recorded credit card data in transit. These breaches illustrate the need for more stringent payment card security standards.
The restaurant-slash-arcade-slash-bar Dave & Buster's is the latest U.S. outlet to suffer a breach of its credit card processing system.
Hackers based in Ukraine and Estonia -- assisted by a guy in Miami -- installed packet sniffer malware at the point of sale systems in several D&B outlets, which siphoned off "Track 2" data as the information was being transmitted over the company's network from the point of sale server to a data processor's server, the U.S. Department of Justice said.
Track 2 on a card's magnetic stripe contains the credit card number and expiration date, but no personally identifiable information.
At one restaurant, the packet sniffer captured 5,000 credit and debit card numbers, which were used to make US$600,000 in fraudulent purchases.
Relatively Small Breach
The scale of the breach is relatively small, at least at this point in the investigation. The Justice Department says the packet sniffer was installed at 11 locations, so a little simple math would tell us that 55,000 cards were compromised for a total fraud of about $6.6 million, assuming the one store for which the government provided figures is a good indication.
The grocery chain Hannaford ultimately determined that malware was to blame for its data breach, which came to light a few months ago. In that case, 4.2 million credit card numbers were compromised.
In the largest breach to date, TJX -- the parent of Marshall's and T.J. Maxx -- had to pay nearly $45 million to MasterCard and Visa to reimburse those companies for the costs of the breach, which resulted in the exposure of 45.7 million customers' card numbers.
Look for an Increase
Of course, in both the Hannaford and TJX cases, the initial estimates of the number of accounts compromised were tiny in comparison to the final figures, so stay tuned and watch the numbers go up in this case.
All three of these companies -- Dave & Buster's, Hannaford and TJX -- are large corporations with big IT departments and their own armies of lawyers. All are subject to the Payment Card Industry Data Security Standard, a dozen requirements that mandate a level of security in processing credit card payments.
The standard is administered by a consortium of credit card issuers, including MasterCard, Visa and American Express (NYSE: AXP) Latest News about American Express. Outlets that are found to be out of compliance can lose their ability to process credit and debit payments, or they can be fined.
Hannaford, for one, stated specifically that it had been in compliance with PCI standards at the time its breach happened.
New Standard Needed
PCI is a fairly basic set of rules that anyone who's going to be handling other people's credit card data should follow -- whether or not there's a standard in place. Its provisions include maintaining a firewall and unique user names for everyone who accesses the system, for example.
Perhaps it's time for a PCI upgrade. Criminals are getting smarter and craftier, and the people who try to prevent criminals from committing crimes need to be just as agile.
The PCI standards are getting a bit stale, Jim Dempsey, vice president for public policy for the Washington-based Center for Democracy and Technology Latest News about Center for Democracy and Technology, told the E-Commerce Times in March.
"[The Hannaford case] certainly illustrates that, and I can't blame the credit card industry," Dempsey commented. "I think they did the right thing. They developed a set of standards that seemed appropriate at the time and did serve undeniably to raise the bar. Now, though, as part of the normal security cycle -- and you need to think of it as a cycle -- the credit card companies, the issuing banks and the merchants need to reassess [and] basically issue a revised and strengthened standard."
It sure beats paying for credit monitoring for millions of your customers.
Using debit cards at a self-service terminal means that you'll be sending encypted pin data somewhere to be decoded/transacted. At that server enpoint will sit the HSM which will do that. ATM people know it well. Kiosk people are just beginning to learn about it.
A Hardware Security Module (often abbreviated to HSM, also often called a Host Security Module) is a plug-in card (PCI) or external device (RS232/SCSI/IP/USB/PCMCIA) for a general purpose computer and may even be an embedded system itself.
The job of the HSM is to securely generate and/or store long term secrets for use in cryptography and physically protect the access to and use of those secrets over time. Generally these are private keys used in Public-key cryptography; some HSMs also allow for hardware protection of symmetric keys.
Many HSM systems have a means to securely backup the keys either in a wrapped form via the computer's operating system or externally using a smartcard or some other USB token. The most robust HSM systems are those when secrets are not exported even when migrating between HSMs or performing backup operations.
Most HSM systems are also hardware cryptographic accelerators. Since they do not allow the keys to be removed from the device in an unencrypted form, they must be able to perform the common cryptographic operations, as a happy consequence these HSMs will accelerate the intense maths (especially the case in Public-key cryptography) and provide better performance than a normal software based crypto system.
It is important to note that keys protected by HSM are only truly 'hardware protected' if they were generated inside the hardware itself, importing a standard software protected key into an HSM will still mean that a non-hardware protected copy of the key material might still exist on old backups.
The physical security of the HSM is usually assigned as a level of the FIPS 140-2 validation, being FIPS 140-2 Level 3 and the recent FIPS 140-2 Level 4 the ones preferred by customers, since they assure high physical security.
HSM Software APIs
* PKCS#11 - RSA's API, designed to be platform independent, defining a generic interface to HSMs. Also known as 'cryptoki'
* JCE/JCA - Java's Cryptography API
* Microsoft CAPI - Microsoft's API as used by IIS, CA and others, also available from .net
On Tuesday, the Department of Homeland Security unveiled a plan to make meaningful exit controls at airports a reality. The administration is proposing that airlines collect fingerprints from departing aliens. DHS would match the records against prints taken when aliens arrived to find out who hasn’t left on time.
April 24, 2008, 4:00 a.m.
Exit Stage Right
Taking border control seriously.
By Nathan A. Sales
For more than a decade, the feds all but ignored congressional calls to build an exit system capable of tracking whether visitors to this country leave when they’re supposed to.
No longer. On Tuesday, the Department of Homeland Security unveiled a plan to make meaningful exit controls at airports a reality. The administration is proposing that airlines collect fingerprints from departing aliens. DHS would match the records against prints taken when aliens arrived to find out who hasn’t left on time.
Exit has been a long time coming. Congress mandated exit controls in 1996, in the Antiterrorism and Effective Death Penalty Act. The issue became even hotter after 9/11. 2004 saw DHS launch the US-VISIT program, which takes biometrics — fingerprints and photographs — from aliens when they enter the U.S. Its exit component was slower to get off the ground. At the time, it made sense to prioritize entry over exit. The administration reasonably decided that it was more important to keep terrorists out of the country than to verify whether visitors had left.
Yet Congress understandably has grown eager for DHS to turn its attention to the other half of the problem. In 2007 legislation that implements some of the 9/11 Commission’s recommendations, Congress set a hard deadline of August 3, 2008 for DHS to establish a biometric exit system.
The main value of exit is related to immigration — the ability to verify that guests don’t overstay their welcome. Federal immigration officers can use exit data to track down violators who are still in the country and have them deported. Less direct enforcement is possible, too. State and local police can use exit data to check whether an alien pulled over for a traffic stop is out of status. And if border officials know a particular visitor previously overstayed, they can bar him from entering if he later tries to return to the U.S.
While exit is largely about immigration, it also has national security-advantages. According to the 9/11 Commission, four of the September 11 hijackers — including Mohamed Atta, the plot’s operational ringleader — had overstayed in the past. Hijacker Ziad Jarrah was an overstay when a Maryland state trooper gave him a speeding ticket just two days before the attacks. With an exit system, border officials could have turned away some of the hijackers when they subsequently tried to reenter the U.S. And police could have taken Jarrah into custody after a garden variety traffic stop.
Why is DHS asking airlines to gather departure information on its behalf? The short answer is: Because they already do so. Right now, airlines are responsible for collecting biographic data about departing aliens — names, passport numbers, and the like — and transmitting it to DHS. The administration proposal simply adds another type of information to the list — fingerprints, a more reliable data point for matching entry and exit records.
The longer answer is: Because there’s no other way to run exit effectively. Taking fingerprints at the TSA security checkpoint would distract already overburdened screeners from their job of keeping weapons off planes. And allowing aliens to check out at out-of-the-way airport kiosks — which DHS tried in an early exit pilot — virtually guarantees low passenger compliance.
This is not to say the administration’s plan is flawless. It isn’t.
For starters, airlines are on the hook for buying fingerprint scanners, taking prints, and sending large data files to DHS. That won’t be cheap. According to one estimate, the tab could run as high as $2.7 billion over ten years. In an era of soaring fuel prices and airline bankruptcies, it seems gratuitous to pile new costs on the travel industry. If airlines help the government track departures, the least the government can do is help airlines foot the bill. Congress and the administration should consider appropriating funds to offset at least some of the airlines’ costs.
Also, the DHS plan could engender confusion among travelers. Under the administration proposal, airlines get to choose where at the airport they will take fingerprints. The desire to give airlines flexibility is laudable, but it virtually assures they will adopt inconsistent solutions. Passengers flying out of JFK might have their fingerprints taken at the check-in counter, while aliens leaving Dulles might give their prints at the gate. Even worse, different airlines at the same airport might adopt different practices.
Certain passenger confusion is not a recipe for success. The administration should pick a uniform standard on where departing aliens will have their prints taken. Perhaps the best option is to do it at the jetway. If aliens give their prints at the ticket counter or a kiosk, it would be possible for them to check out but then abscond from the airport without actually leaving the U.S. It’s harder to game the system if a traveler’s fingerprints are taken as he boards the plane. Gateside collection offers stronger assurances that aliens in fact leave the country.
Exit controls aren’t a new idea. Congress has been calling for them since the 1990s, and other countries across the globe have run successful exit systems for years. What’s new is that the United States is finally getting into the game. The administration’s proposal is a reasonable way of keeping tabs on visitors who overstay their welcome and others who travel to this country with more malign intentions.
— Nathan A. Sales is a law professor at George Mason University School of Law. He served in the Bush administration at the departments of Justice and Homeland Security.
Demonstration breaking into XenApp unsing Ctrl-H/Ctrl-N and if no keyboard then right click save image technique.
Public information kiosks are supposed to allow users to find out more about a company or government agency, and that's all. But on Saturday afternoon, Shanit Gupta, a senior consultant at McAfee Foundstone, demonstrated several ways that he and others have been able to map the internal network on a system running XenApp, formerly Citrix Presentation Server.
On the demonstration screen at ShmooCon, an East Coast computer hacking conference, Gupta showed how the familiar toolbars and browser frame are missing on a system running XenApp. The idea is that on a kiosk the public can click on links only within the single page. But if there's a keyboard or a mouse present, which there often are, Gupta was able to open additional sites, exposing the internal network.
Starting with Ctrl-H, he was able to pull up the browser's history. If the history revealed no outside search engines like Google, one could also type Ctrl-O and then type in Google there. If all else fails, one could also hit Ctrl-N and open a new tab, which will show the usual address bar and toolbar for navigation.
Typing Ctrl-P calls up the printer; however, Gupta pointed out that you can also save to file there and, while doing so, see the internal network.
No keyboard, no problem. Gupta says simply right click on any image and chose Save As ...
Gupta's demo concluded prematurely, hampered by an overall loss of Internet connection at the conference.
Citrix says on its site that when running XenApp, "built-in endpoint scans and policy controls take into account each user's role, device characteristics and network conditions to determine which applications and data they are authorized to access." However, Gupta said that the flaws were first called to his attention at a government agency. Using the standard Internet Explorer keyboard hotkeys, Gupta and partner were able to see inside the agency's network.
On eve of subcommittee examination of the Registered Traveler program, we see some criticisms of how it is being implemented particularly where RT members must now show two forms of ID (that would seem in excess). Nice article by Jim Harper.
TSA’s Embarrassing “Double ID” Rule
I’ve written here before about the Clear card, which allows people to prove their membership in the Transportation Security Administration’s Registered Traveler program without telling TSA who they are. I disapprove of Registered Traveler, but if it’s going to exist, the Clear card system’s restrictiveness with users’ identities is a key anti-surveillance feature.
Today, the House Homeland Security Committee’s Subcommittee on Transportation Security and Infrastructure Protection is holding a hearing entitled “Managing Risk and Increasing Efficiency: An Examination of the Implementation of the Registered Traveler Program.”
Steven Brill, the Chairman and CEO of Clear, is one of the witnesses, and he has some choice criticisms of TSA.
The anti-surveillance feature in Clear? Undone by incoherent TSA dictates:
Beginning last fall, TSA suddenly required that RT members using the RT line show a picture ID and their RT card right before entering the line. These are the same RT cards that, when put into the RT kiosk, will use the traveler’s fingerprint or iris scan to biometrically match the user to the data embedded in the card. That’s right, RT members are the only travelers who must present TWO forms of identification.
In case it’s not (ahem) clear to you, the Clear system checks government-issued ID and collects biometric information on enrollment. It does a background check on that identity, and ties the approval/credential to the biometric on the card.
The Clear kiosk does a far more reliable comparison of the biometric on the card to the individual presenting him- or herself at the airport than any TSA screener is going to do looking at driver’s license pictures. Yet, Clear card holders still have to show a government-issued ID. The “Double ID” rule is nonsensical, embarrassing, and stupid.
To top it off, Brill tells how the TSA’s rules would require a twelve-year to show two forms of ID if he or she is a Clear card-holding registered traveler (as youngsters can be with the approval of their parents), even though kids under 18 don’t have to show any ID at all in the ordinary airport security line.
Digital identity managment systems like this will grow more important as more and more of our interactions and transactions are conducted using digital technology. Data from digital transactions are almost always put in databases where, unlike analog records, they remain easily available for copying, sharing, and reuse. Resisting unnecessary data collection (often referred to as “data minimization”) is the key response to this problem.
Systems like Clear, which prove a credential without sharing identity information, minimize data collection by design. The phrase “digital identity management” is often used inaptly, I think, to denote an organization’s efforts to control the access given to employees, customers, etc. Clear is a true “digital identity management” system because, well, it allows people to manage and control their identity information.
Daon, a global provider of identity assurance software, is playing a critical role in Verified Identity Pass, Inc.'s Clear® Registered Traveler program by supplying the central biometric identity management platform that allows Verified to easily incorporate new biometric devices, such as the kiosks developed by L-1 Identity Solutions, Inc.
The Clear® program allows frequent fliers who are pre-approved to be positively identified at the airport through biometric technology. These passengers go through expedited security screening at specially designated lanes in participating airports. Registered travelers pay a small fee, provide background information and are issued a biometric identification card.
According to Clear founder and CEO Steven Brill, "Daon's technology has performed excellently, providing flexibility and security to the program. Clear is based on providing the highest quality to the traveler and airport. This focus on quality is what drove us to make a long-term commitment to Daon."
In June 2005, the Greater Orlando Aviation Authority awarded a contract to Verified Identity Pass, Inc. and Lockheed Martin to design and manage a pilot Registered Traveler program. Dubbed Clear by Steven Brill, founder of Verified Identity Pass, the program began lane operations at Orlando International Airport on July 19, 2005. Daon provides the biometric management system - which is the heart of the central processing system at the Lockheed secure data facility located in Orlando. With over 40,000 members today, Clear operates lanes at five US airports with several others expected to launch this year.
"We have worked as a partner to Verified Identity Pass and their Clear® Registered Traveler program since the beginning," commented Tom Grissen, CEO of Daon. "We are excited about recent expansions of the program and see incredible revenue potential for Daon and its partners. With the growing security concerns at airports, the registered traveler program offers a sensible way to ease congestion at security checkpoints and allow the TSA screeners to focus on the real threat, while providing a valuable benefit and added convenience to the program participants."
About Clear® Registered Traveler
Verified Identity Pass's Clear Registered Traveler is the only registered traveler program operating at U.S. airports. Clear has been operational since July 19, 2005, at Orlando International Airport and has over 40,000 members. Earlier this year, Clear launched lanes at JFK's British Airways Terminal 7 and San Jose, Indianapolis and Cincinnati International Airports. Next month, Clear will begin operating programs at JFK's Terminal 1 and 4 and Newark's Terminal B. In addition, Clear has been selected by Albany International Airport and Little Rock National Airport for programs at those airports, and the company also has an agreement with Toronto Pearson International Airport to operate a Canadian program, working with Canadian authorities. Clear's verification kiosk with shoe scanning technology, co-developed with Verified Identity Pass's partner GE, will allow members, in most instances, to keep their shoes on as they pass through the Clear lanes at the security checkpoint. For more information: www.flyclear.com.
Daon is a leading provider of identity assurance software products focused on meeting the needs of governments and commercial organizations worldwide. Daon supports customers and system integrators in building enterprise solutions requiring the highest level of security, performance, scalability, reliability and privacy. The DaonApplicationSuite provides a powerful tool for faster development of scalable, robust and secure identity registration and vetting solutions. Daon's multi-modal authentication infrastructure, DaonEngine, integrates seamlessly with IT platforms and applications and manages the identity life-cycle of small and large populations. Daon's offices are located in Washington DC, Canberra, London and Dublin. For further information please visit www.daon.com.
Cheryl W. Waldrup, 703-984-4040