New York City police made one of the largest identity theft busts in the country’s history this month, arresting more than 100 suspects. Five organized crime rings running out of Queens were caught in a scam that involved fraudulent credit cards resulting in $13 million in losses over a 16-month period. Law enforcement officials allege that those involved unlawfully obtained credit card numbers, which were used for purchasing luxury items like five-star hotels and private jets.
In the wake of this incident, Terence Spies, chief technology officer of Voltage Security, talked to Government Technology about the dangers of credit card fraud and what public agencies can do to prevent an attack.
The recent bust of a major crime ring committing credit card fraud in New York City has shed more light on the issue of identity theft. Should government agencies that process credit card transactions be worried about this issue?
Yes. I think anyone that touches credit card data needs to be aware of the risk of basically any system that’s transmitting or storing that kind of data. I think there’s a lot of awareness out there already in terms of what PCI [payment card industry] has done to make people aware of what they need to be thinking about when they have systems that take that kind of data. Because the minute you’ve got that sort of data, you’re definitely a target in some way, shape or form.
How vulnerable are government agencies to attacks relating to stolen credit cards?
There’s no way to distinguish on a website if a credit card is coming from the right person or not unless you have some other authentication mechanism. But the typical risk is that government agencies that are processing credit cards become a target because of malware that wants to basically steal that credit card and then go use it on some other site or for some other purpose. Once the credit card has left the system, that data is vulnerable to being used anyplace because it can be replayed onto another site and, in some cases, enough data can be captured that potentially a physical counterfeit card can actually be built.
So that’s why what we tend to talk about the importance of encrypting that [credit card] data, so that you’re not part of the problem — in terms of not creating an exposure for yourself. Somebody getting in either through an insider attack or through malware on your front end is going to enable them to steal that data as it’s stored in the system.
What are some examples of data encryption best practices?
What we think the most important best practice is — and certainly the PCI regulations cover a great many of them — is making sure that that data is encrypted as soon as it can be encrypted in what we call an “end-to-end” fashion the minute the data arrives into the system. It’s encrypted and it’s passed and stored within internal processing systems in an encrypted state and only be decrypted when it’s being used to originate the transaction. The PCI regulations, for example, govern what can and can’t be ever stored.
Government agencies either accept credit card numbers in person or online. Which method do you think is more at risk of a potential breach?
I think there’s been a lot of focus on online transactions because they tend to be a little bit more anonymous. But we’ve certainly seen that criminals will go after either path. And they use very different methods. So if you are attacking a website, it tends to be malware by finding some way onto the website so that those cards can be recorded, transmitted and pulled out of a database. The very large-scale breaches we’ve seen tend to be those kinds of attacks.
So, for example, we saw with Sony [earlier this year] or any of these other high-profile breaches — they were unencrypted databases that the attacker was basically able to go into and harvest a huge number of cards all at once. That doesn’t take the risk away from the in-person transaction side. You’ll see skimming devices or tabs, or other kinds of activity that are used at physical points of presence in order to intercept magnetic stripe data before it goes into a machine — tampering with the point-of-sale device to get access to those cards. Those tend to yield fewer cards for the attacker, but we certainly see them in all kinds of industries.
Anywhere you are accepting cards, there needs to be some care taken that the equipment being used to do that isn’t also being used to record and divert that credit card data.
Anything else government agencies can do to prevent themselves from these attacks?
The primary way to protect yourself against these attacks is to identify the types of data you have that are at risk. And certainly credit card numbers are one of those kinds of data. But there may be other kinds of personal identifiable data that agencies are dealing with. Encrypting that data so your storage systems are not a potential point of breach is one very powerful strategy.
And we’ve seen a number of commercial companies start adopting that strategy by identifying crucial data types and identifying an encryption strategy that allows them to say wherever that data type is stored, it’s going to be stored in an encrypted form — where even if an attacker got it and was able to take that data away, it would not be useful to them in any way. And there are other pieces of security strategy that are equivocally important in terms of logging transactions, working with a new credit card processor to make sure you’re in compliance with PCI regulations, and how your logs are managed — modern security measures around your website and where you’re accepting credit cards to make sure that data is being handled prudently.
In the event an agency finds out it has suffered a cyber-attack, what are the proper steps that need to be taken?
You should approach security in a pessimistic way. Don’t make your baseline assumption that you won’t have a breach, but that it will happen at some point. Organizations should protect sensitive data accordingly, so that when attackers do get in, the data they’re seeking is useless. Further, PCI regulations require that a breach plan is in place, and that plan should be tailored to the needs of the particular organization. Each organization needs to think through this plan and determine with their internal staff what the right thing to do is in case of this kind of emergency.