Back in January and February 2006, many people received replacement credit cards due to a potential compromise. I did a followup in order to find the source and scope of the compromise. What I found was a description that closely matched a very old class of exploits that I came across back in 1992 -- and it wasn't new back then.
I wrote up my findings in March 2006. The paper describes a series of fundamental flaws in the credit card processing industry. The industry has been very good at keeping these exploits quiet, even though it has known about them for more than a decade. Adding to the problem: every vendor seems to do the same thing; even if the exploits were widely known, it would take years to address these issues. (Imagine requiring every retailer, restaurant, and bank to change their credit card processing system -- this won't happen overnight.) Because of this, I spent more than a year distributing the paper only to people with a need to know. Now that it has been over a year, I am releasing the paper publicly:
The paper: Point-of-Sale Vulnerabilities
Why now?
One question that I expect to be asked is "Why now?" I mean, I have not released it in 16 months, so why release it today?
Even though Visa never acknowledged receipt of the paper and never directly communicated with me, I know that they did receive the paper. Two months after being passed copies of the document, they issued three security advisories, updated the PCI DSS, and even placed stricter security requirements on retailers. This is progress. As long as I saw progress, I would not release the paper. (One recipient had asked to delay the public release in order to give recipients, such as Visa and Verifone, time to respond. The public delay was set for a year, and that has ended.)
Unfortunately, I have not seen any progress since March of this year -- when the TJX compromise came to light (the announcement of this compromise was progress). And recently, Visa has taken a step in the wrong direction, by lessening their stance on tighter security for retailers. In addition, many of the issues raised in the paper have never been addressed; not in the 16 months of the limited release, and not in the decade prior when these issues were known but never treated as a risk.
Why release it at all?
Although I am a strong believer in Full Disclosure, I do not necessarily believe in public disclosure. I also believe that many of the common conventions, such as setting short durations (e.g., 1 week) for vendor acknowledgment, are frequently used more as publicity stunts than to actually benefit society. I have been known to sit on exploits, vulnerabilities, and information for months or even years, while continually trying to report it to the right people. I believe that public disclosure should be an option of last resort.
However, I also believe that companies should be made accountable. The entire payment card industry has nothing more than a security façade. They have been aware of their limitations for over a decade and actively strive to maintain their foundation of security by obscurity. I believe that they only make changes in reaction to active exploits, and only when the exploits cause them enough damage. For example, banks and credit card agencies did not begin to address phishing until after the financial loss became significant. I cannot recall a single example where any member of this industry proactively took efforts to implement changes to their security model before a growing threat became established.
NOTE: I am not advocating the exploitation and compromise of these systems. I am hoping that this industry will change from reactive to proactive security measures. When they know of a class of vulnerabilities, they should strive to mitigate the problem before it becomes widespread. Failing to address known vulnerabilities after more than a decade is not proactive.
The credit card industry also has a very bad habit of turning the focus away from their deficiencies. Consider the Fujitsu Transaction Solutions compromise from January 2006. First it was blamed on retailers like OfficeMax. Eventually they blamed a free "tracer" program. As I describe in the paper, the exploit may have used the tracer utility, but there is no way that the tracer utility was required for the exploit. The fundamental problem was due to poor architectural decisions, bad security practices, and weak security requirements. They should not blame some free software for their own faults.
(And did nobody else notice that Fujitsu Transaction Solutions lists TJX as a customer? We all remember the huge TJX compromise from earlier this year. I cannot help but ask why Kroger and BestBuy are not vulnerable. Or maybe they just have not noticed.)
It is my sincerest hope that this paper will raise awareness, hold the payment card industry accountable for their myopic vision, and act as a catalyst for change.