By Robert Vamos
Defense in Depth
March 19, 2008
Details remain sketchy regarding Monday's announcement of 4.2 million
credit and debit cards exposed at a Maine-based supermarket chain.
However, public comments made by Ronald Hodge, CEO of Hannaford
Supermarkets, suggest that even with recent improvements in payment card
transaction security, there may be holes.
The standards organization, PCI Security Standards International, was
founded by American Express, Discover Financial Services, JCB,
MasterCard Worldwide, and Visa International. In October 2007, they
implemented the PCI Data Security Standard (PCI DSS), which includes,
among other things, network specifications. Dr. Neal Krawetz of Hacker
Factor Solutions said that PCI DSS allows for the storage of card
numbers and expiration dates on a branch server. And that's what may
have been compromised in this case.
Krawetz said, generally, that the traffic between the cash register and
the credit card companies is secure. The transaction often takes place
at the cash register with the customer standing by. After the customer
leaves, the information is broadcast to a branch server.
If criminals were to target a single cash register, they would not
achieve the volume credited to this latest data breach; to steal 4.2
million accounts would require a larger repository. In retail stores,
especially in large chains, branch servers are used to collect data from
individual cash registers and may store the data locally, regionally, or
That's why branch servers are becoming the targets of sophisticated
attacks. Last summer, Krawetz released a paper outlining
that the communication between the cash register and the branch server
is not secure. Sometimes the data from cash register to branch server is
transmitted wirelessly over unencrypted networks, although there is not
enough information here to suggest that is what happened at Hannaford.
Krawetz cautioned that at this point many important details regarding
Hannaford are lacking. "The size of the compromise sure sounds like it
could be a branch or regional server." Hodge, in his public letter to
Hannaford customers, acknowledged that the intrusion affected the
Hannaford stores, Sweetbay stores in Florida, and certain independently
owned retail locations in the Northeast that carry Hannaford products.
If branch servers are to blame, recent security standards would appear
to be lacking. The Washington Post's Brian Krebs quoted a CyberTrust
executive, Bryan Satrin, who echoed that concern, saying that "these
organizations can be (compliant with the credit card industry security
standards) and still have customer data stolen."
Last March, TJX announced that 45.7 million accounts were compromised
over a two-year period in a data breach of customer records at T.J. Maxx
and Marshalls retail chains.