Experts: More Heartland-Style Breaches Expected
Despite Arrests, Analysts say 'This is Probably Just the Start'
In response to the indictments, information security experts say this activity might represent a battle won, but the war against hackers is nowhere near over. "The fact that three folks (assuming that that's all there were) can do all this says that it's pretty darn cost-effective to steal card data," says David Taylor, founder of the PCI Knowledge Base. "Talk about 'low overhead.'"
"It's always great to see the bad guys being hauled in, especially with a case this big, but it would be a mistake to assume that there aren't other criminals out there with similar goals and skill sets," says Tom Wills, Senior Analyst, Security & Fraud at Javelin Strategy and Research. Because law enforcement and the various victim companies' fraud departments did such a good job of investigating the case, it looks like prosecutors stand a good chance of getting a conviction, he notes. "Although we now know the form of attack that (Albert) Gonzalez and his accomplices used, it would be valuable for the information security community to get a detailed, blow-by-blow description of both the attacks and countermeasures adopted against them."
Even with this high-profile indictment, the entire payment stream remains at risk, says Nick Holland, analyst at Aite Group. "These crimes are unfortunately not rocket science, and while the reward of card data outweighs the risk of being caught acquiring it illegally, this will continue to happen," Holland notes. In fact, Holland believes U.S. card data will increase in value, as almost all other major countries move to a smart card architecture, making counterfeiting more expensive for criminals. "This is probably just the start," he says.
The professionals entrusted with information security must realize there are more out there, says Brenda Eaden, head of IDTELi, an identity theft prevention workforce education firm. "The more sophisticated thieves are ingenious, and no company or government agency should rest easy with a false sense of security that our bad-guy days of worry are over," she says. "A few very skilled hackers slipped up and got caught, but one can only imagine that even smarter ones are still out there and hard at work."
When breaches occur, who knows how many other hackers paid a price to be let in the door "and haven't left the party," Eaden says. "Sometimes they lie in wait, testing and testing, waiting for the coast to clear or for an open opportunity."
There Will Be More Breaches
In a review of the information released by the Department of Justice, Avivah Litan, Distinguished Analyst at Gartner Group, says, "It looks like Gonzalez started the attack on Heartland right when he was getting indicted for TJX." She speculates that while perhaps his activities "have been curtailed for the time being, no doubt he has cronies either above or below him that can carry on with more attacks."
Litan says this information validates the number of accounts she estimated were breached at Heartland. "I said over 100 million accounts, and in fact it was well over that - and these accounts were all good, live card accounts, unlike TJX, for example, where a lot of inactive accounts were compromised."
U.S. card issuers and the industry need to strengthen the core of card payment security, Litan says, with technologies such as chip and PIN and true end-to-end encryption (retailer to issuer). "It's aggravating for the non-U.S. card issuers who spend millions upgrading to Chip and PIN cards, only to have their cardholders come to the U.S., use them as magstripe cards and get their data breached at companies like Heartland," she says. Those card issuers can't remove the magstripes from their cards if they want to enable their cardholders to shop in the U.S. or other countries that have not implemented chip and PIN. Litan asserts it's time for the U.S. card industry "to get on the bandwagon and upgrade payment card system security, and stop pretending that PCI is working."
Impact on PCI Standards?
One indictment of three hackers won't replace the need for Payment Card Industry Data Security Standard (PCI DSS) compliance. The PCI standards raise the bar with respect to securing sensitive data in the merchant card acceptance environment, Wills says, but they're not a complete solution. Compliance doesn't equal security, he adds. PCI DSS isn't going to go away, so in addition to staying compliant, merchants and payment processors need to continually assess threats and vulnerabilities and fold the results into their security programs. "They need to actively manage risk, not just follow a checklist, which is what PCI DSS essentially is," Wills says.
Privacy and information security expert Dr. Larry Ponemon of the Ponemon Institute agrees with Wills. "This case demonstrates that good compliance does not equal good security," Ponemon says. "While PCI standards are important, mere compliance with these standards does not ensure that security or data protection activities adequately address security threats and vulnerabilities."
PCI Knowledge Base's Taylor defends the standards, saying that PCI alone cannot prevent breaches. "As implemented, there will always be gaps between the ideal and the real, plus the standards themselves are basically best practices," he says. The standards were not really designed to prevent breaches, "because the cost of really trying to do that would be prohibitive, and would be so technically constraining that businesses could not function."
What Does This Mean To Heartland?
Taylor doesn't see Heartland getting off the hook just from the arrest and indictment alone. "There are lawsuits, Qualified Security Assessor (QSA) liability issues and other issues to answer to, so Heartland will continue to be at the center of this for a while," he says.
This indictment has no bearing on the class action suits against Heartland, says Gartner's Litan. "This indictment does not let them off the hook at all. If anything, it exacerbates their situation because now everyone knows for sure just how big a breach it really was," she says, adding "the QSAs should be called to task here for validating these breached companies as PCI-compliant. How come they totally get off the hook?"
Will the QSAs and others be brought into the fray? "The blame game has heated up and is in full force," says Eaden. "Everyone is being thrown under the bus and I would expect to see the QSAs and the anti-virus vendor Heartland was using to be next among the cast of characters to surface in this drama in the coming days."
Not all experts agree. Ponemon believes the cybercriminal story will now outshine the data breach event. "The public will now see Heartland as just another victim rather than the sole source of the problem," he says.
Heartland is doing everything possible to restore its reputation, Aite's Holland says. "I suspect that the groundwork that they are doing now will pay dividends in due course as they become a showcase of data security best practice," he says. But the big unanswered question is: When will the other shoe drop? "Was this the tip of the iceberg?" Holland asks. "Who else has been breached that we are not currently aware of?"