With the indictment of three conspirators accused of
breaching Heartland Payment Systems’ security, the
internet’s inherent weaknesses have become more apparent than ever.
But despite efforts to resolve those weaknesses, building a new internet
platform may be the only solution, security expert Ori Eisen told
In a sequel to one of the most widely publicised data breaches yet
involving theft of credit and debit card numbers and related
personal identification information, Albert Gonzalez and two
unnamed accomplices have been indicted by a US court in New
The most serious offence of which they stand accused is breaching
the security of Heartland Payment Systems, the US’ fifth-largest
payments processor, in the process obtaining 130 million payment
card numbers. This made it the biggest data theft in US
In addition, the indictment covers theft of 4.2 million payment
card numbers from supermarket chain Hannaford Brothers’ computer
network and an unknown number of payment card numbers from
convenience store chain 7-Eleven and two unnamed national
Gonzalez, together with 10 other people, was last year charged with
theft of an estimated 47 million credit and debit card numbers from
nine major retailers including TJX Companies, BJ’s Wholesale Club
and Barnes & Noble.
The latest indictment specifies the method used by Gonzalez and his
accomplices as SQL injection which, according to Microsoft,
targets internet applications where vulnerabilities of the
underlying database are known or discovered by attackers. SQL, or
structured query language, is a language designed to retrieve and
manage data in databases and was developed by IBM in the early
1970s.
Once a network was infiltrated, data and other information moving
through the corporate victims’ payment card processing networks was
intercepted in real time and then transmitted to the conspirators by
implanted malicious software (malware).
The indictment alleges that, to evade detection by anti-virus
software, the accused tested the malware against about 20 antivirus
programmes. It also alleges that Gonzalez and his accomplices
visited retail stores of potential victims to identify the payment
processing systems used at their POS terminals and to assess
potential vulnerabilities.
Potential victims’ websites were also assessed to identify payment
processing systems that the would-be victims used and to understand
potential vulnerabilities of those systems.
“Code weakness on e-commerce sites is the single greatest
vulnerability exploited by hackers to directly compromise and
illegally extract credit card and personal data online, so it comes
as no surprise that it has been used to such dramatic effect in the
Heartland case,” Neil O’Neil, principal digital forensics
investigator at card payment specialist The Logic Group, told EPI
in a written comment.
“The problem is SQL injection,” he continued. “If a SQL database
cannot deal with escape characters then it is vulnerable to the
injection of variables and strings that will give hackers direct
access to data. Hackers can extract data from a vulnerable database
by simply heading onto the login page and entering an exact string
of code. This string selects a particular user’s password and
potentially their credit card details. This occurs because the
input into the form in the webpage is unverified or
In essence, an escape character is a single character used to
change the meaning of the characters which follow it and can be
interpreted by a computer as a command to be executed rather than
“To resolve SQL injection issues there needs to be specific lines
of code that deal with escape characters,” explained O’Neil. “For
all other code weaknesses it is best to ensure that all the website
development complies with the Open Web Application Security Project
which provides guidelines to resolve all the major known web
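The login-page weakness O’Neil describes, and the fix he alludes to, can be shown side by side. The following is an added example written for this article, not code from The Logic Group, Heartland or any of the companies named; it uses Python’s standard sqlite3 module, an in-memory table with constructed, fake rows, and a constructed input string containing a quote character. The vulnerable function pastes the user’s input into the SQL text, so the quote is read as syntax; the hardened function keeps the SQL text fixed and lets the database driver bind the values, which is how “dealing with escape characters” is done in practice.

```python
import sqlite3

# Constructed sample data standing in for an e-commerce login store.
# The card column mirrors the article's point about what a leaked row
# could expose; every value here is fake.
SAMPLE_USERS = [
    ("alice", "s3cret-pw", "4111-XXXX-XXXX-1111"),
    ("bob", "hunter2", "5500-XXXX-XXXX-0004"),
]


def build_db():
    """Create an in-memory users table populated with the fake rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Weak form: user input is interpolated into the SQL text.

    A quote character in the input ends the string literal early and the
    rest of the input becomes part of the query, which is the escape
    character problem the article describes.
    """
    sql = (
        "SELECT username, card FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn, username, password):
    """Hardened form: the SQL text is fixed and values are bound by the
    driver, so a quote in the input is data, never syntax."""
    sql = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed input containing a quote character, of the kind a login
# form must be able to handle safely.
TAINTED = "' OR '1'='1"


def demo():
    """Run both forms with a normal login and with the tainted input."""
    conn = build_db()
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret-pw"),
        "vulnerable_tainted": login_vulnerable(conn, TAINTED, TAINTED),
        "hardened_normal": login_parameterised(conn, "alice", "s3cret-pw"),
        "hardened_tainted": login_parameterised(conn, TAINTED, TAINTED),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-20s -> %d row(s): %r" % (name, len(rows), rows))
```

With the tainted input the interpolated query matches every row in the table, so the weak form hands back both fake users and their card fields, while the parameterised form looks for a user literally named `' OR '1'='1` and returns nothing. Parameter binding, rather than hand-written escaping, is the standard OWASP recommendation for this class of weakness.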
Tip of the iceberg
The alleged Heartland data theft perpetrators may be securely behind
bars, but this represents only a minor victory in the war against
online criminals, Ori Eisen, founder and chairman of security
specialist 41st Parameter, told EPI.
“It is folly to think that in Gonzalez we have captured the
mastermind behind online crime,” he stressed.
Eisen, who was formerly American Express’ worldwide fraud director,
added that the payment cards compromised in the Heartland data
breach and other major breaches are only “the tip of the
It is not the card data breaches we know about that are of most
concern but the ones we do not know about, he added.
“I would estimate that details of more than half of all payment
cards worldwide have been subject to a data breach,” said
Central to the online fraud problem is the internet itself,
stressed Eisen. He explained that when the internet was created in
the 1960s the need for online security was not remotely
“No one said then it had to be secured,” Eisen quipped.
However, the internet has only been in use as an instrument of
commerce and financial services for a decade and the current state
of security development can be equated to the early days of, for
“Thanks to advances made in aviation since the early days crashes
are far less common,” said Eisen. This did not deter financial
institutions, which have since the late 1990s “jumped” into the
online market, he continued. But now that they are facing massive
security threats they cannot get out, he added.
Steps taken to secure online transactions such as the Payment Card
Industry Data Security Standard (PCI DSS) are merely steps forward
and do not solve the fraud risk problem, he stressed. The PCI DSS
specifies which known security threats a data processor’s system
must be free of, but cannot assess unspecified threats that may lie
undetected, said Eisen.
“A breach such as that suffered by Heartland will happen to someone
else,” said Eisen.
The reality, he stressed, is that the internet is an open platform
that is likely to prove impossible to secure fully against criminal
ingenuity. By 2015 Eisen believes banks and other online payments
market players will have exhausted all options to fully secure
online transactions. The ultimate solution, said Eisen, will be
creation of an entirely new, separate internet platform on which
security will be paramount.
Creation of a new internet system would be a five to 10 year
project and cost about $50 billion, he estimates.
Perhaps this is a high cost but, stressed Eisen: “Just think of the
cost to global commerce and finance of losing the internet to