January 2009 Archives

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants: http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

I took a moment to see whether they were PCI compliant; they had been audited in March 2008 by Trustwave.

Heartland said it all started with a keylogger that got into its systems, as described in this snippet from http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212901505&subSection=News

---------- 
"the breach was the result of keylogging malware, which covertly captures anything typed on an infected computer, such as user names and passwords. ... 

There were two elements to it, one of which was a keylogger that got through our firewall," he said. "Then subsequently it was able to propagate a sniffer onto some of the machines in our network. And those are what was actually grabbing the transactions as they floated over our network." 
---------- 

You have to wonder whether the keylogger came in over the network, or was carried in by an employee on a USB token or on a laptop infected at home or while traveling, etc. We're not sure PCI DSS can effectively prevent problems like those, although it can recommend good security practices that reduce the possibility.


PCI DSS (Requirement 1.3) prohibits direct public access between the Internet and any system that stores, processes or transmits cardholder data. A sniffer sitting on such a machine should therefore have no direct path to ship captured transactions back to its operator over the Internet, so if that is how the data left, the exploit described is itself evidence of a PCI DSS violation.

Also, file-integrity monitoring (Requirement 11.5), anti-virus (Requirement 5) and daily log review (Requirement 10) should pick up a keylogger or sniffer being dropped onto a server, and an IDS/IPS or egress-filtering firewall can flag a card-processing server making connections it has no business making.
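As an added illustration of those two checks (this is not code from the original post or from Heartland), here is a small Go scanner over constructed firewall log lines. The log format, host addresses and per-host allowlist are assumptions made for the example; a real deployment would feed it firewall or netflow exports for the documented cardholder data environment.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample firewall log lines in a key=value style (not real Heartland data).
// Lines 2 to 4 show the two behaviours the quote above describes: a card-processing
// server reaching sideways to a peer it never talks to, and one reaching the Internet.
var sampleLog = []string{
	"2009-01-20T02:10:03Z src=10.20.1.15 dst=10.20.1.5 dport=1433 action=allow",  // app -> DB, expected
	"2009-01-20T02:10:09Z src=10.20.1.15 dst=10.20.1.16 dport=445 action=allow",  // app -> app over SMB
	"2009-01-20T02:11:41Z src=10.20.1.16 dst=203.0.113.7 dport=443 action=allow", // CDE host -> Internet
	"2009-01-20T02:11:42Z src=10.20.1.16 dst=203.0.113.7 dport=443 action=deny",  // same, blocked this time
	"2009-01-20T02:12:00Z src=10.30.7.2 dst=198.51.100.10 dport=80 action=allow", // office host, out of scope
	"garbage line that does not parse",
}

// cdeHosts is the documented cardholder data environment; allowedInternal lists the
// internal dst:port pairs each host is expected to reach (assumed values for the example).
var cdeHosts = map[string]bool{"10.20.1.5": true, "10.20.1.15": true, "10.20.1.16": true}

var allowedInternal = map[string]map[string]bool{
	"10.20.1.15": {"10.20.1.5:1433": true},
	"10.20.1.16": {"10.20.1.5:1433": true},
}

// Alert is one connection a card-processing host should not have made.
type Alert struct {
	Time, Src, Dst, Port, Reason string
}

// isPublic is true for an address outside RFC 1918, loopback and link-local space.
func isPublic(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && !ip.IsPrivate() && !ip.IsLoopback() && !ip.IsLinkLocalUnicast()
}

// parse turns "<time> k=v k=v ..." into a map; malformed lines are skipped, not guessed at.
func parse(line string) (map[string]string, bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return nil, false
	}
	kv := map[string]string{"time": fields[0]}
	for _, f := range fields[1:] {
		p := strings.SplitN(f, "=", 2)
		if len(p) != 2 {
			return nil, false
		}
		kv[p[0]] = p[1]
	}
	for _, k := range []string{"src", "dst", "dport", "action"} {
		if kv[k] == "" {
			return nil, false
		}
	}
	return kv, true
}

// Scan applies two rules to connections initiated by CDE hosts. Any public destination is
// an alert whether the firewall allowed it or not: PCI DSS 1.3 says that path should not
// exist, and a denied attempt still means something on the host is trying to call out.
// An internal destination outside the host's allowlist is an alert for lateral movement.
func Scan(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		kv, ok := parse(line)
		if !ok || !cdeHosts[kv["src"]] {
			continue
		}
		a := Alert{Time: kv["time"], Src: kv["src"], Dst: kv["dst"], Port: kv["dport"]}
		switch {
		case isPublic(kv["dst"]):
			a.Reason = "CDE host initiated a connection to a public address (" + kv["action"] + ")"
		case !allowedInternal[kv["src"]][kv["dst"]+":"+kv["dport"]]:
			a.Reason = "CDE host connected to an internal destination outside its allowlist"
		default:
			continue
		}
		alerts = append(alerts, a)
	}
	return alerts
}

func main() {
	for _, a := range Scan(sampleLog) {
		fmt.Printf("%s %s -> %s:%s  %s\n", a.Time, a.Src, a.Dst, a.Port, a.Reason)
	}
}
```

On the sample above the scanner raises three alerts: the SMB connection between the two application servers, and both Internet-bound attempts from 10.20.1.16. The denied attempt is kept on purpose; a firewall block is not a reason to stop looking at the host that tried.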


SUBWAY announces a partnership with Torex to implement its Quick Service Restaurant POS solution globally. Upon completion of the roll out the SUBWAY chain will have Torex software installed in over 30,000 of its restaurants in 87 countries. 

With a large network of franchisee operations, SUBWAY needed one global POS solution designed for large, complex environments, striking a balance between the franchisees' need for value and the corporate mission to support growth. Torex Quick Service Restaurant (QSR) POS was selected for its ability to scale across the entire global organisation and for the Torex staff's deep knowledge of the needs and challenges facing SUBWAY internationally. The solution is also capable of growing with the business as the SUBWAY restaurant chain continues its expansion program. Additionally, working with a proven global solution means the sandwich franchisor minimizes the risk to its business while controlling costs and enabling speed to market. 

"We understood that this evaluation process was going to result in the largest global deployment of a commercially available solution in the QSR market. We spent over 11 months evaluating over 25 vendors, our choice was unanimous...Torex," says Thys Van Hout, SUBWAY's chief technology officer.

More than 100 million electronic passports have been issued in the two-plus years since governments began producing the new travel credentials. The U.S. State Department alone has issued almost 15 million of the contactless documents.

But while there are many e-passports in circulation the inspection systems used to read them have not been widely deployed at border crossings. Putting these systems in place, while not adversely impacting wait times, will be the next challenge for countries.

European Union countries have that and another obstacle to hurdle as well: extended access control (EAC). Since EU countries are storing fingerprint images on e-passports they are using the more advanced security of EAC, a public key infrastructure scheme that secures the biometric data. EU countries are supposed to start issuing passports with EAC by next June.


Even the U.S., the initiator of the move to e-passports after the terrorist attacks of Sept. 11, hasn't deployed many inspection systems. The U.S. Department of Homeland Security's Customs and Border Protection (CBP) has requested funding for 5,000 e-passport readers to deploy at 372 air, sea and land border entry points, said Warren Burr, director of the fraudulent document analysis unit at Customs and Border Protection. The new readers would replace the current devices that just read the machine readable zone on the passport.

But so far only 500 of the readers have been purchased and fewer than half of those, just 247, have been installed, Burr said. The concern is that using the new scanners will adversely affect wait times.

The readers in the field are at the 33 U.S. international airports, which covers 97% of visa waiver country travelers entering the country, Burr says. CBP is analyzing how to deploy e-passport readers to all border entries and assess how it will impact wait times. Burr made these comments at the Future of Secure Document 2008 conference in Chicago.

There are concerns around how long it will take to process travelers with the e-passports. With the older documents customs officials would swipe the machine readable zone, check a few other items in the book and ask the traveler some questions.

E-passports require a little bit of extra finesse, says R. Michael Holly, director of international affairs for passports with the U.S. State Department. "They need to get the inspectors prepared and familiar with how to deal with the new documents," he says. "They have to deploy full page scanners and you need to let them sit awhile so the data can be accessed."

The State Department is working on getting sample e-passports to border officials so they can test the systems and train officers, Holly says. When the U.S. introduced e-passports they also changed some of the physical security in the book as well and officers need to be able to spot the different features.

Already, use of the new documents is rising rapidly. Between Oct. 1 and Dec. 31, 2006 Customs and Border Protection scanned 165,921 electronic passports, Burr said. In all of 2007 1.4 million were checked and in the first half of 2008 CBP officers had scanned more than 1 million e-passports.

Inspection challenges trump issuance challenges

But the challenge to deploy these inspection systems is what most countries are facing. The change was evident in September at the E-Passport EAC Conformity and Interoperability Tests in Prague, says Mike Bond, security director at Cryptomathic. "The guys from the inspection side outnumbered the guys on the issuing side," he said. "Their money has been spent and the project is done, now it's time for the border control guys to come in."

The European border control officials have quite the task in front of them. Extended access control is a PKI scheme that secures biometric data on e-passports. EU countries decided to store fingerprint and iris biometrics on the passports as well as the photo and other data. This biometric information is stored as images, not templates, so countries want to take extra steps to make sure the data is protected.

In order to read the biometric from the passport and match it against the traveler, the inspecting country's terminal must hold a certificate that chains back to the issuing country's root (the CVCA), or the chip will not unlock the data. Vendors and border officials are still working out how these certificates will be exchanged and read, while also making sure that systems from different vendors interoperate.
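To make the certificate requirement concrete, here is an added Go model of EAC Terminal Authentication as the chip sees it. It is not code from the article, Cryptomathic, Entrust or any vendor, and it simplifies the real protocol: certificates are a hash-and-ECDSA stand-in for card-verifiable certificates, the country names NL and FR and the rights bit are invented, and the chip checks only the chain, the rights and a challenge signature. What it does show is why certificate exchange matters: a chip trusts only the CVCA key it was personalised with, so an inspection system whose chain is not rooted there, or whose DV was never granted fingerprint rights, gets nothing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RightDG3 is the access bit for fingerprint images, a stand-in for the CHAT field of a
// real card-verifiable certificate (the TLV encoding from BSI TR-03110 is not modelled).
const RightDG3 uint8 = 1 << 0

// Cert is a simplified card-verifiable certificate: the issuer's ECDSA signature covers
// holder, issuer, rights and the holder's public key.
type Cert struct {
	Holder, Issuer string
	Rights         uint8
	PubKey         *ecdsa.PublicKey
	Signature      []byte
}

func (c *Cert) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%d\x00%x\x00%x", c.Holder, c.Issuer, c.Rights, c.PubKey.X, c.PubKey.Y)
	return h.Sum(nil)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a key pair for holder and has issuerKey sign its certificate.
func issue(holder, issuer string, rights uint8, issuerKey *ecdsa.PrivateKey) (*Cert, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	c := &Cert{Holder: holder, Issuer: issuer, Rights: rights, PubKey: &key.PublicKey}
	c.Signature = must(ecdsa.SignASN1(rand.Reader, issuerKey, c.digest()))
	return c, key
}

// Chip is the passport side: it trusts exactly one CVCA key, written at personalisation.
type Chip struct {
	CVCAName string
	CVCAKey  *ecdsa.PublicKey
	DG3      []byte // constructed stand-in for the fingerprint images
}

// ReadDG3 is Terminal Authentication in miniature: the chain (DV, then IS) must be signed
// link by link from the trusted CVCA key, rights are ANDed down the chain, then the terminal
// must sign a fresh challenge with the IS private key before anything is released.
func (ch *Chip) ReadDG3(chain []*Cert, terminalSign func([]byte) []byte) ([]byte, error) {
	if len(chain) == 0 {
		return nil, errors.New("no certificate chain presented")
	}
	name, key, rights := ch.CVCAName, ch.CVCAKey, uint8(0xFF)
	for _, c := range chain {
		if c.Issuer != name {
			return nil, fmt.Errorf("%s is issued by %s, but this chip trusts %s", c.Holder, c.Issuer, name)
		}
		if !ecdsa.VerifyASN1(key, c.digest(), c.Signature) {
			return nil, fmt.Errorf("signature on %s does not verify", c.Holder)
		}
		rights &= c.Rights
		name, key = c.Holder, c.PubKey
	}
	if rights&RightDG3 == 0 {
		return nil, errors.New("terminal is not authorised to read DG3")
	}
	challenge := make([]byte, 8)
	must(rand.Read(challenge))
	sum := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(key, sum[:], terminalSign(challenge)) {
		return nil, errors.New("terminal failed the challenge")
	}
	return ch.DG3, nil
}

// Build sets up one country: CVCA -> DV -> IS, the IS signing function, and a chip keyed to that CVCA.
func Build(country string, dvRights uint8) (*Chip, []*Cert, func([]byte) []byte) {
	cvca := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	dv, dvKey := issue(country+"DV", country+"CVCA", dvRights, cvca)
	is, isKey := issue(country+"IS1", country+"DV", RightDG3, dvKey)
	sign := func(challenge []byte) []byte {
		sum := sha256.Sum256(challenge)
		return must(ecdsa.SignASN1(rand.Reader, isKey, sum[:]))
	}
	chip := &Chip{CVCAName: country + "CVCA", CVCAKey: &cvca.PublicKey, DG3: []byte("constructed fingerprint image bytes")}
	return chip, []*Cert{dv, is}, sign
}

func main() {
	chip, chain, sign := Build("NL", RightDG3)
	fmt.Println(chip.ReadDG3(chain, sign)) // own country's terminal: DG3 bytes and <nil>
}
```

The interesting failures are the ones the conference was about: a terminal from a country that never received a certificate from the NL CVCA is refused at the first link, and a DV that was not granted the fingerprint right cannot pass it on to its terminals however valid its signatures are.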

While EU countries have to start issuing e-passports with EAC by next June there is no deadline to actually read the biometric data from the passports, Bond says. "With regards to inspecting we're 18 months away from starting pilots. The UK was talking about initial inspection by the end of 2009, scanning the full biometrics of some people, but only about 1% of travelers, and moving to 30% by 2016."

There are numerous reasons for the seemingly long timeline. First and foremost, governments don't know how it will work. This was a reason for the Prague conference in September.

The purpose of the test was to let European countries verify the conformity of e-passports using EAC and fingerprint biometric data. A related goal was cross-vendor interoperability: different EAC inspection systems against different countries' e-passports. In addition, countries attempted to verify interoperability of the EAC PKI infrastructure for national border inspection systems, including the official exchange of EAC certificates.

The tests went well, but were not without issues. "Overall results are that not all passports worked with all readers," says Neville Pattinson, director of government affairs and marketing, identity and security at Gemalto.

Four of the countries participated in a test that put in place a fully-operational PKI infrastructure, says Tim Moses, director of advanced security technology at Entrust, one of the participants. Entrust is supplying the PKI infrastructure to the UK and Slovenia.

Considering it was the first time the infrastructure was checked, the test was pretty successful, Moses says. "There were a few minor issues on the certificate exchange but we resolved them." Full results from the conference are not expected until December and another test will be scheduled before the June 2009 deadline.

Moses emphasized that countries are going to have to work to make sure EAC is done properly. "The EAC environment requires a lot of interaction among countries," he says. "The PKI system must be built to manage the trust; it's not just a set of tools."

Added security likely to add further delays at inspection points

One of the larger issues with EAC is the time it's going to take to process travelers. Pattinson says it can take anywhere from two to 15 seconds for the information to transmit.

Cryptomathic has released a new product it claims will accelerate the speed of inspecting electronic passports by a factor of four. The product uses a different type of caching mechanism, a storage area that holds an encrypted version of the e-passport biometric data.

When the e-passport has its initial contact with the border control station, the biometric data is transferred from the chip into the inspection system; at the same time a unique key is calculated from the e-passport chip and used to encrypt the stored copy.

That key is then deleted from the border control system's memory, so the cached record cannot be decrypted from the inspection system alone. To recreate the decryption key and view the biometric data again, the original e-passport must be presented to the inspection system.
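The scheme just described, written out as an added Go example. This is not Cryptomathic's code, and the article does not say what the real product derives its key from, so the derivation below is an assumption: a key is computed from a chip-specific value that the inspection system can only obtain with the chip in the field, the record is sealed with AES-GCM, and only the ciphertext is retained, so a later lookup needs the document again.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cache keeps one encrypted record per document number. Only ciphertext is stored; the
// key that produced it is never kept.
type Cache struct {
	records map[string][]byte // docNo -> nonce || AES-GCM ciphertext
}

func NewCache() *Cache { return &Cache{records: map[string][]byte{}} }

// deriveKey turns a chip-specific value into the record key. Assumption for this example:
// chipSecret is something the inspection system can only obtain with the chip in the
// field, such as the Chip Authentication shared secret; the article does not say what
// the real product derives its key from.
func deriveKey(docNo string, chipSecret []byte) []byte {
	h := sha256.New()
	h.Write([]byte("epassport-cache-v1\x00" + docNo + "\x00"))
	h.Write(chipSecret)
	return h.Sum(nil)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts the biometric record on first contact. The derived key exists only for
// the duration of this call.
func (c *Cache) Store(docNo string, chipSecret, biometric []byte) error {
	g, err := gcm(deriveKey(docNo, chipSecret))
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	c.records[docNo] = g.Seal(nonce, nonce, biometric, []byte(docNo))
	return nil
}

// Load re-derives the key from the document presented now and decrypts. Without the chip
// the key cannot be recomputed, and a wrong chipSecret fails GCM authentication rather
// than yielding garbage.
func (c *Cache) Load(docNo string, chipSecret []byte) ([]byte, error) {
	rec, ok := c.records[docNo]
	if !ok {
		return nil, errors.New("no cached record for this document")
	}
	g, err := gcm(deriveKey(docNo, chipSecret))
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(rec) < n {
		return nil, errors.New("corrupt record")
	}
	return g.Open(nil, rec[:n], rec[n:], []byte(docNo))
}

// Raw returns the stored bytes so a reader can confirm the plaintext is not in them.
func (c *Cache) Raw(docNo string) []byte { return c.records[docNo] }

func main() {
	cache := NewCache()
	secret := []byte("value-only-obtainable-from-chip") // constructed stand-in
	_ = cache.Store("X1234567", secret, []byte("DG3: constructed fingerprint image bytes"))
	got, err := cache.Load("X1234567", secret)
	fmt.Printf("document presented again: %q, err=%v\n", got, err)
	_, err = cache.Load("X1234567", []byte("guess"))
	fmt.Println("no document:", err)
}
```

The security property rests entirely on the chip-derived value being unobtainable without the document; if it were derivable from the printed MRZ or from data the inspection system already holds, the cache would protect nothing. The speed-up comes from not having to pull the full images off the chip on repeat visits, only the small value needed to rebuild the key.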

Long lines at border control points are the fear when countries start deploying inspection technologies for e-passports, Bond says. He saw one presentation at the Prague conference that said wait times at some busy airports during peak times could be as long as 90 minutes.

And some countries are making the problem worse because they're not standardizing the biometric, Bond says. For example, most EU countries are storing the index fingerprint images on the passport, regardless of the quality of those fingerprints. But Germany is taking the two best quality fingerprints from passport applicants; it may be the index, but it also may be the thumbs.

This may lead to slow-downs at border crossings. German travelers won't remember what fingerprint image is stored in the book or a border control agent may be asking for the index when he needs the thumb. "When the delays start to happen they'll either pull the plug or soldier on," Bond says. He expects a few false starts. Countries will roll out systems and then roll them back and reconfigure as problems arise.

One solution that could alleviate wait times is self-service kiosks, says Gemalto's Pattinson. (See Global Entry story) "The consequence of EAC is more automated kiosks for border control," he says. "Have the document authenticated by the kiosk instead of manual inspection."

As the focus shifts from issuing e-passports to inspecting them, lines at international border checkpoints may be interesting over the next couple of years while travelers and officials get used to the new documents.

Basic oversights create high-tech havoc

Sometimes in IT classic "d'oh!" moments sneak up on you. This particular situation occurred sometime in the mid-1980s, back when the Web was in its infancy or maybe even before it was conceived.

Posted by Anonymous on January 13, 2009 03:00 AM on InfoWorld

I worked for a large corporation on a new project that involved shopping kiosks that one would use for purchasing goods from a number of recognized merchants -- a project considered quite high-tech at the time. The terminals featured a touchscreen, keyboard, credit card reader, and receipt printer for the transaction. In addition, it had lots of color images of products and an interactive touchscreen interface to make shopping for items on a computer more like shopping for real. We placed terminals in shopping malls and areas where there would be lots of foot traffic. In addition, we placed a terminal on the floor in our office so that we could use the system ourselves.

As part of the pilot, we distributed about 40 of these terminals around the local metropolitan area to introduce the public to the kiosk's concept. I was a systems programmer and was responsible for the communications code that enabled price changes, sales information, and other data to be transferred to and from the mainframe computer. The protocol we established was that the kiosk would collect sales during the day, and at a configured time it would place a call (no TCP/IP) via an internal modem to the datacenter and upload the day's sales. Next, it would download from the host any price changes, identities of items to be removed, and so on. Finally, it would obtain from the host the next time it should dial in for data exchange and the phone number for it to call.

One day, we had to make a change to the communication software so we sent a programmer to the datacenter to install the change and test it. Later that afternoon, this programmer and I were hanging around the office of the CICS programmer and someone walked up and told us that the kiosk on our floor was constantly dialing. She was a project member and was able to obtain the phone number it was attempting to dial. When she told us what the phone number was, the CICS programmer reacted.

"That's my realtor's number."

We let that sink in for a few seconds. Then he told us that he had used that phone number for every data entry field that required a phone number on the test CICS system. (He was in the process of buying a house at the time and I guess that's the number that was very much on his mind.) When the CICS programmer shared that information, the programmer who earlier had installed the change to the communications code reacted.

"I forgot to switch back to production after testing my code at the datacenter!"

That's when we all realized why the kiosk in our office was constantly dialing: When the kiosk began its communications sequence after the systems programmer ran his test, all the sales information went to the test environment, and more importantly, it was instructed to dial the CICS programmer's realtor's office for the next exchange -- which was set at 4:00 that afternoon. We also realized this: The kiosks were programmed to retry every minute after a failed communications attempt. So every minute it would dial a well-known real-estate office, listen for a modem tone, and when none occurred it would hang up. Then it dawned on us that the 40 other terminals around the area (some up to 2 hours away by car) were doing the same thing. The only way to correct it was to reset the phone number on the kiosks themselves, because once the kiosks had the phone number changed by the process in place, they were effectively cut off. They no longer knew the datacenter numbers, they only knew a bogus number (the real estate office) which wasn't giving them any useful information back.

We called the realtor's office to let them know what was going on, then we resolved the problem by dividing up the area among the project members, driving out, and resetting each machine. The realtor kept staff at work until late that night, answering the calls. The next day we used the kiosk on our floor to send flowers and a note of apology to the realtor's office. I guess they decided they really wanted the sale on the CICS programmer's home, because the realtor didn't pursue any action.

Eventually the project died and the project team was first in line for the fire sale of all the unsold merchandise we had in a local warehouse. I still have the set of screwdrivers and some wood tools from that sale.


January 7, 2009 (Computerworld) Lower gas prices aren't the only thing that's new at the pumps these days. Data encryption tools are also becoming part of the picture.

Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding customers' personal identification numbers (PINs).

So-called card-skimming devices placed on gas pumps have been used to compromise payment card data in the past. For example, in 2005, data at gas stations operated by Wal-Mart Stores Inc.'s Sam's Club division was compromised.

Visa's new requirement calls on gas retailers to ensure that all new pumps capable of processing debit card purchases are equipped with an encrypting PIN pad, or EPP, that supports Triple DES. Although Visa is the only credit card company mandating the use of the encryption technology now, the requirement is expected to become part of a broader specification for unattended point-of-sale (POS) systems that is being developed by the PCI Security Standards Council, which is responsible for the Payment Card Industry Data Security Standard and other data-protection measures.
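What an encrypting PIN pad actually does with the PIN, as an added Go example that is not from the article or from Visa: build the ISO 9564-1 format 0 PIN block, which binds the PIN to the card's PAN, and encrypt it under a TDES PIN encryption key before it leaves the pad. The PAN, PIN and key below are constructed test values, and the host-side recovery is included only to make the round trip visible; in production that step runs inside an HSM.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func digits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// panField is the second operand of an ISO 9564-1 format 0 block: four zero nibbles, then
// the rightmost 12 PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !digits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// PINBlockFormat0 builds the format 0 block: (0, PIN length, PIN digits, F padding) XOR
// panField. Mixing the PAN in means the same PIN gives a different block on every card,
// so a block captured from one transaction cannot be replayed with another card.
func PINBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !digits(pin) {
		return nil, errors.New("PIN must be 4-12 digits")
	}
	pinField, err := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	if err != nil {
		return nil, err
	}
	pf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinField[i] ^ pf[i]
	}
	return block, nil
}

// tdes accepts a 16-byte (two-key, used as K1 K2 K1) or 24-byte TDES key. An 8-byte
// single-DES key, the configuration Visa's mandate retires, is rejected by the cipher.
func tdes(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		key = append(append([]byte{}, key...), key[:8]...)
	}
	return des.NewTripleDESCipher(key)
}

// CryptPINBlock runs one 8-byte block through TDES. On the pad (decrypt=false) this is the
// last thing done before the block leaves the EPP; on the host (decrypt=true) it happens
// inside an HSM. ECB on exactly one block is how PIN blocks are specified.
func CryptPINBlock(key, in []byte, decrypt bool) ([]byte, error) {
	if len(in) != 8 {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	c, err := tdes(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// RecoverPIN undoes format 0 given the PAN from the transaction.
func RecoverPIN(block []byte, pan string) (string, error) {
	pf, err := panField(pan)
	if err != nil {
		return "", err
	}
	pinField := make([]byte, 8)
	for i := range pinField {
		pinField[i] = block[i] ^ pf[i]
	}
	h := hex.EncodeToString(pinField)
	n := int(pinField[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 || !digits(h[2:2+n]) {
		return "", errors.New("not a well-formed format 0 PIN block")
	}
	return h[2 : 2+n], nil
}

func main() {
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed test key
	block, _ := PINBlockFormat0("1234", "4000001234567899")         // constructed PIN and PAN
	enc, _ := CryptPINBlock(key, block, false)
	fmt.Printf("clear block %X  encrypted %X\n", block, enc)
}
```

For PIN 1234 on the constructed PAN the clear block is 041234FEDCBA9876: the first three bytes carry the PIN, the rest are the F padding XORed with the PAN digits. A skimmer that sees only the TDES output learns neither; a pad that emitted the clear block, or one using single DES, is what the mandate is about.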

Gas station owners have until July 1, 2010, to ensure that all of their existing pumps are upgraded to support Triple DES. Robert Renke, executive vice president of the Petroleum Equipment Institute in Tulsa, Okla., estimated that about 1.4 million gas pumps would need to be retrofitted with new software -- for an average of more than 2,500 per day in order for retailers to meet Visa's deadline.

The chances of that happening are remote, according to some analysts. The upgrade requirement is "a major deal for gas stations with old equipment," said Gartner Inc.'s Avivah Litan. And with the economy in tatters and drivers cutting back on gas consumption after prices hit record levels last summer, "this could not come at a worse time for gas station operators," Litan said. "I'm sure many will be late when it comes to compliance."

She added that if an existing gas pump can't support a software upgrade to make it compliant with Triple DES, a replacement pump may have to be installed. And on top of the encryption requirements, gas stations will need to ensure that the POS systems on their pumps comply by July 2010 with a separate payment application security standard, PA-DSS, that Visa crafted (as its Payment Application Best Practices) and the PCI council then adopted. Full replacements can cost between $8,000 and $29,000 per pump, Litan said.

Retailers that need to upgrade only their existing pumps can expect to spend between $1,800 and $2,000 per card reader, Renke said. But he added that given the razor-thin profit margins and fiercely competitive environments that most gas station owners face, investing even that much money in the security upgrades will be a major challenge for many.

"This is going to be a huge undertaking," agreed Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill. Between 20% and 30% of gas purchases made at the pump are processed via PIN-based debit transactions, Huguelet said. He noted that gas stations that can't or are unwilling to make the required investments in pump upgrades or replacements may have to stop accepting such transactions next year.

The new data encryption requirements for gas stations are part of a wider effort started by Visa five years ago to enforce tougher security standards on self-service gas pumps, ATMs, retail kiosks and other unattended POS systems, as well as PIN entry devices that are monitored by employees at a retailer or other merchant.

According to a document that Visa issued in September to outline the Triple DES requirements, a complete conversion to the encryption technology on POS devices will require upgrades to systems and networks at banks and payment processing firms in addition to the ones at gas stations and other merchants.

The PCI Security Standards Council announced plans in August to add security requirements for unattended POS systems that all entities accepting payment card transactions via such devices will need to comply with. A draft of the requirements has already been published for review, and council members have submitted comments about the draft. A final version is expected to be released sometime this year.

Source Technologies reintroduced itself today with the launch of a new corporate logo, tagline and color scheme. The company decided the time had come for a fresh, contemporary image for a business that has, for more than 20 years, delivered state-of-the-art secure printing, payment and self-service solutions.

"The nature of the company is changing," said William Bouverie, President and CEO. "We are transitioning from a successful value-added distributor to an organization that designs, develops and manufactures its own world-class solutions. We want to recognize this transformation with branding elements that reflect where we are going as a company."

The new logo, in green and grey, has a distinctly modern edge and the addition of the globe symbolizes the relationships Source Technologies has with its international customers and business partners. The new tagline, Innovate. Inspire. Achieve. ℠ represents the key aspects of Source Technologies' approach to business opportunities.

The company's new corporate brand will help to showcase its new solutions and continued commitment to expanding its market focus. Source Technologies has already begun converting to the new brand with the re-launch of its corporate website and a host of rebranding initiatives.

About Source Technologies

Source Technologies' self-service kiosks and secure print solutions empower businesses to automate a wide range of processes, including complex banking transactions, customer-facing retail and hospitality interactions, and the secure printing of sensitive information and negotiable documents. Our self-service kiosks support multiple applications, including bill payment, price checking, quick-serve orders and digital signage. Our secure printers and MICR printing solutions support even the most time- and information-sensitive applications, such as payroll, accounts payable and prescription printing. For fresh inspiration, come see what Source Technologies can help you achieve.

Innovation underway at www.sourcetech.com



