A Miami-based hacker indicted Monday for stealing 130 million credit card numbers from known US retailers, including 7-Eleven Co Inc, employed an old technique of SQL injection that takes advantage of the “unlimited number of vulnerabilities” in retailers’ databases, said one security expert.
“You are just using a browser pretending to be a real customer, but you send specially crafted character strings back and that allows you to speak to the control structure of the database,” said Brian O’Higgins, a Toronto-based independent security consultant.
“You are essentially looking like a database administrator,” said O’Higgins.
Albert Gonzalez and two unnamed co-conspirators have been charged with stealing credit and debit card information from U.S. retailers including convenience store chain 7-Eleven Co. Inc., card payment processor Heartland Payment Systems Inc., and supermarket chain Hannaford Brothers Co.
Also known as segvec, soupnazi and j4guar17, Gonzalez was also charged in May and August 2008 for his alleged roles in hacking other retailers in which data from 40 million credit cards was stolen.
According to O’Higgins, once posing as a database administrator, the hacker can easily inject any command and hijack the database.
But while SQL injections is an old technique, Gonzalez and his co-conspirators were quite smart in how they actually exploited that vulnerability, said O’Higgins. They installed malware that remained undetected for a long time, he said, “and that malware may just sit there silently and record credit card numbers and occasionally report it back to the home server.”
SQL injection attacks are successful because database vulnerabilities are numerous, said O’Higgins. Software developers do try to write electronic commerce applications that are not susceptible to SQL injections, “but programmers always make mistakes and people find a way of sneaking these command characters in.”
In light of how these U.S. retailers have fallen victim to such attacks, O’Higgins said every Canadian retailer should absolutely be concerned for the security of the applications they either build internally or buy from third parties. And, while nothing is perfect, a robust development lifecycle that takes security and testing seriously is a necessity, he said.
The situation basically whittles down to compliance and how retailers are protecting consumer data, said Candice Low, research analyst with London, Ont.-based Info-Tech Research Group Ltd.
Retailers like the victims named in this attack are required to comply with PCI, lest they should be penalized an escalating fine with every repeat of non-compliance, said Low.
“If they were fully compliant, it may not have happened,” said Low. Heartland Payment Systems and Hannaford Brothers are listed as participants of PCI DSS, said Low, “but we don’t know if they were listed necessarily whenever the hacks were perpetrated.”
The attacks on these retailers could have occurred anytime between 2006 and 2008.
Having a retailer’s applications audited by a third-party can also help ensure PCI compliance, especially when the greater the volume of credit card transactions, the higher the standard the retailer is held to, said O’Higgins.
But even PCI compliancy is not fool proof because it is a point-in-time measurement, noted O’Higgins. “In some of these 130 million credit card numbers, some of the big name retailers were definitely PCI compliant … and they were still broken into,” he said.
However, retailers are still better off being compliant, said O’Higgins. “Retailers are always under attack. The more visible and popular they are, the more attacks there are. They’ve got to do a better job with security.”
Low said retailers should ensure the data on their networks remains secure, data being transmitted is encrypted, anti-virus software is updated, and information that is not required is not collected.
“Really, it all comes down to, how are you protecting the data and is it enough?” said Low.
