Security Experts:

The Security Mirage of the Browser Padlock

After Your Secure SSL Session Ends, Merchants can Theoretically Keep your Entire Customer Profile in Clear Text. Attackers love to Exploit Vulnerabilities in Online Stores to Steal that Data.

During Anonymous’ Operation Payback, in which they conducted DDOS attacks against organizations that supposedly “wronged” Wikileaks, a part of the group suggested that they should try and embarrass these organizations in other manners. One of the proposed ideas was to create a fake list of several thousand credit cards, claiming that they have been compromised. They anticipated that this news would be perceived as shocking, causing damage to the reputation of their targets. Why eventually the group has decided not to go ahead with the plan is unknown. A possible explanation would be that they’ve learned the real amounts of compromised credit cards. The TJX compromise alone spanned 45.6 million cards and the news media these days is filled with stories about other mass compromises, so a bogus story about a few thousand compromised cards wouldn’t even cause a dent.

SSL False Sense of SecurityThe big compromises that hit the news only tell a part of the story. As Black Hat hackers have traded their morals for profits long ago, smaller online merchants have also been prey to hacking attempts. These merchants often use off-the-shelf shopping cart software, which are not invulnerable to exploits. As these exploits become public, the merchants that use these software products and do not patch their systems become prime targets for script kiddies and less sophisticated hackers. These attackers, who do not possess the skills to target giants such as TJX follow a known procedure to exploit these vulnerabilities and obtain administrator access to these online stores. Once they’re in, the credit card credentials are harvested from the orders logs. Administrator access to online merchants is known in fraudster terminology as “shopadmins” and is often traded in the underground markets. The card holders’ credentials, stolen from the order logs, are also traded in the underground.

While it’s not easy to identify the specific source of compromise for anyone who is not the issuer (and even then they’d need multiple cards compromised in the same place), it’s easy to know what type of source the cards were stolen from. When cards from compromised brick-and-mortar merchants or processors are sold in the underground, the credentials will be in the form of the track 2 information on the magnetic stripe – or “dumps” in fraudster terminology.

When cards have been obtained from “shopadmins”, the credentials include the name of the card holder, address, credit card number, expiration date and CVV2. These credentials are called “CVV2”s (or “CVV”s) in fraudster terminology. Confusingly, this term refers to the entire set of data I’ve just described and not just the three digits on the back of the card. Some “CVV2”s are actually obtained from fraudsters’ Trojan logs, stolen directly from the victims’ infected machines. But while these records have the same types of data, the format in which they are sold looks quite different. The ample amount of “CVV2”s being traded in the underground (certain underground stores offer tens of thousands of compromised cards to prospective buyers) reveal the sad truth that many small and medium-sized merchants not only remain non-compliant with PCI DSS, but they also fail to encrypt credit card records.

For consumers who are interested in purchasing items online, it is impossible to know which merchants are really secure and which are not. We hand over our personal details without ever knowing what the merchant does with the data. Is the data kept in clear text or encrypted? Are parts of the data obfuscated?

Taking into account that hackers prey on merchant order lists as much as the pigs from “Angry Birds” prey on the eggs, it should very well be a consumer’s concern. Even without liabilities, who wants his or her information to fall into the hands of an identity thief? After all, online lookup services allow fraudsters to collect additional information on their victims, including date of birth, Social Security number and mother’s maiden name, using only the data that can be found in a CVV2 credential.

PCI and CybercrimeToday, we have a very clear and visible indication when the communication with the merchant is secure, in the form of the padlock icon in the browser. We were taught to search for it and beware of making transactions online without it. However, simply securing the data as it passes to the merchant is like keeping your eyes open while driving. It would be a bad idea to drive with your eyes closed, but keeping your eyes open isn’t a guarantee that you won’t crash your car. In other words, while the data may be transmitted securely to the merchant, there is no visible indication for a consumer how a merchant is handling your data after it is received and the connection has ended.

Merchants can theoretically keep your entire customer profile in clear text and yet have the padlock icon show up during the transaction, as the communication is indeed secured by an SSL connection. And while the companies that are hired to conduct compliance validation may provide merchants that use their services a special badge to put on their site (i.e. “Secured by…”), these are far from being a standard. They are placed on every site in a different location, and searching for these badges can turn into a “Where’s Waldo” game.

Some of you may have noted that there’s already a data security standard that has been defined by the payment card industry – PCI DSS (which literally stands for “Payment Card Industry Data Security Standard”). However, PCI DSS compliance may be a bad indicator for the way merchants handle card data for a simple reason. PCI DSS is a holistic standard which refers to many aspects of security – from the storage of sensitive data to securing wireless networks and applications.

While it may be true that merchants who are truly PCI DSS compliant dramatically decrease the risk of suffering from a breach, it is not uncommon for some merchants, once they receive their badge of approval, to fail to maintain that compliance. However, if an organization fails to proactively patch system vulnerabilities on a regular basis for example, that PCI DSS compliance certification is really no longer valid, even just days after it was issued.

Therefore, PCI DSS compliance is a very fluid state and therefore any claim of compliance may be inaccurate, even mere days after an audit. It also means that merchants that are not PCI DSS compliant may still properly encrypt and hold on to the sensitive data. Their lack of compliance may originate from security gaps in their infrastructure which of course is not ideal, but it’s a very easy situation to get into. If the infrastructure isn’t completely secured – at least have the data in it stored securely. As the way data is stored is much more constant, an indicator that refers only to those specific guidelines in the PCI DSS would provide a much more accurate indication to consumers. “Someone may still come barging through the window, but if they do, know that your jewelry is stored in the safe”.

Such an indicator should not replace PCI DSS, which is the standard every merchant should strive to achieve, but instead be an addition indicating that a certain bare minimum is kept. In the same fashion as SSL encryption is visible, why not make merchants visibly identify that they are taking precautions to store a consumers’ data with encryption, tokenization or some other type of strong data masking after the transaction has occurred? These could be obtained after an audit by compliance companies that were verified by Visa (pun intended) and other organizations in the payment card industry. As buyers refrain from doing business with merchants that do not have the padlock icon showing up in the billing page (in some geographies in the world more than others), a similar standard indicator could have the same effect. That, in turn, would force merchants and shopping cart software developers, to handle consumer data in an encrypted manner.

While having all merchants PCI DSS compliant is a very worthy goal to strive for, in this far from ideal world, consumers should know which merchants are investing in their security and which ones are not. The additional, limited security standard should not lower merchants’ motivation to become PCI DSS compliant, as the rewards and punishments for being compliant or non-compliant shouldn’t change. A new type of standard may require a whole new ecosystem and consumer education, which probably makes this article a bit naïve. However, when security stops being driven by the demand to meet compliance and becomes an integral part of a merchant’s bottom line, it would serve as a catalyst to protect all of us just a little bit better.

Read More Cybercrime Columns in the SecurityWeek Cybercrime Section

view counter
Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center, as well as the unique insight he has gained by the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise into the underground fraud economy and how cybercriminals operate.