Heartland Payment Systems: remember that decade-old breach?
What was then the sixth-largest payments processor in the US announced back in 2009 that its processing systems had been breached the year before.
Within days, it had been classified as the biggest ever criminal breach of card data. One estimate claimed 100 million cards and more than 650 financial services companies were compromised, at a cost of hundreds of millions of dollars. Prosecutors have said that three of the corporate victims reported $300m in losses.
The “biggest ever” designation applied to Heartland, but it was one of many corporate victims in a worldwide hacking and data breach scheme that targeted major networks. In total, the hacking ring responsible for the Heartland attack compromised 160 million credit card numbers: the largest such scheme ever prosecuted in the United States. Individual consumers also got hit, incurring what court documents said were “immeasurable” losses through identity theft, including costs associated with stolen identities and false charges.
It might be an old breach, but it hasn’t been collecting dust.
On Wednesday, the US Attorney’s office of New Jersey announced that two Russians belonging to the hacking ring that gutted Heartland, other credit card processors, banks, retailers, and other corporate victims around the world have been sent to federal prison.
Both had pleaded guilty in 2013.
Russian national Vladimir Drinkman, 37, had previously pleaded guilty to one count of conspiracy to commit unauthorized access of protected computers and one count of conspiracy to commit wire fraud. He’s been sentenced to 12 years in prison. Dmitriy Smilianets, 34, of Moscow, had previously pleaded guilty to conspiracy to commit wire fraud against a financial institution and was sentenced to 51 months and 21 days in prison: time served.
So that makes it three down: The infamous American “superhacker” and mastermind of the mammoth hacking ring behind the breach, Albert Gonzalez, was sentenced in March 2010 to 20 years in prison.
Three down, three more to go. On the fugitive list: Alexandr Kalinin, who, along with Drinkman, allegedly specialized in penetrating network security and gaining access to the corporate victims’ systems; Roman Kotov, another Russian hacker who allegedly specialized in mining corporate networks to steal valuable data; and Mikhail Rytikov, a Ukrainian who allegedly provided the gang with anonymous web-hosting services.
The conspirators handed the ripped-off data to Smilianets to sell; it was also his job to parcel out the proceeds from selling the ill-gotten data.
The gang targeted companies including NASDAQ, 7-Eleven, Carrefour, JCP, Hannaford, Heartland, Wet Seal, Commidea, Dexia, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.
They turned the financial data – card numbers and associated data that they called “dumps” – into profit by selling it either through online forums or directly to individuals and organizations. Prosecutors said Smilianets sold the data exclusively to identity theft wholesalers.
The going rate was $10 for each stolen American credit card number and its data, $50 for each European card number and data, and about $15 a pop for Canadian credit cards and data. Repeat customers and those who bought in bulk got a discount. Then, the purchasers would encode each data dump onto the magnetic stripe of a blank plastic card and cash it out by withdrawing money from ATMs or buying stuff with the cards.
To cover their tracks, Rytikov allegedly allowed his internet service provider (ISP) clients to hack away, ostensibly safe in the knowledge that he’d never keep records of what they were up to nor rat them out to police.
The conspirators pried open corporate networks by using an attack that’s as old as dirt: SQL injection.
It wasn’t only SQL injection that pierced the hide of all those companies, though SQL injection vulnerabilities exposed their tender bellies quite nicely. After penetrating networks, the attackers would avoid detection by tweaking settings on company networks so that security mechanisms couldn’t log their actions, or they managed to figure out how to slip past the protection of security software entirely.
The hackers also used sniffers – programs that identify, collect and steal network data. Once they had it, they sent it to an array of computers located around the world, storing it until they ultimately sold it.
So no, it wasn’t just SQL injection vulnerabilities that led to companies and consumers being bled for hundreds of millions of dollars. Sloppiness played its part, both in the companies that left those vulnerabilities open and in the hackers themselves. These weren’t elite hackers, after all: they were caught thanks in no small part to having posted their holiday snaps online and letting their mobile phones broadcast their location to the cops on their trail.
But it shows how far you can go if a company exposes its soft and fleshy parts to the internet.
As Naked Security’s Mark Stockley has noted, coding a website so it’s protected from the kinds of attack it’s most likely to face (SQL injection is a perennial favorite on Akamai’s State of the Internet Security Report) is an old story. Mostly, hardening defenses to protect against them isn’t fancy work: it’s just about doing a lot of tedious work, but doing it thoroughly.
If websites are properly coded then anything anyone enters in an input field is scrubbed and cleaned until it can do no harm. If websites were properly coded then SQL injection and XSS attacks would have disappeared long ago.
SQL injection can be killed stone dead by the simple expedient of using parameterised database queries – but only if you have the discipline to use them everywhere, all the time.
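As an added illustration, not code from the original article, here is the same login lookup written both ways in Python’s standard sqlite3 module against a constructed in-memory table. The string-built query lets quote characters in the input rewrite the query’s logic, while the parameterised query compares the very same input as plain data and matches nothing:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table; not data from any company named above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_concatenated(conn, username, password):
    # Vulnerable pattern: input is spliced into the SQL text, so a value
    # containing quotes becomes part of the query's structure, not its data.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, username, password):
    # Hardened pattern: the query text is fixed; the values are bound
    # separately and the database only ever compares them as data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = build_db()
    hostile = "' OR '1'='1"  # the classic quote-breaking input
    return {
        "legit_concat": login_concatenated(conn, "alice", "correct-horse"),
        "legit_param": login_parameterised(conn, "alice", "correct-horse"),
        "hostile_concat": login_concatenated(conn, "x", hostile),
        "hostile_param": login_parameterised(conn, "x", hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated version returns every user for the hostile input because the injected `OR` clause is always true; the parameterised version returns no rows, which is the whole point of using bound parameters everywhere.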