When Data Processors International (DPI) revealed in February that an “unauthorized outside party” ran off with more than five million Visa and MasterCard account numbers and expiration dates, it got an instant wakeup call.
Not only were the credit card customers accounts potentially at risk, so was the companys reputation for trustworthiness.
Luckily, the accounts werent abused. “Theres nothing to tie the card numbers to personal data,” says N. Scott Jones, spokesman for DPI. “There havent been any reported incidents of misuse.”
That was the good news for DPI, a 40-employee subsidiary of Dallas-based transaction processing company TransFirst. The bad news: Analysts say fraud cases could emerge if the thief does manage to connect numbers with names. And theres more bad news: DPI in the meantime will have to fight to repair its network and to keep business with Visa and MasterCard.
“In these situations, the trust is the one thing that suffers,” says Rebecca Base, CEO of Infidel Inc., a Scotts Valley, Calif., network-security consulting firm. “In a down economy, an event like this could cost you your business.”
Its also unclear what effect the DPI incident will have on TransFirst. DPI runs on a separate network from TransFirst, which is offering DPI technology resources, says Jones, who couldnt reveal what platform the two companies use. TransFirst processes more than $8 billion in annual sales volume for more than 64,000 merchants and 520 banks.
Visa and MasterCard have security policies that processors and merchants in the network must follow. Visa calls its requirements the “dirty dozen,” which require parties to maintain firewalls, patches and antivirus software, encrypt data, track and restrict access and implement a security policy. Failure to comply with Visas requirements can result in a fine, restrictions or permanent prohibition. MasterCard has similar “best practice” requirements.
DPI, based in Omaha, typically processes catalog and other transactions where a card isnt present. Because it is privately held, DPI has said little about the intrusion. Visa and MasterCard declined to comment beyond statements, citing an ongoing investigation by the Secret Service and FBI.
Jerry Brady, chief technology officer of security consulting firm Guardent, says the volume of credit card numbers indicates an inside job—contrary to DPIs statement—or a slow network leak where a thief accumulated numbers over time.
“Id bet my bottom dollar on an insider attack due to the volume,” said Brady. “With the big numbers theres a three-to-one probability its internal.”
Regardless, the highly publicized intrusion is likely to teach technology executives some valuable lessons.
For business leaders, the first lesson is to realize that seemingly unknown targets should consider themselves targets. Analysts note that hackers regularly troll for network weak spots and target companies that are low on the food chain, but have valuable data much like DPI.
Indeed, the “attack seems fairly unremarkable to me,” says Matthew Caston, senior principal of consulting firm AMS enterprise security group. “Im not surprised because these hacks are a fairly regular occurrence.”
Simply put, you have to assume that hacking incidents occur in your industry even if you dont hear about them. “Image is everything,” says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins. “Someone can steal $500,000, but the bad PR could make you lose $3 million in business.”
Security by Obscurity
Security by Obscurity
According to Caston, DPI probably benefited from “security by obscurity” until now. After the attack, its likely to have a bulls-eye on its network not long after the feds clear out.
The plans—or lack of them—that DPI had in place ahead of the attack will go a long way to determining how quickly itll recover. Executives need to prepare for a hack and map out plans and procedures before it even happens.
“Having a plan in these situations makes all the difference,” says Infidels Bace. “It helps to think these things out before youre in a crisis.”
The intrusion plan should include: creating an emergency response team either in-house or contracted out, clarifying decision-making and weighing options for various attack scenarios.
Bace also tells clients to take a “footprint” of your system with software from a vendor like Tripwire. Taken during normal operation, this footprint of the network and its applications can serve as a baseline for when things go awry. Ultimately, this snapshot helps project managers see what an attacker changed.
With the planning in place, analysts say responding to an intrusion is much like putting out a fire or working in an emergency room. Analyze the problem, contain it with a short-term fix, eliminate the issue and then ultimately fix it.
The main goal after an attack is to fix the problem and keep the business running, says Brady. That means cutting over to your disaster recovery plan or “cold” backups—offline mirror systems—to keep operations going.
But beware some short-term fixes. One big mistake is to patch the hole and move on—you could be sealing in malicious code. “Simply patching a system after its hacked is analogous to letting a burglar in your house and then locking the door—if hes in, hes in,” says Caston.
Consultants say the response depends on the situation. Typical first responses include disconnecting a compromised system from the network and changing passwords.
Even those steps, however, can be complicated without forensic analysis done either in-house or through security consultants. “Unless you have absolute knowledge of how a hacker got in, you have to analyze everything on the network,” says Caston.
More complications can depend on whether the law is involved. Conflicts in the DPI case could emerge because the law enforcement goals to preserve evidence can hold back the companys efforts to resume business.
“Law enforcement has specific procedures and rules of custody and they are picky about sharing information,” says Bace. “But they are getting better at collecting data in a way that doesnt affect operations.”
After the immediate crisis passes, business leaders may choose to rejigger network architecture to prevent future attacks. Rubin suggests installing “honey pots”—repositories of fake data—to throw hackers off the trail, reconfiguring firewalls and separating databases that hold key information.
Once a company is confident its network is ready for business, executives have to go out and mend some fences. The attack on DPI resulted in added expense for other companies in the credit-card food chain.
PNC Bank, based in Pittsburgh, decided to replace 10,000 active cards to allay customer worries, says PNC spokesman Brian Goerke.
Goerke wouldnt reveal how much the new cards cost PNC, but Gartner estimates replacement cards run $35 each.
“If youre smart and you make it, you come back up in a different environment,” says Bace. “Then you need to talk about what steps you took to make damn sure this doesnt happen again.”
What You Should Do
- Think ahead. Establish clear policies in case of an intrusion and create an emergency response team.
- Find your footprint. Create a clear map of your hardware, software and files so you know what your network looks like in a normal state. It will help you see what changed in the event of a hack.
- Contact allies. Touch base with law enforcement before an emergency as well as immediately after a hack.
- Contain the damage. If hit, disconnect the compromised system from the network.
- Rebuild, rearchitect. As you work through recovery, consider a different architecture to prevent future attacks.