When I am not indulging myself with a slice of very lemon pie, I am often dealing with issues similar to the ones raised by the recent Heartland breach. Details have been limited, of course, as the investigation works its way along. This is normal. It is the same in every incident, even outside technology.
Consider, however, the spin now coming from the Heartland CEO:
“I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks,” [CEO Robert] Carr noted. “Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week.”
This is nice in principle, but the fact is nothing prevents institutions from sharing details of previous intrusions. The payment card brands, as well as the US Department of Commerce, release bulletins and notices of previous intrusion details. Moreover, auditors are always looking for evidence of known vulnerabilities, so one has to wonder where Carr has been lately. What more information would have helped him, and from whom? If he wishes for a way to protect against a zero-day or custom attack, then there is a whole other level of information sharing that I suspect his organization is not prepared for yet.
The CEO continues:
Heartland’s goal is to turn this event into something positive for the public, the financial institutions which issue credit/debit cards and payments processors.
Carr concluded, “Just as the Tylenol(R) crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data – and therefore businesses and consumers – much more effectively.”
The Tylenol crisis spawned a wave of copy-cat attacks, so it is actually a very good example of the repeated-technique problem Carr describes. Carr is smart to reference this, as well as to reuse the same PR/recovery campaign that Johnson and Johnson ran. I discussed this on Schneier’s blog a few years ago.
…returning to business-as-usual also was helped by a PR campaign to “communicate the message that the company is candid, contrite, and compassionate, committed to solving the murders and protecting the public” [Jerry Knight, “Tylenol’s Maker Shows How to Respond to Crisis” Washington Post, October 11, 1982].
Back to the Heartland CEO press release, I also noted how Carr tries to cast himself as an encryption advocate:
For the past year, Carr has been a strong advocate for industry adoption of end-to-end encryption – which protects data at rest as well as data in motion – as an improved and safer standard of payments security. While he believes this technology does not wholly exist on any payments platform today, Heartland has been working to develop this solution and is more committed than ever to deploying it as quickly as possible.
I searched but found no representative from Heartland at encryption presentations, nor did I find Heartland security folks “sharing knowledge”.
Carr is perhaps playing the victim card by suggesting no solution exists and that he would use one if it did. The “we’re working on it” story is a typical delay tactic given to auditors so they can’t flag an outright violation.
In any case an encryption solution does exist and he could have adopted it already had it been a more pressing priority. For example, not only did I help commission and architect an encryption system in 2005 that he wishes for today, but we just announced that the Enterprise Key Management Infrastructure (EKMI) Technical Committee has voted the Symmetric Key Services Markup Language as a Committee Specification. I even presented on this topic at the Retail Security Forum in November of 2005.
In other words there is an open standard already done. Heartland clearly is behind the security curve, although they were arguably fine on the compliance curve. Given Carr’s statements, the question really is why such a forward-looking encryption advocate has not been more involved in the security space, or had his company more open to dialogue with those who are willing to share information. Again, I can see he is doing all the right things by common protocol and that is fine. I also think it is great he is on the end-to-end encryption campaign. Let us hope this will bring all the other “we are working on it but it will take time” and the “wish we could do more” CEOs along into fixing things.