DigitalRadar

Jan 21 2009

Heartland Payment Systems Network Security Breach

As the investigation into the recent security breach at HPS is still ongoing, and since little data is available yet, I can only attempt to state some of the facts gleaned from the various sources and try to analyze from there.

Apparently there are two key parts to the breach. One involved keylogger malware planted on a PC. This keylogger was used to capture a specific username and password and send them back to the Internet, somehow managing to bypass the firewall.

The second part involved a sniffer program planted on a few servers that are involved in processing the transactions. There is also a possibility that an insider assisted in making this hack successful.

The clever part of the hack is that the sniffer program must be planted in the right location, where the data is unencrypted during the processing of the transactions. Otherwise, the data is gibberish and useless to the hacker.

One of the major flaws here is probably in the segregation between the critical infrastructure of the payment processing network and the more general network that has direct Internet connectivity.

If this more sensitive network has direct Internet access and the firewall that safeguards the outbound traffic is not properly configured, the risk of the data being captured and sent out is much greater.

The new security tool that is being deployed to detect this sort of real-time network anomaly will not prevent this; it is only reactive and will trigger an alarm when it happens.
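The outbound-firewall point above can be checked from flow logs: under a default-deny egress policy, a permitted connection from the payment segment to a non-allowlisted Internet destination is a misconfiguration, while a denied one is what a reactive alarm would fire on. The following is an added example, not part of the original post; the subnets, allowlist, log format and sample records are all constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration, not details of the HPS network.
PAYMENT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default-deny egress: the only external (network, port) pairs the segment may reach.
EGRESS_ALLOWLIST = [(ipaddress.ip_network("198.51.100.0/28"), 443)]

# Constructed flow records: timestamp, source, destination, dest port, firewall action.
SAMPLE_FLOWS = """\
2024-01-01T02:14:07 10.20.0.15 198.51.100.4 443 ALLOW
2024-01-01T02:14:09 10.20.0.15 203.0.113.77 80 ALLOW
2024-01-01T02:15:30 10.20.0.22 10.30.1.5 1433 ALLOW
2024-01-01T02:16:02 10.10.4.8 203.0.113.77 80 ALLOW
2024-01-01T02:17:45 10.20.0.22 203.0.113.90 6667 DENY
this line is malformed
"""

def audit_egress(log_text):
    """Return (permitted, blocked) non-allowlisted Internet flows from the payment segment."""
    permitted, blocked = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, port, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # unparsable address or port
        if src_ip not in PAYMENT_SEGMENT:
            continue  # only the sensitive segment is audited here
        if any(dst_ip in net for net in INTERNAL):
            continue  # internal traffic is a segmentation question, not egress
        if any(dst_ip in net and port_no == p for net, p in EGRESS_ALLOWLIST):
            continue  # expected outbound traffic
        # ALLOW means the firewall let it out (policy gap); DENY means it was stopped.
        (permitted if action == "ALLOW" else blocked).append((ts, src, dst, port_no))
    return permitted, blocked

if __name__ == "__main__":
    permitted, blocked = audit_egress(SAMPLE_FLOWS)
    for flow in permitted:
        print("EGRESS POLICY GAP:", *flow)
    for flow in blocked:
        print("blocked attempt (investigate host):", *flow)
```
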

It seems the breach HPS disclosed involved its older network, which handles approximately 1 billion transactions yearly. However, the other network, which belongs to the company it recently bought and handles 3 billion transactions, was not at risk.

Knowing all these facts now, one can raise plenty of further questions, or even question how confident HPS is that the other network has not been breached.

The company's shares went south 8% when the news broke.

Additional resources:
http://www.informationweek.com/story/showArticle.jhtml?articleID=212901505
http://blog.wired.com/27bstroke6/2009/01/card-processor.html
http://www.bankinfosecurity.com/articles.php?art_id=1168
