
How to really prepare for a credit card compromise (PCI) forensics investigation: An ex-QIRA speaks out - David Barnett


Description

Reviewing cases ranging in size from your neighborhood bar to the massive TJX case, an ex-QIRA will discuss the dirty inside secrets of the card associations and QSAs. Drawing on lessons learned from dozens of past forensic cases, this presentation will highlight how to prepare for a PCI-mandated forensics investigation, including: what steps should be taken to limit fines and fees, how to ensure you have proper legal representation, how to limit the scope of the investigation, and what questions to ask before deciding who will conduct the forensic investigation.


Page 1

Preparing for a PCI forensic investigation

An ex-QIRA speaks out

Copyright 2010

Page 2

What is a QIRA?

Qualified Incident Response Assessor

They are the special investigation units of the Payment Card Industry who have PCI knowledge and forensic examination skills (supposedly)

Page 3

David Barnett

Sr. Security Architect, Orbitz WorldWide

also - Sr. Consultant, Blue-Lava - Financial crimes forensic/fraud

Ex Forensics Investigator for a QSA (QIRA)

Consultant/Educator for US Secret Service, DHS, FBI, and DoD.

Participant, HoneyNet Project

[email protected] or [email protected]

Page 4

Why this talk

Conversations with David Taylor from PCI Knowledge Base.

Provided a wealth of data from interviews and anonymous questionnaires.

Dave passed away suddenly from a heart attack on Oct 27, 2009.

Breach war stories have been done ad nauseam, poorly most of the time

Page 5

Breaches affect all merchant levels

Page 6

Level 4 Merchants

Page 7

Multi-Site Franchises

Page 8

Big Corporations

Page 9

Incident Response Plans should basically be the same for all merchant levels

Page 10

Lessons from 100+ CC investigations

Find the right lawyer

Pick your forensics investigator*

Know how to work with your merchant bank and the card associations

Ensure your software/hardware vendors, VARs, subcontractors, etc. take responsibility for their work

Prepare for the QIRA onsite investigation

*note - forensic (QIRA) vs. other forensic entities

Page 11

How did we get here?

Page 12

In the beginning:

US Secret Service and Card Associations saw individual breaches, not the wider common attack trends

Investigated them as isolated breaches

Remediated as isolated cases

No or little breach trending

Page 13

Page 14

Let’s talk a little about breaches

Page 15

The fundamental ways data breaches occur -

Theft or Loss of Physical Equipment: such as laptop computers or memory storage devices.

Illegal access to the systems or information: A data breach can occur through unlawful access to PII data by technological means such as hacking into existing computer systems.

Insiders: A data breach can be committed by current employees, ex-employees

Page 16

A credit card breach = PCI forensics onsite

Who is allowed to perform forensics?

Only Qualified Incident Response Assessors

Master list at http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html

The list has changed over the last few years - Last BIG update January 11, 2010 (only 3 companies when I was in the thick of it)

The process of who can be one and who can’t makes no sense at all - though it looks to be improving

Page 17

How are merchants notified? or “Why are they picking on me?”

Almost all notification is due to the merchant ID being identified by one of the card brands as a Common Point of Purchase (CPP) or Point of Compromise (POC)

This is the one method by which a merchant or processor can be identified as the breach point in a payment card fraud / compromise

Page 18

In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards had been involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, it’s very difficult to end up with false positive fraud once a margin of error is established.

Page 19

Card issuers may request that MasterCard initiate an investigation of a merchant for possible CPP activity at any time.

Acquiring banks have 5 business days to acknowledge a request from MasterCard for a CPP investigation and 30 calendar days to complete the investigation. Failure to respond may result in fines or assessments. $$$$

Only MasterCard, not a member bank, may designate a merchant location as a CPP and request that an acquiring bank conduct a CPP investigation. MasterCard will identify a merchant location as a CPP from one or more of the following sources:

Information received from law enforcement and investigative authorities

Card issuers in accordance with the established criteria

MasterCard systems, databases, and any other source deemed to be reliable
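As an added illustration of the CPP logic described on pages 17-19 (example code written for this edit, not anything from the presentation or from Visa/MasterCard), the sketch below takes constructed authorisation records and fraud reports and scores each merchant on how much of the fraud cohort transacted there before the fraud was reported. The card tokens, merchant ids, dates and thresholds are all assumptions; the minimum-card threshold plays the role of the "margin of error" the slide mentions, and the merchant fraud rate guards against flagging a large merchant that simply sees most cards anyway.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not from the presentation. An issuer or card brand
# sees authorisations keyed by a tokenised card reference, never a raw PAN.
# Tuple layout: (card_token, merchant_id, authorisation_date)
AUTHORISATIONS = [
    ("tok-01", "M-BAR", date(2010, 1, 5)),
    ("tok-02", "M-BAR", date(2010, 1, 8)),
    ("tok-03", "M-BAR", date(2010, 1, 12)),
    ("tok-04", "M-BAR", date(2010, 1, 15)),
    ("tok-05", "M-BAR", date(2010, 2, 12)),   # visit AFTER its fraud report
    ("tok-06", "M-BAR", date(2010, 1, 9)),    # customer never reported as fraud
    ("tok-01", "M-GROC", date(2010, 1, 6)),
    ("tok-02", "M-GROC", date(2010, 1, 7)),
    ("tok-03", "M-GROC", date(2010, 1, 9)),
    ("tok-04", "M-GAS", date(2010, 1, 14)),
] + [(f"tok-{n:02d}", "M-GROC", date(2010, 1, n)) for n in range(6, 13)]

# Cards the issuers have reported as used fraudulently, with the report date
# (constructed values).
FRAUD_REPORTS = {
    "tok-01": date(2010, 2, 1),
    "tok-02": date(2010, 2, 3),
    "tok-03": date(2010, 2, 5),
    "tok-04": date(2010, 2, 2),
    "tok-05": date(2010, 2, 10),
}


def merchant_stats(auths, fraud_reports):
    """Per merchant: how many cards of the fraud cohort shopped there before
    their fraud date, what share of the cohort that is, and the merchant's
    own fraud rate (fraud cards / all distinct cards seen) as a baseline."""
    all_cards = defaultdict(set)     # merchant -> every distinct card seen
    fraud_before = defaultdict(set)  # merchant -> fraud cards seen pre-fraud
    for token, merchant, when in auths:
        all_cards[merchant].add(token)
        reported = fraud_reports.get(token)
        # Only a visit that precedes the fraud can explain the fraud.
        if reported is not None and when < reported:
            fraud_before[merchant].add(token)
    cohort = len(fraud_reports)
    stats = {}
    for merchant, cards in all_cards.items():
        hits = len(fraud_before[merchant])
        stats[merchant] = {
            "fraud_cards": hits,
            "cohort_share": round(hits / cohort, 2) if cohort else 0.0,
            "merchant_fraud_rate": round(hits / len(cards), 2),
        }
    return stats


def cpp_candidates(stats, min_cards=3, min_share=0.75, min_rate=0.5):
    """Flag Common Point of Purchase candidates. min_cards is the margin of
    error: below it the overlap is treated as coincidence. min_rate rejects a
    merchant whose overlap is explained by sheer volume of customers."""
    flagged = [
        m for m, s in stats.items()
        if s["fraud_cards"] >= min_cards
        and s["cohort_share"] >= min_share
        and s["merchant_fraud_rate"] >= min_rate
    ]
    return sorted(flagged, key=lambda m: -stats[m]["fraud_cards"])


if __name__ == "__main__":
    s = merchant_stats(AUTHORISATIONS, FRAUD_REPORTS)
    for merchant, row in sorted(s.items()):
        print(merchant, row)
    print("CPP candidates:", cpp_candidates(s))
```

With the constructed data only M-BAR is flagged: M-GAS saw one fraud card (below the margin of error) and M-GROC saw three of five but at a 30% fraud rate across its ten customers.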

Page 20

“Hello, you’ve been breached”

Now what?

Page 21

It is important to move swiftly

1. Follow your completed Data Breach Incident Response Plan

2. Document all ongoing events, all people involved, and all discoveries into a timeline for evidentiary use. The following is a list of actions that are going to need to be taken when a breach occurs:

Page 22

Visa Fraud Investigations CISP Team has their own agenda, though they state the following:

1. Works with the compromised entity to obtain all potentially compromised account numbers.

2. Disseminates "at risk" account numbers (or data) to the issuing banks.

3. Begins monitoring the activity on the affected accounts.

4. Works with the appropriate law enforcement on the entity’s behalf.

5. Provides guidelines to the compromised entity to assist them in responding to the incident.

6. Works with the entity to identify security deficiencies.

7. Facilitates forensic investigation in a timely manner.

8. Ensures the entity takes corrective action to minimize the risk of future loss or theft of account information.

9. Works with the entity to verify PCI DSS compliance in an expedited timeframe.

Page 23

Account Data Compromise Recovery (ADCR) process:

Visa validates whether the compromise meets ADCR criteria (full track, 10,000+ US accounts, incremental magnetic stripe counterfeit fraud on accounts)

Visa calculates and advises the acquirer of its potential ADCR financial liability

At the end of the issuer fraud reporting window, Visa calculates the actual fraud and operating expense liability due to each participating and impacted issuer, and notifies acquirers and issuers of their respective liability and reimbursement

Page 24

From Breach to Fraud - Typical Timeline

Page 25

Compromised Account Management System (CAMS):

Merchant discovers account compromise and notifies its acquiring bank

Compromised (or suspected) accounts are uploaded into CAMS for monitoring

Visa investigates to determine if an account compromise has occurred and sends CAMS alerts to affected issuers to notify them of compromised accounts

Affected issuers monitor, block or close compromised accounts

Page 26

Post notification, know what you’re expected to do, what you need to do, and the difference

Page 27

Visa-mandated steps in the event of a suspected payment card data breach

Immediately contain and limit exposure

Alert all necessary parties immediately

Provide all compromised accounts to your merchant bank within 10 days

Provide an Incident Response Report within 3 days to your merchant bank

Page 28

What you’re expected to do by the card associations

The development of an Incident Response Plan is mandated by the PCI DSS in Requirement 12.9:

12.9.1: Create an incident response plan

12.9.2: Test the plan at least annually

12.9.3: Designate specific personnel to be available on a 24/7 basis to respond to incidents

12.9.4: Provide appropriate training to staff with security breach response responsibilities

12.9.5: Include alerts from IDS, IPS and file integrity monitoring systems

12.9.6: Develop processes to modify and evolve the IR plan according to lessons learned.

Page 29

Focus areas during the forensic investigation

Determine the type of cardholder information at risk

Determine how much cardholder information is/was at risk

Perform incident validation and assessment

Check for sensitive authentication data - Track data, CVV2 and PIN block storage

Review payment gateway, VisaNet endpoint security and risk

Preserve all electronic evidence

Perform an internal and external vulnerability scan

Was the merchant PCI compliant at the time of the breach?

Page 30

Be sure to contact -

Your internal information security group and incident response team.

Your merchant bank.

Your local office of the United States Secret Service.

If you do not know the exact name and/or contact information for your merchant bank, notify Visa Fraud Investigations and Incident Management group immediately at (650) 432-2978.

Page 31

Provide all compromised Visa, Interlink, and Plus accounts to your merchant bank within 10 business days.

All potentially compromised accounts must be provided and transmitted as instructed by your merchant bank and Visa Fraud Investigations and Incident Management group.

Visa will distribute the compromised Visa account numbers to Issuers and ensure the confidentiality of entity and non-public information.

Within 3 business days of the reported compromise, provide an Incident Report document to your merchant bank

Page 32

Know the key stakeholders

Page 33

..and know them intimately

Merchant POS Software/hardware

Merchant Bank

Card Association

Payment Gateway

Acquiring Bank

Processor

Page 34

Be Prepared to Answer the Following

Initial point of entry

Timeline of events

Intruder information

Data exfiltrated and exposed

Compromised accounts

Malware

Network architecture and application overview

Logging and monitoring

Investigative methods

Regulatory review

Encryption

Containment efforts

Page 35

Per Visa - Identify and establish relationships/agreements with key vendors, including:

Outside IT security forensics experts who can investigate if, when and how a breach occurred, and how to close and repair your system.

“Visa requires its partners to use external experts for this function, and doing so is critical to establishing credibility with the media, customers, investors and other key audiences. Also, consider using a different vendor from the one that may have done previous security assessments.”

Page 36

Identify how the breach happened, contain the breach, and implement a solution so it cannot happen again

Notify appropriate people within the company

Notify External Agencies, within required time frames, such as:

›› Forensics Investigator

›› Law Enforcement

›› Affected vendors, suppliers

›› FTC

›› State Attorneys General (where applicable)

›› Consumers

Page 37

Visa and MasterCard are not interested in forensics, they are interested in risk mitigation.

Visa maintains relationships with their QSAs for a reason

Tend to work with the same people throughout the PCI-DSS world; for example, the same people move from a QSA company to the PCI SSC (PCI Security Standards Council)

Creates an echo chamber

Lack of knowledge of modern forensics

Place artificial pressure on investigators to get out a compromise time frame

Would rather wind down a case on lax evidence than determine the true cause of the compromise and compromise patterns

Saw this all the time while a QIRA

Page 38

Important breach issues

Breach Issues:

Mandated breach notification

Media reporting

Negative customer reaction

Cost associated with brand damage and lost revenue

Action Items:

Which states require notification

Hire a firm for media coverage and creating early press releases

Early customer communications

Page 39

Breach Fines (the ugly truth)

Page 40

Fines, according to the card associations

Stiff fines and penalties ranging from $10K-$500K per month for non-compliance

$500K fine per credit card data compromise incident if not PCI compliant

$100K fine if Visa is not immediately notified of a suspected data breach

If track data or other sensitive data elements were compromised, the merchant can be assessed the estimated cost of fraud under Visa’s ADCR Program as well as the cost of card re-issuance (est. $7-$20 per card)

Potential termination of credit card processing privileges

Page 41

Monthly Prohibited Data Storage Violation Fines

                   Months 1-3   Months 4-6   Months 7 and up
Merchant Level 1   $10,000      $50,000      $100,000
Merchant Level 2   $5,000       $25,000      $50,000

Fines for Merchant Data Compromise

Up to $600,000 for non-compliance with PCI DSS requirements.

Issuer Recovery Cost of Fraud. Charges that occurred on all exposed cards from the compromised location.

The cost of the forensic investigation.

The cost to replace exposed credit cards.

Page 42

Large discrepancies in the per incident cost between large level 1 merchants and level 4 merchants

An average fine for a single food services merchant (a local bar) was $350k, not including:

Lawyers’ costs

Forensics assessment, incident investigation and containment

Upgrading non-compliant POS software & IT and security remediation and enhancements

Identity protection for impacted individuals (~$30 per person)

Cost associated with onsite validation for 1 year - now a Level 1 merchant

Class action lawsuits and liability in the event that privacy data was compromised

In reality, fines have been handed down with no consistency

Page 43

The Heartland Data Breach Aftermath

"Visa sent customized settlement information packets to the affected financial institutions on January 14, 2010. In order to accept the settlement, a financial institution was required to affirmatively complete and return the settlement paperwork to Visa by January 29, 2010," said the statement from lawyers representing some of the impacted banks. "The offers--at least those reviewed by class counsel--appeared to be less than 10 cents on the dollar for most financial institutions and some at less than 1 cent on the dollar."

Page 44

Other issues to deal with

Page 45

Make sure you know a qualified lawyer and call them immediately

A good lawyer can make all the difference in the penalty phase

Page 46

Interview your lawyer

Does the lawyer have:

A dedicated Internet law department?

An in-house forensics professional?

Do they know what PCI is?

Have they worked with and do they know key individuals at Visa/MasterCard, the banks, processors, etc.?

How many digital crimes cases have they handled?

Page 47

Merchant Bank

Know your merchant bank’s Point of Contact for fraud/PCI

Call them. Get to know this person. Take them for a beer.

They will be involved early in the process, up until the very end.

They typically know their counterparts at the card associations

But wait, do you have a processor who isn’t your merchant bank? Better find out and give them a call too!

Ensure these people are your advocates.

Page 48

Hardware/Software Vendors

For level 4 merchants this can be quite complicated

Page 49

Where does the responsibility lie?

Page 50

Large Merchants

Per incident costs typically lower than level 3 or 4 merchants

IT staff

Leverage with manufacturers

Media/Marketing Dept. to control the message

Page 51

The “favorites” game

Several instances of medium to large size breaches which remain off all breach lists and out of the media

Good legal representation early in the process

Tend to lay blame on the software/hardware vendors

Card Associations deathly afraid of Full Disclosure

These and other issues have led to many complaints about the ADCR process

http://Datalossdb.org unofficial master record-keeper of breaches

Page 52

In an interesting development, a handful of issuing banks impacted by the Heartland breach have filed a class action lawsuit against two acquiring banks related to Heartland Payment Systems. According to this article, the issuing banks are unhappy with Heartland's proposed settlement with Visa. This appears to be an attempted end-run around the proposed $60 million settlement with Visa. It also may demonstrate that issuing banks are not satisfied with the dispute resolution mechanisms under the Visa Operating Regulations (the Account Data Compromise Recovery process estimated the loss at $140 million, yet the settlement was for only $60 million), and their ability to be made whole under those mechanisms.

From 01/21/2010 www.infolawgroup.com

Page 53

Breach Trends

Just as merchants shop for PCI assessors (QSAs), merchants shop for QIRAs

This tends to skew a specific company’s analysis

Page 54

TrustWave: Hospitality 38%*, Financial services 19%, Retail 14%, Food and beverage 13%

Verizon CyberTrust: Retail 31%, Financial services 30%, Food and beverage 14%, Hospitality 6%, Other 17%

Symantec: Education 27%, Government 20%, Health care 15%, Financial 14%, .............

Page 55

Trend Analysis

Trend numbers from each company by themselves should not be taken all that seriously

Some basic trends can be seen when viewed outside the confines of these companies

www.datalossdb.org is a good overall source for breach data but ... several breach cases I worked on and am aware of are not on their list

Page 56

Definite trends can be seen when viewed outside the confines of each of the forensics companies

Page 57

Next up ..... banks

(February 16, 2010) A Michigan-based manufacturing firm is suing its bank after online crooks depleted the company's account by $560,000 via a series of unauthorized wire transfers last year.

The lawsuit is one of several that have been filed over the past few months involving banks and customers victimized by online theft. In this case, the theft occurred after an employee at EMI supplied the crooks with the company's online banking credentials in response to a phishing e-mail that purported to come from the bank.