Hacking for Profit and More: Lifecycle of Credit Card Data Breaches

3 April 2012

With the recent announcement of what the financial industry describes as a “massive breach” of data security at credit processor Global Payments, potentially affecting over ten million cards, it seemed prudent to take this opportunity to investigate and report on the lifecycle and nature of the activity associated with this kind of data theft.[1] Global Payments issued a press release on March 30th admitting that it had suffered unauthorized access to a portion of its processing system, and that it had identified the intrusion and self-reported it to IT forensics specialists and federal law enforcement.[2] Brian Krebs, the first to report on the issue, cites private alerts that Visa and MasterCard sent to card-issuing banks stating that the Global Payments system was compromised between 21 January and 25 February, and that the stolen data included the “Track 1” and “Track 2” data for these cards.[3] Magnetic stripe cards such as credit cards store three tracks of information, and ISO 7813 specifies the format of the first two.[4] These tracks carry sensitive information: the primary account number, the card issuer identification, a checksum digit, the cardholder’s name, the card expiration date, and so forth. The three- or four-digit “PIN verification value” or “Card Verification Value” printed on the card may also appear in the discretionary data section of the tracks, so capturing the track data is as good as capturing the physical card, and perhaps better, because it offers the thief more flexibility. The theft of so many cards means that any internal checksums that MasterCard or Visa layer on top of the ISO 7813 standard for added security are likewise compromised: with ten million data points to choose from, the attackers will no doubt be able to deduce any unique keys that feed the algorithms used to detect fraudulent cards. An IBM whitepaper details how Visa and MasterCard use DES encryption of the account number, expiration date, service code, and two keys, and these keys are precisely what an attacker would want to extract.[5]
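The track layout described above, as an added example that is not part of the original post: a Python scanner that parses ISO 7813 Track 1 (format B) and Track 2 records out of text such as point-of-sale logs, validates the PAN check digit (the Luhn check the post refers to as a checksum digit), and reports masked findings. This is the defensive side of the same format knowledge: a merchant or processor runs a check like this to discover track data being retained where it must not be. The log lines are constructed for the example, the PANs are the public Visa and MasterCard test numbers rather than real cards, and the `TrackRecord` field names and the `findings` helper are my own.

```python
"""Detect unmasked ISO 7813 track data in text such as point-of-sale logs.

Full Track 1 / Track 2 data must never be retained after authorization,
so a well-formed track record in a log line is itself a finding.
SAMPLE_LOG is constructed for this example; the PANs are the public
Visa/MasterCard test numbers, not real cards.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><SERVICE CODE><DISCRETIONARY>?
TRACK1_RE = re.compile(r"%B(\d{1,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2:            ;<PAN>=<YYMM><SERVICE CODE><DISCRETIONARY>?
TRACK2_RE = re.compile(r";(\d{1,19})=(\d{4})(\d{3})([^?]*)\?")


@dataclass
class TrackRecord:
    track: int
    pan: str                 # primary account number, check digit included
    name: Optional[str]      # cardholder name, Track 1 only
    expiry: str              # YYMM as encoded on the stripe
    service_code: str        # three digits describing usage restrictions
    discretionary: str       # issuer data; the post notes CVV/PVV material may sit here
    luhn_ok: bool

    @property
    def iin(self) -> str:
        """Issuer identification number: the leading six digits of the PAN."""
        return self.pan[:6]

    @property
    def masked_pan(self) -> str:
        """First six and last four digits, the usual PCI-safe rendering."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_ok(pan: str) -> bool:
    """Luhn (ISO/IEC 7812) check over the whole PAN; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_tracks(text: str) -> list[TrackRecord]:
    """Return all Track 1 and Track 2 records in text, in order of appearance."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        pan, name, exp, svc, disc = m.groups()
        hits.append((m.start(), TrackRecord(1, pan, name, exp, svc, disc, luhn_ok(pan))))
    for m in TRACK2_RE.finditer(text):
        pan, exp, svc, disc = m.groups()
        hits.append((m.start(), TrackRecord(2, pan, None, exp, svc, disc, luhn_ok(pan))))
    return [rec for _, rec in sorted(hits, key=lambda h: h[0])]


def findings(lines) -> list[tuple[int, TrackRecord]]:
    """(line number, record) for each Luhn-valid track record; a record whose
    check digit fails is treated as noise rather than a finding."""
    out = []
    for n, line in enumerate(lines, 1):
        out.extend((n, rec) for rec in parse_tracks(line) if rec.luhn_ok)
    return out


# Constructed sample: two lines leak full track data, one is correctly masked,
# one carries a malformed PAN that fails the check digit.
SAMPLE_LOG = [
    "POS-07 2012-02-14T09:31:02 auth ok amt=42.10 %B4111111111111111^DOE/JANE^13061011234567890123456?",
    "POS-07 2012-02-14T09:31:02 auth ok amt=42.10 ;5500000000000004=1306101123456789?",
    "POS-07 2012-02-14T09:35:44 auth ok amt=8.75 pan=411111******1111",
    "POS-07 2012-02-14T09:36:01 debug ;4111111111111112=1306101123456789?",
]

if __name__ == "__main__":
    for n, rec in findings(SAMPLE_LOG):
        print(f"line {n}: track {rec.track} IIN {rec.iin} PAN {rec.masked_pan} "
              f"exp {rec.expiry} svc {rec.service_code}")
```

Run against the constructed log, the scanner reports the first two lines and stays silent on the masked PAN and on the record whose check digit fails; the name field is only populated for Track 1, since Track 2 carries no cardholder name.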

Put yourself in the attacker’s mind for a moment: what would you do with ten million sets of credit card data? No doubt it depends on who you are and what you value, both questions to which the FBI presently seeks answers. Gartner analyst Avivah Litan alleges that the breach originated with a New York City cab company and a parking garage company, and may be connected to a Central American gang operating in that city.[6] If that allegation proves true, then this event marks a significant advance in the technical prowess of groups that one would not traditionally associate with anything more impressive than the behavior of common thugs. One possible scenario is that the attacker or attackers consider themselves independent, intellectual, “smarter than the system,” share an ethnic and ideological identification with the mainline members of the gang, but do not themselves fit the traditional Latin street gang member profile. In other words, these few and relatively unique individuals might be the “IT Services Department” for the gang’s otherwise non-technical criminal enterprise. Running with this hypothesis (the only one available so far) for a moment, we can profile the attackers to attempt to deduce their objectives, with the insight that their technical skills likely exist independently of the strategic and operational direction they receive from the “real” (i.e., armed, dangerous, probably wanted for a variety of organized crimes) gang leadership. The technicians may brief the leadership about the kinds of things they can do to be of service, but the leadership interprets those options in light of its (criminal) goals for the organization.

So refine the previous paragraph’s opening question: you’re no longer just an ambiguous “attacker,” you’re in charge of a Dominican “business” (remember: people doing extra-legal things rarely think of themselves as criminals; as far as they’re concerned they are businessmen with special talents), and you have a few very talented computer geeks who’ve accepted your offer to join the business. They say they can do all kinds of interesting things with credit cards and banking systems, and you’re intrigued, so what do you want them to do for you? Cash is always nice, but cash is tricky and dangerous to acquire with credit cards. If you have them reproduce the cards from the track data, you still have to get them to correctly extract the PINs, and then you have to send a far less valuable organization member to withdraw relatively small amounts of cash from ATMs. If this individual is apprehended and realizes that you hung him out to dry, law enforcement may turn him, and even cellular organizations can be collapsed once enough members defect to secure their own plea bargains with the district attorney. You could determine the pattern of the private keys used in the CVV numbers and sell your newfound “intellectual property” to larger criminal organizations that would value the information. But if all of those moves require too much external coordination with people you do not trust, you have another option. In fact, it’s a bargain for everyone in the neighborhoods in which you operate: compromise a large number of merchants and their point-of-sale terminals… because you already have. It’s a platform business, really, if you take one of your ten million cards to any number of the shops from which you currently extract “protection money” and tell them that they can pay the protection fees by running these cards instead of paying out of their own pockets. You never use the same card twice, you vary your schedule and routine, and you distribute the activity among the many merchant accounts so that the dollar values and frequency of fraudulent card use stay well below normal thresholds. Merchants get a discount on protection money, you keep a steady revenue going, and only an anonymous, faceless bank from well outside your neighborhood takes the hit.

That’s just one hypothetical scenario of what a determined criminal element could do with a data breach of this scale, but the great thing about a blog is that you can click “Comment” and brainstorm others that you think might be even more plausible.

[1] Sullivan, Bob. “MasterCard, Visa confirm credit card data theft described as ‘massive’.” MSNBC Red Tape Chronicles. http://redtape.msnbc.msn.com/_news/2012/03/30/10940640-mastercard-visa-confirm-credit-card-data-theft-described-as-massive (accessed March 31, 2012).

[2] Global Payments Inc. Press release, 30 March 2012. http://phx.corporate-ir.net/phoenix.zhtml?c=125339&p=irol-newsArticle&ID=1678656&highlight= (accessed March 31, 2012).

[3] Krebs, Brian. “MasterCard, Visa Warn of Processor Breach.” Krebs on Security. http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/ (accessed March 31, 2012).

[4] Padilla, L. “Track Format of Magnetic Stripe Cards.” Universidad Complutense de Madrid. http://www.gae.ucm.es/~padilla/extrawork/tracks.html (accessed March 31, 2012).

[5] IBM Corporation. “How VISA Card Verification Values are Used.” Cryptographic Services ICSF Application Programmer’s Guide. http://publib.boulder.ibm.com/infocenter/zos/v1r12/topic/com.ibm.zos.r12.csfb400/usecvv.htm (accessed March 31, 2012).

[6] Litan, Avivah. “New Credit Card Data Breach Revealed.” Gartner Blog Network. http://blogs.gartner.com/avivah-litan/2012/03/30/new-credit-card-data-breach-revealed/ (accessed March 31, 2012).