BankInfoSecurity.com - Information Security News, Regulations, & Education

Hannaford Data Breach: The Victims Fight Back

Customers, Institutions Angry Over Compromised Card Transactions, Fraud
March 24, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

Scores of financial institutions received alerts from Visa and MasterCard this past week in the wake of news from the Maine-based Hannaford Brothers grocery chain that 4.2 million customer card transactions were compromised by hackers.

More than 1,800 of those card numbers have already been used for fraudulent transactions. Affected by the breach were all 165 Hannaford stores in New England and New York, 106 Sweetbay stores in Florida and 24 independent stores in the Northeast that carry Hannaford products. Hannaford and Sweetbay are owned by Delhaize America, the U.S. arm of the Belgian supermarket group Delhaize.

Within two days of the breach announcement, two class action lawsuits on behalf of customers were filed against the retailer. The suits charge Hannaford was negligent for failing to provide adequate security for computer data.

Although the case is among the largest security breaches on record, it is much smaller than the TJX breach, in which some 45 million card numbers were taken from the Framingham, Mass., retailer whose 2,500 stores include the T.J. Maxx and Marshalls chains.

The Damage
At least 60 to 70 Massachusetts banks have received alerts from Visa and MasterCard about thousands of exposed credit and debit cards caught in a new data breach, says Daniel J. Forte, president and CEO of the Massachusetts Bankers Association (MBA).

"The affected accounts appear to be located in banks in Massachusetts and northern New England," Forte says. The MBA has been in discussions with the card companies and is also pursuing legislative remedies that would change card company rules to require release of the name of the offending retailer and place liability for the costs associated with a breach on that retailer. The association demanded that the card companies name the retailer; Hannaford later stepped forward and acknowledged the breach.


Maine credit unions say 100,000 credit and debit cards are expected to be reissued because of the Hannaford breach.

"Because the compromise occurred at a major Maine retailer that so many Maine people use on a regular basis, the impact and cost of this compromise will be significantly higher than the TJX compromise last year," says Rebekah Higgins, Card Services Manager at Synergent, the service subsidiary of the Maine Credit Union League, which handles card services and processing for many Maine credit unions. She says a number of credit unions have already begun reissuing their entire card base.

Vermont banks and credit unions are also watching their customers' cards closely for fraud after the Hannaford breach. Heritage Family Credit Union in Rutland, VT posted a message on its Web site, www.hfcuvt.com, saying it will send letters to members whose cards Visa has identified as part of the breach, as soon as the card numbers are released to the credit union.

A 2007 Vermont data security breach law now requires prompt notification of a breach. The law covers non-financial companies and state agencies: they must notify consumers when a security breach compromises the security, confidentiality or integrity of certain personal information they maintain.

What Happened?
While the United States Secret Service and other forensic investigators are still unraveling exactly where and how the card data was taken, there are some known facts:

* Hannaford became aware of the breach Feb. 27.
* Investigators brought in to find the cause determined the data breach began on Dec. 7.
* Hannaford didn't stop it until March 10.

That is nearly three months of exposure before the breach was detected, and another 12 days between discovery and containment.

Hannaford says the sensitive data was exposed as shoppers swiped their cards at checkout-lane terminals and the card data was transmitted to banks for approval. Hannaford doesn't store card information in its databases; it transfers the data over a wired network, according to a company spokesperson.

In many past cases hackers broke into databases to capture stored card data; the Hannaford breach, by contrast, may be an attack on data in transit, says Gartner analyst Avivah Litan. "The PCI (Payment Card Industry) standards may need updating to say 'data in transit' - even on private networks - must be encrypted, or the network segment processing card data needs to be sufficiently segmented from the rest of the store's networks," Litan says.
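
To make the data-in-transit point concrete, here is an added example that is not from the article, from Hannaford or from any assessor's toolkit: the kind of scanner one would run over application payloads captured on a store's POS segment to check whether magnetic-stripe track 2 data or Luhn-valid card numbers cross the wire in the clear. The two captures are constructed for the example; the field names, the terminal ID and the PANs are made up (the PANs are the usual 4111... and 5555... test numbers), and the "encrypted" capture is arbitrary bytes standing in for a TLS record.

```python
import re

# Track 2 as read from the magnetic stripe: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A 13-19 digit run, digits optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 test that every card network's PANs satisfy; filters timestamps etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN (first 6) and last 4, which is all a findings report should carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payload(payload: bytes) -> list:
    """Return every piece of cleartext card data found in one captured application payload."""
    text = payload.decode("latin-1")   # stripe and ISO 8583 fields are ASCII; other bytes are noise
    findings, seen = [], set()
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_valid(pan):
            findings.append({"kind": "track2", "pan": mask(pan),
                             "expiry": m.group(2), "offset": m.start()})
            seen.add(pan)
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if pan not in seen and luhn_valid(pan):
            findings.append({"kind": "pan", "pan": mask(pan), "offset": m.start()})
            seen.add(pan)
    return findings


# Constructed captures, not real traffic. The first is what a sniffer on an unencrypted
# store network sees during an authorization (the 14-digit timestamp is a deliberate
# near-miss that Luhn rejects); the second stands in for the same request inside a TLS
# application-data record, with arbitrary bytes as the ciphertext.
CLEARTEXT_AUTH = (
    b"0100|STAN=123456|TS=20080310143000|TID=HNF00417|"
    b"TRACK2=;4111111111111111=1012101?|AMT=000000001299|"
    b"ALT_PAN=5555 5555 5555 4444|"
)
ENCRYPTED_AUTH = bytes.fromhex(
    "17030300209fa37e5dc2b14f60a8e3d9c5fb2a7d4ee1c6b8055a9dfc1e72b4d3a6f0e8"
)

if __name__ == "__main__":
    for name, pkt in (("cleartext", CLEARTEXT_AUTH), ("encrypted", ENCRYPTED_AUTH)):
        print(name, scan_payload(pkt))
```

The scanner never writes a full PAN into its findings; on a real engagement the masked form plus the offset is enough to prove the exposure, and keeping full PANs in an assessor's report would itself be a PCI finding.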


1 | 2




Question
Given the latest data-breach news about Hannaford, what can an institution do to protect itself and its customers from further damaging incidents?

One-time passwords will require too much effort on the user's part to be effective. Here's a better idea: use smart cards rather than magnetic stripes, and use a challenge-response authentication protocol.

Each card will contain a sealed cryptographic processor, with the account number stored inside it. When the card is swiped, it will send a "card ID", also stored on the card, to the bank. This is a random number 256 bits in length that is uniquely tied to the card but cannot be used directly for purchasing.

The bank's server will then look up the card ID and find the actual account number. It will then send a 256-bit random "salt" to the smart card. The card's processor then uses a cryptographic hash (probably SHA-256 or SHA-512) to mix the actual account number with the salt, and sends it to the bank.

The bank will then re-calculate the hash, using the account number tied to the card ID, and compare it to the hash received. If they match, the card is valid.

The card has thus been authorized, and the account number obtained by the bank, without transmission of confidential information over the wire. The only way that an attacker can obtain the card number X from a transaction, given the hash H and the salt S, is to mount a brute-force attack by solving the equation F(S+X) = H.

One additional benefit of this technique is that even if the card reader is tampered with (for example, to log all transaction data) the data will still be secure. Since the salt changes every transaction, replay attacks are impossible.
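
The exchange described in the comment above, as an added example that is not part of the comment and not any issuer's or vendor's code: a card object that holds the PAN and only ever emits hashes, an issuer that keeps the card-ID table and the salt outstanding for each card, the card ID / salt / hash / verdict round trip, a replay of a recorded response, and the brute-force step the comment mentions, carried through to an actual recovery. The class and function names, the 32-byte sizes for card ID and salt, the choice of SHA-256, and the assumption that the eavesdropper knows the BIN and the next five account digits are mine; the PAN is the standard 4111... test number.

```python
import hashlib
import hmac
import secrets


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test (the PAN's last digit)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                 # the digit just left of the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


class SmartCard:
    """The sealed processor the comment describes: holds the PAN and never transmits it."""

    def __init__(self, pan: str):
        self._pan = pan
        self.card_id = secrets.token_bytes(32)   # 256-bit random handle, useless on its own

    def respond(self, salt: bytes) -> bytes:
        # F(S + X): hash of the salt concatenated with the account number
        return hashlib.sha256(salt + self._pan.encode()).digest()


class IssuerServer:
    """Bank side: card-ID table plus the salt outstanding for each card."""

    def __init__(self):
        self._accounts = {}    # card_id -> PAN
        self._pending = {}     # card_id -> salt sent but not yet answered

    def enroll(self, card_id: bytes, pan: str) -> None:
        self._accounts[card_id] = pan

    def challenge(self, card_id: bytes) -> bytes:
        if card_id not in self._accounts:
            raise KeyError("unknown card ID")
        salt = secrets.token_bytes(32)
        self._pending[card_id] = salt
        return salt

    def verify(self, card_id: bytes, response: bytes) -> bool:
        salt = self._pending.pop(card_id, None)   # each salt is used once: a replay finds no salt
        if salt is None:
            return False
        expected = hashlib.sha256(salt + self._accounts[card_id].encode()).digest()
        return hmac.compare_digest(expected, response)


def authorize(card: SmartCard, bank: IssuerServer) -> bool:
    """The exchange: card ID -> bank; salt -> card; hash -> bank; accept or reject."""
    salt = bank.challenge(card.card_id)
    return bank.verify(card.card_id, card.respond(salt))


def brute_force_pan(salt: bytes, response: bytes, known_prefix: str, unknown_digits: int):
    """An eavesdropper holding S and H solves F(S+X) = H by enumerating X.
    X is a PAN, so the space is 10**unknown_digits (Luhn fixes the last digit), not 2**256."""
    for n in range(10 ** unknown_digits):
        partial = known_prefix + str(n).zfill(unknown_digits)
        candidate = partial + luhn_check_digit(partial)
        if hashlib.sha256(salt + candidate.encode()).digest() == response:
            return candidate
    return None


def demo_challenge_response():
    """Enroll one card, authorize it, replay a sniffed response, then brute-force the PAN."""
    pan = "4111111111111111"                      # standard test PAN, not a real account
    card, bank = SmartCard(pan), IssuerServer()
    bank.enroll(card.card_id, pan)
    ok = authorize(card, bank)
    # Eavesdropper records one complete exchange from the wire.
    salt = bank.challenge(card.card_id)
    response = card.respond(salt)
    accepted = bank.verify(card.card_id, response)
    replayed = bank.verify(card.card_id, response)   # same H presented again: rejected
    # Assumed: the attacker knows the BIN and the next five digits, so four digits are unknown.
    recovered = brute_force_pan(salt, response, pan[:11], 4)
    return ok, accepted, replayed, recovered


if __name__ == "__main__":
    print(demo_challenge_response())
```

The demo fixes all but four account digits so the search finishes instantly. With only the six-digit BIN known, the space is 10^9 candidates, which is minutes of SHA-256 on one commodity machine, because the salt is public and nothing secret goes into the hash; the brute force the comment describes is bounded by the PAN format, not by the 256-bit salt.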

There is a simple answer to this systemic problem: One Time Password. Once VISA and MC require OTP for all transactions, the game is over for the fraudsters. The technology exists; take a look at VeriSign's VIP card. No, I don't work for VeriSign; there are plenty of vendors in the OTP space, they are just an example.

VISA and MC must embed this technology in their cards, and demand that all issuers and merchants adopt and support it.

It would work like this: swipe card => enter PIN => enter one time password. Now even if a fraudster gets the track data or breaches a database, it won't matter unless they can crack the OTP, which is unlikely for the foreseeable future, and if they do we simply upgrade the OTP algorithms.
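
One way to implement the OTP step in the flow the comment above sketches is RFC 4226 HOTP, the OATH event-based algorithm used by button-press tokens. This is an added example, not the comment's proposal in code and not VeriSign's or any other vendor's implementation: a card object that yields the next code on each press, and an issuer that verifies within a look-ahead window and then advances its counter so a captured code can never be accepted again. The class names, the window size, and the PAN are mine (the PAN is the 4111... test number); the secret is the RFC 4226 test-vector secret, so the codes can be checked against the RFC. The PIN step is not modelled.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16)
              | (mac[offset + 2] << 8) | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class OtpCard:
    """Card side: a shared secret and a counter; each button press yields the next code."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class OtpIssuer:
    """Issuer side: per-card secret, last accepted counter, and a look-ahead window."""

    def __init__(self, window: int = 5):
        self._cards = {}       # pan -> {"secret": bytes, "counter": int}
        self.window = window

    def enroll(self, pan: str, secret: bytes) -> None:
        self._cards[pan] = {"secret": secret, "counter": 0}

    def verify(self, pan: str, otp: str) -> bool:
        rec = self._cards.get(pan)
        if rec is None:
            return False
        # Try the next `window` counters (the cardholder may have pressed without sending a code);
        # on a hit, move past it so that code, and every earlier one, is dead from then on.
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                rec["counter"] = c + 1
                return True
        return False


def demo_otp():
    """Swipe (PAN) + OTP accepted; the same OTP replayed; resync after two unused presses."""
    pan = "4111111111111111"                       # standard test PAN, not a real account
    secret = b"12345678901234567890"               # RFC 4226 Appendix D test-vector secret
    card, bank = OtpCard(secret), OtpIssuer()
    bank.enroll(pan, secret)
    first = card.press()                           # "755224", RFC 4226 vector for counter 0
    accepted = bank.verify(pan, first)
    replayed = bank.verify(pan, first)             # captured track data plus old OTP: rejected
    card.press(); card.press()                     # two codes generated but never sent
    later = card.press()
    resynced = bank.verify(pan, later)             # three ahead, inside the window: accepted
    return first, accepted, replayed, resynced


if __name__ == "__main__":
    print(demo_otp())
```

The window is the operational trade-off: too small and a cardholder who pressed the button a few times without transacting is locked out, too large and an attacker who captured a code gets more counters to guess against; issuers typically pair a modest window with a resync procedure rather than widening it.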

Have VISA and MC impose an immediate surcharge of 25 cents per transaction that goes to the issuing banks for 2 years, in addition to recovery costs of re-issued cards.