SQL Injection Blamed for New Breach

Stronger App Security Could Have Prevented Online Hack
The breach of a Web server that housed payment card data for a New York tourism company's website highlights security gaps in cardholder data protection.

The online breach, which led hackers to cardholder information for 110,000 credit cards, was facilitated via SQL injection -- one of the most frequent modes of attack hackers use to illegally acquire payment-card details.

Twin America LLC (d.b.a. City Sights NY) reportedly discovered the breach in late October, after a programmer noticed that an unauthorized script had been loaded onto the server. The company on Dec. 9 notified the New Hampshire Attorney General of the breach, after it determined that some 300 New Hampshire residents had been impacted by the attack. City Sights' attorney Theodore Augustinos would not comment on the breach, saying he was not authorized to share details beyond those included in the letter to the AG.

But Josh Corman, research director of enterprise security for analyst firm The 451 Group, says the City Sights breach raises several points, none of which is uncommon when it comes to lax security practices among online merchants. "What caught my attention was the SQL injection," he says. "It's more than 10 years old now; we should know better by now, but we don't."

SQL Injections -- Still Too Common

According to Verizon Business' 2010 Payment Card Industry Compliance Report released in October, 24 percent of payment-card breaches result from SQL injections. When it comes to card breaches, SQL injections come second only to malware, which provides fraudsters remote access by bypassing normal authentication mechanisms.

Corman says gaps in application security are a big problem in the payments space. "In this case, they noticed an unauthorized script, so that tells me custom malware was dropped in after the SQL injection," he says. "It was an app attack."

A critic of the Payment Card Industry Data Security Standard, Corman says current PCI guidance regarding application security and protection from SQL injections is insufficient. "The standard for application security requires a Web app firewall or SDL (system development lifecycle), which is based on how you write the code," he says. "You have two options, but you need to do both."

A Web application firewall, or WAF, which Corman suggests most merchants do not invest in, is the best option for preventing an SQL-related breach. "An app firewall being optional is sad. We don't spend enough money on app security and we spend way too much on antivirus software, which is basically worthless," he says.

Alan Paller, director of research for the SANS Institute, says the City Sights breach points to two of the most-often-overlooked security measures -- inept coding and the storage of card data. "They used a programmer who didn't know how to write security code, and they stored the CVV data," he says. "Both are against the rules that the credit card companies set for credit card processing. This shows that the auditors are not doing their job."

Tom Wills, principal consultant and secure strategies senior analyst for Javelin Strategy & Research, says the stolen credit card data should have been encrypted, and the SQL injection could have been prevented by validating data input via the Web application.

"City Sights NY was caught without a lock on their front door and their jewelry sitting on top of the dresser," Wills says. "What we have here is nothing more than sloppy security. It comes from the all-too-common mentality among merchants that breaches only happen to other people, and that implementing good security costs more than it is worth."

Wills and Corman both say a focus on stronger application security is the only solution, but no one in the payments space seems to be giving it much attention. "Everyone focuses on protecting the services and the infrastructure, but no one focuses on the software," Corman says. "Rugged software that protects the application is what we need more of."


About the Author

Tracy Kitten


Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



