Hackers open new front in payment card data thefts

Security managers often describe their efforts to protect corporate data from being compromised as a full-fledged battle of wits against cybercrooks who are continually arming themselves with innovative tools and methods of attack.

And the security breaches disclosed last month by Hannaford Bros and Okemo Mountain Resort -- along with unconfirmed reports of dozens of similar network intrusions -- suggest that a new front may have opened up in the battle.

Furthermore, the recent incidents have prompted some to question whether the payment card industry's highly publicized data security standards are fully equipping companies to fend off attackers.

What's noteworthy about the Hannaford and Okemo breaches is that they both involved the theft of data in transit -- credit and debit card information that was being transmitted from point-of-sale systems to payment processors in order to authorize transactions.

In Hannaford's case, the US-based supermarket chain has said that malware planted on the servers at about 300 grocery stores in the Northeast and Florida intercepted up to 4.2 million credit and debit card numbers and periodically sent the data in batches to a system overseas.

Just two weeks after Hannaford disclosed its breach, Okemo reported that data from more than 46,000 payment card transactions may have been compromised during a 16-day system intrusion in February.

Some of the data that was stolen was from transactions that occurred two years ago. But data from purchases made by customers while the intrusion was taking place appears to have been stolen in real time during the authorization and card-verification process, according to a spokeswoman for the ski area.

"The information was being taken as the cards were being swiped," she said, adding that law enforcement officials have told Okemo's management that they are investigating about 50 such incidents in the Northeast alone.

If that is indeed the case, it indicates that malicious hackers are starting to focus on stealing card data while it's on the move, instead of trying to take information that's stored on systems.

Ironically, the push by attackers to get at data in transit is likely a direct response to retailers' efforts to implement the security controls mandated by the Payment Card Industry Data Security Standard, or PCI for short, said Gartner analyst Avivah Litan.

The PCI standard, which was created by the major credit card companies, prohibits retailers and other merchants from storing payment card data on their systems in most cases, and it requires them to encrypt the data that they are allowed to store. Litan said that as more companies comply with the standard, credit card thieves are being forced to turn their attention away from the databases that they previously had targeted.

And the apparent success of the intruders who broke into the systems at Hannaford and Okemo is bound to embolden other attackers to try the same kind of strategies, Litan warned.