Hackers in Camden?
So, I have been reading the information posted on social media today about the Camden IGA. It seems that the Camden police department, along with the Sherriff’s office (Bobby Schneider), has reached a conclusion. “System was hacked and a virus was installed on their server.” The hard work of our police and sheriff’s office will go a long way in solving this problem. As he mentioned, “If your credit/debit card was used at Camden Foodliner since late August(,) cancel your card and get a new one”. And, I highly recommend you do just that.
In my expert opinion, the server having malware on it is merely the “entry” point. From there, a hacker could do any number of things to capture credit card information. First, the hacker could setup what is called a “packet capturing” application on the server. These programs capture all of the electronic traffic passing over the network. Basically, it is like recording a phone conversation except you “record” the conversation between computing devices. But, this would require a non-encrypted, plain text, transition of the credit card numbers….
In the IGA’s defense, I would like to offer the following input.
I find it extremely hard to believe that the server is the sole cause of the issue. Here is why. When a card is swiped on a card reader, the transmission of the card number is encrypted. Meaning, it is not readable until it reaches its destination at the “processors” server. So, what does this mean? Well, if it enters the card reader, and is sent to the server encrypted, how was a decrypted credit card number captured on the IGA’s server? Below is an example of a 128bit encrypted credit card number. (Remember, only the sending and receiving ends have the decryption keys)
Plain Text Card Number: 0000 1111 2222 3311
Encrypted at AES 128bit: FWyCmuvTdHJKKSXUrmOHhh79RUN+Gasg9pO9eu/ht04=
Yes, with the appropriate decryption key, blowhard, you can decrypt the 128bit encrypted key back to plain text. In a nut shell, that is how encryption / decryption works. So, I ask again? How did a compromised server cause all of our credit card number to be stolen? I suppose it is possible that the credit card processing equipment at the IGA is not set to use encryption and that for some odd reason the card numbers are stored locally. However, encryption has been standard practice on card readers since 2008. And, I find it extremely hard to believe, although I suppose it would be possible, that the card readers at the IGA are setup to be store credit card information on the server. But, again, that is not on the IGA. That would be the fault of the company IGA hired to process the cards.
How is it that someone got access to the IGA’s server anyway? Does this server act as a gateway on the network? Meaning, is the server connected directly to the internet connection without going through a firewall (Public facing)? Again, I highly doubt it. If this is not the case, someone using the server either downloaded something on accident into the server, or a virus was installed through an email. From here, the virus could “call home” which would enable a hacker access to the system… But, that still doesn’t explain the credit card numbers being compromised? As mentioned above, does this server actually process the credit cards, or is it just an inventory server? Not sure, but one possibility is what happened to Target. Target’s network was compromised allowing hackers to installed malware directly on the credit card readers. To me, this type of attack makes more sense. Hackers got access to the IGA’s server. Then, installed malware on the card readers. This works because the card number is captured before it is encrypted and transmitted over the network… All the card numbers can be stored in a log file on the server and copied back to the hacker’s computer….
What about the IGA?
I know the owner of the IGA and he is a great man. He has supported our community for years. And, we have supported him. I will continue to do so. Some might ask, should they have known better? Perhaps, but shouldn’t Target, Sony Playstation, Microsoft, and more recently, Anthem, known better? Heck, these companies have CIO (Chief Information Officers), and CSO (Chief Security Officers), and they couldn’t stop it. The truth is, there is no fail safe. There is no way to protect your data 100% of the time. I believe, no matter what, that the IGA did everything they knew how to do to protect their customers against this type of attack… Unfortunately, hackers are always one step ahead of the latest and greatest security measures.
Support the IGA, support our local community, and do not let this HACKER win!
If you, or someone you know, would like more information about a compressive security analysis on your network, contact me today.