When Keys Are Default Passwords
powers-old-account
IBM's Smarter Planet Initiative is all about making real-world things "instrumented, intelligent, and interconnected," so I'm always on the lookout for security stories about real-world things that have IT capabilities. I was therefore very interested to read an article in Bank
Pay-at-the-pump skimming relies on the victim not noticing that the pump's original credit card reader has been replaced or supplemented by the attackers' reader. My first reaction to this story was, "wouldn't people notice?" I imagined that it would be very easy to recognize an additional piece of hardware sticking out from the card reader at the pump. However, it's much more difficult for the average customer to detect, because the attackers' extra hardware actually sits inside the pump, not on the part that sticks out.
And why is the attacker's extra hardware inside the pump? Because the pump is not physically secure!!
Gray Taylor, a security and compliance expert with the National Association of Convenience Stores, is quoted in the article:
"There are 900,000 pay-at-the-pumps out there, and, literally, I have four keys in my desk that will open up every dispenser in the United States that has not been upgraded," Taylor says. "Today, you can buy new dispensers that have unique keys. The problem is doing something with the dispensers that are out there; getting these guys to upgrade."
Say what??? So let me get this straight. The pumps have locks and keys on them, but they don't have unique keys? An attacker with 4 keys can get into most of the pumps in the US? This is as bad as shipping a software product with hard-coded accounts and default passwords. Hindsight is 20/20. Once upon a time, this single-key system was probably OK. The amount of money spent at a pump and the relative difficulty of obtaining card readers made this a very low-risk item, and therefore the single-key control was probably adequate. But with the huge increase in card-not-present transactions, stealing credit card numbers has changed the economics motivating the theft. It's worth a criminal's time to invest in credit card skimmers and to obtain the default keys.
In any case, this is a classic example of a "smarter planet" security problem. In the article, Mr. Taylor noted that newer pumps are available with unique keys. Upgrading to the unique-keyed pumps is probably the simplest control for this scenario. But the price isn't cheap. If a software product shipped with a default password baked into the code, it would be a relatively inexpensive feature to upgrade the software package to generate unique passwords and stop using default passwords. But the pay-at-the-pump skimming scenario deals with real-world stuff, and upgrading real-world stuff is expensive. Gas pump owners have to either upgrade/replace the whole pump, or they have to pay to have the pumps re-keyed.
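As an added illustration (not code from the original post, and not any pump vendor's firmware), here is the software version of the fix the paragraph describes: a fleet enrolled with one shared factory default, a rekey step that mints a unique per-unit secret, and an audit that finds the units still on the default. The serial numbers, the `LEGACY_DEFAULT_SECRET` value and the `Fleet` class are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for the one secret every legacy unit shipped with;
# the software equivalent of the four master keys quoted above.
LEGACY_DEFAULT_SECRET = "factory-default"


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked credential store cannot be reversed in bulk."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Fleet:
    """In-memory model of a population of field devices (constructed example)."""

    def __init__(self):
        self.units = {}  # serial -> {"salt": bytes, "hash": bytes}

    def enroll_legacy(self, serial: str) -> None:
        """Legacy behaviour: every unit accepts the same factory default."""
        salt = secrets.token_bytes(16)
        self.units[serial] = {
            "salt": salt,
            "hash": hash_secret(LEGACY_DEFAULT_SECRET, salt),
        }

    def rekey(self, serial: str) -> str:
        """Hardened behaviour: mint a unique secret for this unit only.

        The plaintext is returned exactly once, for the technician doing the
        re-key; only the salted hash is retained.
        """
        new_secret = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self.units[serial] = {"salt": salt, "hash": hash_secret(new_secret, salt)}
        return new_secret

    def verify(self, serial: str, secret: str) -> bool:
        """Constant-time comparison against the stored hash for one unit."""
        rec = self.units.get(serial)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], hash_secret(secret, rec["salt"]))

    def audit_default_keys(self) -> list:
        """Find units that still accept the shared default.

        Recomputes the default under each unit's own salt rather than trusting
        an "upgraded" flag, so a unit re-enrolled with the default is caught.
        """
        stale = []
        for serial, rec in self.units.items():
            candidate = hash_secret(LEGACY_DEFAULT_SECRET, rec["salt"])
            if hmac.compare_digest(rec["hash"], candidate):
                stale.append(serial)
        return sorted(stale)


def build_demo_fleet() -> Fleet:
    """Three constructed units, all still on the factory default."""
    fleet = Fleet()
    for serial in ("PUMP-001", "PUMP-002", "PUMP-003"):
        fleet.enroll_legacy(serial)
    return fleet


if __name__ == "__main__":
    fleet = build_demo_fleet()
    print("on default before re-key:", fleet.audit_default_keys())
    issued = fleet.rekey("PUMP-002")
    print("PUMP-002 new secret issued once:", issued)
    print("on default after re-key:", fleet.audit_default_keys())
```

The audit is the piece that maps to Taylor's "dispensers that are out there" problem: the expensive part is not generating unique credentials, it is finding and touching every unit that still accepts the shared one.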
Which leads to the second interesting point in the article:
"Taylor says industry standards have diverted attention from pay-at-the-pump and instead forced merchants to focus on network security, called for by the card brands and the Payment Card Industry Data Security Standard, within their stores." So the time, cost and attention devoted to PCI-DSS take attention and resources away from other types of attacks. It would be interesting to look at the losses at the convenience stores and compare the losses from pay-at-the-pump skimming vs. other types of losses due to IT security, to see whether the money spent on PCI-DSS was causing convenience store owners to focus on the right threats or not.