Category Archives: Security

Web Pentest Practice List

From Felipe Martins

Note that this post intends to show only vulnerable applications that are meant to be exploited, not the tools used to exploit them.

Interesting that the goal is to set up an environment that is vulnerable in order to test out the web penetration tools. I guess I have become so used to things being the other way around (setting up attack tools to test vulnerabilities of an environment) that this seems like a novel idea to me.

Facebook Security Leak Since 2007

Two security researchers have documented a serious and long-standing design flaw in Facebook:

Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information.

[…]

There is no good way to estimate how many access tokens have already been leaked since the release of Facebook applications back in 2007. We fear a lot of these tokens might still be available in log files of third-party servers or still being actively used by advertisers. Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens. Changing the password invalidates these tokens and is equivalent to “changing the lock” on your Facebook profile.

I’ll let you guess why “there is no good way to estimate” unauthorised access at Facebook.
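A token that travels in a query string lands in the access log of every server that sees the request, which is the "log files of third-party servers" problem the researchers describe. The following is an added example, not code from the researchers or from this post: it parses constructed Apache combined-format log lines, pulls an access token out of the request line or the Referer header, redacts it in place, and reports which distinct tokens appeared. The log format, the sample lines, the token values and the parameter name access_token are all assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
# The token values are made up; access_token as the parameter name is an assumption.
SAMPLE_LOG = (
    '10.0.0.5 - - [08/Feb/2011:10:01:22 +0000] "GET /ad?campaign=7&access_token=123456|abcdef0123456789 HTTP/1.1" 200 512 "http://apps.facebook.com/somegame/" "Mozilla/5.0"\n'
    '10.0.0.6 - - [08/Feb/2011:10:01:23 +0000] "GET /ad?campaign=7 HTTP/1.1" 200 512 "http://apps.facebook.com/somegame/canvas?access_token=223344|ffeeddccbbaa9988" "Mozilla/5.0"\n'
    '10.0.0.7 - - [08/Feb/2011:10:01:24 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
)

# One combined-format line. The request URI and the Referer are the two fields
# where a token carried in a query string ends up.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SENSITIVE_PARAMS = {"access_token"}  # assumed parameter name


def redact_url(url):
    """Return (url with sensitive parameters redacted, [token values found])."""
    parts = urlsplit(url)
    if not parts.query:
        return url, []
    found, clean = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in SENSITIVE_PARAMS:
            found.append(value)
            clean.append((key, "REDACTED"))
        else:
            clean.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(clean))), found


def scrub_log(text):
    """Redact tokens in every parsable line.

    Returns (clean_lines, findings); each finding is
    (line_number, "request" or "referer", token)."""
    clean_lines, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:                      # leave lines we cannot parse untouched
            clean_lines.append(line)
            continue
        uri, in_uri = redact_url(m.group("uri"))
        referer, in_ref = m.group("referer"), []
        if referer != "-":
            referer, in_ref = redact_url(referer)
        findings += [(lineno, "request", t) for t in in_uri]
        findings += [(lineno, "referer", t) for t in in_ref]
        # Splice the cleaned fields back in, slicing the original line by offset.
        clean_lines.append(
            line[:m.start("uri")] + uri
            + line[m.end("uri"):m.start("referer")] + referer
            + line[m.end("referer"):]
        )
    return clean_lines, findings


def distinct_tokens(findings):
    """Distinct token values seen: the number of 'locks' that need changing."""
    return sorted({token for _, _, token in findings})


if __name__ == "__main__":
    lines, found = scrub_log(SAMPLE_LOG)
    for lineno, where, token in found:
        print(f"line {lineno}: token in {where}: {token}")
    print(f"{len(distinct_tokens(found))} distinct token(s); scrubbed log follows")
    print("\n".join(lines))
```

Run over a real log the same script gives an inventory of who has to "change the lock" and leaves a log that is safe to keep; lines the regex cannot parse are passed through untouched rather than silently dropped, so the scrubbed file stays complete.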

Crafty 20 State PIN Pad Attack

Michaels Stores, with over 1,000 locations, calls itself North America’s “largest speciality retailer”. Their website, which shows the slogan “Where Creativity Happens”, has just posted three Consumer Notices on PIN Pad tampering at their stores. Their CEO John Menzer joined in 2009 (after twelve years at WalMart) and today issued a statement:

We are confident Michaels stores are a safe place to shop.

The Chicago Tribune offers this perspective on the PIN Entry Device (PED) breach.

The crafts-store chain identified 90 keypads in 80 stores that were compromised in Colorado, Delaware, Georgia, Iowa, Massachusetts, Maryland, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington.

Michaels has removed the suspicious swipe pads and over the next two weeks plans to replace about 7,200 similar PIN keypads from its stores. Until those pads are replaced with upgraded models, the company said customers must use cash, credit cards or signature-based debit cards.

Moving to signature-based cards is a reasonable stopgap. A survey by First Data Corporation in 2008 said only 22% prefer PIN debit while 17% prefer signature, so removing PIN probably is not disruptive to the consumer. It also is not any more secure: a signature can obviously be forged more easily than a PIN can be stolen. All the switch does is keep the PIN out of any pad that has been tampered with; the card is still swiped through the device, so it buys time until the pads are replaced rather than closing the hole.

Although I see some speculation about how hard it is for attackers to have coordinated an attack on 90 keypads in 80 stores (about 1% of the roughly 7,200 keypads) I can’t help but compare it to the store’s plan to deploy over 7,000 keypads in just two weeks. It may be a great effort and expense, or it could raise the question of supply chain security as well as ease of replacement: where does authorisation fit in? How hard is it really to swap the keypads?

The big clue to the story is in the Tribune phrase “replaced with upgraded models”.

There is a chance that Michaels was using old PEDs that the Payment Card Industry (PCI) wanted replaced anyway. Visa explains the risk in their Compromised PIN Entry Device Listing.

Although some of the recently identified devices are newer devices, many are over 10 years old and were never evaluated by an independent lab or approved by Visa or the Payment Card Industry (PCI).

[…]

Evidence indicates that these devices were physically removed from their locations and replaced with modified devices designed to skim account and PIN data. Surveillance footage shows that the suspects in most cases were able to remove and install a POS PED in less than one minute.

Thus, it’s not hard to imagine an attack on 90 devices even at 80 stores.

To prevent this attack, PEDs are meant to be authenticated and verified regularly at three levels of security: technical, physical, and administrative. With that in mind, there are basically three PED security types in the industry:

  1. Non-Approved Devices (Pre 2004)
  2. VISA PED Approved Devices (2003 – 2006)
  3. PCI PED Approved Devices (2006 onwards)

If all the keypads at Michaels were in the 3rd category, the technical review and the upgrade will be most interesting. Anything from the 1st category will be a “we-warned-you” moment for Visa and the PCI.

July 1, 2010 was supposed to be the last date that pre-Visa PED Approved devices were allowed. Visa originally threatened fines for violations but they caved to industry pressure and moved the enforcement deadline out two years.

Visa agreed to back off its earlier PIN pad compliance deadline originally set for July 1, 2010, to the new date of Aug. 1, 2012. […] The changes were mostly fueled by strong retail lobbying efforts, even beyond convenience retailers — including at least one major department store. Retailers threatened to abruptly cut off PIN debit at the deadline, possibly switching to signature debit to temporarily sidestep the issue, according to the report.

Was Michaels running old PEDs? And if so did they miss the July 1, 2010 deadline due to cost concerns?

Physical review is also an essential factor in this case. Investigators will pore over audit trails related to PED service technicians, shift schedules, service logs, terminal inventory, surveillance video, etc. to see if there were physical warning signs of tampering.

Above all, Michaels customer transactions were exposed from February 8 to May 6, 2011. About 100 customers have so far reported fraud on their accounts. The PCI PED requirements include a weekly review for tampering, so (even if they had PCI-compliant technical and physical security) a three-month exposure will definitely generate some tough administrative questions for Michaels.

Step Yo Game Up

by Chali 2na.

Catch him performing live for free with the Jazz Mafia Symphony at Stern Grove in San Francisco, June 26th.

Step yo game up
Step yo game up

Well it’s the late great fish again
From the great state underneath Lake Michigan
Keep us safe just in case cake’s missing
And I speak frigid anytime I think jake’s listenin’

Heh, OK first and foremost
Make my purse burst as I put thirst before jokes
Won’t feel the rumours I try to ignore folks
Immature blokes whose whole cloaks are pure hoax

Shifty eyes, the fish be wise
Risky lies can lead you to a quick demise
Get your arms wrapped up like some twisty ties
Haters are sick from witnessin’ how quick we rise

Yup, my momma told me to resolve my picture credit
Or everything around me will dissolve and dissipate
Yeah, never earning is a fast disaster
And foolish is the student who don’t surpass the master

The reason that you have to step yo game up
Put in work, make them notice your rep then came up
More than feeble attempts to gain bucks
If you’re shootin’ for your dreams too low then aim up

Step yo game up
Heavy push, make them know that your rep done came up
Try to build up your name, remain tough
Grind till your brain busts and step yo game up

Keep it funky long as I can like imagine
Making each record that I do better than the last one
Inside the passion I try to make it happen
So I don’t have to wear a ski mask and blast guns

The first son will leave your area hurt
When I’m in America they raise the terror alert
Scary when I leave you bury your dirt
Cadence of clarity is making sure your stereo work, very alert

Like that y’all, got you switching your choice
Should we hit you with a hook, you change the pitch in your voice
Intricate with every step, we make you slippery with moist
And my constituents will get to the point rippin’ the joint

But uh, over the bass and the treble clef
Hot like we hit you in the face with the devil’s breath
But just in case that the level slips
Never fret, just pick up the pace like we never left

That’s why you gotta just step yo game up
Put in work, make them notice your rep that came up
More than feeble attempts to gain bucks
If you’re shootin’ for your dreams too low then aim up

Step yo game up
Heavy push, make them know that your rep done came up
Try to build up your name, remain tough
Grind till your brain busts and step yo game up

Yo, clash on the mind ’cause a black Columbine
Contract nullifying print stack dollar signs
Gotta push cause a lotta cats out of time
Holla back on the dime on the black gotta crime

The day that this rap became a weapon
Is the day that I was told to adapt to gain acceptance
The poorest people make scratch by any method
If he desperate he can go pull out the strap to send a message

That’s why you gotta just step yo game up
Put in work, make them notice your rep that came up
More than feeble attempts to gain bucks
If you’re shootin’ for your dreams too low then aim up

Step yo game up
Heavy push, make them know that your rep done came up
Try to build up your name, remain tough
Grind till your brain busts and step yo game up