Richard Bucker

How did they do that?

Posted at — Feb 25, 2013

Warning is post is part fiction and part stream of consciousness and my intent is to take you to a happy place or give you a lot more to think about.WildCard the early days:- one of the interesting things that happened to us was the day the very first BIN went live (processing through FDR in Omaha). Even before the first card was manufactured we started receiving transactions from Nigeria. They were clearly bogus but we were not expecting anything at all.- years later I caught our first ATM bandits in Moscow. (a) they ran too many PIN transaction in such a short period of time that they could only have accomplished this with a hijacked ATM (b) somehow they knew we did some sort of load balancing so they were trying to skim a little off the top.- we did have a programmer of Russian origin that worked for WildCard; he was later laid off when WildCard downsized after it’s own first bubble burst. In retrospect he was always working odd hours; his explanation was so that he could VOIP home to Russia.- WildCard, later eFunds and now FIS; outsources a lot of it’s software development. With any luck they review each and every line of code but not likely. The thing is; a C-level executive was so focused on outsourcing that there was a swell of offshore, on site, developers. Dev went from 100 to 500 in a matter of months. It is my understanding that they were all foreign contractors.(Courtesy of Bill Gates)The FIS attack:- I’m surprised that they got in. I know the guy who designed the network and I know he was also one of the most highly certified Cisco tech there was. Even at WildCard there were layers upon layers of network infrastructure. Production was locked off from everything else. Machines inside the firewall were not supposed to be able to make connections to systems outside the firewall. And so on. It was tighter than Fort Knox.- the authorization system is even more self contained. In fact the auth system is almost a network unto itself. Therefore, the only thing they could have done was attack the backoffice system. That system was originally build with VB and then moved to coldfusion and then there was a sharepoint implementation and later MS business object or something like that. The thing is; WildCard was very aware of things like SQL injection and API permissions and such. So unless intentional or unintentional bug in the system… this was not an attach vector either.- one thing for certain. The users were not going to gain access from the network. Even if the card programs were accessible to product managers through the public internet.- the API layer was going to require passwords and some encryption if they planned to gain access through the APIs. And even then they’d need the API docs and credentials.- If they managed to log into production they’d have to make it through many layers of security in order to make it to the DB. And even with a TSQL command shell you’d need credentials. But wait there’s more.- once they logged into the DB you’d have to know which table to change… of some 300 to 500 tables.- but once they had the right table they’d need to know which card program was assigned to so they could update the velocity check.In Conclusion:(a) this was very likely an inside job and might have been a sleeper for years)(b) when you’re a small company you better trust your employees beyond the usual resume screening.(c) you might be better off hiring a real security firm for recommendations.I just watched a video segment about espionage and counter espionage. It’s interesting that spies do not always do the dirty work. They hire “cut outs” to do it for them. Sadly this could be anyone and of course the consequences are not less devastating.I read another article “what would happen if everything you knew was false” or something like that. Basically a West German police man killed a protestor in 1957. At the time he said he was threatened or some such. After a brief suspension he returned to work and was later promoted. Fast forward to present day and it turns out this guy was a spy for the Stassi (East German Secret Service).** So how do we remain secure?  Good question.- know your hardware- know your network- know your infrastructure- know your physical security- know your operating system- know your tools- know your employees- know your programmers, testers, etc- know your process- know all your 3rd partiesIt comes down to full stack awareness… the stack happens to be much bigger than once thought.