U.S. retailers are being warned that software they use at checkout counters may store too much customer information — including customer debit card PIN numbers that are supposed to be immediately erased or encrypted. And to make matters worse, researchers believe that hackers can sometimes pluck the valuable data right out of thin air, thanks to insecure wireless networks at some stores.
The warning comes as investigators try to find the origin of a data leak that has led to thousand of thefts from consumer bank accounts through fraudulent ATM withdrawals from as far away as Russia.
Special software used to diagnose potential problems with transaction processing programs is now suspected as the source of the data leak, says security expert Avivah Litan, an analyst at research firm Gartner. The software is sometimes incorrectly configured to capture and store transaction data, she said.
Litan said researchers also believe criminals were able to steal the data by eavesdropping into insecure wireless networks at retail stores.
Such eavesdropping is supposed to be useless to criminals looking for PIN codes, because the numbers are encrypted immediately after they are entered into checkout counter PIN pads. But criminals who plucked the data out of the air, probably from a laptop computer in a nearby parking lot, hit the jackpot. The encryption key needed to derive customer PIN codes from transaction data was stored in the same computer file, Litan said.
The news follows disclosure last week that Visa USA issued a warning to some banks about transaction software made by Texas-based Fujitsu Transaction Solutions Inc., saying it could incorrectly store "sensitive cardholder data" in certain configurations. Visa spokesman Jay Hopkins refused to provide additional details.
The Fujitsu software helps retailers transfer account numbers and PIN codes entered at cash registers to the shopper's bank for verification. The account data is supposed to be deleted as soon as it is passed on to the merchant’s bank, which then forwards the information to the shopper's bank.
Fujitsu Chief Operating Officer Ed Soladay said the software packages Visa mentioned in its warning — Fujitsu's RAFT and GlobalSTORE programs — don't store personal information.
But he said the company does write add-on software called "trace utility" software that is used for diagnostic purposes. These add-on programs can be configured to store transaction data, including account numbers and encrypted PIN codes, he said. The programs are not designed to be used in live environments, with real customer data, and Fujitsu frequently warns its customers not to do so, Soladay said.
"Time and time again we have told our clients they need to be very, very careful with these," he said. Companies that do use such utilities in a live environment are out of compliance with Visa and Mastercard security requirements, Soladay said.
Nevertheless, merchants sometimes do just that, he said, putting the consumer data at risk.
Wireless network tapped, encryption key stolen
Litan says researchers from financial companies now believe misused trace utility software is to blame for this latest rash of identity theft.
Researchers have backtrackedthe stolen data to transaction software running a trace utility that was used to process OfficeMax purchases, Litan said.
OfficeMax, which has repeatedly denied it has suffered a security breach, did not immediately return phone calls requesting comment for this story.
The retailer does use the Fujitsu software mentioned in Visa's recent warning. In January, Fujitsu issued a press release saying OfficeMax had deployed its GlobalSTORE software at point-of-sale terminals and mobile devices in 940 stores around the country.
Because of the presence of the trace utility program, the data was inadvertently saved, Litan said. Researchers now believe the data was stolen by a hacker who connected to OfficeMax computers over an open wireless connection, probably by someone using a laptop computer in a nearby parking lot, Litan said.
That alone would not have been enough to place customers at risk for fraudulent ATM withdrawals, because PIN codes are normally encrypted immediately as they are entered by consumers into store PIN pads. But special encryption keys for the data were stored on the same computer file that also stored the encrypted PIN data, Litan said — giving the criminals everything they needed to decode PINs, print fake ATM cards and withdraw money from anywhere in the world.
It's possible a third-party company was responsible for maintaining the computers used to process OfficeMax transactions, Litan said — the company hasn't revealed details about its transaction processes. But ultimately, the retailer that accepts the customer's personal information is responsible for keeping it safe, she said.
OfficeMax has issued several statements saying it does not believe it has suffered a security breach. The company issued a statement last week saying a third-party security expert had conducted a thorough forensic analysis and concluded that the firm did not suffer a security breach.
But Soladay said OfficeMax had not contacted Fujitsu to discuss the situation, or to discuss the Visa warning about the payment software.
Incident highlights bigger problem
Despite laws in several states mandating disclosure of data leaks to impacted consumers — disclosures that became familiar after last year's high-profile data thefts at ChoicePoint Inc. and several other firms — no company has issued a disclosure in the wake of the recent wave of debit card and PIN theft. Consumers must discover the thefts from their bank accounts on their own and request refunds from their financial institutions within 60 days. Litan says while companies involved are blaming each other, consumers are getting hurt.
"It's terrible that all this is being delayed because no company wants to accept responsibility for liability reasons," she said.
While investigations into this most recent incident focus on OfficeMax, Litan said credit card issuers are concerned that hackers have found a weakness in the PIN-debit system and will continue to attack it at retailers.
The PIN-based magnetic card systems was designed to be limited to bank-controlled ATM machines, she said. PIN-based transactions are now increasingly common at retailers, partially because they pay lower fees for PIN transactions than credit card transactions. But that's opened the system to millions of additional points of attack. Retailers are generally less security-conscious than banks, she said. There are concerns, for example, that misused trace utility programs may be common.
"(Financial institutions) have told me they're concerned this is going to keep happening," she said.