ATM theft investigators eye software flaw

Hackers may have plucked PIN codes, encryption key out of thin air

By Bob Sullivan
Technology correspondent
MSNBC
updated 11:17 p.m. ET March 22, 2006


U.S. retailers are being warned that software they use at checkout counters may store too much customer information — including customer debit card PIN numbers that are supposed to be immediately erased or encrypted. And to make matters worse, researchers believe that hackers can sometimes pluck the valuable data right out of thin air, thanks to insecure wireless networks at some stores.

The warning comes as investigators try to find the origin of a data leak that has led to thousands of thefts from consumer bank accounts through fraudulent ATM withdrawals from as far away as Russia.


Special software used to diagnose potential problems with transaction processing programs is now suspected as the source of the data leak, says security expert Avivah Litan, an analyst at research firm Gartner. The software is sometimes incorrectly configured to capture and store transaction data, she said.

Litan said researchers also believe criminals were able to steal the data by eavesdropping on insecure wireless networks at retail stores.

Such eavesdropping is supposed to be useless to criminals looking for PIN codes, because the numbers are encrypted immediately after they are entered into checkout counter PIN pads. But criminals who plucked the data out of the air, probably from a laptop computer in a nearby parking lot, hit the jackpot. The encryption key needed to derive customer PIN codes from transaction data was stored in the same computer file, Litan said.

The news follows disclosure last week that Visa USA issued a warning to some banks about transaction software made by Texas-based Fujitsu Transaction Solutions Inc., saying it could incorrectly store "sensitive cardholder data" in certain configurations. Visa spokesman Jay Hopkins refused to provide additional details.

The Fujitsu software helps retailers transfer account numbers and PIN codes entered at cash registers to the shopper's bank for verification. The account data is supposed to be deleted as soon as it is passed on to the merchant’s bank, which then forwards the information to the shopper's bank.

Fujitsu Chief Operating Officer Ed Soladay said the software packages Visa mentioned in its warning — Fujitsu's RAFT and GlobalSTORE programs — don't store personal information.

But he said the company does write add-on software called "trace utility" software that is used for diagnostic purposes. These add-on programs can be configured to store transaction data, including account numbers and encrypted PIN codes, he said. The programs are not designed to be used in live environments, with real customer data, and Fujitsu frequently warns its customers not to do so, Soladay said.

"Time and time again we have told our clients they need to be very, very careful with these," he said. Companies that do use such utilities in a live environment are out of compliance with Visa and Mastercard security requirements, Soladay said.

Nevertheless, merchants sometimes do just that, he said, putting the consumer data at risk.
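The failure described in this story has two parts: a diagnostic trace utility left switched on in production, writing account numbers and encrypted PIN blocks to disk, and the PIN-encryption key sitting in the same file, which makes the encryption worthless. A practical check a merchant or assessor can run is to scan trace output for exactly those items before a terminal goes live. The script below is an added example, not code from Fujitsu, Visa or the article; the key=value trace format and the field names (PAN, PINBLK, TPK) are hypothetical, and the sample lines are constructed, not captured from any real system.

```python
import re

# Constructed sample trace output in a hypothetical key=value format.
# It is not the output of any real vendor utility; it only illustrates the
# kind of data a misconfigured diagnostic trace can write to disk.
SAMPLE_TRACE = [
    "14:02:11 TXN start term=0012 lane=3",
    "14:02:11 PAN=4111111111111111 EXP=0908 AMT=4219",
    "14:02:12 PINBLK=1F2E3D4C5B6A7980 KSN=FFFF9876543210E00001",
    "14:02:12 TPK=0123456789ABCDEFFEDCBA9876543210",
    "14:02:13 AUTH resp=00 rrn=123456789012",
]

# A run of 13 to 19 digits not adjacent to other digits; Luhn filters the rest.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Hypothetical field names for an 8-byte encrypted PIN block (16 hex chars).
PINBLOCK_RE = re.compile(r"\b(?:PINBLK|PINBLOCK)\s*[=:]\s*([0-9A-Fa-f]{16})\b", re.I)
# Hypothetical field names for a PIN-encryption key: TPK/ZPK are the usual
# terms for terminal and zone PIN keys; 16 to 48 hex chars covers DES/3DES.
KEY_RE = re.compile(r"\b(?:KEY|TPK|ZPK)\s*[=:]\s*([0-9A-Fa-f]{16,48})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the report is not itself a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (kind, masked_value) pairs for sensitive fields found in one line."""
    findings = []
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(0)):
            findings.append(("PAN", mask_pan(m.group(0))))
    for _ in PINBLOCK_RE.finditer(line):
        findings.append(("PINBLOCK", "<redacted>"))
    for _ in KEY_RE.finditer(line):
        findings.append(("KEY", "<redacted>"))
    return findings


def scan_trace(lines):
    """Return [(line_no, kind, masked_value)] for every sensitive field found."""
    report = []
    for n, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            report.append((n, kind, value))
    return report


def assess(report):
    """Rate the trace. Encrypted PIN blocks alone are useless to a thief; PIN
    blocks stored beside the key that protects them are the failure mode the
    story describes, because every PIN in the file can then be recovered."""
    kinds = {kind for _, kind, _ in report}
    if {"PINBLOCK", "KEY"} <= kinds:
        return "CRITICAL: PIN blocks and PIN key in the same trace (PINs recoverable)"
    if "PAN" in kinds or "PINBLOCK" in kinds:
        return "HIGH: cardholder data written to trace"
    return "OK: no cardholder data found"


if __name__ == "__main__":
    findings = scan_trace(SAMPLE_TRACE)
    for n, kind, value in findings:
        print(f"line {n}: {kind} {value}")
    print(assess(findings))
```

Run against the constructed sample, the scanner flags the PAN on line 2, the PIN block on line 3 and the key on line 4, and rates the trace CRITICAL; drop the key line and the same file rates only HIGH, which is the difference between a leak of encrypted PIN blocks and a leak of usable PINs. A scanner like this is a detective control only: the real fix is the one the vendor states, never running the trace utility with live customer data, and keeping PIN keys out of any file a point-of-sale host can write.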

Wireless network tapped, encryption key stolen
Litan says researchers from financial companies now believe misused trace utility software is to blame for this latest rash of identity theft.

Researchers have backtracked the stolen data to transaction software running a trace utility that was used to process OfficeMax purchases, Litan said.


OfficeMax, which has repeatedly denied it has suffered a security breach, did not immediately return phone calls requesting comment for this story.

The retailer does use the Fujitsu software mentioned in Visa's recent warning. In January, Fujitsu issued a press release saying OfficeMax had deployed its GlobalSTORE software at point-of-sale terminals and mobile devices in 940 stores around the country.
