Hannaford breach raises new fears
In particular, the standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment, so Navetta believes Hannaford may have erroneously felt safe leaving data unencrypted in a spot that turned out to be vulnerable.
Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process.
Wider use of encryption might seem an obvious answer. Because it's so difficult to detect when information is being stolen while in transit, companies "need to wake up to the fact that they need to encrypt information along every step," said Richard Gorman, CEO of Vormetric Corp., a data security firm in Santa Clara, Calif.
But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware.
"Would you like to sit at your gas pump for five minutes to get an authorization?" said Avivah Litan, a security analyst at Gartner Inc.
Litan believes that the PCI standards are strong and clear enough, but that Hannaford's assessor failed to properly test where the stores' network was open to intrusion. Or the assessor might have overlooked the threat from insiders such as contractors with access to key systems. Likely, she said, the auditors placed "too much focus on data at rest and not enough on who can see data in transit."
Litan argues that the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions, she said, "would remove 75 to 90 percent of the fraud in the system."
The attack on Hannaford stores in the Northeast and its affiliated Sweetbay outlets in Florida exposed 4.2 million card numbers between Dec. 7 and March 10. Apparently about 1,800 cards have been used fraudulently. The U.S. Secret Service is investigating.
In the biggest such data theft, thieves busted the central database of TJX Cos., parent of the T.J. Maxx and Marshalls retail chains. The thieves took information tied to at least 45 million credit and debit cards, and are believed to have gotten the information that gave them undetected access to TJX's database by intercepting wireless signals in two Marshalls stores.
Hannaford doesn't store credit card information in its databases and uses a wired network to transfer information, said spokeswoman Carol Eleazer. Hannaford is still trying to figure out, she said, how its thefts occurred.
Brian Bergstein reported from Boston.