04 Apr 2008
A recent security breach at US supermarket chain Hannaford Bros was almost certainly the work of hackers exploiting a single code flaw on internal systems, experts say.
Hannaford Bros revealed last month that intruders had broken into its network and stolen the credit card details of some 4.2 million customers.
It is understood that the hackers managed to download card details after the cards had been swiped at the checkout and were in the process of being authorised.
Brian Chess, founder and chief scientist at security firm Fortify Software, claimed that the uniformity of the breach suggests that the attackers were taking advantage of a software weakness.
"The fact that the servers in almost all of the stores were compromised makes it much more likely that the attackers found a vulnerability in a piece of code that was common to all the servers and used malware to exploit the weakness," he said.
"My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers.
"They then figured out that there was a vulnerability on some piece of code running on all of the machines. We see many organisations that are much more lax about internal systems."
Chess added that the interesting thing about the case is that Hannaford Bros is believed to be fully PCI compliant and, as such, is unlikely to have to pay fines under current PCI rules.
"The store chain had passed its PCI audit, but PCI takes a relaxed attitude towards internal machines," he said.
The security expert pointed out that PCI DSS section 6.6, for example, requires companies to "ensure that all web-facing applications are protected against known attacks by applying either of the following methods: having all custom application code reviewed for common vulnerabilities by an organisation that specialises in application security; and installing an application layer firewall in front of web-facing applications".
Because section 6.6 applies only to web-facing applications, this means that Hannaford Bros fulfilled it by default so long as its web applications were only for use inside the corporate network.
"PCI DSS is a lot like a fire code or a health code. It does not guarantee smooth sailing, it just helps people avoid repeating a lot of painful mistakes from the past," said Chess.
Misleading title
Article screams "Security expert slams PCI auditing". The most severe criticism made by Brian Chess about PCI was that it took a relaxed attitude to PCI. The word "slam" therefore is only the author's (Clement James) opinion.
Posted by: Kamal Parmar 16 Apr 2008
Need hooked on Phonics?
Thought there was a misprint in the article but after seeing it twice (organisation) someone needs to do a spell check before publishing.
Posted by: Drive-By-Viewer 05 Apr 2008
Another explanation for the data breach...
...maybe it was an inside job?
Posted by: Graham Cluley, Sophos 04 Apr 2008
Re: Security Expert Slams PCI Auditing
I wonder, would it have helped if PCI-DSS were less focused on just the cardholder information and broader in the scope of the system? I also feel for the QSA, since they will likely come under serious fire for not checking for adequate segregation of the cardholder network from the internal network, or failure to identify adequate controls for protecting the information during the authorization process...whatever the case, since they did the assessment and certified the compliance, they seem like an easy target.
Posted by: david 04 Apr 2008