A very interesting report by the FBI together with the US Secret Service outlines a scheme that uses SQL injection to steal credit card information from financial institutions. The attack goes after the HSMs directly, the banks' key vaults in charge of verifying ATM PINs, in order to brute-force PINs.
The report is unique in describing an attack on financial services. Such attacks are known to happen but are seldom reported, certainly not with the level of detail found in this report. However, the report does not indicate which incident it is based on. Is the close proximity of the report's release to the Heartland incident just a coincidence?
Getting hold of this report took some effort, and the only non-blogosphere copy we found is on the Visa web site. If you know anything about this incident, please help us complete the picture by leaving a comment or contacting us.
I received the following remark on this post by e-mail:
"...This little old chestnut has been around for many years, and those HSMs most at risk are the IP ones. This highlights the importance of network segregation, where your IP HSMs reside in their own controlled segment and only talk to the switch.
Sadly, many firms still operate 'flat' cores, where multiple hosts (and even the desktop PC network!!) reside on the same network segment, making this attack comically easy. This is where the PCI requirements do not go far enough. They are ridiculously verbose, non-prescriptive, wishy-washy motherhood statements. If one reads PCI-DSS, one could be forgiven for thinking it has been written by an auditor, as opposed to a professional who knows payment risks inside out.
I am not a consultant per se, but I am an architect with a major bank whose job it is to map out our compliance strategy for PCI-DSS. PCI-DSS has some good points, but it also misses the bleeding obvious - and HSMs sitting in a non-controlled environment is the most bleeding obvious."
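The two defensive points above, that only the payment switch should be talking to the HSM and that a PIN brute-force shows up as a burst of failed verifications against one card, can both be checked from the HSM's own audit trail. The following is an added example written for this post; it is not code from the FBI/Secret Service report, from Visa, or from the e-mail's author. The log format, the host names, the masked PANs and the thresholds are all constructed assumptions, so the parser will need adjusting for a real HSM's log layout.

```python
"""Flag PIN-verify calls from outside the switch segment and PIN-guessing bursts.

Added example for this post, not from the report or the quoted e-mail.
Assumed (constructed) audit record format, one per PIN-verify call:
    <ISO timestamp> <calling host> PINVERIFY pan=<masked PAN> result=<OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: only the payment switch hosts may call the HSM (the "own
# controlled segment, only talk to the switch" point). Names are constructed.
ALLOWED_CALLERS = {"switch-01", "switch-02"}

# Assumed detection threshold: this many failed verifies for one card
# inside a sliding window is treated as PIN guessing, not a customer typo.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample audit records (hosts, PANs and times are made up).
SAMPLE_LOG = """\
2008-12-15T10:00:01 switch-01 PINVERIFY pan=411111******1111 result=OK
2008-12-15T10:00:05 app-db-07 PINVERIFY pan=540000******2222 result=FAIL
2008-12-15T10:00:06 app-db-07 PINVERIFY pan=540000******2222 result=FAIL
2008-12-15T10:00:07 app-db-07 PINVERIFY pan=540000******2222 result=FAIL
2008-12-15T10:00:08 app-db-07 PINVERIFY pan=540000******2222 result=FAIL
2008-12-15T10:00:09 app-db-07 PINVERIFY pan=540000******2222 result=FAIL
2008-12-15T10:00:10 app-db-07 PINVERIFY pan=540000******2222 result=OK
2008-12-15T10:30:00 switch-02 PINVERIFY pan=411111******3333 result=FAIL
2008-12-15T11:00:00 switch-02 PINVERIFY pan=411111******3333 result=FAIL
"""


def parse_line(line):
    """Parse one audit record into a dict; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "PINVERIFY":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "pan" not in fields or "result" not in fields:
        return None
    return {"ts": ts, "host": parts[1], "pan": fields["pan"], "result": fields["result"]}


def analyse(log_text):
    """Return (unauthorised_callers, brute_force_pans).

    unauthorised_callers: hosts issuing PINVERIFY that are not on the switch
    allow-list, i.e. evidence the HSM is reachable from a flat network.
    brute_force_pans: masked PANs with at least FAIL_THRESHOLD failures
    inside any WINDOW-long sliding window.
    """
    unauthorised = set()
    fails = defaultdict(list)  # masked PAN -> list of failure timestamps
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["host"] not in ALLOWED_CALLERS:
            unauthorised.add(rec["host"])
        if rec["result"] == "FAIL":
            fails[rec["pan"]].append(rec["ts"])

    brute = set()
    for pan, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until the window fits inside WINDOW.
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                brute.add(pan)
                break
    return unauthorised, brute


if __name__ == "__main__":
    hosts, pans = analyse(SAMPLE_LOG)
    print("PIN-verify calls from outside the switch segment:", sorted(hosts))
    print("cards with a PIN-guessing burst:", sorted(pans))
```

On the constructed sample, the database application host shows up as an unauthorised caller and the card it hammered is flagged, while the two spaced-out failures from the switch are left alone. In practice the allow-list check is the more valuable of the two: a flat core is exactly what lets a SQL-injected database server reach the HSM in the first place, and an unexpected caller is a cheaper, earlier signal than waiting for a failure burst.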
http://www.ic3.gov/media/2008/081215.aspx