Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:22):
Welcome to Making Data Better, a podcast about data quality and the impact it has on how we protect, manage and use the digital data critical to our lives. I'm George Peabody, partner at Lockstep Consulting, and thanks for joining us. Today we're going to tell the first of a series of Making Data Better stories. This one, like so many others, arose out of need and will point
(00:51):
to how difficult making data better can be. In October 2008, Heartland Payment Systems discovered it had been breached. Albert Gonzalez and several individuals hacked their way through an external company website using SQL injection, an attack that often, or rather too often, still works, into the
(01:15):
core of Heartland's payment systems. They were able to copy credit and debit card numbers and other data used in payment authorization. At the time, that data enabled those who bought it to create new MagStripe cards. It was disastrous.
(01:38):
Some stats about the hack: Heartland's stock price fell by 77% in the months following the attack. Some 130 million card numbers were exposed. Heartland paid 60 million in fines to Visa, over 40 million in fines to Mastercard, 5 million to Discover and 3.6 to
(02:02):
American Express. And, of course, there was a big hit to the business of signing up merchants to accept cards using Heartland services. To me, however, to me, this is also something of a hero story,
(02:24):
because Heartland's leadership, led by CEO Bob Carr, got angry. Yes, they got angry at the hackers. But, more important, they took that anger and frustration and used it to fill a gaping hole in card system security, way out in front of what the card systems themselves required. I was fortunate to play a very minor part in Heartland's
(02:47):
response. As an analyst, I got to know some of the key players who will, in this episode, tell their part of the story. We'll start with then CTO Steve Elefant, who, as you'll hear, joined Heartland to help lead the recovery. Steve, welcome.
Speaker 2 (03:08):
Thanks.
Speaker 1 (03:08):
George.
Steve, your CV is very long. I want to ask you just to give a couple of highlights here about your time in the payments industry.
Speaker 2 (03:17):
So I've been doing payments since before Fintech was a term. I started a company called ICVerify which is the first PC-based payments software in the 1980s. I merged that with CyberCash where it became a public company, went on and did several other companies in the online auction space using genetic algorithms, in the micro payment space,
(03:37):
spent some time with some big companies like Google and Heartland and Ford Adventure Capital Company along the way and starting a new venture capital called Soaring Ventures.
Speaker 1 (03:46):
Right now, so you mentioned a firm called Heartland Payment Systems, and that's actually where this story begins and comes together. Heartland is a payment processor serving merchants, or was at the time, serving merchants largely in the physical point of sale domain, had a big footprint of merchants,
(04:07):
many of them in the restaurant space and retail, and they were selling basically merchant services, card processing services, to those merchants. So what happened?
Speaker 2 (04:19):
Heartland had a little problem before I got there. We had a major breach. At the time, it was the largest breach in US history. They exposed card numbers mostly through sniffers. The attackers got into the systems through an innocuous server that just served up web pages, but they got their credentials to then get into the payment servers and mapped it
(04:41):
out for 18 months and figured out how it all worked even better than Heartland knew, I think, from what I was able to look at the records. Then they start cycling out card numbers.
Speaker 1 (04:50):
Wow, so it was a SQL injection, kind of a classic hacker tool. Yes, exactly. And what was the impact on Heartland when the breach happened?
Speaker 2 (05:00):
You know, the company had a pretty difficult time. It was a public company. Heartland was one of the top 10 processors in the US. The stock went on the NASDAQ from 30 down to 3. The card brands were threatening to put them out of business. They had to figure out how they were going to come back from very large breach.
Speaker 1 (05:18):
This is an
existential event for the
company.
Speaker 2 (05:21):
Yes, very much so. It had been around for 20 plus years. Bob Carr did a great job starting it from scratch and now they had to figure out how to bring it back. I had known Bob for a long time through the industry and the industry events. He asked me to come in as a consultant and see what I could figure out. I had been a CEO, so I had a CEO's 30,000 foot view of
(05:42):
security and how to deal with that and how to take a deep dive into the weeds and really learn a lot more about encryption and tokenization and best practices in security. Because of the breach, it was such big news. We literally had every major security company in the world come into us saying we have a solution for you and we can fix it. We had to sort through all those and figure out what was
(06:04):
real, what we could use and what was practical. That took a little bit of time but we ultimately came up with a solution we called end-to-end encryption.
Speaker 1 (06:14):
Back then, card numbers were encoded on MagStripes in the clear, no encryption whatsoever.
Speaker 2 (06:21):
Yeah, there were no
chips on cards for validations,
so it was just MagStripes.
Speaker 1 (06:26):
So data in the clear. When you swipe your card in the terminal, it was entered in the clear into the terminal. Then pass it on up the wire, if you will, to Heartland.
Speaker 2 (06:36):
Yeah, who sort it and pass it on to the card brands like all the other processors did. What happened to Heartland? We shared a lot of the best practices and what we learned with the other major processors through various industry groups, because it was bad for the industry. We learned a lot and they were just as exposed as Heartland was.
Speaker 1 (06:56):
We tried to help them grab solutions as well, so what was the solution that you put together?
Speaker 2 (07:01):
How did you make the?
Speaker 1 (07:02):
data better.
Speaker 2 (07:03):
We looked a lot at different things. We ultimately settled on working with a company called Voltage for the encryption part of the solution. They had a very elegant solution, brilliant Stanford engineers, and it had already been proven. It was used in major banks like Wells Fargo and they had a stellar list of clients and customers. We did a lot of reference checking, a lot of validation on
(07:25):
the solution. Then, through a contact that I had back in the IC Verify days in the early 90s, a company called Uniform Industrial out of Taiwan. They had made MagStripe readers for me when I started IC Verify and I thought they made terminals or they could. It turned out they hadn't made a terminal yet. So I went to them and the principals were still there and
(07:46):
they reached out to some of their friends in Taiwan and came up with terminals.
We ultimately put this into Verifone and Hypercom terminals. But we created a tamper-resistant security module, a TRSM. That was literally like a Mission Impossible. If you tried to open it or crack it, it would self-destruct. That tamper-resistant security module was attached to the
(08:08):
MagStripe head. So from the time you swipe the card all the way through the terminal, through the operating system of the terminal, when it goes over the wires, over the phone lines. The internet was still young in the payments world, so a lot of the stuff went out over phone lines, which are very easy to tap into as well. It went into Heartland systems and all the way through the Heartland networks until we passed it off to the card brands.
(08:29):
It stayed encrypted with a very elegant solution that at the time was unbreakable.
Speaker 1 (08:35):
So you had the private key, if you will, at Heartland, decrypted it just before you sent it on to the card brand, so the card brands didn't have to make any changes to their system. Meanwhile, you'd secured it from the moment the customer swipes the card to pass us up through Heartland.
Speaker 2 (08:55):
Yeah, part of the challenge was we were dealing with these fairly antiquated terminals that had been around for a long time. They didn't have a lot of memory, they didn't have a lot of real estate, and so we had to figure out how to get very tight, complex encryption code into a chip on a terminal. So that took a bit of time and the Voltage people were brilliant about how to write tight code and UIC figured out
(09:16):
how to physically get it in there and we came up with this E3 portal.
Speaker 1 (09:20):
Did it change how Heartland, or did the experience change how Heartland stored card data thereafter?
Speaker 2 (09:27):
Yeah, we used it for not only data in flight, I was it, as we call it, but data that we stored because we had to provide reporting to merchants and on their sales and their transactions. So we need to store static information and we need to store the information was a flight? How to just change how you store the static information and we went from everything being in the clear to everything.
Speaker 1 (09:49):
So it was all encrypted that thereafter as well. Yeah, so you really had. Unless the hacker had a tap on the private circuit between you and Visa and you and Mastercard, there was nothing to steal inside of the Heartland servers.
Speaker 2 (10:03):
Yeah, which is very difficult. I'm like, the card brands are, you know, pretty, pretty hard and they've never been breached, knock on wood, and we had a dedicated circuit, you know, from our back into their, their finance. So yeah, that would have been really, really hard. Yeah, ultimately, we got a couple of the card brands that started doing some tests with us and we started passing on encrypted data to them.
(10:24):
But they were very, very reticent at first because, you know, they really did want to point out the fact that so, so much of this was out the clear. That mode of operating with the data that clear has been around since the first, first card, which is literally a piece of cardboard, and that had just gotten automated in the 1960s. I mean, when I got into the industry, when I started getting
(10:46):
getting to retail, when I got out of college in 1980, they still had nothing but sirs, you know, Zips, that machine so that you were physically taking an imprint of the, of the raised letters on the numbers on the card and you had charge slips and you took those to the bank bank like a deposit every day. It was a very, it was not, not elegant but it was functional.
Speaker 1 (11:06):
There are a lot of, now, a lot of folks listening to this like trust, who have, don't even know what an embossed card looks like. One of the interfaces changes that have been made along with EMV chips, which is provides a bit of transaction unique,
(11:29):
encrypted data that runs along with the card number all the way back to the issuing bank, so that helps that bank know that they're dealing with a card that in fact they issued and put into the hands of their account holder. And another change that's happened to make data better, since what you did, Steve, with your, you and your team, was
(11:50):
really the EMVCo tokenization specification. That's the approach that Apple uses, where actually what's transmitted over the wire, or am I saying transmitted over the air, between the iPhone and the contactless reader in the terminal? That number isn't in fact the number that's, is your funding
(12:13):
account number. It's just a token that's been provisioned by your bank into the Apple wallet. It's the bank at the back end that more or less figures out the mapping between the two. A couple of examples there of making data better.
Speaker 2 (12:28):
I've had a lot of friends who have me being saying I'm not comfortable putting my credit card in my Apple wallet because that's a cure, and I'm saying, you know, I'm really insecure. This is a very well designed so you don't have to worry about your card getting compromised from your iPhone.
Speaker 1 (12:42):
I wonder to that extent that that, that reticence has been one of the reasons why it's, it's taken. It took Apple a long time to start reaching the hockey stick uptick in the use of Apple Pay.
Speaker 2 (12:56):
Yeah, well, the community factor of it. I mean, I rarely pull my credit card out of my wallet anymore. I tap with my phone and more often I tap with my Apple Watch and I pay, pay with NFC through, through my, my watch, in my phone and I never have to pull out a card.
Speaker 1 (13:10):
Some, someone, merchant doesn't have a NFC reader, all right, and those are the most secure card transactions that are out there hasn't reached that.
Speaker 2 (13:17):
I'm gonna see it
happen.
Speaker 1 (13:18):
Well, Steve, thanks very much, appreciate you. Setting the way back machine to the year was a 2007, 2008, when 2008 when the breach happened, which is not that long ago, 15 years ago. Yeah, so the industry's done a lot of work to make card data better and make it, make it more resilient in the transaction
(13:38):
contexts where card numbers are showing up today.
Speaker 2 (13:41):
Yeah, we got a lot of pushback in the day from PCI DSS, which was just starting out, the Payment Card Industry Data Security Standards. They didn't like the fact that we called it end-to-end encryption. They wanted to call point-to-point.
Speaker 1 (13:52):
We says not point-to-point, it's from one end of our network to the other end of the network. As a matter of perspective, true, but to your credit, what you did, the design that you put in place and put into the market, that galvanized not only the security standards development but it also galvanized other terminal manufacturers and other
(14:14):
processors in the industry to adopt end-to-end encryption.
Speaker 2 (14:19):
Yeah, and you know, we, we had processors and terminal manufacturers coming to us and though we trademarked it and patented, we got a patent around it. We shared it because we thought it was important for the industry to not have another breach like Heartland had. So we tried to help them out through, through a number of different avenues and for Heartland it was a two-part solution.
(14:42):
One part was, you know, this physical security with the TRSM and the terminal. The other part was the psychological part that people needed to have confidence in, in Heartland again. So we actually offered a warranty to the merchant that said if you get breached we'll pay any fines or fees or anything happens to you. And that was a part of bringing the company back.
(15:02):
And we brought the stock from three back in them like 40s or 50s, and it ultimately got sold to Global Payments for billions. So, but it took. It was on the brink, the me other card brands were not happy, the it was teetering.
Speaker 1 (15:16):
Okay, safe. Well, one last question: who done it?
Speaker 2 (15:19):
Bad guys in Eastern Europe, the, the three letter agencies. Ultimately, when I got my security clearance, you know, kind of reveal a little bit more that they were very, very sophisticated. Very smart. Is that they have better. They're just grammatics. From what I saw, the Heartland system then Heartland's engineers did well. They knew how long ran they'd had plenty time to 18 months.
(15:41):
They said that the system just watched and listened and waited until the time to bust it out.
Speaker 1 (15:47):
Yeah, I think at the time the value of a credit card number was in the 25 to $50 range.
Speaker 2 (15:53):
Yeah, same old by
that time.
Just three million cards,that's a real bank.
Speaker 1 (15:57):
That was worth.
That was worth the month, ayear and a half for weight.
Speaker 2 (16:01):
The patients pays on
probably pretty good pity.
Speaker 1 (16:04):
That's a value book
today because of these tools and
other controls.
Speaker 2 (16:08):
Yeah, the industry's changed and, you know, ultimately I got elected to the PCI board, which I mean it was kind of a, you know, a coup because we were the bad guys in the industry and, you know, people started to see, see that really, really was a sophisticated, robust, secure solution, and we tried to work with a lot of different insurer organizations. There's, there's a thing called the FS-ISAC, the financial
(16:29):
services industry to treat you some brother, and so all the banks and all the process was blood, that all the security people on the CIOs and CTOs, and so we shared as much knowledge and, you know, told the one hand and try to help them avoid it.
Speaker 1 (16:45):
All right, well, thanks very much, Steve, really appreciate it.
Speaker 2 (16:47):
You're welcome, George, my pleasure.
Speaker 1 (16:50):
To be clear, getting card data encrypted before it entered the network required new hardware support. The old gear couldn't be upgraded because running encryption software in the terminal's operating system was insecure. Hacking an OS is doable. You have to trust the data coming into the network and the only way to do that in this case was to encrypt it before it
(17:11):
touched software. Security oftentimes requires hardware support. So to add some depth to the hardware side of the story, let's bring in Tom Sigler, who ran the effort for Taiwan's Uniform Industrial Corporation. Let's get right to it. One of the things that jumped out at me from a conversation with Steve was about the challenge of getting Voltage's
(17:34):
code, and he was really complimentary about the size and efficiency of that software. But I also know that a TRSM is a microcontroller, so there's usually not a lot of space there. What was that process like for you as the, as the hardware integrator?
Speaker 4 (17:54):
I still remember the first meeting with Terence Spies and the rest of the guys when they were talking about their code which revolutionized remote key management and the encryption process, and they were expecting megabytes of RAM and memory to put their code, and when we told them that it
(18:15):
was going to be tens of K bytes, there was a silence in the room and they kind of looked at each other and we'll have to take a look at that. They did do it. They got it in to our security chip processor with literally
(18:36):
bytes to spare. There was, there was no left over space at all. I used to write code in my youth and I was more impressed with this than anything I've ever seen. Wow, to go from something that usually was 10 megabytes down to a few hundred K bytes and have it still work, that was impressive.
Speaker 1 (18:56):
Did they rewrite in
assembler or they divide and
conquer the functionality?
Speaker 4 (19:02):
They had to go low level on the code. They were basically in assembler language, so they had to rewrite their high level language code to fit into the specific code structure of these security chip microprocessors that we used.
Speaker 1 (19:19):
So that's called right programming right down on the metal. So that's indeed, indeed. And that's not a skill everybody has, right? And we've, no, absolutely not.
Speaker 4 (19:31):
Especially this. 10, 15 years ago people were already starting to just reuse code bundles. You know, if you wanted to do encryption, you just grab a public domain DES routine or whatever. I called it glueware, because you just glue stuff together and nobody cared how
(19:52):
big it was or how inefficient in terms of memory. But that was a huge issue with these terminals because they were never designed to operate that kind of code. The microprocessor that we used in the first terminal was different from the subsequent chips. That terminal was not actually a UIC original.
(20:13):
We were partnering with a company in Hong Kong, I don't remember their full name, but it was ICON, a four-man shop including their CEO and founder, and they had a terminal that was not even in alpha or beta. I mean, it was basically a laboratory exercise at that
(20:35):
point and our CEO made a deal with them because, to go back a little bit, when Steve Elefant called UIC because he had done business with them in the past, he expected someone else to answer. I was about six months in the VP chair and though I knew Steve from his past, when he had been at the forefront of POS based
(21:01):
payment systems, he came to the bank I was working at in their credit card division and pitched that. So I remembered Steve. He's hard to forget and when we talked, I'm not the kind of guy who would say no, we can't do that when I'm talking to somebody like Heartland Payments. At that time I think they were the eighth biggest processor in
(21:22):
the country and for UIC that would have been a huge piece of business, which it was. So I immediately thought of this ICON terminal that we were working with the Hong Kong company on, because he wanted a desktop, the traditional thing with the card swipe and the printer and all that. That would either be dial up or IP.
Speaker 1 (21:42):
Classic stand beside
terminal.
Speaker 4 (21:44):
Exactly, that's where they wanted to start. We ended up doing a couple other products for them, but we went there and after I hung up, of course, what I thought was how the hell are we going to do this on the timeframe that Heartland wants it done? They basically wanted it in six to nine months, which nobody was going to provide, and, a little sidebar, the good folks
(22:09):
at Verifone and Steve talked, I don't know if he mentioned that, but they wanted to be the exclusive provider of E3 terminals and either Steve or Bob Carr probably said no, you can have a part of the business, but not all of it. They wanted to cut us out. I think at that time they saw UIC as not a big threat but
somebody that was coming up andmight be a competitor.
More on that later.
There was an interesting littleside issue that occurred.
So we worked with ICON, paidthem a bunch of money and their
engineer worked with ourengineers and they kept
developing it and then within afew weeks we had some test units
in our shop in Fremont,california, where we did a lot
(22:54):
of testing.
They also had some in Taipei,of course, a lot of problems
early on because really thedevice was not ready for prime
time, we had to pretty muchre-engineer the boards.
The mechanical aspect of it hada lot of problems.
The printer didn't work right.
(23:16):
But with a lot of hard work andovertime the UIC engineers did
a very good job putting togethera usable terminal, though it
still did have some issues, oneof which was do you remember
AmEx came out with that blotBlack metal credit card?
Speaker 2 (23:36):
Yeah, caused us some
problems.
Speaker 4 (23:39):
When someone carried a static charge and they would swipe that through the card reader, it was blowing up our security chip. So we had to spend a few weeks figuring that one out. So there's always issues and hiccups, but the pressure was on. Heartland wanted that terminal. Though we didn't promise an exact due date, we were shooting
(24:02):
for one. I got to say, our engineers and the Voltage people and a fair amount of help from the Heartland engineering team, we did get a good product to market. It, I think, helped change and make data better.
Speaker 1 (24:17):
Thanks for that. It became the new benchmark. It was the new model that then was adopted by Payment Card Industry Data Security Standards and a whole new certification process built up around the model that you guys pioneered.
Speaker 4 (24:35):
We did two other devices for them, also with the Voltage security software embedded in there. One was a handheld PIN pad that was an existing UIC product, so that one we got to market in just a short time, a ruggedized, really high quality product that had a MagStripe reader. And the one that I thought was really exciting was the
(24:59):
standalone MagStripe reader, or a wedge as a lot of people called it. We converted and built a whole new hardware and software architecture to make a little MagStripe reader, you know, like three inch by one inch, a secure device. So we even sent an early prototype over to Infoguard to
have them evaluate it.
They pointed out there is noPCI standard for MagStripe
readers because nobody hadconsidered doing this.
It's something that I suggestedto Hartland that would be a good
supplement to the product line.
We had the stand-besideterminal, the pin pad that you'd
integrate into your eitherterminal or your PC, and yet
(25:40):
there were still a lot ofmerchants that wanted just a
simple MagStripe that you'dstick on the side of their
display.
Infoguard gave us some reallygood advice, helped make the
product better and we got it tothe point where I thought we
could legitimately claim thatthat little magstripe reader for
a couple hundred dollars wasequivalent to a PCI approved
(26:04):
device for security, physical,logical, et cetera.
If you opened it up it zeroeditself out, had a little micro
operating system in it thatmonitored a secure web of mesh
around it.
It was a pretty cool littleproduct.
Speaker 1 (26:19):
That's great. And now, of course, it's morphed into the Square dongle.
Speaker 4 (26:24):
Yeah.
Speaker 1 (26:24):
Does encryption. It's 15 bucks. That has staples. Of course. Now it's orphaned, since we don't have audio jacks anymore. Mostly it's 45 bucks or something like that for the Bluetooth one.
Speaker 4 (26:38):
Of course, all three of the products that we made had very strong encryption of the data and fit into the E3 and with Voltage's key management system we could keep rotating keys as needed depending on the volume of data or timing or whatever. They had a pretty slick product.
(26:58):
I was skeptical at first, having grown up, so to speak, in the industry, but I was impressed when I dug into that a little bit and read some of their patents and some of the other information that they could provide.
Speaker 1 (27:12):
Well, obviously you were the right guy for gluing software and hardware together into a product. I suspect it must have been really satisfying to see that go out the door and get used.
Speaker 4 (27:21):
Oh yeah, once we got rid of some of the issues like the AmEx card ESD, once everything was production worthy and in the field and being deployed, we had several thousand of those terminals out there. The feeling was tremendous. I threw a party for our team at UIC to celebrate what they'd
(27:44):
accomplished and they worked so hard. There were several people that, though I won't name, they know who they are and they did phenomenal work.
Speaker 1 (27:54):
Well, Tom, thanks so much. Great to catch up with you on this.
Speaker 4 (27:57):
You're welcome.
Speaker 1 (28:00):
As Steve and Tom said, getting sophisticated encryption software into the tamper-resistant security module built into the MagStripe reader wasn't easy. Here's Mark Bower, now VP of Product Management at confidential computing leader Anjuna Security, who was one of the leaders at the time at Voltage Security, to talk in more detail about their making data better technique.
(28:23):
So, Mark, could you just quickly give us a top level on Voltage's expertise and how it fit into the overall Heartland story about making its data better?
Speaker 3 (28:34):
Yeah, absolutely. So at the time, Voltage was a pioneer in what was called data-centric security and that was essentially protecting data by neutralizing it from risk and allowing the data to still largely be used and to flow through systems. So this was really, really important in the Heartland
(28:54):
scenario, which was a breach of payment environments. How did you do that? So, if you looked at the nature of the breach, essentially attackers had got into the back end systems of Heartland through a front door with classical SQL injection database compromise, and we were talking a good decade or so ago now when this
(29:17):
actually happened. And really fundamentally, what the attackers did was they got into the back end systems and then stole card data, in particular track data. If you recall, back then you could manufacture own cards and then the rest is history in terms of the threat to consumer cards in that regard. So what Heartland did, working with Voltage at the time, was to
(29:38):
take what is now actually kind of reemerging as an interesting technology, but to combine hardware and software so that you had a hardened environment in the store where the data was captured, so that even under duress and under compromise, things like keys and data couldn't be exposed after it was read, and to keep that data flowing in a protected form all
(30:03):
through those complicated payment systems that are often put together with different mishmashes of interfaces and IT mess underneath.
Speaker 1 (30:13):
Given their vintage, some of them, no doubt, are assembled with, as we used to say, spit and baling wire. Absolutely.
Speaker 3 (30:19):
A little bit like
that.
Speaker 1 (30:20):
Yeah, and they're definitely intolerant of perturbation. What did you do to the data? I mean, there's a 16-digit card numbers typically. Check that data and still not perturb the intermediary systems.
Speaker 3 (30:36):
When you think about data that's coming from those read heads, essentially in the device, and back at the time you swiped your card or you did the chip, what comes out of that is track one and track two magnetic data or its EMV equivalent in the case of a chip card. To all intents and purposes it's essentially a bunch of characters, numbers and symbols that have to be in an exact
(30:58):
format to convey from that device all the way to some back end system so that you could verify the card and so on and essentially process it. The problem was that traditional encryption would break all of that. So if you encrypted a card or a track, you'd get some data but
(31:19):
it wouldn't pass through the cash register, the payment systems, the gateways, the clearing systems, everything. So Voltage came up with technology that sort of appears on the market probably three years before Heartland, and it was called format-preserving encryption technology and this was a way that you could encrypt data without changing the
(31:41):
appearance and the utility of that data. So a credit card could be encrypted to something that looked like a credit card, including the first digits, the checksums. But when you start to get into the track data, you've got start sentinels, you've got everything that's encoded in very fine-grained ways and we managed to create a mechanism
(32:03):
that could encrypt the data so it still flowed through all of those ancient spit and chewing gum systems without breaking them, so you could go from the device all the way through to the Heartland system, end to end, and that was the encryption piece. What was on top of that was the key management piece to make that super easy without having to do things like key injection
(32:26):
or persistent keys in the end point, which is always a point of potential attack. It was a hybrid technology of encryption and key management that solved that problem and changed the way the industry behaved.
Speaker 1 (32:38):
Say a little bit more about the key management, because the key is injected at some point at manufacture, I guess, in the read head at the terminal.
Speaker 3 (32:50):
In the old way, yeah, and remember too, back in the day when these kinds of breaches happened, you didn't even have encryption of that data. It flowed in the clear over things like internet channels and modems and things like that. So fundamentally, you had to figure out a way to encrypt the data without breaking it and still retaining strength. That was a very hard problem to solve, but when you think about
(33:14):
how people manage terminals today, even today when you handle debit cards, for instance, at a manufacturer, you have to inject keys into that device, which is itself a very expensive process. It was in $1,500 per device to inject a key. So we solved for that problem by using a technology called identity-based encryption and, to sum it up, essentially what
(33:37):
it allowed you to do was to create random keys in the device, securely exchange them with that secure interchange of data along with the track up to the host, and the host could recover the key. And you didn't ever have to inject a symmetric key into the device, which is vulnerable, it's expensive and requires you to have extra hardware in there.
(33:58):
So by combining these technologies, and you know, Heartland shoehorned this into their device, when you swiped your card in the stores where this was implemented, like Home Depot and other places, essentially, you were going from that device all the way to this backend system encrypted, and so the only point of
(34:21):
compromise was the actual physical card itself.
Speaker 1 (34:24):
As I recall, one of
the part of the magic of the
format preservation was that for routing reasons we needed
the first six characters in that 16 to be able to identify the
issuing bank.
That the authorization request has to go to that in the clear,
and I think you left the last four in the clear for receding.
Speaker 3 (34:47):
Correct, because you
also have the check somewhere
you have to maintain to let the intervening characters, a term
numeral rather.
Speaker 1 (34:56):
That was where the
encryption took place.
Speaker 3 (34:59):
Yeah Well, the thing
is too, all of that data is
encoded in tracks.
So what you see on a receipt of your last four digits, there's
a different encoded version of that in the track.
And so there's all sorts of mechanics that you had to do
mathematically to make sure that that track stayed looking like
a track, which is much harder than you think about, because
track is also encoded with.
It's not ASCII, it's kind of a, I think it's like a 64
(35:24):
character set, so it's different again.
So there was much more going on under the covers.
But at the end of the day, what Heartland were able to do which
was powerful for the industry, was give guarantees to their
merchants to say you use us, which uses that technology,
which is our hardware, with the Voltage software and our
(35:45):
infrastructure, and we will guarantee that if you have a
breach, we will pay out all of the consequences of that.
And that was a game changer, because it became a technology
problem with a technology solution but with a massive
business advantage to them.
So they went from being breached to being a leader,
which is a.
That's exactly the way you should respond to a breach make
(36:06):
change, embrace things that are different, disrupt industry, but
in a very positive way, and the outcome is better security for
consumers and better security for merchants.
Speaker 1 (36:18):
And a 10X increase in
your stock price.
Speaker 3 (36:22):
Exactly, and the rest
is history.
Now they've been acquired by Global Payments, who continue
using this.
And what I love about this too, George, is that I'm able to
walk into stores or gas stations and whether it was what was
Voltage did or whether the rest of the industry responded I know
there are certain devices where I know the software is going to
do its trick with good hardware and I know my card's not going
(36:44):
to get breached.
And I have personal confidence and a little bit of satisfaction
from seeing that transition in industry, which is now almost a
given end to end security.
Speaker 1 (36:53):
The model that you
all put into place has now
become a standard model and, underneath the Payment Card
Industry Data Security Standards and comparatively open
ecosystem, following that model that you all pioneered.
Speaker 3 (37:06):
Exactly and NIST did
approve that standard.
Speaker 1 (37:10):
We worked very
closely with NIST on getting
format preserving encryption through as a mode of AES and
it's withstood heavy, heavy scrutiny. Of course, encryption
is a major tool here, but at the same time and it was happening
both online and offline environments where, at least to
protect data at rest, merchants were using a technique called a
(37:32):
tokenization, which is simply storing something of low value
and almost outsourcing the storage of the high value data
to a service provider.
Did Voltage have any play in that?
We?
Speaker 3 (37:45):
did.
We did so, obviously, getting the data up.
You're rotating keys automatically so that merchants
don't have to do anything and so that if there is a key
compromise it doesn't affect the whole system, etc.
But merchants often did things like refunds, their own
analytics and so on, and they needed a reference value, which
in the past, they used the credit card for that, and in
(38:07):
fact, the credit card is really important to merchants because
that's often the identifier that you know about who your
customer is.
It's the only thing that's consistent, and so being able to
replace that with something that's not valuable but still
performs that function was important, and the old ways of
doing that were to have these huge databases of tokens, and so
(38:27):
where we went with Voltage was to disrupt that again, create a
mechanism to give you tokens that could reduce the burden of
managing and storing credit cards, but to do that without
the burden also going back up the chain to the payment
processors, and so, beyond Heartland, many of the payment
processors also utilized this technology.
(38:48):
We saw adoption across nearly all the acquirers in the United
States and abroad of this technique of sometimes of their
own making, but often with Voltage and to the merchants
this became a superpower, because now you could run
analytics without having the burden of compliance.
No cards were in the system.
The only time the card is present is in that consumer's
(39:11):
hand, and that goes to the back end, and then a token would come
back.
So this got the merchants off the hook of PCI compliance,
which was a really big deal.
Speaker 1 (39:22):
I'm laughing.
Here's an example of making data better by making data worse,
at least as far as hackers are concerned.
Speaker 3 (39:31):
Yeah, but in this
world we live in today, this
technology is out there in the physical payments world, but the
thing that's still left over is the soft world of e-commerce
and so on.
That still is an area that is ripe, I think, for additional
disruption, and I bring this to you because I know we're going
to talk about something on a future conversation that might
(39:53):
be related to this confidential computing.
Speaker 1 (39:57):
Yes, absolutely.
We will be coming back to you and the Anjuna security story,
but we'll leave this history lesson at this point.
So, Mark, thanks very much.
We really appreciate it.
Thanks, George.
(40:17):
What was the impact of all this work?
To make, in this case, card data better?
Well, for Heartland, it was huge.
Within a couple of years, Heartland's stock price
recovered from $3 to over $30.
In 2015, Heartland was acquired by Global Payments for $4.3
billion at $100 per share.
As we heard from Steve, some industry cooperation among
(40:41):
competitors was begun, with Heartland helping establish the
Payments Processing Information Sharing Council, a forum for
banks and payment processors to share information about breaches.
Far more important, Heartland's card data encryption model was
adopted and updated by the card systems themselves through their
Security Standards Organization, EMVCo, with certification
(41:06):
developed by the Payments Card Industry Security Standards
Council.
This made MagStripe card entry far safer.
It took the Target breach in 2013, however, to kick the US
card business into adopting the EMV chip card approach, already
in wide use in other parts of the world.
It's another example of hardware's role in data security,
(41:27):
and that's where our main players well, Bob Carr went on
to found another payment processing company, getbeyond.
Steve Aliphond is a venture capitalist.
Mark Bauer's work in confidential computing is about
making private environments built on public cloud
infrastructure secure, and Tom Siggler spends as many days and
(41:49):
nights as he can out hiking in North Carolina.
Oh, Albert Gonzalez.
He's scheduled for release September 9th from federal
prison.
Since the Heartland breach, much has changed.
We've gone, as I said, to chip cards that have their own
hardware approach to data generation and encryption.
In an upcoming story we'll talk about the technique employed by
(42:13):
Apple Pay to make data better and its use of metadata that
makes finer grained transaction analysis possible.
Well, that's it for this episode.
If you have ideas about topics for the podcast, drop me a line
at George at Making Data Better.
Until next time, I hope all is well.
Thanks for listening and for your work in Making Data Better.
(42:37):
My data story is I am sick to death of buying products and
then seeing the advertisement for the product I just bought
(42:58):
for the next month.
Really, we can't do better than this.
Speaker 4 (43:03):
Yeah.
Speaker 1 (43:04):
It just speaks to the
low quality of ad tech.
Speaker 4 (43:08):
Well, I'm sure AI is
going to fix all of that.
Speaker 1 (43:11):
Oh, absolutely yeah.
We've only got a system now to produce bullshit at industrial
scale at zero cost.
What could go wrong?