Sticky Questions on the Hitachi AoC in the Great Indian Credit / Debit Card Security Disaster

by Dinesh Bareja, 12/02/2017, in India Unplugged

So Hitachi Payment Systems came out with an Admission of Compromise (AoC) that they had a data breach which (possibly) led to the Great Indian Debit Card Security Disaster of October 2016.

Please note that we want to avoid the use of the word “hack” because people are associating it with malicious intent (or action), whereas a hack or hacker is not to be thought of negatively. That’s why this has been termed the Security Disaster – maybe companies will be more amenable to breach disclosure if it is not called a hack.

We have put out a list of questions below. We do not expect a response, because it would expose much more in the public space than any organization should. However, we hope that these questions will lead to enough soul searching, because auditors (in India) generally do not shoot from the hip, as we are too “professionally sensitive” (if you know what I mean; just look back at the infamous auditor / auditee promiscuous relationships that have caused cancerous frauds and stakeholder grief in the country).

BTW the Great Indian Credit/Debit Card Security Disaster happened in October 2016 when a number of banks (SBI, Canara Bank, Axis Bank, Yes Bank etc.) and NPCI stood up and said they were going to replace about 3.2 million cards as something had gone bad someplace. And yes, they also said that 641 cards (or was it 681) had been compromised and about Rs. 13 million ($195,000) was defrauded.

So here goes... our questions on the AoC.

Dear Hitachi… you are PCI compliant, which is public knowledge since you are listed on the PCI website, but (unfortunately) you “suffered” a data breach. It can happen to anyone, because everyone knows no security implementation is 100%, BUT there are a number of “loaded” phrases and statements in your AoC that raise suspicions about the state of the PCI robes that you were (are) wearing.

Are these questions relevant, and can you ask them of yourself (share with us if you can)?

  1. At the most basic level
    1. Did you not have a DLP?
    2. Did you not have a SIEM?
    3. Do you have a SOC which is manned and operational?
    4. Did you not have PCI certification in spirit, or was it just for the sake of having it?
  2. Do you monitor your network 24×7 or just one shift?
  3. When was the last time you did a VAPT / AppSec test on your network infrastructure?
    1. Was it automated or manual?
    2. Did you pay more or less <wink – we all know how clients ask for just a report so that they are compliant with the PCI requirement>?
  4. We are sure you have Anti-Virus but do you have anti-malware? If yes, how come there was no alert until the problem was flagged by Yes Bank? No anomaly alerts... <OMG – what do you use?>
  5. Have you ever been audited by any of the constituent banks or NPCI who are using your services? If not, then please make sure you blow the whistle on them too and get them in trouble when you are being screwed.
  6. The breach / incident was announced in October and the forensic audit was ordered by RBI. The results have been announced now. During this period, from October 2016 to February 2017, did you continue operations or were they suspended?
    1. If operations were continued, then what were the “overnight” steps taken to ensure that nothing would go wrong (if any)?
      1. OMFG, you guys were allowed to continue with ‘business as usual’ and all was hunky dory.
    2. Have any of the constituent / client banks placed an auditor or observer on premises, or taken any extreme security protection measures, in this period?
  7. When the incident was discovered, you informed RBI and NPCI but omitted filing a police complaint. Does this mean that Hitachi, as a foreign entity, does not respect the law of the land?
    1. RBI and NPCI are regulatory bodies and have no business trying to take on the role of an LEA.
    2. Do Hitachi, RBI and NPCI realize that by not filing a police complaint they have indulged in a criminal act?
    3. And by starting a forensic investigation they have contaminated the evidence which may have held some clues for the LEA.
    4. Who is responsible for this act?
  8. If Hitachi did not know that a certain law (the IT Act) required them to file a police complaint, then can we safely assume that Hitachi does not have adequate governance in their organization?
  9. Now that it is established that the problem was at Hitachi, will you be providing monetary compensation to the banks for the re-issue of cards?
  10. You have stated in the press release “we assure you of our highest commitment to building a robust infrastructure in our systems” – does this mean that you DID NOT have a robust infrastructure earlier and (in spite of the same) have been accepted by all the banks, RBI and NPCI to provide these services?
    1. If you were PCI certified (as per your website https://www.hitachi-payments.com/infrastructure.html), does one assume that this was a sham certification and needs investigation too?
    2. The website says “Our stringent compliance processes and systems ensure that cardholders can make secure transactions and are assured that their data is well protected” – and it is surprising that the malware is untraceable by you or your band of merry men.
    3. It seems that you discovered that there was a breach on being informed by Yes Bank, and then went crying to Mamma and Papa. I am curious to know what your Incident Response team did at that time.
      1. Did you pull the plug when the incident was flagged?
      2. Did you do nothing and wait for Mamma and Papa?
  11. You have yet to clarify what part of the operation was compromised – Card Management & Gateway, ATM Switching, back office, Central operations etc.
    1. If all your operations and services share a common data center and hosting, then did the forensics cover the whole suite of operations or just the switching system?
  12. I think there is much more than meets the eye – you are “supposedly” PCI compliant, having about 285,000 POS devices under management and over 30 banks, but you are unable to capture malicious activity on your network. Then it seems that there is no security audit done by any of your customers! Post incident, you are yet to approach the Police to lodge a formal complaint, so does one assume that you and the regulators are cronies and have something to hide?
    1. Please desist from making statements like “in the interest of internal security we cannot disclose it all” because there is nothing that cannot be ‘exposed’.
  13. You have stated that the malware was sophisticated and “securely” deleted all traces of activity.
    1. In that case, how can the forensic examination conclude that debit card numbers and PINs were compromised?
    2. Did you store PINs along with the card information (yikes)?
    3. If the malware was securely deleting data, or its tracks, do we assume that your network security monitoring systems did not detect any anomaly?
  14. Assuming the malware was so sophisticated as to evade identification, do we assume that your network is not monitoring out-bound traffic? Or did the malware send data out of your network by using one of the user IDs / email systems?

BTW this set of questions can also be the one you ask your auditor, and we will be really curious to know what action (if any) was taken against the QSA who has been certifying your organization. All free!

AoC – Admission of Compromise – a First

We have to give credit where it is due – so Hitachi gets a medal for being honest enough to say “it was us”. Saying sorry, or owning up to a mistake, surely needs a lot of guts in the Indian psyche, and Hitachi has scored top marks here. Whether it was forced by a local stakeholder (quite possible) or the Japanese parent (very possible) is another thing altogether, but we do not want to rub anyone’s nose in the dirt.

Let’s hope that this becomes the norm.

About the PCI scene in India

Ask anyone and they will tell you that the PCI implementation business is like bhelpuri or chana-chaat. It is strongly L-1 (lowest bidder), and someone in this business here has a terrible reputation in terms of quality of service. Have a chat with some folks in the consulting business and it will be easy to identify this QSA. It seems that India has the lowest cost for PCI compliance certification in the world – are we surprised?

Tags: 3.2 million cards, Hitachi, Hitachi Payment Systems, india, npci, PCI Compliance, Questions, RBI
Dinesh Bareja

Cyber Security practitioner and evangelist working in cyber security in national and enterprise application. Contributor to national policy, awareness and development of capacity / capability. Keeps a critical eye on the past, present and future in the infosec domain, and firm believer in common sense. Uses practical thinking to demolish purveyors of cyber hype and snake-oil.
© 2018 IndiaWatch - All Rights Reserved. Website Design: Jemistry Info Solutions