Unauthorised copies of Card Recon in circulation

On Friday night, CSO magazine reported that a three-year-old version of Card Recon (version 1.14.7) surfaced in a toolkit known to be used by hackers. The Card Recon version in this toolkit was illegally modified to remove the license validation process which prevents its unauthorised use.

Card Recon was designed to help merchants and their PCI QSAs fight against cardholder data theft by empowering them to identify any rogue instance of this data and to remove it so that there’s nothing left for the bad guys to steal.

The tables have now turned with criminals using the same tools as the good guys. This proves that hackers also want access to security tools that can improve the accuracy of identifying sensitive data in the easiest possible manner.

Like all responsible software companies, Ground Labs uses the industry’s best practices in fraud screening systems and implements license authentication within our products to prevent illegitimate use. Card Recon has been actively used over the last six years across hundreds of thousands of systems to help organisations become PCI Compliant. The growth of our user base makes it hard to track and prevent unauthorised access or modification to the software binaries after they have been downloaded.

We would like to reassure all customers and QSA partners that this news does not create any impact on you and Ground Labs has not suffered any system compromise or data loss.

However, we do advise that you should only be using versions of Card Recon downloaded directly from the Ground Labs customer portal. If you are not running the tool, only allow reputable security consultants listed on the PCI Qualified Security Assessors list to provide and operate Card Recon in your IT environment.

We have provided some answers to possible questions you may have about Card Recon.

If you do have any other questions, please contact our team at any time as we would be happy to provide clarification or further advice.

I’m an existing Card Recon customer. Am I or my customers affected by this?

This situation does not affect customers who are using a genuine copy of Card Recon downloaded from Ground Labs or have acquired this through a current PCI QSA.

If you are unsure, please download the latest version of Card Recon. The current latest version is 2.0.6 and is available from: https://services.groundlabs.com/

I’m an Enterprise Recon or Data Recon customer. Am I affected?

Enterprise Recon and Data Recon were not reported to be copied or modified. However, we will always recommend that you only download your product directly from the Ground Labs customer portal or acquire it through a current PCI QSA.

What version of Card Recon was copied and modified? How do I find out if my copy of Card Recon is genuine?

The illegitimate copy of Card Recon for Windows 32-bit (GUI) is derived from version 1.14.7 and it is more than three years behind our current release (2.0.6). Other versions of Card Recon, including modified Card Recon binaries for other operating systems and CPU architectures, were not reported to be in circulation.

A legitimate version of Card Recon will be digitally signed by Ground Labs. This can be verified by right-clicking on the file within Windows and selecting Properties. The newest version of Card Recon (2.0.6) will display the following under the “Digital Signatures” tab:

Valid Card Recon Signing Signature

An illegitimate copy of Card Recon will display an invalid signature. Alternatively it will not display “Ground Labs Pte Ltd” as the entity who has signed the software. According to a security analyst report, the MD5 checksums of the illegally modified software are as follows:

cardrecon_v1.14.7_cracked.exe – bbb1b9968e9136899029d9972ef26f88
cardrecon_v1.14.7_cracked_consultant_edition.exe – D72b3914e26813fb0288a701fd0dac06
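
The two checks described above (signer identity and the reported MD5 checksums) can be run across a folder in one pass. The following PowerShell script is an added example, not code from Ground Labs; the default scan folder and the `cardrecon*` name pattern are assumptions, while the signer name and MD5 values are taken from this page.

```powershell
# Added example, not Ground Labs code. Default folder and name pattern are assumptions.
param(
    [string]$ScanPath    = 'C:\Tools',     # hypothetical folder to check
    [string]$NamePattern = 'cardrecon*'    # assumed naming of Card Recon binaries
)

# MD5 values of the modified builds, as listed in this advisory (lower-cased).
$KnownModified = @{
    'bbb1b9968e9136899029d9972ef26f88' = 'cardrecon_v1.14.7_cracked.exe'
    'd72b3914e26813fb0288a701fd0dac06' = 'cardrecon_v1.14.7_cracked_consultant_edition.exe'
}
$ExpectedSigner = 'Ground Labs Pte Ltd'    # signer name given in this advisory

function Test-CardReconBinary {
    param([Parameter(Mandatory)][string]$Path)

    $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLowerInvariant()
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Simple name (normally the CN) of the signing certificate, if there is one.
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    # A hash match is conclusive; otherwise require a valid signature by the expected signer.
    if ($KnownModified.ContainsKey($md5)) { $verdict = 'KNOWN-MODIFIED' }
    elseif ($sig.Status -ne 'Valid')      { $verdict = 'INVALID-OR-MISSING-SIGNATURE' }
    elseif ($signer -ne $ExpectedSigner)  { $verdict = 'UNEXPECTED-SIGNER' }
    else                                  { $verdict = 'OK' }

    [pscustomobject]@{
        Path = $Path; MD5 = $md5; SignatureStatus = $sig.Status
        Signer = $signer; Verdict = $verdict
    }
}

# Hash every .exe so renamed copies are caught; report signature results only for
# files that look like Card Recon, since other vendors' binaries have other signers.
Get-ChildItem -LiteralPath $ScanPath -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $r = Test-CardReconBinary -Path $_.FullName
        if ($r.Verdict -eq 'KNOWN-MODIFIED' -or $_.Name -like $NamePattern) { $r }
    } | Format-Table -AutoSize -Wrap
```

An MD5 match identifies only these two exact files, so a copy modified in any other way is caught by the signature check rather than the hash list.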

What modification was made?

The modification removed any license restrictions on Card Recon that prevent its unauthorised use. It is unclear what further modifications were made.

Is Card Recon still a safe tool to use?

Yes. In fact it’s one of the most common tools used by security professionals within the Payment Card Industry and their clients.

Only a genuine copy of the latest version of Card Recon (currently version 2.0.6) should ever be used and this is available from the Ground Labs Customer Portal.

Can this happen to any software?

Unfortunately yes, cybercriminals have been modifying software to circumvent license restrictions since Copy Protection was first introduced more than 30 years ago. It is common for modified copies of popular software packages from well-known software brands to be found on websites that promote software piracy and file exchange networks such as BitTorrent.

Should I try out the modified version?

If you have already acquired a modified version, you should delete this immediately as it has been modified illegally and redistributed without Ground Labs’ permission. As such, any use of these versions is in violation of Ground Labs’ license agreement and it would constitute software piracy.

Any copy of Card Recon that was not acquired from Ground Labs or a reputable PCI QSA should not be trusted under any circumstances.

I’m not a customer. How do I acquire a legitimate copy of Card Recon?

We offer a free trial of Card Recon for 21 days to genuine companies who wish to perform cardholder data discovery within their environment. Visit http://www.groundlabs.com/try to apply for a free trial.

Visa Security Summit Dubai 2011

Visa Security Summit June 2011 – Dubai

Ground Labs Sponsor Stand Demonstrating Cardholder Data Discovery at Visa Security Summit Dubai

Ground Labs displayed live cardholder data discovery demonstrations to delegates attending the Visa Security Summit event in Dubai.

Our team once again attended the second Visa Security Summit 2011 held this time in Dubai on June 14 – 16 at the Grand Hyatt.
Delegate attendance consisted of financial acquirers, issuers and Visa business partners primarily from the Middle East, Africa and European regions. This also included a large contingent from various law enforcement agencies who work closely with Visa and its member financial institutions to track down and convict the criminals responsible for data breaches and financial fraud.
The event outline was similar to the Jakarta summit in that it covered multiple areas related to fraud and data compromise including Payment System Security and PCI Compliance, EMV Migration, Contactless Payments and Fraud Mitigation Best Practices.

The Visa Security Summit Dubai 2011 was held at the Grand Hyatt Hotel. This photo of a Dubai sunrise was taken from the 14th floor in the hotel. Dubai Airport hides in the background behind the haze.

The Dubai summit attracted various senior executives within Visa including Nigel Bath (Head-Fraud Control & Investigations International) and Mike Smith (Head, Risk Management Asia Pacific, Central Europe, Middle East & Africa) who offered presentations explaining current data compromise and fraud statistics and how Visa’s data security and fraud initiatives have been instrumental in mitigating many of the threat vectors that have evolved over the past 10+ years.
Also in attendance at the event was Ground Labs’ Middle East partner, Paladion Networks, who already provide QSA and IT security management services to many of the financial institutions in attendance, and Stickman Consulting, who recently expanded their global presence by opening a local office in Dubai.

An afternoon sunset in Dubai taken from the Desert Dunes on the 3rd day of the Visa Security Summit 2011.

Ground Labs’ presentation at this summit targeted financial institutions undergoing internal PCI compliance projects whilst also attempting to bring their merchant customer base into compliance. There were some great questions from the audience throughout the presentation, leading to some discussion highlighting the fact that cardholder data can be found almost anywhere and only through cardholder data discovery can such instances of PCI non-compliance be accurately identified and resolved in a timely manner.

The vast desert dunes 50km outside of Dubai - taken on the 3rd day of the Visa Security Summit 2011.

Throughout the conference, the strong need to be prepared for a cardholder data breach was noted on multiple occasions. There have been many high profile cardholder data breaches where the notification time taken to advise acquirers and card schemes was unacceptable by industry standards. Visa publishes guidelines on how to handle being breached including what to do, who to contact and when. These guidelines are available at Visa’s In Case of Compromise site (or visit the US link), which contains the What To Do if Compromised guideline document outlining Visa’s recommendations for handling a cardholder data breach.
Our appreciation and praise go out to Agnes Ng, Emoke Bitter, Mike Smith, Nigel Bath and the rest of the Visa team from Singapore who executed these 2 highly successful events in Jakarta and Dubai respectively.