BreachExchange mailing list archives

Re: VISA / 1ST BANK

From: blitz <blitz () strikenet kicks-ass net>
Date: Fri, 20 Oct 2006 00:22:01 -0400

I think what we're seeing is the affected companies being told bytheir law-vultures to release as little as possible to minimizeexposure. This in its essence, limits as well, the ability ofindependent verification and investigation to assist others inprevention and bring guilty parties to justice.This is a trend that should be stopped ASAP. I believe they as wellas we understand the time to "walk the walk" is upon us, and someserious lawsuits are in the offing in lieu of actually securing ourdata. The only model they will accept is one like HIPPA where the Foxguards the hen house.

One more notable side effect I'm seeing is the taking on blind faiththat a missing data set has been recovered and has not been tampered with.Says WHO? The FBI? They're ankle deep in these cases, and in case youdon't remember recent history, they have been less than honest inevidentiary cases in the past. A company like MC or Visa certainlyhas the political and monetary clout to buy the results they're seeking.Don't make me laugh. Hasn't been accessed? Copied to another harddrive for eventual compromise, maybe yes, but not tampered with? Theprofessional thieves have access to the same tools we do.Compromising even an encrypted set of data is not an IF proposition,but merely a WHEN one. Anyone who understands distributed computingknows the power of a supercomputer is well within the budget ofalmost anyone who puts their mind to it.Does the old cops-and-robbers line "lets lay low till the heat goesdown" ring a bell?When data's gone, its GOT to be presumed compromised, period. Extendthe meager protections, mail the letters, and by all means, DO NOTallow a weak data protection statute at the Federal level preemptstronger State statutes.The bottom line is all about minimizing exposure, and the clients whowere compromised be dammed.We need some serious introspection of what we believe, and who wetrust after the fact IMHO.

Marc

At 16:43 10/19/2006, you wrote:

The way I read the notification, it didn't sound like the processorwas affiliated with 1st Bank:
"We would also like to reassure you that the compromise ofinformation occurred at a merchant card processor's location, notFirstBank and therefore your account information at FirstBank hasnot been obtained by these unauthorized indivuduals(SIC)."
Perhaps they are just notifying customers affected by anothercompany's gaff? Must be a bad day if they didn't even spell-checkthe notification before it went out..
-Dennis



----------
From: B.K. DeLong
Sent: Thu 10/19/2006 1:21 PM
To: Chris Walsh
Cc: dataloss () attrition org
Subject: Re: [Dataloss] VISA / 1ST BANK

Is it that hard to find out who did the card processing for 1st Bank?
On 10/19/06, Chris Walsh<<mailto:cwalsh () cwalsh org>cwalsh () cwalsh org > wrote:
On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
> Well, whomever it was will probably get wacked with a HUGE fine for
> violating PCI Security standards. I'm guessing it won't take long to
> determine who falls under approved card processors for Visa.


They might get fined, but not buy Visa.  Too much butter on that bread
to throw it in the bin.

The FTC, OTOH, may do some enforcement:
<http://www.emergentchaos.com/archives/2006/06/prediction.html>http://www.emergentchaos.com/archives/2006/06/prediction.html

Visa has been zealously guarding the "privacy" of these processors since
at least December of 2005, when the Sam's Club stuff started to hit the
fan.  Even Gartner called MC and Visa out on it:
<http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html>http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html

Chris




--
B.K. DeLong (K3GRN)
<mailto:bkdelong () pobox com>bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org/                    Son.
<http://www.ianetsec.com/>http://www.ianetsec.com/                    Work.
<http://www.bostonredcross.org/>http://www.bostonredcross.org/Volunteer.<http://www.carolingia.eastkingdom.org/>http://www.carolingia.eastkingdom.org/Service.<http://bkdelong.livejournal.com/>http://bkdelong.livejournal.com/Play.
PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
<http://foaf.brain-stream.org/>http://foaf.brain-stream.org/
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 137 million compromised records in 430 incidentsover 6 years.


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 137 million compromised records in 430 incidents over 6 years.

Current thread:

VISA / 1ST BANK security curmudgeon (Oct 19)
- Re: VISA / 1ST BANK Joshua Fritsch (Oct 19)
- Re: VISA / 1ST BANK ziplock (Oct 19)
  - Re: VISA / 1ST BANK B.K. DeLong (Oct 19)
    - Re: VISA / 1ST BANK Chris Walsh (Oct 19)
    - Re: VISA / 1ST BANK B.K. DeLong (Oct 19)
    - Re: VISA / 1ST BANK Dennis Opacki (Oct 19)
    - Re: VISA / 1ST BANK blitz (Oct 20)
    - Re: VISA / 1ST BANK George Toft (Oct 20)
    - Re: VISA / 1ST BANK lyger (Oct 20)
    - Re: VISA / 1ST BANK George Toft (Oct 20)
    - Personal experiences? Was Re: VISA / 1ST BANK lyger (Oct 20)
    - Re: Personal experiences? Was Re: VISA / 1ST BANK Joshua Fritsch (Oct 20)
    - Re: Personal experiences? Was Re: VISA / 1ST BANK Al Mac (Oct 20)
    - Re: Personal experiences? Was Re: VISA / 1ST BANK Henry Brown (Oct 23)
    - Re: Personal experiences? Was Re: VISA / 1ST BANK ziplock (Oct 21)
    - Re: Personal experiences? Was Re: VISA / 1ST BANK Chris Walsh (Oct 21)
    - Re: Personal experiences? Was Re: VISA / 1ST BANK ziplock (Oct 22)

(Thread continues...)