Firewall Wizards mailing list archives

Re: Transitive Trust: 40 million credit cards hack'd


From: Vin McLellan <vin () theworld com>
Date: Sat, 18 Jun 2005 13:02:07 -0400

Marcus wrote:

40M credit cards hacked
Breach at third party payment processor affects 22 million Visa cards and 14 million MasterCards.
http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes

This sounds like (yet another) classical example of "transitive trust gone wrong." Visa/MasterCard trusted a 3rd party to hold their data and - oops - the trust was misplaced.

<snip> <snip>

I figure Paul and I and the other "security graybeards" can let this kind of thing keep happening for a few months more and then we can start turning on the big, blinking neon lights that say "We Told You So." Transitive trust is a *HARD* problem in security. Always has been, always will be. But today's businesses convinced themselves that they could basically ignore it - mostly because the obvious stuff like patching and vulnerability management was more obvious and accessible.

Maybe the security lessons to be drawn from the dissemination of valuable data throughout the enterprise can be passed on to those who seek to do the same thing in an even larger arena?

The Department of Justice, in its eternal push for more surveillance options, has apparently just proposed regulations or legislation that would require ISPs to concentrate and retain the data generated by their customers in one place, so that it is convenient for the DoJ and other lawmen to access a complete record of online behavior.

On Dave Farber's "IP" list, Hugh-list <hugh-list () thoughtballoon com> just posted a thought-provoking note that explored one of the unexpected consequences likely if such legislation were enacted.

Hugh wrote:

So if I understand this, the DoJ would like to set up one-stop shopping for identity thieves (and terrorists) who would be able to get an internet user's credit card info, a record of what they buy and from whom they buy it, any online airline ticket sales, a record of blogs, email, dating services and whatever else an ISP's customer does online.

Sound familiar?

One of the ways the credit card companies detect fraud is by noticing new and unusual behavior. Armed with the info they get from an ISP's retained data, fraudsters can pick the identities of people with a history consistent with the fraud they wish to perpetrate. Now, in addition to old-fashioned credit card fraud, a crook or terrorist could even more successfully impersonate their victim.

You want to buy 8 tons of ammonium nitrate or a thousand gallons of diesel fuel and have it delivered to the corner of a field in a remote location? What better way than to have the credit card info and address of a farmer who makes these transactions on a regular basis?

Want to get on an airplane to Washington DC but you are on one of those pesky no fly lists? Just grep the convenient ISP retained records for airline ticket sales to Washington DC, match those sales to members of online dating services, find someone who has the "paperless ticket" for a flight you want and looks like you, mug them on their way to the airport, and there you are at the gate, with a ticket and a photo ID.

Does SANS, or the Computer Security Institute, or some other entity, ever try to offer the voice of the front line InfoSec troops in response to this sort of proposal?

Suerte,
           _Vin



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards