funsec mailing list archives
Re: The PCI sky *isn't* falling!
From: nick hatch <nicholas.hatch () gmail com>
Date: Mon, 23 Mar 2009 12:46:51 -0700
On Mon, Mar 23, 2009 at 12:15 PM, Rob, grandpa of Ryan, Trevor, Devon & Hannah <rMslade () shaw ca> wrote:

> "The officer added that breaches such as the ones at Heartland Payment Systems Inc. and RBS WorldPay Inc. were shaping public opinion and obscuring what otherwise has been `substantial progress' on the security front over the past year."
>
> How *dare* the news shape public opinion?
What really frustrates me about the Heartland breach is the lack of transparency in disclosure. Their original press release had statements like "Last week, we learned we were the victim of a security breach within our processing system in 2008." and "We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands."

This should be read as "we finally found where the breach was, months after we were originally notified. Our CEO has been selling off stock in the meantime." (Heartland was notified of suspicious activity statistically linked to them by Visa on October 28th(!) 2008. [1])

I've heard plenty of rumors that the Heartland breach was an inside job from those a bit closer to the know. It would seem to make sense.

Until the details are known in full, it seems a bit premature to debate the effectiveness of PCI and use Heartland as evidence one way or another. Even if the transactions were encrypted on the wire, a lack of internal controls could still allow a theoretical insider to run amok.

-Nick

[1] http://advice.cio.com/paisano1/heartland_now_under_sec_investigation
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.