BreachExchange mailing list archives

Re: VISA / 1ST BANK


From: George Toft <george () myitaz com>
Date: Fri, 20 Oct 2006 13:35:42 -0700

The new truth of the Digital Millennium: "Your personal information 
expires when you do." ~Brian Honan / SANS

Until the lawmakers of Washington suffer ID Theft, nothing will change. 
If I were an ID thief, I would definitely dump any high profile name 
from my database - no need to spoil the party.  And the party will 
continue until some high profile politico gets burned.

I was in Home Depot this week at the customer service counter.  A 
customer was telling the clerk about someone running around with his 
SSN.  It is becoming commonplace (at least in Arizona).

George Toft, CISSP, MSIS


blitz wrote:

I think what we're seeing is the affected companies being told by their 
law-vultures to release as little as possible to minimize exposure. This 
in its essence, limits as well, the ability of independent verification 
and investigation to assist others in prevention and bring guilty 
parties to justice.
This is a trend that should be stopped ASAP. I believe they as well as 
we understand the time to "walk the walk" is upon us, and some serious 
lawsuits are in the offing in lieu of actually securing our data. The 
only model they will accept is one like HIPAA where the Fox guards the 
hen house.

One more notable side effect I'm seeing is the taking on blind faith 
that a missing data set has been recovered and has not been tampered with.
Says WHO? The FBI? They're ankle deep in these cases, and in case you 
don't remember recent history, they have been less than honest in 
evidentiary cases in the past. A company like MC or Visa certainly has 
the political and monetary clout to buy the results they're seeking.
Don't make me laugh. Hasn't been accessed? Copied to another hard drive 
for eventual compromise, maybe yes, but not tampered with? The 
professional thieves have access to the same tools we do. Compromising 
even an encrypted set of data is not an IF proposition, but merely a 
WHEN one. Anyone who understands distributed computing knows the power 
of a supercomputer is well within the budget of almost anyone who puts 
their mind to it.
Does the old cops-and-robbers line "let's lay low till the heat goes 
down" ring a bell?
When data's gone, it's GOT to be presumed compromised, period. Extend the 
meager protections, mail the letters, and by all means, DO NOT allow a 
weak data protection statute at the Federal level preempt stronger State 
statutes.
The bottom line is all about minimizing exposure, and the clients who 
were compromised be damned.
We need some serious introspection of what we believe, and who we trust 
after the fact IMHO.
Marc

At 16:43 10/19/2006, you wrote:

The way I read the notification, it didn't sound like the processor 
was affiliated with 1st Bank:
 
"We would also like to reassure you that the compromise of information 
occurred at a merchant card processor's location, not FirstBank and 
therefore your account information at FirstBank has not been obtained 
by these unauthorized indivuduals(SIC)."
 
Perhaps they are just notifying customers affected by another 
company's gaffe? Must be a bad day if they didn't even spell-check the 
notification before it went out.
 
-Dennis
 

------------------------------------------------------------------------
*From:* B.K. DeLong
*Sent:* Thu 10/19/2006 1:21 PM
*To:* Chris Walsh
*Cc:* dataloss () attrition org
*Subject:* Re: [Dataloss] VISA / 1ST BANK

Is it that hard to find out who did the card processing for 1st Bank?

On 10/19/06, *Chris Walsh* <cwalsh () cwalsh org> wrote:

    On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
    > Well, whoever it was will probably get whacked with a HUGE fine for
    > violating PCI Security standards. I'm guessing it won't take long to
    > determine who falls under approved card processors for Visa.


    They might get fined, but not by Visa.  Too much butter on that bread
    to throw it in the bin.

    The FTC, OTOH, may do some enforcement:
    http://www.emergentchaos.com/archives/2006/06/prediction.html

    Visa has been zealously guarding the "privacy" of these processors since
    at least December of 2005, when the Sam's Club stuff started to hit the
    fan.  Even Gartner called MC and Visa out on it:
    http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html

    Chris




-- 
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org/                    Son.
http://www.ianetsec.com/                     Work.
http://www.bostonredcross.org/              Volunteer.
http://www.carolingia.eastkingdom.org/   Service.
http://bkdelong.livejournal.com/              Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org/
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 137 million compromised records in 430 incidents 
over 6 years.



