BreachExchange mailing list archives

Network Solutions Breach Revives PCI Debate


From: security curmudgeon <jericho () attrition org>
Date: Tue, 11 Aug 2009 07:14:00 +0000 (UTC)


---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.bankinfosecurity.com/articles.php?art_id=1691

By Linda McGlasson
Managing Editor
Bank Info Security
August 10, 2009

The recent data breach at Internet domain administrator and host Network 
Solutions compromised more than 573,000 credit and debit cardholders and 
raises the question: What more can be done to secure such systems? The 
incident also raises new questions about the Payment Card Industry Data 
Security Standard (PCI DSS).

At the time of the breach, discovered in June, Network Solutions says it 
was PCI compliant. The breach was the result of hackers planting rogue 
code on the company's web servers that intercepted financial transactions 
between the hosted sites, mostly small online stores, and their 
customers.

So, if Network Solutions was PCI compliant, how could it be breached? Paul 
Kocher, chief research scientist at Cryptography Research Institute, says 
the fundamental limitation with PCI is that it attempts to distill 
security down into a static set of requirements, while adversaries aren't 
restricted to a rigidly-defined set of methods. "As a result, clever 
attackers will always find holes," he says. "PCI does provide some value 
by forcing merchants to put some effort into addressing the most common 
attacks, but the objective is to reduce total risk -- not stop all 
attacks."

Changes that would increase the burden on merchants could raise the bar 
further, Kocher notes, "Although it's not clear how much impact this will 
have on actual fraud rates." At this point, he sees no sign that security 
standards are anywhere near close to putting fraudsters out of business, 
and forcing them to work a bit harder doesn't necessarily mean they'll 
actually steal less. Kocher says the most effective anti-fraud step the 
U.S. card industry could take would be a real effort to adopt smart 
cards. The secrets needed to copy a card stay in the chip, and terminals 
for card-present transactions simply do not have access to those secrets.
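To make Kocher's point concrete, the following is an added illustration, not
code from the article or from any card scheme: a toy challenge-response model
(HMAC-SHA256 over a transaction counter, a terminal nonce and the amount) that
stands in for a chip card's cryptogram, beside a static-credential card whose
only secret is the data the terminal reads. It is not the EMV specification;
the card numbers, track data, keys and amounts are all constructed.

```python
"""Why a chip card resists cloning while static card data does not.

Toy model only: HMAC-based cryptograms, not EMV. All values are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _cryptogram(key: bytes, pan: str, atc: int, nonce: bytes, amount_cents: int) -> bytes:
    """MAC binding this transaction's counter, terminal nonce and amount to the card key."""
    msg = pan.encode() + atc.to_bytes(2, "big") + nonce + amount_cents.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class ChipCard:
    """The issuer-shared key stays inside the chip; only cryptograms leave it."""
    pan: str
    _key: bytes = field(repr=False)
    atc: int = 0  # application transaction counter, incremented per transaction

    def respond(self, nonce: bytes, amount_cents: int) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "cryptogram": _cryptogram(self._key, self.pan, self.atc, nonce, amount_cents)}


class Issuer:
    """Holds per-card chip keys and the set of valid static (magstripe-style) credentials."""

    def __init__(self) -> None:
        self._chip_keys: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}
        self._valid_tracks: set[bytes] = set()

    def issue_chip_card(self, pan: str) -> ChipCard:
        key = os.urandom(16)
        self._chip_keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def issue_static_card(self, track_data: bytes) -> bytes:
        self._valid_tracks.add(track_data)
        return track_data

    def authorize_static(self, track_data: bytes) -> bool:
        # The credential is the data itself, so a verbatim copy is indistinguishable.
        return track_data in self._valid_tracks

    def authorize_chip(self, resp: dict, nonce: bytes, amount_cents: int) -> bool:
        key = self._chip_keys.get(resp["pan"])
        if key is None or resp["atc"] <= self._last_atc[resp["pan"]]:
            return False  # unknown card, or a counter already used (replay)
        expected = _cryptogram(key, resp["pan"], resp["atc"], nonce, amount_cents)
        if not hmac.compare_digest(expected, resp["cryptogram"]):
            return False  # cryptogram not bound to this terminal's nonce and amount
        self._last_atc[resp["pan"]] = resp["atc"]
        return True


def run_scenario() -> dict:
    """Present what a terminal observed once more for a fresh transaction, for both card types."""
    issuer = Issuer()

    # Static credential: everything the terminal reads is everything needed to authorize again.
    track = issuer.issue_static_card(b";4111111111111111=2512101?")  # constructed track data
    observed_track = track  # the terminal, and anything on its path, sees these exact bytes
    static_copy_accepted = issuer.authorize_static(observed_track)

    # Chip: the terminal receives a nonce-bound cryptogram and never the key.
    card = issuer.issue_chip_card("4111111111111111")  # constructed PAN
    nonce1, amount1 = os.urandom(8), 4_999
    resp1 = card.respond(nonce1, amount1)
    genuine_accepted = issuer.authorize_chip(resp1, nonce1, amount1)
    terminal_saw_key = "_key" in resp1  # the response dict is all the terminal ever receives

    # Presenting the observed response for a new transaction fails: the counter is
    # already spent and the MAC is bound to the earlier nonce, not this one.
    nonce2 = os.urandom(8)
    replay_accepted = issuer.authorize_chip(resp1, nonce2, amount1)

    # The real card keeps working for a second transaction.
    resp2 = card.respond(nonce2, 12_000)
    second_genuine_accepted = issuer.authorize_chip(resp2, nonce2, 12_000)

    return {
        "static_copy_accepted": static_copy_accepted,
        "chip_genuine_accepted": genuine_accepted,
        "chip_replay_accepted": replay_accepted,
        "chip_second_genuine_accepted": second_genuine_accepted,
        "terminal_saw_key": terminal_saw_key,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The contrast is the whole argument: with a static credential the issuer cannot
tell a copy from the original, whereas a chip cryptogram is useless outside the
single transaction it was computed for, and the key that would be needed to mint
a new one never crosses the terminal interface.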

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)