IP: British Visa source-code compromised -- from RISKS

[Dave Farber <farber () cis upenn edu>]

Date: Sun, 16 Jan 2000 09:44:26 -0500
From: "Frank Markus" <fmarkus () pipeline com>
Subject: British Visa source-code compromised

According to an article by Jon Ungoed-Thomas and Stan Arnaud in the *Sunday
Times* of London for 16 Jan 2000, British hackers have compromised the
source code for the Visa card system and have sought ransom for it.
Excerpts from the story which I found online under the headline ``Hacker
gang blackmails firms with stolen files'' follow:
Visa confirmed last week that it had received a ransom demand last month,
believed to have been for 10M pounds. "We were hacked into in mid-July
last year" [despite layers of firewalls], said Russ Yarrow, a company
spokesman. It is understood the hackers stole critical source code, and
threatened to crash the entire system. Visa's system handles nearly 1
trillion pounds of business a year from customers holding 800M Visa cards.
No further incursions were detected. [PGN-ed]
But this begs the question of what they should have done -- if anything --
after receiving notification that their system had been penetrated. After
CD Universe's credit-card database was compromised by a hacker/blackmailer,
their system was (apparently) shut down temporarily and its customers
notified (of which I, alas, was one.) Visa seems to have had no fall back
plan for this crisis except to call in the police and hope for the best. If
the hackers have not disseminated the code more widely, Visa has been very
lucky and the damage has been controlled. But how certain can anyone be of
that? And how certain can they be that there was only one penetration?