Interesting People mailing list archives
Lessons learned from the MasterCard/Visa heist
From: David Farber <dave () farber net>
Date: Thu, 30 Jun 2005 04:14:28 -0400
Begin forwarded message: From: Ted Kircher <tkircher () comcast net> Date: June 29, 2005 8:29:45 PM EDT To: Dave Farber <dave () farber net> Cc: Ephraim Schwartz <ephraim_schwartz () infoworld com> Subject: Lessons learned from the MasterCard/Visa heist Reply-To: Ted Kircher <tkircher () comcast net> ------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Dave,According to this article, there is no financial down side to a company making these kinds of mistakes. Hence we can expect more such mistakes; some of which might be coordinated between the person making a 'mistake' and someone waiting to quickly exploit the information.
Ted ------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Reality Check, By Ephraim Schwartz June 28, 2005 http://newsletter.infoworld.com/t?ctl=E0B398:205E1D6How could MasterCard and Visa allow 40 million customer credit card numbers to be sucked out of their systems and into the hands of criminals? Last week I called them both to find out.
In response, Visa sent me a prepared statement. One sentence from the statement, in particular, is worth quoting: “We are actively monitoring the situation on a real-time basis using our state-of-the- art fraud-fighting technologies.”
Other than expecting to see VisaMan rip open his shirt to reveal his true identity as a state-of-the-art fraud-fighting superhero, something is wrong with this. Visa’s statement seems more concerned with covering the company’s collective behinds than facing the real issues.
At least, that’s what Avivah Litan, vice president and research director at Gartner, says. And she’s not alone. John Pescatore, a Gartner colleague and one of the most widely respected security analysts in the country, told me that the payment card industry has security rules in place but hasn’t been pushing hard enough and fast enough to enforce them.
CardSystems, the third-party service provider that let Visa/ MasterCard down, made a simple and humble apology, explaining that it had put information it was not supposed to keep into the wrong file. A more meaningless explanation I have rarely heard.
Improper filing or otherwise, someone unauthorized was still able to get behind CardSystems’ firewall, insert code into the system that found the file, and download the data to his or her own system. If nothing else, I would like to ask that person how big a hard drive you need to hold 40 million records.
Fearful that additional layers of security would slow down credit card transactions and scare off customers, the industry has been dragging its feet, but Pescatore says that attitude has backfired. “Consumer confidence is now dropping faster than more security would ever have done,” he says.
After speaking to four security analysts, surprisingly I came away with the same answer from each.
Frank Smith, vice president of the technology strategy group at Capgemini, said, “They don’t supply due diligence to the whole system.” Gartner’s Litan said, “They have everything in place; they just don’t enforce it.” Paul Stamp, security analyst at Forrester Research, said “The processes were not properly enforced.” Pescatore said that the standards “have been pure eyewash. No enforcement.”
Such a security breach is usually brought about by a combination of factors, according to Stamp. There could be a breakdown in the process, or the process isn’t being enforced. A human could be doing something he or she shouldn’t — for instance, an authorized person performing a task they were not authorized to do. Finally, there could be a technical system problem.
The fact that CardSystems, an authorized third-party service provider, was trusted with customer information and did something that was not authorized leads me to ask why the auditors from MasterCard and Visa didn’t know that. Maybe it’s time to re-examine the whole system.
Beyond the current scandal is the reality that enterprises rely more and more on outsourcing providers and business partners. Your company is going to have to trust that someone beyond your own four walls is as diligent as you are.
That’s a tall order. If we’re to learn anything from this latest example, it’s that we need a little less trust and a lot more due diligence to protect our companies’ -- and our customers’ -- information.
------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Lessons learned from the MasterCard/Visa heist David Farber (Jun 30)