Saturday, June 18, 2005

CardSystems Solutions Intrusion Exposes 40 Million Credit Cards

I am stunned by the scale of this story, and I expect to hear it get worse. Yesterday MasterCard International issued a statement that said

"MasterCard International reported today that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards.

MasterCard International's team of security experts identified that the breach occurred at Tuscon-based CardSystems Solutions, Inc., a third-party processor of payment card data."

This AP story mentions "the security breach involves a computer virus that captured customer data for the purpose of fraud" and MasterCard "did not know how a virus-like computer script that captured customer data got into CardSystems' network, which MasterCard said was infiltrated by an unauthorized individual."

The same AP story reports that CardSystems did not expect MasterCard to report the news:

"'We were absolutely blindsided by a press release by the association,' CardSystems' chief financial officer, Michael A. Brady, told The Associated Press when reached on his cell phone."

CardSystems own press release implies they identified the fraud by saying the following:

"CardSystems Solutions, Inc., identified a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident."

While researching this event, I found a story from over two years ago that sounds very similar:

"Information was stolen from more than 2.2 million MasterCard International accounts and approximately 3.4 million Visa USA cardholder accounts, according to those companies.

The theft occurred when the system of a company that processes credit card transactions for merchants was broken into.

Neither Visa nor MasterCard would identify the company that was hacked, nor would they provide information on how the theft occurred, citing security concerns."

I imagine MasterCard learned from that event and decided to go public now as a form of damage control.

I agree with this comment in the latter part of the MasterCard press release:

"While Congress continues to consider data breach notification standards, MasterCard urges them to enact wider application of Gramm-Leach-Bliley, the act that includes provisions to protect consumers' personal financial information held by financial institutions.

Currently, GLBA only applies to financial institutions providing services to consumers, including MasterCard. MasterCard urges Congress to extend that application to also include any entity, such as third party processors, that stores consumer financial information, regardless of whether or not they interact directly with consumers."

1 comment:

Keydet89 said...

"While Congress continues to consider data breach notification standards, MasterCard urges them to enact wider application of Gramm-Leach-Bliley, the act that includes provisions to protect consumers' personal financial information held by financial institutions.

Up until a little over a year ago, I worked in an FTE position for a company that would fall under the expanded GLBA, if it were expanded. Given that I was assigned to address and respond to questionnaires from our customers, I can say that the expansion will be a pretty pointless exercise, and a complete waste of time and money.

These "provisions" usually amount to questionnaires, and little more.

These questionnaires come down from auditors, be they members of our customer's organizations, outside third parties hired by our customers, or simply independent auditors. Some questionnaires are more thorough than others, and some simply have more thought put into them. However, in many cases, the questions simply do not fit the infrastructure, b/c many of them do not apply at all to the way the audited company does business. To those who put these questionnaires together...one size does not fit all.

More often than not, the auditors themselves have no expertise in the area(s) covered by the questionnaire. If a section covers HR or IT, most times the auditor has no background in either area, and is simply a recent college grad who is sent on-site, and has no experience to dig deeper.

Questions, particularly in IT, are not followed up on. For example, one question was, "Do you require the use of strong passwords?" The response from the IT dept was "yes", even though I was fully aware that passfilt.dll was not implemented on any of the domain controllers. So "require" is open to interpretation now? There were no technical requirements in place, nor were there any written policies...it was just something the IT dept liked to encourage. However, the auditor did not have the technical experience to question the response, or to simply say "show me".

In my experience, many of the responses that left the company I worked for were based not on reality, but on what senior management felt the auditor wanted to hear, knowing full well that the auditor would not dig any further.

So...in a nutshell...I have to really wonder what these "provisions" would be. These laws and acts can use words like "requirements" and "audit", but without any real teeth, they're simply pointless and a waste of time. And as long as infrastructures and processes within these financial processing companies are designed with security as an afterthought, or simply without security, such incidents will continue to occur.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com