Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

3 security – data theft: the failures in the U.S.

August 28th, 2007

Recently we presented:

1 security – what every programmer needs to know

2 security – what every programmer needs to know – bookreview

Posting by an expert
From time to time we may have guest contributions about important security issues.
Today we have a contribution from Neil Daswani.
Enjoy reading these contributions. We particularly look forward to the comments you leave for us on the blog (just type them in below).

Recently we posted:

1 Data security breach regulation – does it matter?

Over the past few years there have been a couple of spectacular data theft incidents in the United States. In 2005, a credit card payment processor called CardSystems suffered a data breach in which over 43 million credit card numbers were exposed to attack and over 263,000 were stolen. The theft was carried out through a SQL injection attack: the attackers entered database commands into forms on web pages and managed to “tickle” the web application server just right so that those database commands were actually executed. Once they had confirmed that CardSystems’ web site was vulnerable to SQL injection, the attackers dropped a script on the company’s database back-end that sent them a few thousand emails once a day.
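The mechanism described above, as an added example that is not code from the original post or from Daswani: a Python sketch against an in-memory SQLite table. The `accounts` schema and the sample rows are constructed for illustration and have nothing to do with CardSystems' systems. It contrasts a lookup built by pasting form input into SQL text with the same lookup using bound parameters, and adds a crude input heuristic of the kind a defender might run over web form values during a log review.

```python
import re
import sqlite3

# Constructed sample data (assumption: a hypothetical "accounts" table, not any
# real payment processor's schema).
SAMPLE_ROWS = [
    ("alice", "s3cret", "4111-1111-1111-1111"),
    ("bob", "hunter2", "5500-0000-0000-0004"),
]


def make_db():
    """Build the in-memory table the two lookups below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username, password):
    """Form values are spliced straight into the SQL text.

    A quote character in the input ends the string literal early, and whatever
    follows is parsed as SQL, which is exactly how 'database commands entered
    into forms' end up being executed.
    """
    sql = (
        "SELECT username, card FROM accounts "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the values are bound parameters.

    The database driver never parses the user-supplied values as SQL, so quotes
    or keywords in the input cannot change the shape of the query.
    """
    sql = "SELECT username, card FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Crude detection heuristic (constructed, not a substitute for parameterization):
# a quote immediately followed by a SQL keyword or statement terminator.
_SUSPICIOUS = re.compile(r"'\s*(?:or|and|union|--|;)", re.IGNORECASE)


def suspicious_inputs(form_values):
    """Return the form values that look like SQL injection attempts."""
    return [v for v in form_values if _SUSPICIOUS.search(v)]


def demo():
    """Run both lookups with a legitimate login and a classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": lookup_vulnerable(conn, "alice", "s3cret"),
        "legit_parameterized": lookup_parameterized(conn, "alice", "s3cret"),
        # The vulnerable lookup returns every row: the WHERE clause became
        # (username = 'nobody' AND password = '') OR '1'='1'.
        "payload_vulnerable": lookup_vulnerable(conn, "nobody", payload),
        # The parameterized lookup treats the payload as a literal password.
        "payload_parameterized": lookup_parameterized(conn, "nobody", payload),
        "flagged": suspicious_inputs(["alice", "O'Brien", payload]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the contrast is that the parameterized version is not "filtering" anything: the query and the data travel on separate channels to the database, so there is nothing for a malicious value to break out of. The regex heuristic is only useful for spotting probes in request logs after the fact; it will miss encoded or keyword-free variants and should never be the control that protects the query.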

CardSystems did not notice this was going on for about six months. Once the attack was discovered, Visa and Mastercard canceled their contracts with the company, and a Federal Trade Commission (FTC) investigation was launched. The investigation concluded that CardSystems had been negligent in being vulnerable to SQL injection and in its weak password handling. CardSystems went out of business, and its assets were acquired by another company.

In a more recent, spectacular data breach announced in March 2007, the TJ Maxx and Marshalls department stores (owned by the holding company TJX) had over 45.7 million credit card numbers stolen.

Part of the vulnerability was that TJX used 802.11 WiFi to transmit credit card numbers from its point-of-sale (POS) terminals to its back-end servers. Unfortunately, it relied on the Wired Equivalency Protocol (WEP) to protect the data in transit. WEP has been known to the security community to be vulnerable at least since 2002 (if not earlier), due to flaws in how it seeds the state table of the RC4 stream cipher it uses as part of the protocol. Attackers can (and in this case did) simply gather enough packets transmitted over the network to determine the encryption key used to protect the data. In addition, the attackers may also have gained possession of some of the decryption tools used at the company. The cybercriminals who conducted the attack parked cars outside retail branches; laptops in those cars gathered data packets, and the card numbers were then transmitted to colleagues.

An FTC investigation of TJX’s data security processes is taking place, and over 300 banks have started a class-action lawsuit against TJX, because the banks are the ones that have had to bear much of the cost of dealing with the stolen credit card numbers. We know about these data breaches in the US because there are laws, originating in California with the California Security Breach Information Act (SB-1386), that require businesses to inform customers when there are data breaches. While we have covered two of the most spectacular of these breaches, there is a more comprehensive list at the Privacy Rights Clearinghouse that adds up to over 153 million customer records compromised over the past few years. However, there are currently no corresponding laws or directives in the EU, so such data theft breaches could be occurring without customers or the public even being alerted to them.

Visa and Mastercard have also put more emphasis on requiring that merchants pass Payment Card Industry (PCI) compliance requirements, which are based on the international standard ISO/IEC 17799:2005.

Under the PCI requirements, vendors that process large numbers of credit card numbers are required to go through a detailed audit, while vendors that process fewer credit card numbers may simply have to fill out an online questionnaire and be subject to a remote vulnerability scan. The credit card companies hope that they can lock down the largest vendors first to make them less viable targets. Of course, the attackers may then turn to the smaller vendors as targets, and it is unclear whether a simple questionnaire and remote vulnerability scan will be sufficient to mitigate the risk for most vendors. There is also an accountability requirement under which a vendor may be subject to a fine of up to USD 500,000 if it is not compliant and a security breach occurs.

Compliance does not ensure security, however, and vendors that truly do not want to get hacked may have to invest more in security than just passing PCI compliance. If you are a vendor and your business depends on taking credit cards from customers, I would look at PCI compliance as only a first step. Ensuring “real” security may take additional ongoing investment, especially if you really care about your customers and do not want to get hacked. Having your entire IT staff learn more about security is a good direction, and you may also want to consider working with a security consultant to make the best use of your time. If we can make security part of every information technology (IT) person’s job, we will hopefully be a step ahead of the attackers, and your business and your customers will be safer from data theft and other types of attacks.

See also

European Commission – data security breach regulation is COMING your way SOON


The seven deadly sins of web application security became the top ten

ChoicePoint and other mishaps – chronology of data security breaches



