[IP] Lessons learned from the MasterCard/Visa heist
Begin forwarded message:
From: Ted Kircher <tkircher@xxxxxxxxxxx>
Date: June 29, 2005 8:29:45 PM EDT
To: Dave Farber <dave@xxxxxxxxxx>
Cc: Ephraim Schwartz <ephraim_schwartz@xxxxxxxxxxxxx>
Subject: Lessons learned from the MasterCard/Visa heist
Reply-To: Ted Kircher <tkircher@xxxxxxxxxxx>
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
Dave,
According to this article, there is no financial down side to a
company making these kinds of mistakes. Hence we can expect more
such mistakes, some of which might be coordinated between the person
making a 'mistake' and someone waiting to quickly exploit the
information.
Ted
Lessons learned from the MasterCard/Visa heist
In business, blind trust is a luxury you can't afford
Reality Check, By Ephraim Schwartz
June 28, 2005
http://newsletter.infoworld.com/t?ctl=E0B398:205E1D6
How could MasterCard and Visa allow 40 million customer credit card
numbers to be sucked out of their systems and into the hands of
criminals? Last week I called them both to find out.
In response, Visa sent me a prepared statement. One sentence from the
statement, in particular, is worth quoting: “We are actively
monitoring the situation on a real-time basis using our
state-of-the-art fraud-fighting technologies.”
Other than expecting to see VisaMan rip open his shirt to reveal his
true identity as a state-of-the-art fraud-fighting superhero,
something is wrong with this. Visa’s statement seems more concerned
with covering the company’s collective behinds than facing the real
issues.
At least, that’s what Avivah Litan, vice president and research
director at Gartner, says. And she’s not alone. John Pescatore, a
Gartner colleague and one of the most widely respected security
analysts in the country, told me that the payment card industry has
security rules in place but hasn’t been pushing hard enough and fast
enough to enforce them.
CardSystems, the third-party service provider that let Visa/
MasterCard down, made a simple and humble apology, explaining that it
had put information it was not supposed to keep into the wrong file.
A more meaningless explanation I have rarely heard.
Improper filing or otherwise, someone unauthorized was still able to
get behind CardSystems’ firewall, insert code into the system that
found the file, and download the data to his or her own system. If
nothing else, I would like to ask that person how big a hard drive
you need to hold 40 million records.
Fearful that additional layers of security would slow down credit
card transactions and scare off customers, the industry has been
dragging its feet, but Pescatore says that attitude has backfired.
“Consumer confidence is now dropping faster than more security would
ever have done,” he says.
After speaking to four security analysts, I was surprised to come
away with the same answer from each.
Frank Smith, vice president of the technology strategy group at
Capgemini, said, “They don’t supply due diligence to the whole
system.” Gartner’s Litan said, “They have everything in place; they
just don’t enforce it.” Paul Stamp, security analyst at Forrester
Research, said, “The processes were not properly enforced.” Pescatore
said that the standards “have been pure eyewash. No enforcement.”
Such a security breach is usually brought about by a combination of
factors, according to Stamp. There could be a breakdown in the
process, or the process isn’t being enforced. A human could be doing
something he or she shouldn’t — for instance, an authorized person
performing a task they were not authorized to do. Finally, there
could be a technical system problem.
The fact that CardSystems, an authorized third-party service
provider, was trusted with customer information and did something
that was not authorized leads me to ask why the auditors from
MasterCard and Visa didn’t know that. Maybe it’s time to re-examine
the whole system.
Beyond the current scandal is the reality that enterprises rely more
and more on outsourcing providers and business partners. Your company
is going to have to trust that someone beyond your own four walls is
as diligent as you are.
That’s a tall order. If we’re to learn anything from this latest
example, it’s that we need a little less trust and a lot more due
diligence to protect our companies’ -- and our customers’ --
information.