Posted on 06/21/2005 8:59:47 PM PDT by HAL9000
More details emerged on Monday about the cyber break-in at a payment processing company that exposed more than 40 million credit card accounts to fraud.The data security breach, possibly the largest to date, happened because intruders were able to exploit software security vulnerabilities to install a rogue program on the network of CardSystems Solutions, a MasterCard International spokeswoman said. The program captured credit card data, she said.
The malicious code was discovered after a probe into the security of CardSystems' network. That investigation, by security experts from Cybertrust, was triggered by a MasterCard inquiry into atypical reports of fraud by several banks. The trail led to CardSystems, said the spokeswoman.
The probe also found that the Atlanta-based payment processor did not meet MasterCard's security regulations. CardSystems held onto records that it should have discarded, and it stored transaction data in unencrypted form, she said.
MasterCard declined to disclose more information on the breach, citing an ongoing investigation by the FBI. CardSystems did not respond to email messages and phone calls seeking comment. A Cybertrust representative declined to comment on the case.
Online discussion boards, meanwhile, are abuzz about which vulnerable software CardSystems may have been running. The data processor's website runs on Microsoft's Windows 2000 operating system and IIS Server 5.0, which has fuelled speculation that its other set-ups may also be Microsoft-based.
CardSystems said in a statement on Friday that it had identified a "potential security incident" on Sunday, 22 May, and called in the FBI the next day. Visa and MasterCard were also contacted, the company said. MasterCard went public with the CardSystems' breach on Friday after it had identified all the affected accounts, the spokeswoman said.
More than 40 million credit card accounts were exposed by the breach. About 22 million of those are Visa cards and 13.9 million are MasterCard, the companies have said. The remaining accounts were linked to other brands, including American Express and Discover.
While millions of accounts were potentially accessed by the attackers, the investigation into the theft has found that records covering about 200,000 cards were transferred outside the CardSystems network, the spokeswoman said. Of those records, 68,000 are for MasterCards, she said.
The thieves got access to names, account numbers and verification codes that could be used to commit fraud. However, the information did not include social security numbers, addresses or dates of birth, which would be needed for identity theft.
CardSystems is one of many companies that process electronic payments. The company handles more than $15bn in card transactions annually for more than 105,000 small and medium-sized businesses, according to its website.
All the major credit card companies protect their customers against unauthorised transactions on their accounts. Fraudulent transactions are typically reversed. Cardholders should monitor their accounts online and contact the credit card company or card-issuing bank when fraud is suspected, experts said.
MBNA, one of the largest US credit card issuers, said it has received information from CardSystems about exposed customer accounts. The company won't contact the individuals affected but is keeping a close eye on the compromised accounts, said an MBNA spokesman. In a case of fraud, an account would be closed and a new card issued, he said.
American Express is still deciding whether to contact its customers. A company spokeswoman said accounts were exposed but she did not disclose how many. In a case of fraud, she said, American Express would bear the financial burden, assuming the merchant has followed all standard card acceptance procedures.
MBNA would also not disclose how many of its customer accounts were compromised.
The CardSystems breach follows several high-profile data loss incidents that potentially exposed American consumers to identity theft, including the loss two weeks ago of CitiFinancial tapes containing unencrypted information on 3.9 million customers.
In past months, data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.
Two recent surveys have highlighted growing worries about data protection. Last Wednesday, the Cyber Security Industry Alliance reported that 97 per cent of the American voters it polled said identity theft was a problem that needs addressing, and 64 per cent wanted the government to do more to protect computer security.
In addition, a study commissioned by Adobe Systems and RSA Security found that eight out of 10 "senior-level professionals" in Washington, DC, thought that lawmakers weren't doing enough to keep consumer data safe.
" That seems to be the case. The CardSystems employees were negligent and incompetent in choosing to deploy Microsoft products in their data center."
I disagree.
I'm not a big fan of Microsoft, but it's not any worse than anything else.
What I do for a living is to fly around, visit my customers, break into their applications, systems, and networks, and systems. The operating system it's self is only a small part of the total attackable surface area.
My understanding is that they knew where the problems were for a long time, knew how to fix them, and just plain old didn't apply the patches or make the configuration changes that they knew needed to be made.
"What I do for a living is to fly around, visit my customers, break into their applications, systems, and networks, and systems. The operating system it's self is only a small part of the total attackable surface area."
Left out the part 'tell them what to fix to keep the bad guys out' :)
Okay...so if you don't write 'em down, how do you store the passwords for use? And don't tell me you remember dozens of randomly-generated passwords....
We'll have to disagree about whether Microsoft is the worst, but good luck to you white hat folks!
The reason I say that is because the OS is a tiny part of an enterprise security posture.
Then why did they have the business? In other words, they outsourced the work and had absolutely zero control over how the transactions were being processed and how the data for same were stored. This mishap is just the tip, tip, tip of the iceberg, just the tip.
Like I said in my previous message, I have a program that keeps track of all that stuff for me. I have a master passphrase that is used to unlock the datafile used for this program. My passphrase for this program is around 30 or so characters in length, with letters, numbers, and punctuation. You can think of it as one big lock to guard lots of little secrets. You'd be amazed at how fast you can type a phrase that you use regularly.
There are a number of programs that you can use for this, that will keep track of the website, username, password, and comments for any number of sites. One of the best for Windows users is Password Safe". On my Linux boxes, I use gpasman.
These programs will let you copy/paste passwords in such a way that you never actually see the password you are using. Pretty cool IMO.
NOTE: If you use one of these programs, DO NOT LOSE YOUR DATAFILE or the PASSPHRASE to unlock it or you are really screwed.
Still doesn't answer my question...how can these programs "handle" your passwords when they are as hackable as anything else?
NOTE: If you use one of these programs, DO NOT LOSE YOUR DATAFILE or the PASSPHRASE to unlock it or you are really screwed.
So...what do you do...WRITE IT DOWN???
I could send you a copy of my password database and it wouldn't do you any good at all. Now, if someone were to hack my system and install a keylogger, they could capture my passphrase and my data, but that is something that you can do nothing about. Sure, you run a hardware firewall, and don't open unneccesary ports, and check for trojans and the like, but someone could come up with a zero-day exploit that allows them to root your box and you are toast no matter what you do.
The most important thing IMO is to backup as often as you can, and be as careful as is reasonable. Don't log in as root or a user with "administrator" privileges. And never ever use IE to browse the internet. Windows users have a lot more stuff they need to have a box be reasonably safe like an additional software firewall, virus scanners and stuff.
My advise, if you're concerned about safety and security is to use Linux or get a MAC. You can never be completely safe and secure, but nothing else is either, so why should computers be any different?
Many people actually do suggest that you write it down and put it in your wallet. Personally, I wouldn't do that. It's an important bit of information. Think about it and come up with something that is both memorable to you, and as hard as possible for someone else to guess. Wait a couple of days. If you can still remember it, use it. If not, come up with something else. Once you've got a good key, you can start using it. :-)
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.