cardsystems : Credit card breach
derz...@gmail.com
Hi guys,
Just to tell you... !
No wonder a few friends of mine using authorize.net as processor told
me that thoses last few days (last month more exactly) they changed
their whole software and security "protocol". Because if you check up
cardsystems.com website, you will see that they provide the solution
authorize (one of the biggest?) , and Go Software (which is dont know
of) ...
But from what i read in that article, cardsystems valuable data + info
cards server was running on windows 2000 IIS 5.0, could this explain
that ? :-)
Here most of the servers i used to see having vital informations on are
mostly first of all, very strongly firewalled (router + software), and
run on openbsd/apache.. not that i love openBSD, but from what i heard
and noticed the openbsd team is far more concerned by security than a
lot of other projects teams :http://www.openbsd.com/security.html
Well also, i guess a lots of the security is made by the people working
for the company (administrators, programmers etc..) - again we could go
back to PHP or C to illustrate how good thoses language are, but how
bad programmers get sometimes... a good language allow you to do
anything, also to make vulnerabilities (sorry) - it is always good to
run a good audit on softwares, because really i mean it security looks
like the bigger issue on our programming work nowodays since everything
is kind of multi-user now.
As rudy might gonna write on later, before the good audit, have a
strong algorythm and study of your program on all its aspects, right ?
I will let you detail on this poin ;-)
FROM CNN:
http://news.com.com/Details+emerge+on+credit+card+breach/2100-7349_3-5754661.html?tag=cd.lede
More details emerged Monday on the cyberbreak-in at a payment
processing company that exposed more than 40 million credit card
accounts to fraud.
The data security breach, possibly the largest to date, happened
because intruders were able to exploit software security
vulnerabilities to install a rogue program on the network of
CardSystems Solutions, MasterCard International spokeswoman Jessica
Antle said. The program captured credit card data, she said.
The malicious code was discovered after a probe into the security of
CardSystems' network. That investigation, by security experts from
Cybertrust, was triggered by a MasterCard inquiry into atypical reports
of fraud by several banks. The trail led to CardSystems, Antle said.
The probe also found that the Atlanta-based payment processor did not
meet MasterCard's security regulations. CardSystems held onto records
that it should have discarded, and it stored transaction data in
unencrypted form, Antle said.
MasterCard declined to disclose more information on the breach, citing
an ongoing investigation by the FBI. CardSystems did not respond to
e-mail messages and phone calls seeking comment. A Cybertrust
representative declined to comment on the case.
Online discussion boards, meanwhile, are abuzz about which vulnerable
software CardSystems may have been running. The data processor's Web
site runs on Microsoft's Windows 2000 operating system and IIS Server
5.0, which has fueled speculation that its other set-ups may also be
Microsoft-based.
Into the breach
CardSystems said in a statement Friday that it had identified a
"potential security incident" on Sunday, May 22, and called in the FBI
the next day. Visa and MasterCard were also contacted, the company
said. MasterCard went public with the CardSystems' breach on Friday
after it had identified all the affected accounts, Antle said.
More than 40 million credit card accounts were exposed by the breach.
About 22 million of those are Visa cards and 13.9 million are
MasterCard, the companies have said. The remaining accounts were linked
to other brands, including American Express and Discover.
While millions of accounts were potentially accessed by the attackers,
the investigation into the theft has found that records covering about
200,000 cards were transferred outside the CardSystems network, Antle
said. Of those records, 68,000 are for MasterCards, she said.
Previous Next The thieves got access to names, account numbers and
verification codes that could be used to commit fraud. However, the
information did not include social security numbers, addresses or birth
dates, which would be needed for identity theft.
CardSystems is one of many companies that process electronic payments.
The company handles more than $15 billion in card transactions annually
for more than 105,000 small and medium-size businesses, according to
its Web site.
All the major credit card companies protect their customers against
unauthorized transactions on their accounts. Fraudulent transactions
are typically reversed. Cardholders should monitor their accounts
online and contact the credit card company or card-issuing bank when
fraud is suspected, experts said.
Staying mum
MBNA, one of the largest U.S. credit card issuers, said it has received
information from CardSystems about exposed customer accounts. The
company won't contact the individuals affected but is keeping a close
eye on the compromised accounts, said Jim Donahue, an MBNA spokesman.
In a case of fraud, an account would be closed and a new card issued,
he said.
American Express is still deciding whether to contact its customers.
Christine Elliott, a company spokeswoman, said accounts were exposed,
but she did not disclose how many. In a case of fraud, she said,
American Express would bear the financial burden, assuming the merchant
has followed all standard card acceptance procedures.
MBNA would also not disclose how many of its customer accounts were
compromised.
The CardSystems breach follows several high-profile data loss incidents
that potentially exposed American consumers to identity theft. Two
weeks ago, CitiFinancial said tapes containing unencrypted information
on 3.9 million customers were lost by the United Parcel Service while
in transit to a credit bureau. CitiFinancial is the consumer finance
subsidiary of Citigroup.
In past months, data leaks have been reported by Bank of America and
Wachovia, data brokers ChoicePoint and LexisNexis, and the University
of California at Berkeley and Stanford University.
Two recent surveys have highlighted growing worries about data
protection. Last Wednesday, the Cyber Security Industry Alliance
reported that 97 percent of the American voters it polled said identity
theft was a problem that needs addressing, and 64 percent wanted the
government to do more to protect computer security.
In addition, a study commissioned by Adobe Systems and RSA Security
found that eight out of 10 "senior-level professionals" in Washington,
D.C., thought that lawmakers weren't doing enough to keep consumer data
safe.