CardSystems Exposes 40 Million Identities

The personal information of over 40 million people has been hacked. The hack occurred at CardSystems Solutions, a company that processes credit card transactions. The details are still unclear. The New York Times reports that "data from roughly 200,000 accounts from MasterCard, Visa and other card issuers are known to have been stolen in the breach," although 40 million were vulnerable. The theft was an intentional malicious computer hacking activity: the first in all these recent personal-information breaches, I think. The rest were accidental -- backup tapes gone walkabout, for example -- or social engineering hacks. Someone was after this data, which implies that's more likely to result in fraud than those peripatetic backup tapes.

CardSystems says that they found the problem, while MasterCard maintains that they did; the New York Times agrees with MasterCard. Microsoft software may be to blame. And in a weird twist, CardSystems admitted they weren't supposed to keep the data in the first place.

The official, John M. Perry, chief executive of CardSystems Solutions...said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

Yeah, right. Research = marketing, I'll bet.

This is exactly the sort of thing that Visa and MasterCard are trying very hard to prevent. They have imposed their own security requirements on companies -- merchants, processors, whoever -- that deal with credit card data. Visa has instituted a Cardholder Information Security Program (CISP). MasterCard calls its program Site Data Protection (SDP). These have been combined into a single joint security standard, PCI, which also includes Discover, American Express, JCB, and Diners Club. (More on Visa's PCI program.)

PCI requirements encompass network security, password management, stored-data encryption, access control, monitoring, testing, policies, etc. And the credit-card companies are backing these requirements up with stiff penalties: cash fines of up to $100,000, increased transaction fees, orand termination of the account. For a retailer that does most of its business via credit cards, this is an enormous incentive to comply.

These aren't laws, they're contractual business requirements. They're not imposed by government; the credit card companies are mandating them to protect their brand.

Every credit card company is terrified that people will reduce their credit card usage. They're worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They're worried about how their brands are perceived by the public. And they don't want some idiot company ruining their reputations by exposing 40 million cardholders to the risk of fraud. (Or, at least, by giving reporters the opportunity to write headlines like "CardSystems Solutions hands over 40M credit cards to hackers.")

So independent of any laws or government regulations, the credit card companies are forcing companies that process credit card data to increase their security. Companies have to comply with PCI or face serious consequences.

Was CardSystems in compliance? They should have been in compliance with Visa's CISP by 30 September 2004, and certainly they were in the highest service level. (PCI compliance isn't required until 30 June 2005 -- about a week from now.) The reality is more murky.

After the disclosure of the security breach at CardSystems, varying accounts were offered about the company's compliance with card association standards.

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so.

Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."

Earlier, Mr. Perry of CardSystems said his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from the Visa payment associations in June 2004.

All of this demonstrates some limitations of any certification system. One, companies can take advantage of interpersonal and intercompany politics to get themselves special treatment with respect to the policies. And two, all audits rely to a great extent on self-assessment and self-disclosure. If a company is willing to lie to an auditor, it's unlikely that it will get caught.

Unless they get really caught, like this incident.

Self-reporting only works if the punishment exceeds the crime. The reason people accurately declare what they bring into the country on their customs forms, for example, is because the penalties for lying are far more expensive than paying any duty owed.

If the credit card industry wants their PCI requirements taken seriously, they need to make an example out of CardSystems. They need to revoke whatever credit card processing license CardSystems has, to the maximum extent possible by whatever contracts they have in place. Only by making CardSystems a demonstration of what happens to someone who doesn't comply will everyone else realize that they had better comply.

(CardSystems should also face criminal prosecution, but that's unlikely in today's business-friendly political environment.)

I have great hopes for PCI. I like security solutions that involve contracts between companies more than I like government intervention. Often the latter is required, but the former is more effective. Here's PCI's chance to demonstrate their effectiveness.

Posted on June 23, 2005 at 8:55 AM • 22 Comments

Comments

Chris WalshJune 23, 2005 10:22 AM

@Bruce:

When I heard this was "research" I didn't think "marketing", I thought "troubleshooting". They apparently were getting more failed authorizations than they thought they should have. I figured they were keeping the extra data around to determine what was correlated with (and therefore, causing ;^)) the declines. It sure would be nice to know some of the details on this. One tanatalizing clue about the technical facts was provided by a Visa spokesperson quoted in Wired:

when asked if it would be fair to say that the evidence indicated a failure to apply a firewall or maintain virus definitions -- two basic steps in securing a network -- she said, "That would be fair."
No firewall or up-to-data antivirus on a Win2K financial network? Hmm.

Clive RobinsonJune 23, 2005 10:43 AM

"Every credit card company is terrified that people will reduce their credit card usage."

It's not just them, various Governments and their Agencies (Police etc) are also scared witless that cash will become popular again. To many crimes are solved by "following the money".

In the UK the use of Pre-Pay Mobile phones, that where bought for cash, has scared the living daylights out of the Police and Intelegance communities.

Basically untracable communications which can be untracably purchased (Pre-Pay for Cash) that is used just a couple of times is absolutly ideal for terorists, drug dealers, kidnapers etc. If properly used (and disposed of) they are effectivly traceless and therfore unusable in any investigation.



Mike D.June 23, 2005 11:41 AM

Actually, the PCI requirements are just Visa and MasterCard. Discover has their own program called DISC and AmericanExpress is totally out of the game so far. Also, the stiff fines can be upwards of $500,000 not the $100k you mentioned.

If you want more info feel free to email me.

PCI Info can be found at: http://www.visa.com/cisp/
This page also has info on "if compromised" and "compliance penalties"

Discover's DISC program:
http://www.discoverbiz.com/resources/data/...
(*cough* I co-authored *cough*)

AmEx DSOP http://www125.americanexpress.com/merchant/oam/...

SimonJune 23, 2005 11:48 AM

I'm going through the PCI audit process right now (the process doesn't have to be complete by next week, just underway)
It sucks to be a small company with no 'juice' with VISA and Mastercard and be stuck with extremely high compliance costs, many of which are inappropriate for a firm of

Yes at the end of the day the auditors are dependant on what you pass on to them, the audit is an expensive and time consuming process already though - I hate to think how long it would take if they were actually going though our systems it detail personally.

@Phil, I agree with most of your comments, we certainly see most of the requirements as just a basline to be exceeded.
Don't agree that patches need to be deployed within 6 days though. These are financial systems, and extensive testing in dev. and staging environments has to take place before production is updated.

Simon

Ari HeikkinenJune 23, 2005 12:40 PM

It simply amazes me over and over again that people keep using microsoft's products (without even considering alternatives) no matter how many times their security fail. At my former job there was this workgroup software for staff running with windows and IIS. The whole system was hacked atleast three times over a few years period and no one even considered replacing the software or the operating system with anything else (and I don't even want to go to the stability issues here).

It turns out the reason to this is simple. People are simply trying to keep their jobs. They stick to microsoft's products because they can't use anything else (remember that most windows admins out there are limited to about double-clicking "setup.exe").

Anonymous CowardJune 23, 2005 12:41 PM

Bruce is absolutely correct from a philosophical standpoint. But you all know that even if Visa/MC or whomever actually tries to put some teeth in the PCI and levy fines etc., it'll be in court for years..."Who? Me? No, I was fully compliant...my auditor said so. Sue them. And, by the way, we'll appeal anything for several more years. Business as usual.

Also, Mike D. is correct: PCI is just the underlying standard. Both Visa and MasterCard still have their own programs, as do Discover, Diner's Club, Amex, etc. The only thing they have in common is that they've all agreed to base their own programs on the underlying PCI.

Phil HollowsJune 23, 2005 1:41 PM

@Simon:

My point isn't that a patch should be deployed in 6 days (besides that's Symantec's data and they have their own agenda, right?). My point is that allowing 30 days feels very wrong in this day and age, especially with a 90 day permitted VA scan schedule. Testing is vital, which is part of the risk judgement: security risk vs performance / availability / functional correctness risk. It's bad in this standard because this standard seems to assume 100% trust inside the perimeter, so there are no apparent outbound containment requirements. Once infected, the machines were at liberty to send the data out.

Anyway, since CardSystems apparently weren't keeping their AV / ACLs up to date, regardless of platform, the point's moot in this instance. One has to wonder what was going on in there for something that basic to be neglected.

David AdamsJune 23, 2005 2:11 PM

I think it's silly and misleading to pin much if any blame on Microsoft. Do we blame Cisco for their apparent lack of proper network security, as well?

No system is secure in the hands of poor administrators.

Anon E MouseJune 23, 2005 2:29 PM

We do start blaming Cisco when the vulnerability is in IOS or CatOS...

There's only so much one can do to make the system secure if the vulnerability is in the underlying software you've got limited control over.

M.H.June 23, 2005 5:31 PM

Apparently, Australia's largest bank raised an alarm about this last September! They say they notified the FBI, too. If true, this means this was going on for a lot longer than we have been lead to believe.

Peter KJune 23, 2005 9:31 PM

You comment that "Microsoft software may be to blame" and link to an article stating that the site used Windows 2000???

Microsoft certainly has it's issues, but who in their right mind would expose 40million cards to 5 year old software: Windows, Linux or whatever.

Thomas SprinkmeierJune 23, 2005 10:53 PM

@peter,

Windows 2000 is still actively supported by Microsoft. As long as the servers were patched there should be no problems using an'old' operating system.

According to the linked article the systems were running IIS 5. The breach may have been in an application hosted by IIS rather than IIS itself.

While blaming Microsoft may be unfair, so is blaming people who still use Windows 2000.

AnonymousJune 24, 2005 9:04 AM

@Simon & Phil Hollows

You are both right and wrong, it depends on your business drivers and your resources...

If you are very security focused then you are doing workarounds before the patches, and then applying the patches the moment they are released. If your business apps break irespective of if they are mission critical you stop them untill you can get them securly working again on a test network. You then apply the changes and start the apps up again.

If you are very business focused but your apps are not mission critical you might decide to take a risk, and do nothing untill an attack appears in the wild (this happens way more frequently than we would like and why worms are so succesful).

If you have mission critical apps that are internal or not directly connected to the internet you would go for prototyping changes on a test system then if all proves ok moving the changes across to the mission critical platform.

If however you are also resource limited (and whos not in these days of budget cuts) you might not do anything for quite a while based on the percieved risk -v- calculated losses. Again this is not ideal from the security perspective.

The worst case is mission critical primary revenue generating apps which are directly connected to the Internet in small and medium sized businesses. Unfortunatly in these cases business requirments usually override security concerns 99 times out of 100. It's not ideal but the risk of attack when viewed against the certainty of business loss makes most senior managers into gamblers.

George PaciJune 24, 2005 1:22 PM

Sounds like it's getting very expensive to keep shared secrets. I have to believe a protocol that doesn't rely on shared secrets is cheaper (and more secure) than all this rigmarole.

How tough could it be to make a smart card that signs a transaction record (merchant + amount + date + nonce) with a private key? Then the card issuer, which knows the associated public key, can use it to decrypt the transaction record signature and validate/invalidate it.

A bad guy gets hold of my transaction record? No problem: he can ask the issuer to validate it, but that's all he can do with it. Without the private key (which only I have), he can't generate any new transaction records.

<sarcasm>For extra security, we can add a few digits to the back of the card, and have everybody ask for them, too.</sarcasm>

another_bruceJune 26, 2005 11:28 AM

i think we need to gang up on the credit card companies one at a time and put them out of business by cancelling our cards with that company. it's like being in a dark alley facing a pack of vicious dogs. unless you have something like a firehose, you don't generalize your measures over the entire pack, you take them out one dog at a time. since we apparently don't have a firehose, let's start with mastercard.

Dave HarmonJune 26, 2005 3:45 PM

"...my auditor said so. Sue them. And, by the way, we'll appeal anything for several more years. "

That would be a problem for most *other* companies trying to enforce this. With MC and Visa showing a united front, they can afford to push the cases through. If certain offenders give them enough trouble, they might well start blacklisting corporate officers.

SylvainJune 27, 2005 8:00 AM

'Today's business-friendly political environment' ?

How many companies does Eliot Spitzer have to shake down ?

JimJune 28, 2005 1:41 PM

Remember the companies that are paid to break in are generally successful 100% of the time (whether they come in by the network or via the people). Back in the 80's, phone company hacker gangs claimed to have every unencrypted password (even over phone lines) ever used more than 30 times (service modem even today often still don't have passwords). Also, don't forget that the number one firewall in America has a back door to the Israel government and that Germany and China have formally discussed banning Windows from their countries due to the common knowledge that every copy that leaves the US has a NSA back door (but both decided the impact on their economies would be too great). How does even the best SysAdmin block these access issues? Only buy products made by countrymen (BTW, SUN develops all of their security products in Russia) and use open source otherwise.

Aleta BaudersJune 30, 2005 10:21 AM

This article is helpful to us poor debit/credit card users who were unpleasantly surprised yesterday trying to use our card for an everyday purchase like gasoline ---- lo and behold the card was DENIED. The banks do not call and make sure you are informed--they write letters--duh--what is a person to do waiting for a new card? Why are these card companies dragging their feet on security? They are so far behind the 21st century--why not use thumb prints for ID?--all those numbers just invite hackers to have some fun--I am outraged--PCI had better get on the stick.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..