CardSystems Breach Highlights Best-Practice Security Measures
Top Tech News, 06/21/2005
By Jason Lopez
There are several ways hackers can access systems like the one operated by CardSystems, but the critical weakness was the company's inability to thwart malicious break-ins, regardless of the data it stored.
The fallout over the exposure of as many as 40 million credit card accounts to fraud has financial firms rethinking consumer data security -- once again. But improvements to security software might not be as urgent an issue as the way the systems themselves are handled by the firms responsible for the data.
The exposure of the credit-card numbers can be fixed and the security software can be improved. But when the dust settles and the facts come in, chances are, experts say, the problem will come down to dumb human mistakes that allowed hackers to walk in the virtual front door.
Weakest Link
With millions of credit-card numbers exposed to hackers, the nightmare to consumers will become strange charges on their bills and the headaches associated with getting those charges reversed.
Although consumers are indemnified against such losses, the question remains as to why credit cards -- in contrast to ATM bank cards -- are not protected by passwords.
Credit-card companies have balked at the process and expense of using passwords -- or PINs -- and customers have balked at eliminating the convenience of not having to punch in the extra numbers at the checkout line.
"For point of sale, that would work pretty easily," said TraceSecurity CTO Jim Stickley. "But where it would start to fall apart is a Web purchase."
Once a password is entered online, the owner of the Web site, as well as anyone intercepting the transaction, would have access to it. The password would simply become one more piece of accompanying data for hackers to exploit.
So, in the case of the CardSystems breach, Stickley said that "all that data [the thieves accessed] would have included passwords" anyway.
His prescription for better security measures does not begin with encryption or passwords, but with features that defend against cracks in systems caused by lapses in human judgment.
Too Easy
There are several ways hackers can access systems like the one operated by CardSystems. For starters, the company should not have been holding onto credit-card information in the first place. But the critical weakness was the company's inability to thwart malicious break-ins, regardless of the data it stored.
Stickley breaks into systems for a living, testing the weaknesses of financial companies like CardSystems. One lesson his company has learned is that weaknesses generally are not found in the security technologies themselves, but in the social element that lets hackers acquire authorized access and walk through the digital front door.
"I'll start out by calling at night to the voice mail system," he offered. Stickley goes through the company directory and writes down all the names. Then, by trial and error, he deduces the correct e-mail format for the firm's employees and sends an e-mail with a Hallmark card-like greeting, "generally something like a dancing dog," Stickley said, which induces a click to his Web site.
Once there, he loads software onto the employee's machine, which ultimately gives him the ability to establish a command prompt on their network.
It is almost too easy -- all because an employee believed the digital greeting card.
Certainly, the 40 million accounts compromised by the CardSystems breach can be fixed, and new, fancy security technologies can be deployed. But the only thing standing between consumer financial data and the data thieves might very well be a dancing dog.
http://www.toptechnews.com/story.xhtml?story_id=11100002F6EL
