Data Theft: Them Rules are Made for Breakin'

In my piece on Data Theft last week I mentioned the security breach at credit card transaction processing company CardSystems Solutions, which put something like 40 million card details at risk. Well, over the last week more information has emerged about this case, with the company admitting the data was kept improperly.

Let me explain a bit more of the background. When you use your credit card online, it's unlikely that the company you are buying from has a direct line to the credit card company to check that the card is OK and take the payment. What usually happens is that your browser is redirected to a third party processing company, which does have a link to the credit card company. The processing company collects your details, checks them with the credit card company and processes the payment (assuming your other half hasn't already maxed out the card!). The processing company then notifies the company you are purchasing from that the transaction has completed. Each month the processing company tallies up the payments it collected on behalf of other companies and makes a single payment, less a fee for the transactions, to each of the companies. CardSystems Solutions is one of these processing companies.

Now the credit card companies, like Mastercard and Visa, have fairly stringent rules about what processing companies are allowed to do. For instance, there are rules about what transaction information they should keep, what they are not allowed to keep, and where they should keep it. And, of course, they are not supposed to keep the information in a place accessible from the web site. Can't say that I would disagree with any of those stipulations! Our friends, CardSystems Solutions, though, obviously thought they knew better.
Not only did they keep information they weren't supposed to for 'research purposes', it was also unencrypted, and the information included the three or four digit card security code for each transaction. As the chief executive of CardSystems Solutions, John M Perry, put it, 'We should not have been doing that.' When you consider that CardSystems Solutions processes something in the region of US$15 bn (yes -billion-) each year and the problem potentially compromised 40 million cards, it becomes obvious that they should definitely not have been doing that!

One of the more interesting aspects of this case is that it wasn't CardSystems Solutions that realised its security was wide open. It was Mastercard who spotted a statistically high level of fraud on cards processed by CardSystems Solutions, and jointly with Visa sent in the heavies to audit CardSystems Solutions' security systems. This team found the rogue program inserted by the thieves. Presumably they also uncovered the breaches of the rules while they were looking.

I don't know exactly what the credit card company rules are, and I confess that I haven't been involved in anything like that for nearly 20 years. But even then - when 1200 baud dial-up modems were cutting edge technology, and we sent in our subscription direct debits on 5 1/4 inch floppies - the rules were pretty stringent and the banks we were dealing with took security very seriously. I doubt that the rules have got sloppy since then. Quite the contrary, I'm sure they have been tightened up, so it's not the rules that were at fault.

This is a classic example of security only being as strong as the weakest link. It didn't matter whether all the other processing companies obeyed the rules to the letter; it only needed one company to falter and the whole system was blown wide open. My guess is that the credit card companies are now in the process of seriously beefing up their compliance departments to minimise the risk of this happening again.
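As an added example (not from the original post, and not CardSystems Solutions' code), here is the shape of a retention filter and audit scan that the card-company rules described above call for: the security code is never written out for 'research', the card number is masked before anything is kept, and a scan over records already on disk flags either one. The field names and the sample transaction are assumptions.

```python
import re

# Fields a processor may keep for monthly reconciliation (assumed names).
# The security code is deliberately absent; the full card number is never kept.
RETAINABLE = {"txn_id", "merchant_id", "amount", "currency", "auth_code", "timestamp"}
SECRET_FIELDS = {"cvv", "cvv2", "cvc", "security_code"}

# Constructed sample transaction using a well-known test card number.
SAMPLE_TXN = {
    "txn_id": "t1", "merchant_id": "m42", "amount": "19.99", "currency": "USD",
    "auth_code": "A1B2", "timestamp": "2005-06-17T10:22:00",
    "pan": "4111 1111 1111 1111", "cvv": "123",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells a real card number from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits, enough for reconciliation and disputes."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitize_for_retention(txn: dict) -> dict:
    """Drop everything not on the retainable list; the CVV never gets through."""
    kept = {k: v for k, v in txn.items() if k in RETAINABLE}
    if "pan" in txn:
        kept["pan_masked"] = mask_pan(txn["pan"])
    return kept

def audit_stored_records(records) -> list:
    """Scan records already on disk and report each rule violation found."""
    findings = []
    for i, rec in enumerate(records):
        for key, val in rec.items():
            if key.lower() in SECRET_FIELDS:
                findings.append((i, f"security code stored in '{key}'"))
                continue
            # Strip the usual card-number separators, then look for a
            # 13-19 digit run that also passes the Luhn check.
            compact = re.sub(r"[ -]", "", str(val))
            if any(luhn_ok(run) for run in re.findall(r"\d{13,19}", compact)):
                findings.append((i, f"full card number stored in '{key}'"))
    return findings
```

Running the audit over what the filter lets through returns nothing, while running it over the raw record reports both the stored security code and the full card number.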
And CardSystems Solutions? No one is saying what it's going to cost them in fines from the credit card companies, not to mention the possibility of lawsuits from the various aggrieved parties. The whole thing could prove to be an extremely expensive bit of 'research' for them...

Coda: You've got to hand it to the phishers. The very next day after Mastercard announced that 14 million of its credit cards were at risk, the following started to appear in people's e-mail inboxes:
Needless to say you shouldn't go to the URL given in the e-mail, should you get a copy!