John Perry, the CEO of CardSystems, Inc., flasher of potentially 40 million credit card numbers, had his day in the sun (er, time under the spotlight in the dark, smoky room?) today, testifying before the House Committee on Financial Services (thanks to Richard Bejtlich for the tip). It turns out this story is nowhere near over. Here are some juicy details:
Someone placed a script on a server via an "Internet-facing application that is used by our customers to access data." The script was written to run every four days, search certain file types for track data (the stuff on the magnetic stripe), extract that data, zip it into a file, and transfer it via FTP to another site.
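The script described above searched files for stored track data; the same pattern search, run by the processor itself, is how one audits for track data that must not be retained after authorization. An added example, not code from the original post: a small Python scanner for Track 1 / Track 2 records (ISO/IEC 7813 layouts assumed) that Luhn-validates the PAN and reports findings masked; the log lines and test card numbers are constructed.

```python
import re

# Magnetic-stripe track layouts (ISO/IEC 7813). Track 1 opens with format code "%B",
# Track 2 with ";"; both carry the PAN, expiry (YYMM) and a 3-digit service code.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test: drops most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits only, so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return masked findings for every Luhn-valid Track 1 / Track 2 record in text."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_ok(m.group("pan")):
                hits.append({"track": track, "pan": mask_pan(m.group("pan")),
                             "exp": m.group("exp"), "svc": m.group("svc")})
    return hits


# Constructed sample: two records using published test PANs plus one with a bad
# check digit, as might be found in a leftover authorization log or debug dump.
SAMPLE = "\n".join([
    "2005-05-22 auth ok %B5500000000000004^DOE/JANE^2603101000000000? amt=42.00",
    "2005-05-22 auth ok ;4111111111111111=25121015432112345? amt=19.99",
    "2005-05-22 auth fail ;4111111111111112=2512101? amt=5.00",
])

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```

Pointing the scanner at the file types a processor actually writes (logs, batch files, database exports) turns it into the retention check CISP expected.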
One of the more interesting tidbits in this testimony is that there appear to be only 239,000 credit card numbers stolen, as opposed to the 40 million initially reported. Hmm, if my math is right, that is a bit over 0.5% of the original estimate. No matter, 40 million sounds a lot better (though not to CardSystems, I suppose). (Btw, it is likely BETTER from the standpoint of a single victim to have the 40 million lost cc numbers than the measly 239,000, but that is not the point.)
This incident has all the markings of an inside job (custom app, specific file types and data, etc.). Contrary to many of the other incidents that appear to be random, un-serendipitous events, like the "attacks" at universities, there appears to be a definite motive here, and I am going to go out on a limb and predict that they catch this person within the next six months (what the heck, it’s the summertime).
This is a useful case study for any of the (multiplying) bills and regulations cropping up around identity and credit card theft that have a notification requirement. First, we have the question of whether 40 million cardholders should be notified or 239,000. If the testimony provided was accurate, I would guess 239,000. Second, we have the question of whether the disclosure of this information is in violation of the law. For example, I don’t believe this exposure would violate California’s SB 1386, since the information stolen didn’t include a "required security code, access code, or password that would permit access to an individual’s financial account" as far as I can tell. Third, we have the problem of notification – CardSystems, Inc. doesn’t have any notification information available, so presumably the issuing banks would have to perform notification, and they are relatively innocent bystanders in all of this – almost certain to draw the fire of irate consumers.
One final comment: It is not clear to me why everyone in the security community immediately jumps all over these folks (as they have done with ChoicePoint and others) since there is no evidence of "bad security practices" except, of course, for the incidents themselves (it could be their practices were poor, but it also could be they had better security than most other processors). Seriously, I think security vendors are near euphoric over the incident and many other security professionals are either playing holier-than-thou or I-told-you-so games.
But that is our problem – we claim that nobody is ever completely secure and yet we crucify any entity that gets compromised based on the evidence of a single incident. Disheartening, to say the least, given that WE ARE ALL IN THE SAME BOAT. You’d think we would try a bit harder to come up with ways to tell whether these companies are negligent or not. CardSystems claims to have been certified VISA CISP compliant by Cable and Wireless. I don’t expect them (CardSystems) to go down without a fight.
You write:
“One final comment: It is not clear to me why everyone in the security community immediately jumps all over these folks (as they have done with ChoicePoint and others) since there is no evidence of “bad security practices” except, of course, for the incidents themselves (it could be their practices were poor, but it also could be they had better security than most other processors).”
It’s established that CardSystems kept data they were required by CISP compliance not to keep. This is a clear breach of policy and rules so in my eyes, this is not a single incident but a general lack of understanding. That they are flamed to Kingdom Come is very justified in my eyes.