RealTime IT News

Fronting a Fix on Data Breaches

As details unfold about a massive security crack that exposed more than 40 million credit card accounts, security experts, legislators and corporate IT administrators are jockeying about ways to plug leaky data problems.

The data breach at CardSystems Solutions, the latest in a growing list of data leaks involving scams and absent-minded workers, is believed to be the largest to date. It happened when intruders exploited software security vulnerabilities, MasterCard International spokeswoman Jessica Antle told internetnews.com.

In addition to an FBI criminal investigation into the case, the Federal Financial Institutions Examination Council (FFIEC), a group composed of five federal banking regulators, has launched a probe into the CardSystems Solutions incident.

A spokesperson for the FFIEC said the investigation is expected to last two weeks.

Nearly 70,000 MasterCard account numbers were especially at risk because they were kept in a file exported from CardSystems' database, Antle said.

MasterCard's security team discovered abnormal usage patterns on certain cards after fraud monitoring systems picked up on the clues.

CardSystems said in a statement that it alerted the FBI to the possibility of a security hole in May.

"We understand and fully appreciate the seriousness of the situation. Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation."

The probe also found that the Atlanta-based payment processor did not meet MasterCard's security regulations. CardSystems should not have held onto MasterCard's records, and later compounded the problem by storing the transaction data in unencrypted form, Antle said.

The FBI declined to comment on the investigation.

John Pescatore, a vice president and research fellow at Gartner, said tighter security measures must be a priority in the fight against data loss and identity fraud.

"It is very clear there are more targeted attacks going after financial information," he said. "These attacks are happening more and more because the institutions have been getting away with sloppy security practices for a long time.

"It is important to note that these companies are not following standard practices. There are plenty of known ways to protect this data. It is security 101."

'Carder' Culture

If recent history is any indication, the hackers now focusing on financial institutions such as MasterCard are more likely to be part of organized crime syndicates in Eastern Europe and Asia than teenagers hacking for sport.

Thieves who swipe legitimately obtained credit card account numbers, also known as "carders," often operate international members-only Web sites, with names like carderplanet.com and shadowcrew.com, detailing these exploits.

In October 2004, the U.S. Secret Service busted up such a ring, making arrests in eight states and working with local law enforcement in six countries, following an investigation of the bulletin boards that were the focal point of talk about identity theft schemes. Among the crews pinched were carderplanet.com and shadowcrew.com.

The investigation was a joint operation of the Secret Service, the U.S. Department of Justice, foreign law enforcement agencies and investigators from the financial services industry.

Avivah Litan, an analyst at Gartner, said Visa and MasterCard both have sound security policies and rules in place. But they are not doing enough to ensure credit card processors are doing the same.

"This wouldn't have happened if CardSystems was obeying the association rules. It's not necessarily just CardSystems' problem. It's really Visa and MasterCard's problem because they put out these rules but they don't enforce them," she said.

According to Litan, the card associations don't make it clear what the penalties are and don't audit compliance.

"It's meaningless, in a sense, to have a good program on paper if it doesn't translate into implementation," she added. "All these breaches are exacting a steep toll on consumer confidence and trust, and something's got to change."

The headlines haven't slowed since data broker ChoicePoint's admission in February that it was duped into turning customer data over to thieves.

Next came Bank of America's data loss, then LexisNexis's own admission that it lost some customer data, followed by losses at several educational institutions including the University of California at Berkeley, Boston College and Harvard University.

Congress is keen to address the issue. Several bills are building momentum for a national law requiring data breach disclosure by companies that lose their customers' data. As it stands now, only California has a law in place requiring such measures, though other states are pursuing similar legislation.

Dianne Feinstein, a California Democrat, is pushing a bill to fine companies up to $50,000 a day for every day they don't notify customers about data breaches. Most companies, however, are behind a national disclosure law. Indeed, the savvy ones are scrambling to get ahead of the law by notifying customers before any law tells them to.

But Gartner's Litan doesn't expect Congress to advance anything with much teeth behind it.

"Most companies respond to sticks and regulation and if you don't put penalties in place then they're not going to pay any attention to it, that's really the bottom line; because if you look at what drives compliance and security spending, it's regulations," Litan said. "I expect [Congress] to ratchet up the noise but don't expect them to do anything meaningful because the financial services lobby is too strong."

A May 2005 survey of 8,200 consumers conducted by Lightspeed Research showed that over 80 percent of respondents felt threatened by online identity theft and online fraud.

The survey also indicated that 80 percent of respondents would have more trust in their account provider -- and greater confidence in transacting online -- if their provider offered a hardware-based strong authentication solution.

In addition, 44.5 percent of those surveyed said they would be more likely to switch account providers if a competitor offered hardware-based two-factor authenticators.

The sentiment has analysts bracing for a "solution revolution" from companies that specialize in identity management.

Take the new product launched by credit information management company Intersections. Called Privacy Protect, the service will keep tabs on credit information as well as public information like DMV, criminal, and mortgage and real estate records. In addition to tracking a person's credit information, such as who makes queries against it, it tracks how other unique information, which can be used for fraudulent activities, is accessed.

RSA Security is another company rolling out new security features. The software security company now offers RSA SecurID two-factor authentication technology to its online banking customers in order to deliver a more secure online user experience.

"We can't underestimate the impact of people's concerns," John Worrall, vice president of worldwide marketing at RSA Security, said. "They are recognizing that the data loss problem is getting worse."

RSA clients offering consumer identity protection based on RSA SecurID two-factor authentication technology include America Online, Banco de Credito e Inversiones (Chile), Credit Suisse, E*TRADE Financial and Volkswagen Bank.

Gartner's Pescatore said the credit card industry would be wise to jump ahead of the problem too. "They left this open for legislation by not cleaning up their industry themselves."

Jim Wagner contributed to this report.