Top Five Causes of Data Compromise
Steve writes, "In a key step to help businesses better understand and protect themselves against the risks of fraud, Visa USA and the U.S. Chamber of Commerce announced the five leading causes of data breaches and offered specific prevention strategies. The report states that the most common cause of data compromise is a merchant's or a service provider's encoding of sensitive information on the card's magnetic stripe in violation of the PCI Data Security Standard. The other four are related to IT security, which can be improved simply by following common-sense guidelines." Here is the report on the U.S. Chamber of Commerce site (PDF).
Re: (Score:2)
1. Storage of Magnetic Stripe Data
Once you know it, it's obvious. I bet you wouldn't guess it before. My bet was social engineering. What a surprise, it's not even on the list.
2. Missing or Outdated Security patches
This one is pretty obvious, although I bet 50% of you would bet on 0-day exploits instead.
3. Use of Vendor Supplied Default Settings and Passwords
I personally thought this one died around the end of the last century, and the v
Ballmer response: (Score:5, Funny)
Wait, five reasons? Add a 'Users! Users!' to the end of that.
Re: (Score:2)
Argh! a chair!
Wow (Score:2, Insightful)
And I thought... (Score:4, Funny)
Re:Wow (Score:4, Interesting)
When I mentioned to a trainer who works for our vendor that I would of course be changing all the passwords away from the (incredibly insecure) defaults, the response I got was, "Why? What are you afraid of?" Later, _a technician_ working for the vendor asked, "You didn't change the Administrator password, did you?" I wanted to say, "Of course, what kind of fool do you take me for," but all I said was, "Yes, I did." They didn't make me change it back, but they also didn't seem to understand why I considered it important to change it.
Worse, when I asked what ports I needed to open on the firewall between the staff workstations and the mission-critical production server, I was told that we _cannot_ put a firewall there; they must be directly on the same subnet.
This was all _after_ we bought the software, to the tune of tens of thousands of dollars. Before we bought it, the official line was that the only thing that could possibly make the system vulnerable would be if we neglected to keep up-to-date antivirus software. My boss (at the time, now retired) actually signed (against my advice) a contract agreeing that if there's any security incident, it's automatically our fault and _we_ pay the _vendor_ for any time required to fix it.
Needless to say I am personally rather at odds with this vendor's view of security. Their name is Polaris Library Systems.
Re: (Score:1)
Translation: "We're 100% confident the system is completely secure - so confident, that we won't even put a penny on ow
Re: (Score:1)
> put a penny on own reliability! We'll let you spend tens of thousands of dollars at your own risk!"
Indeed.
> Of course since he's retired, your former boss probably isn't liable, either. Maybe he was a little
> smarter than he seemed.
I'm pretty sure she just trusted the vendor. When the salesperson said, "That's just there because we had some problems with customers not wanting to keep their a
top 5 (Score:5, Informative)
2. Missing or Outdated Security patches
3. Use of Vendor Supplied Default Settings and Passwords
4. SQL Injection
5. Unnecessary and Vulnerable Services on Server
Honestly, could my post be any more useful?
Re: (Score:3, Insightful)
Yes, but a more interesting question is could your karma whoring be any more obvious?
Re:top 5 (Score:4, Funny)
Well, you know we all love you. In fact, just the other day, I heard CmdrTaco and the new guy, kdawson, talking and they were saying "Gosh, I really love that neonprimetime. Yeah. neonprimetime is great, huh?"
There. Feel better?
Re: (Score:1)
(1) The mod system is designed to make useful posts appear more prominently
(2) The karma system is designed to reward authors of useful posts
(3) GP's post was really useful, as TFA is
So...
thank you GP for your useful post and enjoy your new karma
[And parent: don't be jealous!
Re:top 5 (Score:5, Informative)
I'm surprised, but not too much. It's interesting that this is the only one on the top five list that has anything to do with programming. This puts it right up there with social engineering - SQL injection is that easy.
The take-home lesson for us programmers? Never, ever, EVER use any DB API that doesn't let you bind parameters.
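As an added illustration of the point about parameter binding (this is example code written for this page, not code posted by anyone in the thread), the same login query is shown built by string formatting and then with bound parameters, against an in-memory SQLite database. The table and the two accounts are constructed sample data; a real system would never keep plaintext passwords or full card numbers this way, they are here only so the injection has something to exfiltrate.

```python
"""Vulnerable vs. parameterised query, runnable offline with the standard library."""
import sqlite3

# Constructed sample data for the demonstration (not real accounts or cards).
SAMPLE_USERS = [
    ("alice", "s3cret", "4111111111111111"),
    ("bob", "hunter2", "5555555555554444"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, pan TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The user's input is spliced straight into the SQL text.

    With password = ' OR '1'='1 the statement becomes
      ... WHERE name = 'anyone' AND password = '' OR '1'='1'
    and, because AND binds tighter than OR, every row matches.
    """
    sql = (
        "SELECT name, pan FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Same query, but the values travel as bound parameters.

    The SQL text is fixed; whatever the caller supplies is compared as a
    string value and can never change the shape of the statement.
    """
    sql = "SELECT name, pan FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "anyone", payload))  # both rows
    print("safe:      ", login_safe(conn, "anyone", payload))        # []
```

Note that quoting or escaping the input by hand is not an equivalent fix: the database driver's parameter binding is the only path that keeps data and SQL separated regardless of character set or quoting rules.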
You mean: (Score:3, Funny)
Nah. Couldn't be.
Frameworks suck (Score:1)
Hey, I bill by the hour, so why not?
SQL Parameter Binding [was: Re:top 5] (Score:2)
Re: (Score:2)
I disagree. #2 and #5 also refer to software vulnerabilities (indirectly). If software didn't have vulnerabilities, #2 and #5 wouldn't be issues.
Intriguing what's missing (Score:2)
BTW the PCI/DSS is much more practical than, say, HIPAA. They talk in straight lines instead of circles and give you directly actionable advice.
sheesh (Score:1, Offtopic)
Re:sheesh (Score:5, Funny)
Didn't the waiter do it?! (Score:5, Insightful)
Re: (Score:2)
The thing about doing it on the internet is that it's much easier to 'steal' thousands of numbers with minimal effort (compared to the effort required to do it a non-internet way).
Could have been. (Score:2)
Whatever happened to the old saying that your credit card would more likely be ripped off by a waiter than someone off of the internet? Or are waiters taking hacking jobs these days?
That would be part of number 1, putting all the information on the magnetic stripe. Waiters might know how to do this too.
Then again, this is a paper about data security not fraud in general. If you want advice about that, visit the FTC site [ftc.gov] where crooked clerks are front and center.
Re: (Score:3, Insightful)
Thieves steal what's easiest to steal and get away with.
Re: (Score:1)
Pity we live in a world where people need to thieve to get by, that morality of fucking over someone else is a misnomer thanks to the reality of the world many people actually live in.
Re:Didn't the waiter do it?! (Score:4, Insightful)
Spending online (Score:2)
My grandmother recently had her Mastercard number ripped off. Somebody was using it to buy diet items and a few other things at online stores. With a little hackery to hide one's IP, and a fake dropbox for delivery, it's pretty hard to trace. In a lot of cases I doubt even that much is needed depend
Chip & PIN (Score:5, Interesting)
I think one of the greatest mistakes the credit/debit card companies/banks (certainly here in the UK) made was the compulsory PIN entering (as opposed to a signature) at point-of-sale. Now all you need to do is stand behind me and see my PIN, or if you work at the store - have the security camera trained at the keypad then either lift my wallet or clone my card. All you need is that four digit number, and you've pretty much got my bank account.
My point is, companies make fundamental security errors, and will continue to do so.
Re:Chip & PIN (Score:1, Funny)
Re:Chip & PIN (Score:3, Insightful)
In Oz and New Zealand, people buy beer in the pub and pay like that (EFTPOS IIRC) and I don't think they are having a huge problem. They started a good while before us too.
Also, having your PIN doesn't give them your account. They would be limited to whatever your bank has set for the cash limit for th
Re:Chip & PIN (Score:2)
Re:Chip & PIN (Score:4, Insightful)
> would be a 3 stage process, and pretty hard to circumvent in a store
> situation.
Clerks rarely check pictures[1].
> Even ATMs have CCTV these days, so they could use some image recognition
> software to match your image against the registered image before giving you
> cash.
And the software would screw up about 10% of the time, keeping your card and your money.
[1] I knew a guy who spent part of his stint in the Navy sneaking on board warships with an ID card bearing the likeness of a gorilla.
Re:Chip & PIN (Score:2)
Anyway, the move to chip and pin has certainly caused a drop in the cost of fraud to VISA/Mastercard - during the switch they moved the liability for fraud onto retailers!
This was clearly the main reason for the move to chip and pin - it had nothing to do with protecting consumers, they weren't liable for fraud under the old system anyway.
Re:Chip & PIN (Score:2)
So cover the keypad when typing in the PIN. Duh! Even the only-slightly paranoid should do that.
But this brings up another point: how hard is it to clone one of those chip-and-PIN cards anyway? I'd hope that it would be at least somewhat difficult, ideally with an on-chip crypto engine that doesn't let its private key go "off chip". Such a system would be really hard to use in an
Re:Chip & PIN (Score:2)
Re:Chip & PIN (Score:2, Insightful)
The chip & PIN approach in the UK introduces a smartcard chip into the mix. The chip makes the card difficult to clone. The chip is a mini computer that will only give up the account identifier when given the PIN sign
Re:Chip & PIN (Score:3, Insightful)
Sorry, that's bollocks - there has already been a student that has been able to 'crack' the encryption (I can't cite any references, and it was a month or two ago) But I did find this http://www.hebdos.net/lsc/edition352006/articles.asp?article_id=140973 [hebdos.net]
Despite this, that there is a simple bit flag on the mag stripe that determines "this card is chip and pin" which can be turned o
Re:Chip & PIN (Score:2)
As opposed to before, when all they had to do was lift your wallet and spend a couple of minutes practicing the signature helpfully provided on the reverse? (Not that anyone ever checked them in my experience anyway - I actually managed to buy something on my gf's card once when I grabbed the wrong one on my way out of the house, a
Re:Chip & PIN (Score:3, Interesting)
Re:Chip & PIN (Score:1)
Re:Chip & PIN (Score:1)
but then again having your PIN doesn't give them your account.
The debit card may be subject to a daily limit, as well as a maximum limit equal to the amount currently deposited in the current/checking account from which it draws funds. Transactions conducted with offline debit cards usually require 2-3 days to be reflected on users' account balances. This type of debit card is similar to a secured credit card.
In many countries, the use of
Clueless Users.... (Score:1)
Reasons? How about: (Score:2, Interesting)
That's it.
Really, there's no such thing as perfect security. If you have any information that you want to keep secure and you tell it to even one other person, it will eventually be accessible to anyone who has enough interest in it.
Hell, if we don't rule out torture, you yourself aren't a reliable repository for your own sensitive information.
But you have to share certain information with others if you want to do business, don't you? Well, it se
Re: (Score:2)
'Nuff said.
Re: (Score:1)
We should go back to bartering goats, loaves of bread and weasel pelts.
Frankly, we should have never left the trees.
Re: (Score:1)
Microsoft is working on this problem -- a way to computerize the release of authentication information but not identification information (and vice versa). See the "Laws of Identity" over at http://www.identityblog.com/ [identityblog.com].
In particular, they are discussing a way to build an 'identity wallet' into the OS that will allow you to choose what identifying or authenticating bits of information to give to whom. And the wallet will be kept in a hardened UI that only humans can access.
It's about damn time, too. Th
It's sad... (Score:2)
Public key infrastructure (Score:2)
With the appropriate public key infrastructure, the necessary amount of information associated with a key pair can be made public, while the rest remains private so that it can be applied in cryptographically secure ways, for example to certify a transaction, without exposing the information itself.
Not many people understand how this works, so it's been historically hard to deploy, but it can be done.
Either that or minibar keys (Score:3, Funny)
Re:Sale of information by company officials (Score:5, Interesting)
PDF (Score:3, Funny)
"PDF documents with readable text under the black rectangles."
A bit more about #1 (Score:2, Informative)
For those who don't know, the magnetic track on a credit card actually has three tracks worth of data. Tracks 1 and 2 both have the account number; track 1 also has your name and perhaps some other stuff. I'm more familiar with track 2.
Track 2 has the card number, the expiration date, and something called "discretionary data." The discretionary data, so far as I can ascertain, is defined by
Re:Avoid Magnetic-Stripe Data Storage Violations (Score:1)
Re: (Score:1)
You make a good point. Visa standards say that SHA-1 in this fashion is OK, but they want companies to move to a later version. Our next version of the software will be SHA-512.
By the way, credit card numbers are not strictly 16 digit numbers.
It occurs to me that the seemingly random discretionary da
Standards? What's that? (Score:2)
Now, ISO specification for track-2 on a magnetic stripe card is: the card number, then a delimiter, then an expiry date in YYMM format, and then freeform data to a maximum of 37 characters. There are tens of thousands of installed systems that read these cards and parse the expiry date.
But
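The two posts above ("A bit more about #1" and "Standards? What's that?") describe the track-2 layout: card number, a delimiter, a YYMM expiry, then discretionary data. The following is an added example for this page, not code from either poster, that parses a track-2 string along those lines, checks the PAN with the standard Luhn checksum, reduces the record to what a merchant may keep after authorisation (the discretionary field, which is where the stripe's verification value lives, is dropped and the PAN is masked to first six/last four), and scans log text for stray track data, which is cause #1 on the Visa list. The three-digit service code between the expiry and the discretionary data follows my reading of ISO/IEC 7813; the sample swipes and log lines are constructed, and the trailing LRC character is not modelled.

```python
"""Track-2 parser, PCI-style field reduction, and a log scanner for stray stripe data."""
import re
from dataclasses import dataclass

# ;PAN=YYMM SSS discretionary?   (start sentinel, separator and end sentinel optional here)
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?\s]*)\??"
)

# Constructed sample log lines: the second one leaks a full swipe into a debug log.
SAMPLE_LOG = [
    "2006-03-16 12:00:01 auth ok order=1234 pan_last4=1111",
    "2006-03-16 12:00:02 DEBUG swipe=;4111111111111111=2512101123456789? term=7",
]


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a track-2 string into its fields; reject malformed data or a bad PAN."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError("not a track-2 record")
    rec = Track2(m["pan"], m["exp"], m["svc"], m["disc"])
    if not luhn_ok(rec.pan):
        raise ValueError("PAN fails Luhn check")
    return rec


def pci_retainable(rec: Track2) -> dict:
    """Return only what may be kept after authorisation.

    Full track contents (and the discretionary data in particular) must not be
    stored; the PAN is reduced to the first six and last four digits.
    """
    masked = rec.pan[:6] + "*" * (len(rec.pan) - 10) + rec.pan[-4:]
    return {"pan_masked": masked, "expiry": rec.expiry_yymm}


def find_track_data(text: str) -> list:
    """Return the PANs of any track-2 records found in free text such as logs."""
    return [m["pan"] for m in TRACK2_RE.finditer(text)]


if __name__ == "__main__":
    rec = parse_track2(";4111111111111111=2512101123456789?")
    print(rec)
    print(pci_retainable(rec))                       # discretionary data gone
    print(find_track_data("\n".join(SAMPLE_LOG)))    # ['4111111111111111']
```

Running `find_track_data` over application and web-server logs is a cheap way to catch the "stored it without meaning to" case that the thread's POS anecdotes describe; the regex is deliberately loose about sentinels because logged data is rarely intact.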
I worked for one of these POS companies (Score:1)
CC #s were stored in DB and logs using clear text. Client information could be attached to Orders so one could retrieve enough information to impersonate. One client yelled at the boss for printing the full CC # on the receipt, which was against the client's state law.
I yelled at the boss for numerous such transgressions. But he didn't care enough to use Foreign Keys in a 100+ table database; so why would he care that CCs were unencrypted? What could I really do? I left (for a long list of reasons).
T
top 5 causes of data compromise (Score:1)
Techniques for Handling Large Data (Score:1)
Data Compromise-Site Business (Score:1)
Solution?? New problem arise? (Score:1)
1) Strong password (length 100++) => Of course the user cannot open it because too long to remember.
2) Use new and secure swap device => the irresponsible merchant will modify it soon or the merchant will put a camera from every angle and record the password.
3) Use a sql injection proof script => the web server will still face
more serious problem... (Score:1)
"The most likely threat to information security is not the typical hacker, virus or worm, but rather the malicious or careless corporate insider."
A study reveals that sixty-nine percent of companies reporting serious data leaks responded that their data security breaches were the result of either malicious employee activities or non-malicious employee error. In fact, the number one leading cause of data security breaches resulted from non-malicious employee
to be alert (Score:1)
Guess I'm the only one.... (Score:2)
stripes (Score:1)
set a new standard (Score:1)