Three Indicted In Huge Identity/Data Breach 101

ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology.
  • by AB3A ( 192265 ) on Monday August 17, 2009 @07:04PM (#29098797) Homepage Journal

    These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.

    Insurance companies will see this sort of business as a radioactive risk. They'll let existing contracts expire and quietly back out --UNLESS these companies get serious about their data security.

    There is a huge opportunity for someone to make some real coin doing this sort of thing, but it will take a mindset that these people have been loath to accept: People really are out to get them.

  • Hate to say it... (Score:5, Insightful)

    by loteck ( 533317 ) on Monday August 17, 2009 @07:11PM (#29098849) Homepage
    but by the looks of one of the linked articles, any standardized internal controls audit should have seriously mitigated the risks of these types of attacks being possible. These guys are dealing with credit cards, right? Where was PCI compliance?
  • by MarkvW ( 1037596 ) on Monday August 17, 2009 @07:15PM (#29098899)

    Don't lose faith. The banks never lose. Both the Democrats and the Republicans see to that!

    The losses always get pushed away from the stockholder and onto the consumer! That's what capitalism is! Capital dominates government!

  • by AB3A ( 192265 ) on Monday August 17, 2009 @07:58PM (#29099237) Homepage Journal

    I agree.

    And the downside for their company is-- WHAT? Why should they make the extra effort to avoid such flaws? Whose responsibility is it?

    The problem is that the liability isn't all theirs. This is the same reason that so many software firms can sell steaming piles of insecure garbage, and there is very little practical consequence.

    This is the same feature that led to the downfall of the housing market. If you spread the risk around too thinly, nobody will know who to assign blame to. That's how we got in to the mess we're in. When people start demanding accountability and liability, this nonsense will end.

  • by tukang ( 1209392 ) on Monday August 17, 2009 @08:04PM (#29099309)
    Protecting against SQL injection is basic stuff, so I find it worrisome that that's how their system got compromised. I would like to think that most of the data they save to the db is sanitized and that the hackers just got lucky but I have a feeling that's not true.
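An added example, not from the story or any comment, showing why bound parameters rather than ad-hoc "sanitizing" are the basic control against the SQL injection vector the indictment cites; the `cards` table and its rows are constructed sample data, not anything from the breach:

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table; no real card data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_unsafe(conn, holder):
    # String concatenation: the caller's text becomes part of the SQL grammar,
    # so anything that is valid SQL inside the quotes changes the query itself.
    sql = "SELECT holder, last4 FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, holder):
    # Bound parameter: the driver passes the value separately from the
    # statement, so it can only match (or fail to match) a holder name.
    sql = "SELECT holder, last4 FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


def compare(holder):
    # Returns (rows from the unsafe query, rows from the safe query)
    # for the same input, so the difference is visible side by side.
    conn = make_db()
    return len(lookup_unsafe(conn, holder)), len(lookup_safe(conn, holder))
```

For an ordinary name both functions return one row; for input that is itself a fragment of SQL the concatenated query returns every row while the parameterized one returns none, which is the behaviour an audit of the query layer should be checking for.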
  • new business model (Score:3, Insightful)

    by hguorbray ( 967940 ) on Monday August 17, 2009 @08:16PM (#29099419)
    I never thought I would do one of these, but:

    1. Credit Card Industry fails to secure servers
    2. Massive Identity Theft Occurs
    3. Offer Credit Report and Identity Theft Services to mitigate steps 1 & 2
    4. Profit!!!

    -I'm just sayin'
  • Why should this be modded down? It's the logical conclusion to the system. We know the credit card system is insecure, we can fill the message boards with comments going back and forth about it... but that isn't the larger problem. Discussion centering around only the credit card system is bound to revolve around band-aid approaches to fixing the system. In order to truly avoid this sort of problem again we need to understand underlying flaws.

    So, logically, you wonder why people need credit cards, and then you wonder why people need credit, and then you wonder why debt accumulates, and then you wonder who debt is important to, and then you wonder who the major players are in the system of debt and, eventually you come to understand that, yes indeed, it is a system of governments and big businesses exploiting capital. Once you reach that conclusion then, really and truly, all discussion around the credit card system becomes "offtopic" and the only topical discussion related to identity theft arising from financial systems concerns the security vulnerabilities in a capitalist system dominated by government and financial behemoths.

    Of course, that wouldn't generate very much discussion, because acknowledging that everyone is trapped within an inherently flawed system is just depressing, and everyone leaves their computers to go find an ice cream sundae for comfort. Americans should be happy they live in a capitalist system. Under communism only the rich and powerful could afford a decent ice cream sundae. OTOH, under communism, your identity wasn't important in the first place.

    So you can have one or the other: ice cream sundaes to comfort your stolen sense of identity, or no ice cream sundaes and no identity at all to steal.

  • by bitmanip ( 1619887 ) on Monday August 17, 2009 @08:45PM (#29099641)
    Next time I receive one of those annoying credit applications I think I'll put in my name as "Drop Table" and my address as "Update Transactions Set Balance=-32765" and drop it into the mail.
  • by Opportunist ( 166417 ) on Tuesday August 18, 2009 @06:09AM (#29103253)

    The best system is a Swiss cheese if the patches are not applied...

    Seriously. I've seen far more serious security holes due to negligence on the side of the administrators and beancounters than on the side of the supplier of hard- and software. For many companies, security is still seen as a product. It's something you buy, some box you put in front of your machines, and you consider yourself safe and secure, never to touch it again.

    That's not how it works. Security is a process. Security is something you have to establish and audit. Preferably constantly, but that's not economically feasible for most companies. But you have to audit your security system against current, modern threats, you have to audit it against everything that has happened and is a known exploit or a known procedure employed by criminals. Today, tomorrow, for the rest of your company's existence. It's nothing you do today and then you're done with it.

    Security is an evolving process. A race between attacker and defender. You can't "win" and then be over with it.

    And as soon as companies realize that, we'll see some progress in this field. Not a second earlier.
