Monday, June 20, 2005

More CardSystems Tidbits Emerge

Picture credit:
Excel web sharing - spreadsheet collaboration over the Internet made easy with BadBlueInteresting information on the CardSystems' security breach... carefully gleaned from multiple reports:

Item 1: MasterCard announced the breach, which had been detected in May, probably to the consternation of CardSystems. What were the reasons for MasterCard's disclosure? Displeasure with CardSystems in general? A requirement to disclose the breach in a timely fashion, since CardSystems had had over a month? Or was it simply MasterCard demonstrating that it -- not CardSystems -- had discovered the intrusion?

MasterCard traced the breach to CardSystems based on an unusual pattern of fraudulent transactions...

"I don't have the detail on what type of fraud it was," Antle said. "It wasn't a large amount of fraud, just an abnormal pattern that triggered our system. ... We have tracking systems in place to find the common point of interaction."

FBI spokeswoman Deb McCarley would not confirm the intrusion was the result of Internet hacking.

Sketchy reports indicate that, indeed, a trojan was placed on at least one of CardSystems' computers.

Item 2: CardSystems said that the FBI asked them not to disclose the breach... but the FBI denies that claim, according to this report. What the... ?

Item 3: According to the New York Times, CardSystems wasn't even supposed to have this data  ! While CardSystems processes the transactions, it isn't supposed to retain any records, per its agreements with MasterCard and Visa. It appears that CardSystems somehow kept all of the data, perhaps for its own "research purposes":

The chief of the credit card processing company... acknowledged yesterday that the company should not have been retaining those records... He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

...Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

"CardSystems provides services and is supposed to pass that information on to the banks and not keep it," said Joshua Peirez, a MasterCard senior vice president who has been involved with the investigation. "They were keeping it."

...Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so.

...MasterCard said that it had detected atypical levels of fraudulent charges on its cards as early as mid-April and, joined by Visa and an unspecified bank in mid-May, had requested that CardSystems allow its independent forensics team, Ubizen, to investigate. It was not until May 22 that the security specialists identified the rogue computer program as the source, MasterCard said.

CardSystems said it contacted the F.B.I. offices in Tucson and Atlanta on May 23. The F.B.I. said Friday that its investigation was continuing.

How did the intruders enter the system? Perhaps a processors' web application for merchants:

"They typically have a Web site where merchants sign on with and then the merchants can look at the daily transactions, the balance in their account," Edward Lawrence, a managing associate at the Auriemma Consulting Group in Westbury, N.Y., which advises credit card merchants and processors. "My guess is that a hacker would get into the Web site and somehow find their way past a firewall and through the passwords and encroach onto the programming system."

Mr. Peirez of MasterCard said that the data inappropriately retained by CardSystems was particularly sensitive because it included cardholders' three- and four-digit security codes, making it more attractive to potential thieves because it can double or triple the black-market value of a cardholder's account. Ms. Litan of Gartner said there was no reason for a processor to store security codes... In addition, the data lost in the CardSystems case was apparently not encrypted. "If it was encrypted, the hacker would have gotten data but would not have known how to read it," said Mr. Lawrence...


No comments: