So only “68,000 customers are at high risk“

As pretty much everyone knows by now, Cardsystems, a credit card processor, has had a security breach which exposed up to 40 million credit card numbers. MasterCard is now saying that 68,000 customers are at “high risk”.

Ok, so check your bank statements (and why isn’t there a website where you can put in your CC number and see if you’re at “high risk”?).

What was the cause? Apparently a “virus” that captured customer data (probably a misnomer on their part, more likely a simple keylogger).

At Tech.Ed a couple of weeks ago, Microsoft showed a hardened Windows network being completely compromised in a matter of minutes. So no surprise on our part.

In the US, we have strict laws like HIPAA providing statutory requirements on the protection of health care data. But credit card companies apparently don’t have these types of protections. Heck, a UPS shipment with almost 4 million unencrypted credit card numbers was lost recently.

MasterCard had some system in place to detect this. They did see the breach through their fraud analysis, which assumes that some of these cards may have been used already…

Interesting posts on Slashdot. As can be expected on Slashdot, there are posts about the front end to Cardsystems being Microsoft . Points are also made that the major credit card companies may have great security in place, but they have a large amount of data going to other partners, like credit card processing companies, creating multiple points of entry.

We can have all the protections in place. But the way to run security is not only to create a moat around the castle, but to insure that if an attacker gets in, sensitive data is not compromised. Assume the worst.

My observation is that securing this type of private information is a multi-pronged approach:

Make the data useless — If the information is stolen, it shouldn’t matter in the end. You could, for example, split up a credit card number with the attendant customer data into multiple parts, each stored in their own secure database, concatenated for ultimate use. A hacker gets in, he sees only gibberish. He only sees one part of the picture.

Storage – This one is obvious but, well, obviously it wasn’t followed by Cardsystems. And you have to harden the data through multi-layered security the systems where the data is stored at all points of the supply chain. Card processors, merchants, member banks, etc.

Transport – Harden the methods of data transportation to 3rd party providers. There are multiple points of entry in the world of consumer privacy. Data is shared between many providers. The methods of sharing the data have to be rock-solid. I’m not talking only about electronic transport. Let’s not ship, for example, sensitive credit card information by UPS in unencrypted form. Treat your own customer data as carefully and as conscientiously as you would treat your own.

End use – Another critical point of entry is the actual use of the data. There’s some multiple validation points in place already, which help against fraud. Credit card companies have instituted address checking and the use of Card Identification Numbers, which are multi-pronged security techniques (you have to a) have the card in possession and b) know the address of the person it was stolen from in order to use it). But this probably needs to go further, without making it unnecessary painful for customers to actually buy things. If you make a credit card useless to a thief, there’s not much incentive to steal it. (And there are still online merchants who don’t use Card Identification Numbers. Credit card company to merchant: You want to accept MasterCard and Visa? You better have these systems in place. )

Fight back – In the end, make it so that the mistakes of others don’t affect you. Use only one credit card, and pay if off every month (ok, I know paying off the card every month is hard for many, but at least try to keep only one card in active use). Fight intrusive government legislation like Real ID, which will make it easier for personal information to be exposed to criminals (and is highly intrusive on your own privacy to boot). Support legislation like HR 25, the Fair Tax, which gets rid of the Income Tax and makes every taxpayer anonymous. Support groups like EPIC, which are fighting very hard for electronic privacy rights.

One other thing: Credit card companies are incredibly profitable. So theft might simply become a risk-management issue. They plug in an assumed 2% fraud rate and up the APR on the card. Ok, that’s incredibly cynical on my part, and not entirely fair. But we just need to make sure that our lives don’t become risk management statistics.

I hope this gets cleaned up fast so we don’t have more legislation on the matter.

Alex Eckelberry