Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Another Company Falls Victim - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Another Company Falls Victim

Stratfor Global Intelligence has released information regarding a breach to there data.  The reports indicate that ANONYMOUS has once again struck and has managed to get a large amount of personal data (reportedly including credit card numbers) from their client data file.  The mind boggling thing is that the data including the CC #'s were in plain text. Information, including the letter from the company can be reviewed at:

http://www.zerohedge.com/news/stratfor-hacked-200gb-emails-credit-cards-stolen-client-list-released-includes-mf-global-rockef

Deb Hale

Deborah

278 Posts
ISC Handler
If by "falls", you actually mean to say "deliberately engineered a situation in which this outcome was entirely predictable", and if by "victim" you actually mean, "will claim no responsibility since the cost of their risk is paid by everyone else", then yes, they've fallen victim.
Steven

42 Posts
I was just recently reading stuff on PCI and it would seem this company was completely non-compliant. I am no expert on this, but assuming I am right what is the penalty for non-compliance? And were they ever audited by PCI? Given how strict PCI states their requirements this is confusing me quite a bit.
BGC

23 Posts
This is shameful! It is amazing that these companies think they can get away with being non-compliant and then act suprised when this happens. We are constantly shouting to these type of people the importance of security and they do not want to listen. Then a criminal group like this comes and does damage.
They should have been more prepared. CC #’s in plain text, I mean come on….

BGC
1 Posts
I can't argue, Solinus. Not in the slightest.
Frankly, it'll serve them right when they are facing litigation by their injured clients, whose PII and credit card information was compromised as thoroughly as if they posted it on the open internet themselves.
BGC, not a LOT of criminal law would impact Strafor, but plenty of CIVIL law will most certainly come to bear. Think of it in this way: You take your significant other's diamond ring to a jeweler for cleaning and repair. The jeweler fails to lock up the jewelry or even to close the door when closing for the evening.
That is essentially what happened here, a contemptible failure of due care and due diligence.
Fortunately, I've changed credit cards since my subscription with them lapsed!
Wzrd1

8 Posts
PCI is pretty much a farce except for the largest merchants. Unless you process over six million cards a year per card brand (generally), you do not have to PROVE you're compliant. You just have to fill out a form saying you're compliant, if even that.

And if you do 5.9 million of Visa and 5.9 million of MasterCard annually, you still do not have to prove you're compliant; you just have to fill out the form. And that's only if your card processor even asks you for it.

The processors are the ones who get fined and they have contracts saying they can pass the fines on to the merchant. So unless the merchant goes out of business, the processor might not even care.
Anonymous
The bar got raised here in an interesting way. Almost every court case has ruled against the person whose card number or identity was compromised because there usually was no proof of actual damages or because the bank reimbursed the fraudulent charges.

A recent court case may change that because it ruled that their loss of time in remediating the issue was an actual injury.

Because the criminals allegedly actually used the stolen card numbers to make charitable donations, there are going to be a lot more people who have to take action to get their funds recovered.

Hmmm, based on the timing of the "contribution" I wonder if a victim can claim it on their 2011 tax return even if they later get reimbursed?
Anonymous
Having been through the full PCI audit, and passing it, I must say, that PCI is crap. It is not related to risk or the real world as it is. We have chip terminals / PinPads that are certified secure, even comms inside the terminal is encrypted, it is certified tamper resistant, and it can't deliver a PAN number to us in any way. Yet it is considered a major risk, and we need to have lots of security in place, need to change contracts with thousands of employees, train the people at the cash register in IT Security every year etc.

The only reason we have PCI is because of big bad companies storing credit card numbers, and the fact that credit card numbers are re-useable. Just make all CC numbers one-time use only, or require that they are used together with a onetime key. And do away with the magstipe. Scandinavia is 98% chip based cards now.

As it is, we need to spend lots of money, and as it looks, we need to replace every one of our thousands of terminals/pinpads every 3 years.

Make the standard good, and do away with 3DES (they can't, banks can't afford to upgrade to strong encryption, and they don't care about retailers).
Povl H.

71 Posts
Having also been through Qualified Security Assessor (QSA) audits, I'll have to disagree a bit. If someone swaps out the point-of-sale terminals on your self-checkout aisles it doesn't matter how secure your other ones are. BTW, Michael's Crafts is now looking for a new CSO and I'm guessing the fact that this happened to them is one of the reasons.

Personally I don't like risk-based standards very much because way too often it comes down to some manager thinking "I don't understand this, it won't help my sales, it will hurt my expenses and I am not going to deal with this." and saying out loud "We think this is a low risk and we accept that risk." This thinking prevails in large and small companies.

Chip-based cards still need a way to work over the Internet. And no ATM that I know of accepts chip-and-PIN even in Europe. Sp they still have mag stripes for ATMs.

Personally I use Discover Card's "online secure account" numbers every chance I get. A unique number is generated and once it's used at a particular vendor it cannot be used at another vendor. If some criminal can figure out how to steal my online card number and get that vendor to process the charge, well, Merry Christmas to them.

But until losses are no longer be a cost of doing business, this problem will continue. I work for a regional bank and when we contact some of the major banks on fraud issues, they won't even talk to us about investigating it unless the one-time-loss is over $15,000. They just reimburse us.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!