US credit unions are reporting a security breach affecting credit and debit card numbers involving a payment processor firm. Neither the name of the company at the centre of the snafu nor how many records might be involved has been disclosed. Official word of the breach came when the Community Bankers Association reported that …
Add one more Credit Union
Pentagon Federal Credit Union was also hit.
I love how they...
...they always state with great certainty what was and what wasn't disclosed in the breach. How the hell do they know? Their servers have been pwned for God knows how long; have they been running a packet capture on their whole network's TCP/IP traffic that entire time?
If not, then how might they explain these precise facts and figures?...
A) Err, we just made them up out of thin air
B) We paid very expensive security consultants to look clever and then guess at them for us
C) We're just reporting attacks since we started looking, there may well be a boatload more
D) We had no idea it was even happening 'til the CIA called us and explained one of their agents had been sold X number of our customer records
E) We had noticed but we're going to sweep it under the carpet, until the CIA turned up and ruined our plans...
another perfect example
When these larger corporations do stuff like this everyone suffers. Where's your PCI compliance? How'd that work out for you? Every time these corporate fools screw up, small business suffers and will continue to suffer. Everyone up to Visa should be sued when this stuff happens; there's absolutely no cause for it in 2009.
...all the data is encrypted. On the disc, in the database, over the wire. Only on the screen (or at the printer, i.e. point of consumption) does it need to be decrypted.
Given that must be the case, as they are so hot on security, what does it matter - all the data is encrypted and thus worthless.
Unless of course it's not encrypted.....
well, you'd think but
There is a problem with the PCI requirements.
Yes, the data must be encrypted in transit.
Yes, it must be encrypted when stored.
But, these two points are in two different sections of the standard and so are often applied in two ways
For example, if you use HTTPS to encrypt the data in transit and hard-drive encryption to encrypt the data while it is stored, you're fully PCI compliant, but all of that is not worth a damn if your server is owned.
You should also read Voltage's Luther Martin's blog post on this: http://superconductor.voltage.com/2009/02/another-big-data-breach.html
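To put the two comments above side by side in code, here is an added Go example (not from the thread, Voltage, or any PCI document) contrasting a record kept under transparent disk encryption, which any code on the host reads back as the card number, with per-field AES-GCM encryption whose key is only ever used at the point of consumption. The names FieldVault, storeUnderDiskEncryption and exposedToOwnedHost are chosen here; that the key comes from an HSM or key service, and that a PAN is 16 digits, are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

// storeUnderDiskEncryption models HTTPS + hard-drive encryption: TLS ends at the
// web server and the volume is mounted while it runs, so host code reads the PAN.
func storeUnderDiskEncryption(pan string) []byte { return []byte(pan) }

// FieldVault holds the AES-GCM key (16, 24 or 32 bytes) and lives at the point of
// consumption, not on the storage host; an HSM or key service is assumed to hold it.
type FieldVault struct{ aead cipher.AEAD }

func NewFieldVault(key []byte) (*FieldVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldVault{aead: aead}, nil
}

// Seal encrypts the PAN field; the stored value is nonce || ciphertext || tag.
func (v *FieldVault) Seal(pan string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Open decrypts at the point of consumption; truncated or tampered records are rejected.
func (v *FieldVault) Open(stored []byte) (string, error) {
	n := v.aead.NonceSize()
	if len(stored) < n {
		return "", errors.New("stored value too short")
	}
	pt, err := v.aead.Open(nil, stored[:n], stored[n:], nil)
	return string(pt), err
}

// exposedToOwnedHost: does the stored field still read as a 16-digit PAN to host code?
func exposedToOwnedHost(stored []byte) bool { return regexp.MustCompile(`^[0-9]{16}$`).Match(stored) }
```

Under the disk-encryption model exposedToOwnedHost returns true for the stored record; under the field model it returns false and only FieldVault.Open, holding the key, recovers the number.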