Slashdot Mirror


Top Five Causes of Data Compromise

Steve writes, "In a key step to help businesses better understand and protect themselves against the risks of fraud, Visa USA and the U.S. Chamber of Commerce announced the five leading causes of data breaches and offered specific prevention strategies. The report states that the most common cause of data compromise is a merchant's or a service provider's encoding of sensitive information on the card's magnetic stripe in violation of the PCI Data Security Standard. The other four are related to IT security, which can be improved simply by following common-sense guidelines." Here is the report on the U.S. Chamber of Commerce site (PDF).

16 of 106 comments

  1. Ballmer response: by Volante3192 · · Score: 5, Funny

    Users! Users! Users!

    Wait, five reasons? Add a 'Users! Users!' to the end of that.

  2. top 5 by neonprimetime · · Score: 5, Informative

    1. Storage of Magnetic Stripe Data
    2. Missing or Outdated Security patches
    3. Use of Vendor Supplied Default Settings and Passwords
    4. SQL Injection
    5. Unnecessary and Vulnerable Services on Server


    Honestly, could my post be any more useful?

    1. Re:top 5 by Anonymous Coward · · Score: 3, Insightful

      Honestly, could my post be any more useful?
      Yes, but a more interesting question is could your karma whoring be any more obvious?

    2. Re:top 5 by grammar+fascist · · Score: 5, Informative

      4. SQL Injection

      I'm surprised, but not too much. It's interesting that this is the only one on the top five list that has anything to do with the programming. This puts it right up there with social engineering - SQL injection is that easy.

      The take-home lesson for us programmers? Never, ever, EVER use any DB API that doesn't let you bind parameters.

      --
      I got my Linux laptop at System76.
    3. Re:top 5 by morgan_greywolf · · Score: 3, Funny
      I don't do it for the karma. I don't need the karma. I just want to feel loved.


      Well, you know we all love you. In fact, just the other day, I heard CmdrTaco and the new guy, kdawson, talking and they were saying "Gosh, I really love that neonprimetime. Yeah. neonprimetime is great, huh?"

      There. Feel better?

    4. Re:top 5 by Rogerio+Gatto · · Score: 3, Interesting

      I only have knowledge on Java's JDBC API, which allows it both ways. The interesting thing is that it's generally easier to use bind parameters than to build SQL by hand, but I still see some people that do it. Not that many people code to JDBC these days, it's considered very low level in Javaland. We like levels and levels of frameworks above our JVM, which is already levels and levels above the SO, which is... you get the picture.

    5. Re:top 5 by DavidWide · · Score: 3, Informative
      php.net/mysqli has prepared statements, or you can use PEAR's MDB2:
      * Prepare/execute (bind) named and unnamed placeholder emulation
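The contrast the replies above draw between hand-built SQL and bound parameters, as an added example that is not from the thread or from any of the libraries mentioned; it uses Python's standard sqlite3 driver with a constructed in-memory table, and the names `lookup_unsafe`, `lookup_safe` and `compare` are my own:

```python
import sqlite3

# Constructed sample table for the demo; the values are not real card data.
SAMPLE_ROWS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_masked TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Builds the SQL by string concatenation, so the input becomes part of the statement."""
    sql = "SELECT name, card_masked FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Binds the input through a placeholder, so the driver passes it as data only."""
    return conn.execute(
        "SELECT name, card_masked FROM customers WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both lookups on the same input; an entry is None if that lookup raised an error."""
    conn = make_db()
    results = []
    try:
        for lookup in (lookup_unsafe, lookup_safe):
            try:
                results.append(lookup(conn, name))
            except sqlite3.Error:  # malformed SQL, e.g. an unbalanced quote from the input
                results.append(None)
    finally:
        conn.close()
    return tuple(results)


if __name__ == "__main__":
    # A legitimate name with an apostrophe breaks the concatenated query outright,
    # while a quote-and-OR fragment turns it into a query that matches every row.
    for probe in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The bound version returns the same single row for "alice" and an empty result for the other two inputs, which is exactly the behaviour a reviewer should expect from a query whose shape the caller cannot change.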
  3. Re:sheesh by AP2k · · Score: 5, Funny

    Maybe their data got compromised? D:

  4. Didn't the waiter do it?! by __aaclcg7560 · · Score: 4, Insightful

    Whatever happened to the old saying that your credit card would more likely be ripped off by a waiter than someone off of the internet? Or are waiters taking hacking jobs these days?

    1. Re:Didn't the waiter do it?! by mennucc1 · · Score: 4, Insightful
      You did not RTFA: waiters are number one in the list. Here it is, in the original form:

      1. Storage of Magnetic Stripe Data - The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card's magnetic stripe in violation of the PCI Data Security Standard. This can occur because a number of point-of-sale systems improperly store this data, and the merchant may not be aware of it.

      Then translate from market-speak:
      • service provider -> waiter (indeed, it does serve)
      • merchant -> owner of the restaurant
      • "point-of-sale systems" -> gadget that you stripe your card in
      • to store sensitive info -> pwn

      After proper translation, it reads:

      1. Storage of Magnetic Stripe Data - The most common cause of data breaches occurs when a waiter pwns your card's magnetic stripe in violation of law. This can occur because a number of gadgets are available around that will store this data; and the restaurant owner may not be aware of it.

      See?
  5. Chip & PIN by celardore · · Score: 5, Interesting

    Perhaps slightly OT, but the article is slashdotted and the header mentioned VISA and breaches.

    I think one of the greatest mistakes the credit/debit card companies/banks (certainly here in the UK) made was the compulsory PIN entering (as opposed to a signature) at point-of-sale. Now all you need to do is stand behind me and see my PIN, or if you work at the store - have the security camera trained at the keypad then either lift my wallet or clone my card. All you need is that four digit number, and you've pretty much got my bank account.

    My point is, companies make fundamental security errors, and will continue to do so.

    1. Re:Chip & PIN by John+Hasler · · Score: 3, Insightful

      > If they had thought to require a photo for the front of the card then it
      > would be a 3 stage process, and pretty hard to circumvent in a store
      > situation.

      Clerks rarely check pictures[1].

      > Even ATMs have CCTV these days, so they could use some image recognition
      > software to match your image against the registered image before giving you
      > cash.

      And the software would screw up about 10% of the time, keeping your card and your money.

      [1] I knew a guy who spent part of his stint in the Navy sneaking on board warships with an ID card bearing the likeness of a gorilla.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  6. Either that or minibar keys by Plutonite · · Score: 3, Funny
  7. And I thought... by SpectralDesign · · Score: 4, Funny

    POS meant point-of-sale... guess I was mistaken.

    --
    Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
  8. Re:Wow by jonadab · · Score: 4, Interesting

    Some vendors who develop industry-specific software actively encourage this.

    When I mentioned to a trainer who works for our vendor that I would of course be changing all the passwords away from the (incredibly insecure) defaults, the response I got was, "Why? What are you afraid of?" Later, _a technician_ working for the vendor asked, "You didn't change the Administrator password, did you?" I wanted to say, "Of course, what kind of fool do you take me for," but all I said was, "Yes, I did." They didn't make me change it back, but they also didn't seem to understand why I considered it important to change it.

    Worse, when I asked what ports I needed to open on the firewall between the staff workstations and the mission-critical production server, I was told that we _cannot_ put a firewall there; they must be directly on the same subnet.

    This was all _after_ we bought the software, to the tune of tens of thousands of dollars. Before we bought it, the official line was that the only thing that could possibly make the system vulnerable would be if we neglected to keep up-to-date antivirus software. My boss (at the time, now retired) actually signed (against my advice) a contract agreeing that if there's any security incident, it's automatically our fault and _we_ pay the _vendor_ for any time required to fix it.

    Needless to say I am personally rather at odds with this vendor's view of security. Their name is Polaris Library Systems.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  9. Re:Sale of information by company officials by Nintendork · · Score: 4, Interesting

    I'm in the IT department for a large ISO and give the security lecture during new hire orientations. We have to follow PCI compliancy and are aware of the dangers on the Internet. Insider jobs are a threat, but not yet. Right now, most of the crime is organized out of European countries and the most they use outsiders for is as a mule. The list they gave along with social engineering is actually quite accurate. CardSystems, an ISO with some 119k merchants was compromised last year due to a SQL injection attack and the storing of track 2 data of failed transactions on their processing hosts in plain text. Part of PCI compliancy is to only store that data in a strongly encrypted form (They give examples) and it's common practice to only store it during standin (When the upstream processor is down) and after standin until all the transactions run through successfully. They really f*ed up! The debit card fraud that happened earlier this year is still under investigation, but rumors have it that the POS system that Sams Club and/or OfficeMax use to send all the transactions to their processor was compromised. Of course, we won't know the story until the feds either give up or find the criminals.