[fw-wiz] Re: Transitive Trust: 40 million credit cards hack'd

From: Vin McLellan (vin_at_theworld.com)
Date: 06/18/05

  • Next message: Martin Mačok: "Re: [fw-wiz] Strange Pix behavior."
    To: firewall-wizards@honor.icsalabs.com
    Date: Sat, 18 Jun 2005 13:02:07 -0400
    
    

    Marcus wrote:

    >40M credit cards hacked
    >Breach at third party payment processor affects 22 million Visa cards and
    >14 million MasterCards.
    >http://money.cnn.com/2005/06/17/news/master_card/index.htm?cnn=yes
    >
    >This sounds like (yet another) classical example of "transitive trust gone
    >wrong." Visa/MasterCard trusted a 3rd party to hold their data and - oops
    >- the trust was misplaced.

    ><snip> <snip>

    >I figure Paul and I and the other "security graybeards" can let this kind
    >of thing keep happening for a few months more and then we can start
    >turning on the big, blinking neon lights that say "We Told You
    >So." Transitive trust is a *HARD* problem in security. Always has
    >been, always will be. But today's businesses convinced themselves that
    >they could basically ignore it - mostly because the obvious stuff like
    >patching and vulnerability management was more obvious and accessible.

    Maybe the security lessons to be drawn from the dissemination of valuable
    data throughout the enterprise can be passed on to those who seek to do the
    same thing in an even larger arena?

    The Department of Justice, in its eternal push for more surveillance
    options, has apparently just proposed regulations or legislation that would
    require ISPs to concentrate and retain the data generated by their
    customers in one place, so that it is convenient for the DoJ and other
    lawmen to access a complete record of online behavior.

    On Dave Farber's "IP" list, Hugh-list <hugh-list@thoughtballoon.com> just
    posted a thought-provoking note that explored one of the unexpected
    consequences likely if such legislation were enacted.

    Hugh wrote:

    >>So if I understand this, the DoJ would like to set up one-stop shopping
    >>for identity thieves ( and terrorists ) who would be able to get an
    >>internet user's credit card info, a record of what they buy from and from
    >>who they buy it, any online airline ticket sales, a record of blogs,
    >>email, dating services and whatever else an ISP's customer does online.

    Sound familiar?

    >>One of the ways the credit card companies detect fraud is by noticing new
    >>and unusual behavior. Armed with the info they get from an ISP's retained
    >>data, fraudsters can pick the identitys of people with a history
    >>consistent with the fraud they wish to perpetrate.Now in addition to old
    >>fashioned credit card fraud a crook or terrorist could even more
    >>successfully impersonate their victim.
    >>
    >>You want to buy 8 tones of ammonium nitrate or a thousand gallons of
    >>diesel fuel and have it delivered to the corner of a field in a remote
    >>location? What better way than to have the credit card info and address
    >>of a farmer who makes these transactions on a regular basis?
    >>
    >>Want to get on an airplane to Washington DC but you are on one of those
    >>pesky no fly lists? Just grep the convenient ISP retained records for
    >>airline ticket sales to Washington DC, match those sales to members of
    >>online dating services, find someone who has the "paperless ticket" for a
    >>flight you want and looks like you, mug them on their way to the airport,
    >>and there you are at the gate, with a ticket and a photo ID.

    Does SANS, or the Computer Security Institute, or some other entity, ever
    try to offer the voice of the front line InfoSec troops in response to this
    sort of proposal?

    Suerte,
                _Vin

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Martin Mačok: "Re: [fw-wiz] Strange Pix behavior."

    Relevant Pages

    • Re: Being prevented from using my credit card for online purchases
      ... cousin tom wrote: ... out the credit card info page but it is always coming back to me as ... req fields missing the numbr sec code on back of card etc even ...
      (microsoft.public.windowsxp.security_admin)
    • Re: How to disable automatic form filling on website
      ... In the Internet Options clear out the AutoComplete ... had to enter my email address and the credit card info I had used ... card, ... computer and to delete cookies and temporary files. ...
      (microsoft.public.security)
    • Re: OT: Bastards
      ... I forget who owns it now one of the big Internet companies I think, ... But you are giving PayPal your credit card info, ... Some spammers try to guess addresses to send the spam to, ...
      (alt.support.diabetes)
    • Re: OT: Bastards
      ... I forget who owns it now one of the big Internet companies I think, ... But you are giving PayPal your credit card info, ... We must realize that a talented computer ...
      (alt.support.diabetes)
    • Re: Microsoft $35.00 Paid Support Experience
      ... First tech support said that installing the card would automatically ... that the credit card company would not find in HP's favor. ... So I went through he same story again and he suggested a REPAIR. ... material that is already on the Microsoft web site. ...
      (microsoft.public.windowsxp.general)