[fw-wiz] Re: Transitive Trust: 40 million credit cards hack'd
From: Vin McLellan (vin_at_theworld.com)
To: firstname.lastname@example.org Date: Sat, 18 Jun 2005 13:02:07 -0400
>40M credit cards hacked
>Breach at third party payment processor affects 22 million Visa cards and
>14 million MasterCards.
>This sounds like (yet another) classical example of "transitive trust gone
>wrong." Visa/MasterCard trusted a 3rd party to hold their data and - oops
>- the trust was misplaced.
>I figure Paul and I and the other "security graybeards" can let this kind
>of thing keep happening for a few months more and then we can start
>turning on the big, blinking neon lights that say "We Told You
>So." Transitive trust is a *HARD* problem in security. Always has
>been, always will be. But today's businesses convinced themselves that
>they could basically ignore it - mostly because the obvious stuff like
>patching and vulnerability management was more obvious and accessible.
Maybe the security lessons to be drawn from the dissemination of valuable
data throughout the enterprise can be passed on to those who seek to do the
same thing in an even larger arena?
The Department of Justice, in its eternal push for more surveillance
options, has apparently just proposed regulations or legislation that would
require ISPs to concentrate and retain the data generated by their
customers in one place, so that it is convenient for the DoJ and other
lawmen to access a complete record of online behavior.
On Dave Farber's "IP" list, Hugh-list <email@example.com> just
posted a thought-provoking note that explored one of the unexpected
consequences likely if such legislation were enacted.
>>So if I understand this, the DoJ would like to set up one-stop shopping
>>for identity thieves ( and terrorists ) who would be able to get an
>>internet user's credit card info, a record of what they buy from and from
>>who they buy it, any online airline ticket sales, a record of blogs,
>>email, dating services and whatever else an ISP's customer does online.
>>One of the ways the credit card companies detect fraud is by noticing new
>>and unusual behavior. Armed with the info they get from an ISP's retained
>>data, fraudsters can pick the identitys of people with a history
>>consistent with the fraud they wish to perpetrate.Now in addition to old
>>fashioned credit card fraud a crook or terrorist could even more
>>successfully impersonate their victim.
>>You want to buy 8 tones of ammonium nitrate or a thousand gallons of
>>diesel fuel and have it delivered to the corner of a field in a remote
>>location? What better way than to have the credit card info and address
>>of a farmer who makes these transactions on a regular basis?
>>Want to get on an airplane to Washington DC but you are on one of those
>>pesky no fly lists? Just grep the convenient ISP retained records for
>>airline ticket sales to Washington DC, match those sales to members of
>>online dating services, find someone who has the "paperless ticket" for a
>>flight you want and looks like you, mug them on their way to the airport,
>>and there you are at the gate, with a ticket and a photo ID.
Does SANS, or the Computer Security Institute, or some other entity, ever
try to offer the voice of the front line InfoSec troops in response to this
sort of proposal?
firewall-wizards mailing list