Risk
6/19/2005
08:54 PM
Patricia Keefe
Commentary

Data Security Requires A Group Effort

Forty ... million ... credit cards. MasterCard, Visa, Discover, and American Express. That's enough accounts to represent roughly one card each for 19% of the U.S. population that is 18 and over.

In the last four months we have had at least 14 episodes of exposed data--be it by loss, theft, or hacking. Four of these incidents involved more than a million accounts, but the hacking of CardSystems Solutions last week is the hands-down winner, multiplying by a factor of 10 the number of affected accounts from the next biggest breach from two weeks ago--Citifinancial's 3.9 million accounts.

In this latest incident, roughly 13.9 million of the accessed accounts are MasterCards and about 20 million are Visa cards; Discover and American Express cards account for the remaining 6 million or so accounts.

In most of the 14 data breaches, common sense and/or the application of basic security measures appeared to have been lacking. In many of these cases, the victimized companies moved to change their security procedures following the often belated revelations of the breaches.

And so it is with CardSystems. MasterCard's Data Protection policy requires most third-party processors to build and maintain a secure network and implement certain security processes, but whatever CardSystems had in place, it wasn't enough. Following a security audit, the credit processor apparently is changing its security procedures.

But there's no sense getting your knickers in a twist over this one, assures MasterCard. Social Security numbers and other identifying information are not stored on its credit cards, so our identities are safe. And the company claims that only about 68,000 of its affected card holders are at a high level of risk. The other three card issuers haven't had much to say publicly.

So I guess we're all supposed to relax now. Except that we won't. A recent survey by the Cyber Security Industry Alliance found that consumers want something done about the myriad computer assaults peppering their systems--phishing, viruses, and spam--but they don't trust the federal agencies most in a position to legislate protections--Congress and the Federal Trade Commission--to do the right thing. According to another recent survey by Javelin Strategy & Research, consumers think financial institutions focus too much on ID theft resolution, rather than prevention and detection.

Those survey respondents probably won't have to wait long to see some action. My guess is we will now see Congress rush to quell consumer outrage by hastily passing some laws. After all, there are at least four identity-theft-related bills floating around Congress right now, with more on the way.

The thing is, we need a lot more than a federal mandate ordering holders of our data to inform us when it is lost or stolen. That's closing the barn door after all the horses have left. We obviously need to mandate some level of security, and penalties for failing to provide it, since on their own, the data aggregators don't seem able to learn from, or react to, recent history. But thanks to this latest theft, we may have missed the window for some well-thought-out legislation. There is nothing like front-page headlines, angry voters, and the chance the legislators themselves may be victimized to fuel a rush to legislation.

You would think that after the first round of publicized breaches--if not the first round of blustering politicians--a light would have clicked on throughout the tiers of companies involved in collecting and aggregating sensitive consumer data. You would have thought they'd have scrambled to ensure the most basic level of security for this data: Firewalls. Antivirus measures. Encryption. Authentication. New protocols. Overnight shipping and notification for computer tapes. You can doubtless think of more. Some of this will take time to implement, some can be done quickly, and some steps are being taken now, notably at two victims, Bank of America and Visa.

This would be good, but it's not good enough. We don't need a piecemeal approach, with every aggregator scrambling for itself. It's clear the holders of our data are intertwined with one another. And if the industry is smart, it'll lay the groundwork itself, instead of waiting for Congress to step in.

Last week, we saw the first rustlings of a collective consciousness on this issue. The Liberty Alliance, whose members include vendors, government agencies, and businesses, announced the Identity Theft Protection Group, which will try to provide a group effort toward fighting identity theft. The working group will be headed up by Michael Barrett, VP of security and architecture for American Express.

While it's early yet to divine any specifics, such as target areas or a timetable for something concrete, this is a good sign that someone is paying attention.

More immediately, industry-specific group efforts can pay off. We did it with EDI, we did it with ERP, and we're doing it with RFID right now. What am I talking about? Market-leading companies using their leadership positions like a club and insisting that anyone who wants to do business with them must install and use certain technologies and procedures. It's simple, it works, and it's an opportunity for IT to showcase its leadership, vision, and business acumen. In the case of EDI, vendors pushed by the largest customers speaking as one responded, first by meeting the standard insisted upon, and then by creating PC-based versions of their technology to ensure that companies further down the food chain of suppliers and manufacturers could afford to get on the train. That's what made EDI work. And it will be a big part of making RFID ubiquitous.

We need to do this with data aggregation. We need the credit-card issuers, processors, and reporting bureaus to put aside competitive issues and get together, figure out some security standards, procedures, and protocols, and then to lay down the law throughout the data chain.

We need the enormous political energy and attention that has gone into something silly, such as a small group of overpaid athletes doping themselves, instead diverted into the protection of sensitive personal and financial data.

Just imagine if the regulators and the government announced Monday that no more corporate mergers would be approved until this mess is cleaned up. You can bet the banks would have their acts together in no time. But still, it wouldn't be enough.

This is a cross-industry issue, and it can only be addressed with cross-industry cooperation. IT must help lead the way. We have the know-how. But if it takes legislation to make it so, let's get on with it, before every credit card out there becomes worthless and we start seeing ourselves coming and going.
