Risk // Compliance
7/2/2012
04:57 PM
FBI Credit Card Ring Bust Exposes PCI Challenges

Some experts say existence of complex credit card fraud black market a sign that PCI isn't effective

The publicity around the FBI sting that nabbed dozens of criminals in an international credit card fraud ring provides a good opportunity to reflect on the sophistication of today's data theft black market and on the importance for organizations of looking beyond the baseline security levels set by compliance regulations such as PCI, security experts say.


Announced by the U.S. Attorney's office in the Southern District of New York, the criminal investigation was a two-year effort by the FBI into a carding operation that netted 11 arrests in the U.S. and 13 more in other countries. The action uncovered stolen credit card numbers taken from 47 breached organizations. The documents made public with the announcement showed how sophisticated such a carding operation had become, offering everything from sales of credit card numbers to fraudsters by the thousands to the peddling of a wide variety of malware to would-be thieves looking to acquire numbers on their own.

"It's always been exciting when we see such a strong law enforcement action when we see this kind of fraud because we know that it's very different to actually track down the individuals who are involved in this kind of scheme and it doesn't happen very often," says Ben Knieff, director of fraud product marketing at NICE Actimize. "It brings to light for people who aren't so intimately involved in fighting this sort of fraud how complex and how many different parties are actually involved."

Some within the security industry say the sting offers yet another piece of evidence of how important it is to move beyond check-the-box compliance.

"The prevalence of credit card theft that this sting clearly demonstrates is a call for security to move beyond check-the-box regulatory compliance and focus on effective security measures," says Gretchen Hellman, director of product marketing at McAfee. "Regulations can only provide general requirements for security practices, but given the unique nature of every IT environment and the subsequent environmental risk, it is up to enterprises to ensure those practices are effective in protecting customer data."

Still others go so far as to say this is evidence of PCI's ineffectiveness as a regulation, charging that the existence of such unchecked commerce in stolen credit card numbers casts a shadow on PCI's touted successes.

"So, 47 organizations were breached. The real question is will any of them be fined by the PCI Council?" says Tim Erlin, director of IT security and risk strategy for nCircle. "This seems like a significant blow to the effectiveness of PCI. After years of regulation and 'enforcement,' it appears that little progress has been made in actually securing cardholder data. Of course, that assumes the goal of PCI is to secure data. If you look at the PCI DSS as a means of transferring liability for the security of card holder data, then the question of PCI effectiveness can be viewed in a dramatically different light."

Knieff at NICE Actimize wouldn't go so far. He says he believes PCI has helped the industry make great strides in limiting the number of consumers victimized by card thieves. But he also believes there's still work to be done.

"PCI absolutely helps, but it is not an end-all, be-all. There are still weaknesses in the system," he says. "Obviously, one of the challenges that we face is that there's more than one level of PCI compliance on the merchant side. And because they're relatively well-known, it also allows criminals to know who's likely to be weaker or stronger from a security perspective."

According to Knieff, PCI and security practices notwithstanding, such complex cybercriminal activity shows that organizations need to focus risk management not only on how they treat sensitive data but also how consumers interact with it.

"It definitely highlights the fact that no matter how hard you try, even if every merchant and every processor and every issuing institution was perfect, you still have weak links at the endpoint," he says, "which is the consumer entering their information into a phishing site or a skimming device on a POS terminal or an ATM. PCI is good but it's not good enough to solve all of our problems at this point."
