Dark Reading is part of the Informa Tech Division of Informa PLC

FBI Credit Card Ring Bust Exposes PCI Challenges

Some experts say existence of complex credit card fraud black market a sign that PCI isn't effective

The publicity around the FBI sting that nabbed dozens of criminals in an international credit card fraud ring provides a good opportunity to reflect on the sophistication of today's data theft black market and on the importance of organizations looking beyond the baseline security levels set by compliance regulations such as PCI, security experts say.

Announced by the U.S. Attorney's office in the Southern District of New York, the criminal investigation was a two-year effort by the FBI into a carding operation that netted 11 arrests in the U.S. and 13 more in other countries. The action uncovered stolen credit card numbers taken from 47 breached organizations. The documents made public with the announcements showed how complex this previously successful carding operation had become, offering everything from the sale of credit card numbers to fraudsters by the thousands to the peddling of a large variety of malware to would-be thieves looking to acquire numbers on their own.

"It's always been exciting when we see such a strong law enforcement action when we see this kind of fraud because we know that it's very different to actually track down the individuals who are involved in this kind of scheme and it doesn't happen very often," says Ben Knieff, director of fraud product marketing at NICE Actimize. "It brings to light for people who aren't so intimately involved in fighting this sort of fraud how complex and how many different parties are actually involved."

Some within the security industry say the sting offers yet another piece of evidence of how important it is to move beyond check-the-box compliance.

"The prevalence of credit card theft that this sting clearly demonstrates is a call for security to move beyond check-the-box regulatory compliance and focus on effective security measures," says Gretchen Hellman, director of product marketing at McAfee. "Regulations can only provide general requirements for security practices, but given the unique nature of every IT environment and the subsequent environmental risk, it is up to enterprises to ensure those practices are effective in protecting customer data."

Still others go so far as to say this is evidence of PCI's ineffectiveness as a regulation, charging that the existence of such unchecked commerce in stolen credit card numbers casts a shadow on PCI's touted successes.

"So, 47 organizations were breached. The real question is will any of them be fined by the PCI Council?" says Tim Erlin, director of IT security and risk strategy for nCircle. "This seems like a significant blow to the effectiveness of PCI. After years of regulation and 'enforcement,' it appears that little progress has been made in actually securing cardholder data. Of course, that assumes the goal of PCI is to secure data. If you look at the PCI DSS as a means of transferring liability for the security of card holder data, then the question of PCI effectiveness can be viewed in dramatically different light."

Knieff at NICE Actimize wouldn't go so far. He says he believes PCI has helped the industry make great strides in limiting the number of consumers victimized by card thieves. But he also believes there's still work to be done.

"PCI absolutely helps but it is not an end all be all. There are still weaknesses in the system," he says. "Obviously, one of the challenges that we face is that there's more than one level of PCI compliance on the merchant side. And because they're relatively well-known it also allows criminals to know who's likely to be weaker or stronger from a security perspective."

According to Knieff, PCI and security practices notwithstanding, such complex cybercriminal activity shows that organizations need to focus risk management not only on how they treat sensitive data but also on how consumers interact with it.

"It definitely highlights the fact that no matter how hard you try, even if every merchant and every processor and every issuing institution was perfect, you still have weak links at the endpoint," he says, "which is the consumer entering their information into a phishing site or a skimming device on a POS terminal or an ATM. PCI is good but it's not good enough to solve all of our problems at this point."
