Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/19/2006
05:15 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Visa Outlines Credit Card Risks

Visa, US Chamber of Commerce list top five causes of credit card data breaches

You'd better hope that next time you pay by credit card the merchant's point-of-sale system doesn't store personal data swiped from your card's magnetic stripe.

Storage of magnetic stripe data is the number one cause of credit card data breaches, according to a new security bulletin released by Visa and the U.S. Chamber of Commerce. It's also a violation of the PCI Data Security Standard (PCI DSS) to store this data after credit card authorization has been completed during a transaction. (See Credit Card Giants Modify Security Specs.) The bulletin lists the top five vulnerabilities that compromise credit cards, based in part on fraud control data gathered by Visa.

The purpose of the bulletin is to promote compliance with the Cardholder Information Security Program (CISP) and PCI DSS, and to raise awareness among smaller businesses, which are the majority of the U.S. Chamber of Commerce's membership.

"We have 3 million members, 96 percent of which are small businesses," says Mike Zanis, a lobbyist for technology and electronic commerce at the U.S. Chamber of Commerce. "They are the first line of defense."

Attackers can easily duplicate a credit card just by getting the data stored in a magnetic stripe, such as a PIN number, so if merchants are storing this data they are leaving it vulnerable to exposure and ultimately, credit card fraud, according to Visa. Trouble is, many merchants don't realize their POS systems by default store this data.

The other major culprits of compromised credit card data include:

  • Missing or outdated software security patches
  • Use of vendor-supplied default settings and passwords
  • SQL injection
  • Unnecessary and vulnerable services enabled by default on servers

    Known and newly discovered software vulnerabilities are a popular conduit for an attacker to break into a system to get credit card data, according to Visa, so businesses need to ensure they are up to date with security patches issued by their vendors.

    And merchants and other small businesses should be sure to turn off default settings and passwords that come with products so the door isn't left open for an attacker. PCI DSS Requirement 2.1 requires that vendor defaults be changed before you install the system on the network, according to Visa.

    Visa's bulletin also pinpoints SQL injection as a risk for credit card data compromises. Commercial shopping-cart products most recently have fallen victim to SQL injection attacks. SQL injection has also jumped to the second most popular flaw that attackers exploit in software, according to Mitre Corp. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

    And defaults in server software such as FTP and email services may not be necessary for all apps, so Visa recommends disabling them to close as many potential "holes" as possible that may get forgotten by system administrators during the patching and upgrade process, for instance.

    — Kelly Jackson Higgins, Senior Editor, Dark Reading

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    News
    A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
    Edge-DRsplash-10-edge-articles
    Cybersecurity: What Is Truly Essential?
    Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
    Commentary
    3 Cybersecurity Myths to Bust
    Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-19924
    PUBLISHED: 2021-05-18
    In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
    CVE-2020-20220
    PUBLISHED: 2021-05-18
    Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
    CVE-2020-20227
    PUBLISHED: 2021-05-18
    Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.
    CVE-2020-20245
    PUBLISHED: 2021-05-18
    Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
    CVE-2020-20246
    PUBLISHED: 2021-05-18
    Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.