Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/19/2006
05:15 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Visa Outlines Credit Card Risks

Visa, US Chamber of Commerce list top five causes of credit card data breaches

You'd better hope that next time you pay by credit card the merchant's point-of-sale system doesn't store personal data swiped from your card's magnetic stripe.

Storage of magnetic stripe data is the number one cause of credit card data breaches, according to a new security bulletin released by Visa and the U.S. Chamber of Commerce. It's also a violation of the PCI Data Security Standard (PCI DSS) to store this data after credit card authorization has been completed during a transaction. (See Credit Card Giants Modify Security Specs.) The bulletin lists the top five vulnerabilities that compromise credit cards, based in part on fraud control data gathered by Visa.

The purpose of the bulletin is to promote compliance with the Cardholder Information Security Program (CISP) and PCI DSS, and to raise awareness among smaller businesses, which are the majority of the U.S. Chamber of Commerce's membership.

"We have 3 million members, 96 percent of which are small businesses," says Mike Zanis, a lobbyist for technology and electronic commerce at the U.S. Chamber of Commerce. "They are the first line of defense."

Attackers can easily duplicate a credit card just by getting the data stored in a magnetic stripe, such as a PIN number, so if merchants are storing this data they are leaving it vulnerable to exposure and ultimately, credit card fraud, according to Visa. Trouble is, many merchants don't realize their POS systems by default store this data.

The other major culprits of compromised credit card data include:

  • Missing or outdated software security patches
  • Use of vendor-supplied default settings and passwords
  • SQL injection
  • Unnecessary and vulnerable services enabled by default on servers

    Known and newly discovered software vulnerabilities are a popular conduit for an attacker to break into a system to get credit card data, according to Visa, so businesses need to ensure they are up to date with security patches issued by their vendors.

    And merchants and other small businesses should be sure to turn off default settings and passwords that come with products so the door isn't left open for an attacker. PCI DSS Requirement 2.1 requires that vendor defaults be changed before you install the system on the network, according to Visa.

    Visa's bulletin also pinpoints SQL injection as a risk for credit card data compromises. Commercial shopping-cart products most recently have fallen victim to SQL injection attacks. SQL injection has also jumped to the second most popular flaw that attackers exploit in software, according to Mitre Corp. (See Cross-Site Scripting: Attackers' New Favorite Flaw.)

    And defaults in server software such as FTP and email services may not be necessary for all apps, so Visa recommends disabling them to close as many potential "holes" as possible that may get forgotten by system administrators during the patching and upgrade process, for instance.

    — Kelly Jackson Higgins, Senior Editor, Dark Reading

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 9/21/2020
    Hacking Yourself: Marie Moe and Pacemaker Security
    Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
    Startup Aims to Map and Track All the IT and Security Things
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-24213
    PUBLISHED: 2020-09-23
    An integer overflow was discovered in YGOPro ygocore v13.51. Attackers can use it to leak the game server thread's memory.
    CVE-2020-2279
    PUBLISHED: 2020-09-23
    A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.
    CVE-2020-2280
    PUBLISHED: 2020-09-23
    A cross-site request forgery (CSRF) vulnerability in Jenkins Warnings Plugin 5.0.1 and earlier allows attackers to execute arbitrary code.
    CVE-2020-2281
    PUBLISHED: 2020-09-23
    A cross-site request forgery (CSRF) vulnerability in Jenkins Lockable Resources Plugin 2.8 and earlier allows attackers to reserve, unreserve, unlock, and reset resources.
    CVE-2020-2282
    PUBLISHED: 2020-09-23
    Jenkins Implied Labels Plugin 0.6 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to configure the plugin.