Category Archives: Security

Card Systems Breach FTC Review

Bank Information Security has posted an interesting interview with Alain Sheer, an attorney with the FTC working on the CardSystems breach. He gives details on the attack:

Here is what we alleged in the complaint about what happened, and this is kind of a big picture kind of way of thinking about it, but I think you will see the picture. It is, starting in September 2004 an intruder used a SQL injection attack, and I will explain what that is in just a moment, to install common hacker tools on Card Systems' network. The tools were used to find the mag stripe data and to export it every four days, starting in November 2004. Through the exploit, through this attack, the intruder got information about tens of millions of credit cards, the mag stripes basically.

He then goes into the multiple complaints filed and the steps that the FTC says should have been taken by Card Systems. Towards the end he describes the harm to consumers, contrasting it with the ChoicePoint case:

In Choice Point, for example, the information that was stolen in many instances was the Social Security number, which allowed the thieves to open new accounts in the consumer’s name. The evidence also showed that a significant number of people lost a significant amount of money from identity theft.

In Card Systems, the consumers experienced a different type of injury in the form of fraudulent credit and debit charges, inconvenience and time lost. Although this is a real injury, consumers' losses in circumstances like this are limited in many respects by existing consumer protection laws. Bank dispute procedures that kind of spread the loss among the affected companies and private litigation for example. Consumers are not typically held responsible for unauthorized charges on their credit cards. So in these cases we have not been getting monetary relief because they are really different from the Choice Point type case.

It’s a very good interview that helps illustrate the perspective of investigators as well as the security controls they expect companies to use.
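The interview names the entry point (a SQL injection) and what the intruder did with it (located the stored mag stripe data, then exported it) but never shows what the flaw looks like. The following is an added example, not code from the interview, the FTC complaint or Card Systems: a toy SQLite database with a constructed, fake card table stands in for the stored track data, and a hypothetical merchant lookup is written both the vulnerable way (string concatenation) and the hardened way (bound parameters). The schema-probe payload shows how an attacker who does not know the schema can use the same flaw to find which table holds the track data. Note that retaining full magnetic-stripe data after authorization is itself prohibited by PCI DSS, which is why the stored data, not only the injection, was a finding.

```python
import sqlite3

# Constructed sample data standing in for stored magnetic-stripe records.
# The PANs are standard test numbers and the track values are placeholders.
SAMPLE_ROWS = [
    ("merchant-001", "4111111111111111", "TRACK2-DATA-A"),
    ("merchant-001", "5500000000000004", "TRACK2-DATA-B"),
    ("merchant-002", "340000000000009", "TRACK2-DATA-C"),
]

# Classic tautology payload: closes the quoted literal, then adds an
# always-true condition so the WHERE clause matches every row.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"

# Schema-discovery payload: UNIONs the application query with a read of the
# SQLite catalog, and comments out the trailing quote the application appends.
SCHEMA_PROBE_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (merchant_id TEXT, pan TEXT, track2 TEXT)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, merchant_id):
    """Vulnerable (hypothetical) lookup: the caller-supplied value is pasted
    into the SQL text, so quote characters in it change the query structure."""
    sql = (
        "SELECT pan, track2 FROM transactions WHERE merchant_id = '%s'"
        % merchant_id
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, merchant_id):
    """Hardened lookup: the value is bound as a parameter, so the database
    treats it purely as data and never parses it as SQL."""
    sql = "SELECT pan, track2 FROM transactions WHERE merchant_id = ?"
    return conn.execute(sql, (merchant_id,)).fetchall()


def schema_via_injection(conn):
    """Attacker step: abuse the vulnerable lookup to read the catalog and
    learn which table holds the track data. Returns the table names found."""
    return [name for name, _ in lookup_vulnerable(conn, SCHEMA_PROBE_PAYLOAD)]


def demo():
    """Return row counts for: a normal lookup, the tautology payload against
    the vulnerable query, and the same payload against the hardened query."""
    conn = make_db()
    normal = lookup_vulnerable(conn, "merchant-001")
    dumped = lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)   # every row
    safe = lookup_parameterized(conn, TAUTOLOGY_PAYLOAD)  # no match
    return len(normal), len(dumped), len(safe)


if __name__ == "__main__":
    conn = make_db()
    print("tables visible via injection:", schema_via_injection(conn))
    print("(normal, dumped, safe) row counts:", demo())
```

The parameterized version is the fix the interview's "steps that should have been taken" point toward on the application side; a payload that dumps the whole table through the string-built query returns nothing through the bound one. The schema probe is SQLite-specific in its catalog name, but every major database exposes an equivalent catalog and the technique carries over unchanged.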

CyberWarfare against dissent

In my “Top 10 Breaches” webinar this past Tuesday I placed the DDoS attack on the Republic of Georgia at number 3. This was for several reasons, which I try to explain in the presentation. Here is a bit more detail:

First of all, the attack was orchestrated by a large and cohesive group. Groups involved in financial attacks usually have to be small (for margins as well as leak prevention) and are only held together long enough to make a profit. A nationalist movement, however, has far greater threat potential because it can spread on pride alone.

Second, the sophistication of the organization, the advance planning, the tests, and the forum communication show that geography currently does not provide much of an obstacle for talent or resources to stage an attack. Although the "bot-herder" tests started in the US, the eventual operation against Georgia was run from within Russia.

Third, the attacks targeted sources of information such as blogs and news stations. Jose Nazario has just posted an interesting review of this effect. He explains that botnets are increasingly being used as a weapon against dissent and free speech. This expands the concept of a group threat to be much larger than nations and further emphasizes the importance of this type of breach.

Thank you for listening

Well, it looks like I have already presented eight webcasts this year (covering HIPAA, IT Governance, NERC CIP, PCI DSS, Red Flags, and Security Breaches). I wanted to say thank you to everyone who has listened. My ninth webinar this year will be Thursday, again on NERC CIP.

Today’s webinar, “Top 10 Security Breaches”, with over 500 in the audience, was especially fun. I tried to weave political, historical, legal, and economic considerations into the technical details of recent security breaches.

I am also starting this week to spin up some podcasts to provide a more in-depth look with an extended Q&A format. Today’s podcast will take a look at the WorldPay breach in detail. Hope to see you there.

Thanks again. Feel free to send me questions or comments especially if you would like more information or a topic covered in the future.