17 August 2017
Stephen Wilson

A post relating to this item from Finextra:

Network Solutions hack exposes 500,000 card accounts

27 July 2009
Details of 573,928 credit and debit cards may have been stolen by criminals who planted code on servers supporting e-commerce merchant Web sites hosted by Network Solutions.

PCIed out yet?

27 July 2009

Wow! Are we all PCIed out? The Network Solutions breach was announced on Friday 24th, and four or five days later we still haven't heard any accusations about whether they were or were not PCI compliant!

Perhaps that sinking feeling is transforming into a realisation that there's not much that PCI compliance can do to thwart these sophisticated attacks. A security policy and audit regime might deter amateurs and reduce accidental breaches, but it will never stop organised crime gangs, let alone insiders lured by the easy money to be made from lifting 573,928 credit card records.

Forrester estimates that the cost of a data breach for a large organisation is around $200 per compromised record, or $100,000,000 for Network Solutions. It's a reasonable estimate when you think about all the hoops they are now jumping through:

  • forensic investigations (according to Data Loss DB, Network Solutions seems to have taken 6 weeks after detection before making its announcement -- fair enough too, to get to the bottom of the incident)
  • managing relations with each of the 4,343 affected merchants (if you spent just one day with each merchant helping them through this, that's 21 person-years of effort. And you can bet senior management would be putting in some overtime)
  • managing relations with the other 6,000 merchants not affected
  • helping merchants help their customers (ouch)
  • paying for 12 months of free credit watch services for half a million card holders
  • media, media and more media
  • legal costs
  • lost business.

We will never rid ourselves of credit card fraud and ID theft until we make stolen personal data worthless. The much-hyped end-to-end encryption as currently conceived won't provide any fundamental protection, because it doesn't stop replay of stolen numbers, so stolen data will remain highly prized. If criminals today have the wherewithal to install sniffer code inside Network Solutions' servers, then they will be able to play the same game behind one end of any future end-to-end encryption layer.

Many of us believe the fundamental fix lies in chip technologies. CAP was a good start, but it's frustrating to use and it doesn't scale well, because it still requires centralised servers to validate the received CAP codes. The bulk of my company's research has been on a longer-term digital-signature-based solution that uses chip cards in connected readers (as showcased by Finextra at the beginning of the year) to create tamper-proof transactions that are faster and simpler for merchant servers to validate for themselves.
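
To make the contrast concrete, here is an added illustration (not Lockstep's design and not any card scheme's real message format) of why a static card number replays perfectly while a per-transaction chip signature does not: the chip signs a digest bound to the merchant, the amount and a merchant-chosen nonce, and the merchant server checks it locally without a central validation service. The transaction fields, the choice of P-256 ECDSA and the assumption that the card's public key arrives with the transaction are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction fields are an illustration assumption, not any card scheme's real format.
type Transaction struct {
	PAN, Merchant, Nonce string // Nonce is fresh per purchase, chosen by the merchant
	AmountCents          int64
}

// digest binds the signature to every field, so a signature captured by a
// sniffer is useless for any other merchant, amount or nonce.
func (t Transaction) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%s", t.PAN, t.Merchant, t.AmountCents, t.Nonce)))
	return h[:]
}

// NewCard stands in for chip personalisation: the private key never leaves the card.
func NewCard() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignTx is what the chip does in the connected reader for one purchase.
func SignTx(card *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, card, t.digest())
}

// Merchant validates on its own server with the card's public key (assumed to
// arrive with the transaction) and a memory of nonces it has already accepted.
type Merchant struct {
	name string
	seen map[string]bool
}

func NewMerchant(name string) *Merchant { return &Merchant{name: name, seen: map[string]bool{}} }

// Accept rejects the wrong merchant, a reused nonce (replay) and any altered
// field or forged signature, so a stolen PAN by itself buys an attacker nothing.
func (m *Merchant) Accept(t Transaction, pub *ecdsa.PublicKey, sig []byte) bool {
	if t.Merchant != m.name || m.seen[t.Nonce] || !ecdsa.VerifyASN1(pub, t.digest(), sig) {
		return false
	}
	m.seen[t.Nonce] = true
	return true
}
```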

Cheers,

Stephen Wilson, Lockstep Technologies.
