CardSystems made its choices clear
Daniel Hanson, 2005-07-29

As the outrage and accusations, the knee-jerk shootings (and the knee-jerk legislation) continue to make press following the explosions and attempted explosions in London, the last thing many of us need is another example of a situation being "solved" by ill-conceived legislation, proposed and passed in the heat of something big. Unfortunately, this is exactly what is happening on both sides of the CardSystems credit card compromise debacle.

In case you're living in a time warp, on June 17, MasterCard and Visa reported that an obscene number of credit card numbers had potentially been compromised by a third party that was contracted to perform a service for them. That company, CardSystems, was a clearing centre for transactions, transferring money between banks to settle purchases made with the credit cards. Over the last month, additional details have continued to be revealed, first increasing the number of known compromised cards, and then highlighting the negligence of the company in protecting the data. The only bright side of all of this was that it was only credit card numbers that were affected. Since the company also processed other financial data, including some for the US federal government, it could have been even worse.

The limited exposure of a credit card may seem like cold comfort for anyone affected by the compromise. But if it is hard to get your financial house back in order after a credit card compromise, it is then a Herculean effort to solve all the problems that result from the compromise of something that can't be changed as easily as a credit card -- such as a Social Security or Social Insurance Number.

A straightforward story?

It seems like a perfect example of why the data protection laws need to change in many countries. Here we have a company that made a serious security mistake with their lack of protection of financial data gathered from a large number of people. The affected individuals had no knowledge that this company was even in possession of their data. Outrage follows and legislation starts to work its winding course.

The latest news in this escapade is that CardSystems has now lost the contracts it had, and also faces corporate extinction. Now some reading this may be cheering a little, or perhaps a lot, at the karmic balance of CardSystems potentially paying the ultimate price for their cavalier attitude. However other people are suggesting that this corporate extinction might come as a result of misguided notification laws implemented in California, and that without the mandated public disclosure and the resulting firestorm of controversy, the company could have fixed its problems quietly and kept on serving its shareholders and customers. I think that both of these views are misguided and miss the truth.

CardSystems violated a contractual agreement that was put in place by the companies it served. It's that simple. CardSystems kept data in an insecure fashion, with no concern given to the minimum security and encryption standards that it was required to implement. I fail to see why legislation on data protection would change this situation. CardSystems was already required to maintain a certain level of security and failed to do so. In one report, Bruce Schneier mentioned that this is a common problem with contractual obligations: auditing is hard. I cannot see why turning a contractual agreement into a legislated law would make auditing any easier. To draw another comparison, did the fact that they were violating laws affect the behavior of the people at Enron?

Many companies have a long way to go in the security world, and yet the one sector of our civilian society that tends to get information security is the banking and financial industry. Sure, they aren't perfect, but in my experience they are head and shoulders above almost anyone else I deal with at understanding data privacy. In the case of CardSystems, however, the industry insisted that minimum standards be maintained, outlined what those minimum standards were, and yet much of that was ignored.

CardSystems, if it does go bankrupt, will have done so because it willfully violated a contractual obligation, not because of disclosure laws or public pressure. Would you use a company that had willfully violated previous contracts? Would you want your credit card company to supply your data to that company? I cannot see how repealing disclosure laws, and thereby mitigating the lynch-mob mentality that can follow a mistake, changes the fact that CardSystems violated a contract, and that contract violation is what has brought about its imminent death.

I await the forthcoming laws that attempt to prevent something like this from ever happening again. Meanwhile, I continue to check my credit-card statement, bank statements and never give out my Social Insurance Number (or SSN) unless I absolutely have to. I wonder if any of the legislators who are outraged by this would give me their mother’s maiden name, birth-date and the name of their first pet?

Daniel Hanson manages the Focus Incidents area of SecurityFocus as well as the Incidents mailing list.