News broke today that Visa and MasterCard have reportedly warned banks of a major potential breach at a U.S.-based credit card processor (see Visa, MasterCard warn of 'massive' security breach and Warning over 'massive' MasterCard, Visa security breach). Analysts are already weighing in on the story.
"I've spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently," Avivah Litan, vice president at Gartner, said in a statement. "From what I hear, the breach involves a taxi and parking garage company in the New York City area so if you've paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud. One interesting twist again sheds light on the fact that knowledge based authentication should not be relied upon. I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company's system by answering the application's knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently."
"While the scope and details of the attack are not yet known, it shows that three years after the Heartland Payment Systems breach of 130 million credit card numbers, credit card data is still vulnerable," Neil Roiter, research director of Corero Network Security, said in a statement. "The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack."
"The breach affecting Visa and MasterCard serves as yet another reminder that conventional security solutions are fallible," Lancope CEO Mike Potts said in a statement. "The perimeter based approach is not sufficient and fails to protect critical data and internal resources that bypass these point solutions. Enterprises must find new ways to deal with ever-increasing online security issues that are made more complex by IT consumerization, mobility and movement to the cloud. Unfortunately, traditional tools such as firewalls, antivirus and IDS/IPS are no longer enough to protect against rapidly-evolving zero-day and insider attacks. Companies must instead seek out next-generation solutions such as flow-based monitoring to obtain the comprehensive network visibility they need to thwart today's more targeted and sophisticated threats."
"This incident sits squarely in the cross-hairs as to why PCI DSS was created in the first place," Matt Ulery, director of Product Management at NetIQ, said in a statement. "PCI raises the standards for all organizations processing credit card information. Now, while Global Payments may have deployed security technologies to pass a PCI DSS audit, that does not mean they are wholly protected against a myriad of threats. At this point, yes, they have identified that a breach has occurred, and now they are likely trying to determine the who, what and how. Was it a privileged user – an inside employee who had access to systems and data beyond their role or function? Did Global Payments have the technology in place to watch privileged users and was it used effectively? Was it an outsider posing as an insider to gain a foothold and exploit access they were able to gain? As always, compliance with regulations like PCI DSS is mandatory and required. But compliance is not an end goal, it is a continuous process. It remains to be seen if the causes of this breach were due to the fact that only minimal compliance standards were met, which did not yield proper levels of data protection, or if improper monitoring of privileged users, an advanced persistent threat or a hack led to the loss of cardholder data. Employing the right technology, including that which can monitor and report on end user access and entitlements, deploying and maintaining it properly, and applying security best practices to yield compliance is the most appropriate course of action to protect against these kinds of incidents."
I will be updating this article with more statements from analysts as they come in. I am still waiting for more information from Visa and MasterCard, assuming they choose to give it.
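Two of the statements above point at the same defensive gap: Litan's account of an administrative account taken over through knowledge-based authentication, and Potts' argument that perimeter tools miss what flow-based monitoring of internal traffic would show. The following is an added example, not code from this article or from any of the vendors quoted in it. It assumes a cardholder-data segment of 10.20.0.0/16 inside a 10.0.0.0/8 corporate range (both assumptions) and runs over constructed NetFlow-style records to flag a host in that segment that suddenly sends a large volume of data to an external destination not on an allowlist; a real deployment would read exported flows from a collector rather than an inline list.

```python
"""Flow-based egress monitoring for a cardholder-data environment (CDE).

Added illustration; not the article's or any vendor's code. The address
ranges and the flow records below are constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CDE_NET = ip_network("10.20.0.0/16")         # assumed cardholder-data segment
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed corporate address space

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out).
# The 02:00 entries model a CDE host pushing ~13 MB to an unknown external
# host; the rest is routine internal database and HTTPS traffic.
SAMPLE_FLOWS = [
    ("2012-03-30T01:00:00", "10.20.1.5", "10.0.5.9", 1433, 120_000),
    ("2012-03-30T01:05:00", "10.20.1.5", "10.0.5.9", 1433, 98_000),
    ("2012-03-30T01:10:00", "10.20.1.5", "10.0.3.3", 443, 4_000),
    ("2012-03-30T02:00:00", "10.20.1.5", "203.0.113.44", 443, 6_500_000),
    ("2012-03-30T02:01:00", "10.20.1.5", "203.0.113.44", 443, 7_200_000),
    ("2012-03-30T02:30:00", "10.20.2.7", "10.0.5.9", 1433, 50_000),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside any assumed corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize_egress(flows):
    """Sum bytes sent from each CDE host to each external destination.

    Returns {(src_ip, dst_ip): total_bytes}; internal-to-internal traffic
    and traffic originating outside the CDE are ignored.
    """
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if ip_address(src) in CDE_NET and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return dict(totals)


def first_seen_external(flows, baseline_flows):
    """External destinations a CDE host contacts that never appeared in the
    baseline window. Volume-independent: a single small beacon still shows."""
    known = set(summarize_egress(baseline_flows))
    return sorted(pair for pair in summarize_egress(flows) if pair not in known)


def detect_egress_anomalies(flows, allowlist=frozenset(), threshold_bytes=1_000_000):
    """Alert on CDE hosts sending more than threshold_bytes to an external
    destination that is not on the allowlist. Returns a list of alert dicts."""
    alerts = []
    for (src, dst), nbytes in summarize_egress(flows).items():
        if dst in allowlist or nbytes <= threshold_bytes:
            continue
        alerts.append({
            "src": src,
            "dst": dst,
            "bytes": nbytes,
            "reason": "bulk egress from CDE host to non-allowlisted external destination",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_anomalies(SAMPLE_FLOWS):
        print(f"ALERT {alert['src']} -> {alert['dst']} {alert['bytes']} bytes: {alert['reason']}")
    baseline = SAMPLE_FLOWS[:3]          # treat the first hour as the baseline window
    print("new external peers:", first_seen_external(SAMPLE_FLOWS, baseline))
```

The two detectors are deliberately independent: the volume threshold catches a bulk pull of card data regardless of destination reputation, while the first-seen check catches a low-volume connection to a never-before-contacted host, which is the pattern a firewall that permits outbound 443 would pass without comment. Both rely only on flow metadata, so they keep working when the payload is encrypted.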