Guest editorial by Mike Rothman
Do you remember that classic game show “To Tell the Truth”? It was great, and trying to figure out who was the “real” person was always a challenge.
Unfortunately Visa and MasterCard are making all of us play the same game of late. There have been recent rumors running rampant (alliteration anyone?) about another data breach of a credit card processor (coverage: SCMag, Dark Reading). Allegedly it is on the scale of Heartland, and that is bothersome, especially when we can’t get any information from the banks or payment card brands. So we are forced to call it “Breach X” for the time being.
So in the absence of any real data, what can we do to make sure nothing is compromised? Let’s take two paths: the first is for you personally (and your employees) and the other is for your company.
Personal Protection Plan
There is a high likelihood that your credit card data has been compromised as a result of either Heartland or Breach X. If you are lucky, then your bank will just issue another card and you’ll need to go change all your numbers and update all your e-commerce sites and the like. It’s a hassle, but it’s not that big a deal.
If you aren’t lucky, they won’t and you’ll have a compromised card on the street. That’s why you should be monitoring your personal credit accounts on a daily basis. Each of your credit card companies has a web site, and you can log in daily and check the recent transactions. This is a great habit to get into.
By the way, as a “value add” the corporate security team can do training for employees on things like identity theft and private data protection. These kinds of tips may come second nature to you (as a security professional), but certainly not to the rank and file. You can win a lot of credibility points internally by turning these massive breaches into an educational opportunity.
Corporate Protection Plan
If you accept credit cards, data being stolen from a payment processor isn’t your problem, right? In the strict sense, yes - but that is a pretty myopic view.
We need to learn about these attack vectors and make sure that it’s not going to happen to us. That means we probably want to start monitoring (or even blocking) unauthorized outbound connections. Rich Mogull has a great post on that.
You probably want to monitor your network traffic as another layer of defense, and also your systems to ensure malware or unauthorized configuration changes haven’t been made.
And most of all, you need to call your issuing bank and yell at them. It’s unacceptable that Visa and MasterCard have been sitting on this breach because the payment processor can’t get their act together. Whoever Breach X happened to should be out of business this time next week.
Yes, that’s harsh, but in this kind of environment, when customer trust is at an all-time low and people are struggling - to not come clean and come clean quickly is just ridiculous. There is nothing like a public execution to keep everyone focused on doing the right thing in the event of a breach.
Now will the real [Breach X] please stand up?