On 18 Jun 2005 07:48:27 -0700,
[EMAIL PROTECTED] (Timothy Sipples) wrote:

>Saturday's Washington Post reports on the woes of CardSystems in Tucson, a 
>credit card processor.  A hacker got access to 40 million credit cards. 
>MasterCard, Visa, and the FBI are not amused.  The article briefly alludes 
>to how the attack succeeded:
> 
>http://www.washingtonpost.com/wp-dyn/content/article/2005/06/17/AR2005061701031.html

I've just read that article; for my part, I don't think there's enough
information in the Washington Post article to draw significant technical
conclusions at this point. (Partly, I'm skeptical that the
general-interest news media has sufficient expertise to understand and
articulate complex technical issues.)

I would note a couple of comments in this thread:

On 18 Jun 2005 09:03:29 -0700,
[EMAIL PROTECTED] (R.S.) wrote:

>Good door lock is worthless when not in use.

On 19 Jun 2005 12:05:59 -0700,
[EMAIL PROTECTED] (Gabe) wrote:

>We've all heard it before:  Security is a business process not a program or OS.

I agree with both sentiments, especially Gabe's. Remember ChoicePoint, the
first of the current string of security breaches that have drawn national
news media attention? The misappropriation of data from ChoicePoint was
performed by a small ring of people who set up false business identities
and then signed up as ChoicePoint clients. This was a classic "social
engineering" attack, and NO platform, not even the most secure of z/OS
systems, could have prevented the attack. I don't think we know enough
about this latest incident to conclude that social engineering wasn't a
factor.

My girlfriend works for a firm that competes with ChoicePoint to some
extent. Like ChoicePoint, her employer sells information (such as credit
reports) to business customers. After ChoicePoint became public, I was
fascinated to hear how my girlfriend's employer was learning from
ChoicePoint's mistakes. For example, the firm vastly expanded an existing
program of performing on-site inspections of potential customers to make
sure the prospects were, in fact, legitimate businesses of some sort. (Her
employer had a long-standing policy of refusing to sell information to
home-office businesses or firms that have only a post office box.)

As Gabe said, "security is a business process not a program or OS."

Eric

--
Eric Chevalier                          E-mail: [EMAIL PROTECTED]
                                           Web: www.tulsagrammer.com
    Is that call really worth your child's life?  HANG UP AND DRIVE!

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html