The Green Sheet Online Edition
December 22, 2008 • Issue 08:12:02
Outsmarting data thieves
Security compliance management firm Trustwave recently reported that businesses have made progress in protecting customer data over the years, but cyber criminals have adapted their techniques to access more carefully protected data.
Historically, data compromises have been the result of unauthorized parties penetrating network defenses and breaking into databases storing card data. To combat this cyber theft, the card brands now prohibit the storage of certain types of information.
As a result, nearly 87 percent of processors in North America no longer store Card Verification Value or Card Identification Number data. And according to Trustwave, these efforts appear to be working. Fewer compromised organizations investigated by Trustwave store prohibited data.
A numbers game
However, in 2008, the most notable development in payment card compromises has been the shift from stealing stored cardholder data to its theft in transit, Trustwave noted. Hackers are now pilfering data in real time as it passes through systems, not simply targeting at-rest cardholder information.
New attack vectors are increasing as cyber thieves attempt to stay one step ahead of their prey's defensive measures. One example is attackers' use of malicious software (malware) to steal sensitive data from a computer's random access memory (RAM).
With this technique, hackers install malware that reads information from a computer's RAM as it passes through payment applications. Even though the card data is never written to disk or stored, it is still vulnerable while it is being processed in memory.
Trustwave has only recently discovered real-world examples of data taken from computers' RAM. The company said this development is unsettling because merchants can use applications that comply with the Payment Application (PA) Data Security Standard (DSS) and still fall victim to data compromise.
Other examples of cardholder data theft in transit involve key-logging software and packet-analyzing, or sniffing, programs that access data as it enters or leaves systems.
Sniffing programs intercept and record data traffic entering or leaving systems. Key-logging software records the information entered on keyboards or card-reading devices as that data travels through computers or payment applications.
Work the steps
Trustwave found the most troublesome aspect of merchant payment systems in North America is payment applications. Many victims of compromise use legacy systems or don't have their systems securely configured. Additionally, 66 percent of such merchants depend on third-party vendors to install, configure and support their payment applications. Trustwave found that negligence on the part of these vendors more often than not contributed to card compromises.
Merchants and ISOs must recognize that security extends beyond using PA DSS-validated applications and eliminating the storage of prohibited cardholder data.
Entities involved in the processing, storage or transmission of cardholder data also must ensure their network environments comply with the Payment Card Industry (PCI) DSS; organizations continue to fall victim to compromise by failing to do this.
Even though some data security pundits disparage the standard, PCI DSS compliance is ultimately the key to safeguarding cardholder data, according to Trustwave.
When all its steps are followed, the PCI DSS provides a comprehensive security protocol that prevents cardholder data theft, Trustwave noted. Many organizations have eliminated data storage prohibited by the card brands, but until they comply with all 12 PCI DSS steps, criminals will penetrate payment networks and continue to plunder.