[Owasp-codereview] [Owasp-ireland] Potential of 4.2 million credit card details stolen via cyber attack.

davidrook david.rook at realexpayments.com
Tue Mar 25 07:28:57 EDT 2008


I fully understand that 100% security isn't realistic -  Thanks for the 
clarification though ;-)

I agree that the standard will always be ambiguous but do you not feel 
that the interpretation of the standards is often what leads to a lower 
level of security than is required?

My own opinion is that any breach like this is a big issue; from a 
consumer's perspective, if they have lost *any* data it should be a point 
of concern.

Dave

David Ryan wrote:
> Dealing in absolutes is an error. There is no "secure". There are 
> security controls and depending on what, how, where, when, why, if, 
> biff, bam, and boom they are implemented and managed their effect is a 
> quasi-linear progression along the cost-versus-hardcore axis where 
> they intersect at the "good enough for us at this moment in time" 
> point. Compliance may equate to "good enough" security controls, but 
> suggesting there is a final resting point for IT expenditure on all 
> things security is folly. 
>
> PCI has gone through a round of improvements and perhaps it will 
> continue to do so in the future. Whilst I don't have a history of 
> other safety standards from our recent industrialised history, I 
> imagine there are comparable observations to be made. Cars did not 
> start off with airbags and they still don't prevent people from 
> killing each other on country roads or on overpriced toll roads.
>
> As for the PCIDSS being ambiguous, I agree. However, I think this is 
> perhaps a necessary quality: Not all companies are equal. I would 
> suggest that VISA/Mastercard/AMEX/etc wanted to establish a baseline 
> for their own "insurance" purposes (imho and used here as a loose 
> term).  Does it raise the proverbial bar? In my experience, it 
> probably has done for some clients I've worked with and maybe not for 
> others, but again this is an example of the underlying intention 
> functioning (imho). Another example is BS7799/ISO17799 certification. 
> No doubt any future attempts to provide a super-compliance-standard 
> will end up with ambiguity too.  The point is that the organisation 
> must interpret the "ambiguity" to suit their needs and explain why 
> they have interpreted it as such to the auditor and, where applicable, 
> compliance body.  The aim could be to provide the least amount of 
> ambiguity possible, but being overly prescriptive would perhaps be 
> more prone to failure when issues such as capabilities, economics and 
> other factors are considered.
>
> As for who is to blame? I'm sure they both have insurance ... *if* no 
> personal data was lost, is this such a big issue? (from a consumer's 
> perspective)
>
> On 25/03/2008, *davidrook* <david.rook at realexpayments.com> wrote:
>
>     I think this is another example of PCI compliance being just that - a
>     compliance standard. Being compliant (as is demonstrated here and with
>     TJX) does not always equate to being secure.
>
>     PCI is ambiguous and it could be improved to try and make
>     companies both
>     secure and compliant. As for who is to blame, is it not a case of 6 of
>     one and half a dozen of the other?
>
>     Dave
>
>
>     Eoin wrote:
>     > Maybe a bit slow on this one but I'd thought I'd share it
>     >
>     > A PCI compliant company was compromised and an estimate of 4.2
>     > million cc numbers were obtained.
>     > The issue arises that the company were PCI compliant and now the
>     > blame game has ensued. The PCI assessors are being blamed, there is
>     > mention of ambiguity regarding the PCI standard, where to apply some of the
>     > technical controls etc.
>     >
>     > http://www.theregister.co.uk/2008/03/18/hannaford_data_breach/
>     >
>     > http://www.hannaford.com/Contents/News_Events/News/News.shtml
>     >
>     > http://www.merchantcircle.com/blogs/Pre-Paid.Legal.Services.Inc.-.Ind.Associate.786-390-0581/2008/3/4.2-million-account-numbers-stolen-at-Hannaford-Bros.-Co./70643
>     > --
>     > Eoin Keary OWASP - Ireland
>     > http://www.owasp.org/local/ireland.html
>     > http://www.owasp.org/index.php/OWASP_Code_Review_Project

-- 
David Rook | david.rook at realexpayments.com
Information Security Analyst

Realex Payments
Enabling thousands of businesses to sell online.

Realex Payments, Dublin, www.realexpayments.com
Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
Tel: +353 (0)1 2808 559 Fax: +353 (0)1 2808 538

Realex Payments, London, www.realexpayments.co.uk
1 Hammersmith Grove, London W6 0NB, England
Tel: +44 (0)203 178 5370 Fax: +44 (0)207 691 7264

Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland and is registered in Ireland, company number 324929.
