DPI Scrambles After Credit-Card Theft

March 6, 2003

By Larry Dignan

http://www.eweek.com/article2/0,1895,1821077,00.asp



"Security by obscurity" didn't work for one credit card processor: An "unauthorized outside party" ran off with credit card data anyway.

When Data Processors International (DPI) revealed in February that an "unauthorized outside party" ran off with more than five million Visa and MasterCard account numbers and expiration dates, it got an instant wakeup call.

Not only were the credit card customers' accounts potentially at risk, so was the company's reputation for trustworthiness.

Luckily, the accounts weren't abused. "There's nothing to tie the card numbers to personal data," says N. Scott Jones, spokesman for DPI. "There haven't been any reported incidents of misuse."

That was the good news for DPI, a 40-employee subsidiary of Dallas-based transaction processing company TransFirst. The bad news: Analysts say fraud cases could emerge if the thief does manage to connect numbers with names. And there's more bad news: DPI in the meantime will have to fight to repair its network and to keep business with Visa and MasterCard.

"In these situations, the trust is the one thing that suffers," says Rebecca Base, CEO of Infidel Inc., a Scotts Valley, Calif., network-security consulting firm. "In a down economy, an event like this could cost you your business."

It's also unclear what effect the DPI incident will have on TransFirst. DPI runs on a separate network from TransFirst, which is offering DPI technology resources, says Jones, who couldn't reveal what platform the two companies use. TransFirst processes more than $8 billion in annual sales volume for more than 64,000 merchants and 520 banks.

Visa and MasterCard have security policies that processors and merchants in the network must follow. Visa calls its requirements the "dirty dozen," which require parties to maintain firewalls, patches and antivirus software, encrypt data, track and restrict access and implement a security policy. Failure to comply with Visa's requirements can result in a fine, restrictions or permanent prohibition. MasterCard has similar "best practice" requirements.

DPI, based in Omaha, typically processes catalog and other transactions where a card isn't present. Because it is privately held, DPI has said little about the intrusion. Visa and MasterCard declined to comment beyond statements, citing an ongoing investigation by the Secret Service and FBI.

Jerry Brady, chief technology officer of security consulting firm Guardent, says the volume of credit card numbers indicates an inside job—contrary to DPI's statement—or a slow network leak where a thief accumulated numbers over time.

"I'd bet my bottom dollar on an insider attack due to the volume," said Brady. "With the big numbers there's a three-to-one probability it's internal."

Regardless, the highly publicized intrusion is likely to teach technology executives some valuable lessons.

For business leaders, the first lesson is to realize that seemingly unknown targets should consider themselves targets. Analysts note that hackers regularly troll for network weak spots and target companies that are low on the food chain, but have valuable data much like DPI.

Indeed, the "attack seems fairly unremarkable to me," says Matthew Caston, senior principal of consulting firm AMS' enterprise security group. "I'm not surprised because these hacks are a fairly regular occurrence."

Simply put, you have to assume that hacking incidents occur in your industry even if you don't hear about them. "Image is everything," says Avi Rubin, technical director of the Information Security Institute at Johns Hopkins. "Someone can steal $500,000, but the bad PR could make you lose $3 million in business."


main page ATTRITION feedback