[Dataloss] VISA / 1ST BANK

blitz blitz at strikenet.kicks-ass.net
Fri Oct 20 00:22:01 EDT 2006


I think what we're seeing is the affected companies being told by 
their law-vultures to release as little as possible to minimize 
exposure. This, in its essence, also limits the ability of 
independent verification and investigation to assist others in 
prevention and to bring guilty parties to justice.
This is a trend that should be stopped ASAP. I believe they as well 
as we understand the time to "walk the walk" is upon us, and some 
serious lawsuits are in the offing in lieu of actually securing our 
data. The only model they will accept is one like HIPAA where the fox 
guards the hen house.

One more notable side effect I'm seeing is the taking on blind faith 
that a missing data set has been recovered and has not been tampered with.
Says WHO? The FBI? They're ankle deep in these cases, and in case you 
don't remember recent history, they have been less than honest in 
evidentiary cases in the past. A company like MC or Visa certainly 
has the political and monetary clout to buy the results they're seeking.
Don't make me laugh. Hasn't been accessed? Copied to another hard 
drive for eventual compromise, maybe yes, but not tampered with? The 
professional thieves have access to the same tools we do. 
Compromising even an encrypted set of data is not an IF proposition, 
but merely a WHEN one. Anyone who understands distributed computing 
knows the power of a supercomputer is well within the budget of 
almost anyone who puts their mind to it.
Does the old cops-and-robbers line "let's lay low till the heat goes 
down" ring a bell?
When data's gone, it's GOT to be presumed compromised, period. Extend 
the meager protections, mail the letters, and by all means, DO NOT 
allow a weak data protection statute at the Federal level to preempt 
stronger State statutes.
The bottom line is all about minimizing exposure, and the clients who 
were compromised be damned.
We need some serious introspection of what we believe, and who we 
trust after the fact IMHO.
Marc

At 16:43 10/19/2006, you wrote:
>The way I read the notification, it didn't sound like the processor 
>was affiliated with 1st Bank:
>
>"We would also like to reassure you that the compromise of 
>information occurred at a merchant card processor's location, not 
>FirstBank and therefore your account information at FirstBank has 
>not been obtained by these unauthorized indivuduals(SIC)."
>
>Perhaps they are just notifying customers affected by another 
>company's gaffe? Must be a bad day if they didn't even spell-check 
>the notification before it went out..
>
>-Dennis
>
>
>
>----------
>From: B.K. DeLong
>Sent: Thu 10/19/2006 1:21 PM
>To: Chris Walsh
>Cc: dataloss at attrition.org
>Subject: Re: [Dataloss] VISA / 1ST BANK
>
>Is it that hard to find out who did the card processing for 1st Bank?
>
>On 10/19/06, Chris Walsh <cwalsh at cwalsh.org> wrote:
>On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
> > Well, whomever it was will probably get whacked with a HUGE fine for
> > violating PCI Security standards. I'm guessing it won't take long to
> > determine who falls under approved card processors for Visa.
>
>
>They might get fined, but not by Visa.  Too much butter on that bread
>to throw it in the bin.
>
>The FTC, OTOH, may do some enforcement:
>http://www.emergentchaos.com/archives/2006/06/prediction.html
>
>Visa has been zealously guarding the "privacy" of these processors since
>at least December of 2005, when the Sam's Club stuff started to hit the
>fan.  Even Gartner called MC and Visa out on it:
>http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html
>
>Chris
>
>
>
>
>--
>B.K. DeLong (K3GRN)
>bkdelong at pobox.com
>+1.617.797.8471
>
>http://www.wkdelong.org/                    Son.
>http://www.ianetsec.com/                    Work.
>http://www.bostonredcross.org/              Volunteer.
>http://www.carolingia.eastkingdom.org/      Service.
>http://bkdelong.livejournal.com/            Play.
>
>
>PGP Fingerprint:
>38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE
>
>FOAF:
>http://foaf.brain-stream.org/
>_______________________________________________
>Dataloss Mailing List (dataloss at attrition.org)
>http://attrition.org/dataloss
>Tracking more than 137 million compromised records in 430 incidents 
>over 6 years.

