[Dataloss] VISA / 1ST BANK
George Toft
george at myitaz.com
Fri Oct 20 16:35:42 EDT 2006
The new truth of the Digital Millennium: "Your personal information
expires when you do." ~Brian Honan / SANS
Until the lawmakers of Washington suffer ID Theft, nothing will change.
If I were an ID thief, I would definitely dump any high profile name
from my database - no need to spoil the party. And the party will
continue until some high profile politico gets burned.
I was in Home Depot this week at the customer service counter. A
customer was telling the clerk about someone running around with his
SSN. It is becoming commonplace (at least in Arizona).
George Toft, CISSP, MSIS
blitz wrote:
>
> I think what we're seeing is the affected companies being told by their
> law-vultures to release as little as possible to minimize exposure. This
> in its essence, limits as well, the ability of independent verification
> and investigation to assist others in prevention and bring guilty
> parties to justice.
> This is a trend that should be stopped ASAP. I believe they as well as
> we understand the time to "walk the walk" is upon us, and some serious
> lawsuits are in the offing in lieu of actually securing our data. The
> only model they will accept is one like HIPAA where the Fox guards the
> hen house.
>
> One more notable side effect I'm seeing is the taking on blind faith
> that a missing data set has been recovered and has not been tampered with.
> Says WHO? The FBI? They're ankle deep in these cases, and in case you
> don't remember recent history, they have been less than honest in
> evidentiary cases in the past. A company like MC or Visa certainly has
> the political and monetary clout to buy the results they're seeking.
> Don't make me laugh. Hasn't been accessed? Copied to another hard drive
> for eventual compromise, maybe yes, but not tampered with? The
> professional thieves have access to the same tools we do. Compromising
> even an encrypted set of data is not an IF proposition, but merely a
> WHEN one. Anyone who understands distributed computing knows the power
> of a supercomputer is well within the budget of almost anyone who puts
> their mind to it.
> Does the old cops-and-robbers line "let's lay low till the heat goes
> down" ring a bell?
> When data's gone, it's GOT to be presumed compromised, period. Extend the
> meager protections, mail the letters, and by all means, DO NOT allow a
> weak data protection statute at the Federal level to preempt stronger State
> statutes.
> The bottom line is all about minimizing exposure, and the clients who
> were compromised be damned.
> We need some serious introspection of what we believe, and who we trust
> after the fact IMHO.
> Marc
>
> At 16:43 10/19/2006, you wrote:
>
>> The way I read the notification, it didn't sound like the processor
>> was affiliated with 1st Bank:
>>
>> "We would also like to reassure you that the compromise of information
>> occurred at a merchant card processor's location, not FirstBank and
>> therefore your account information at FirstBank has not been obtained
>> by these unauthorized indivuduals(SIC)."
>>
>> Perhaps they are just notifying customers affected by another
>> company's gaffe? Must be a bad day if they didn't even spell-check the
>> notification before it went out..
>>
>> -Dennis
>>
>>
>> ------------------------------------------------------------------------
>> *From:* B.K. DeLong
>> *Sent:* Thu 10/19/2006 1:21 PM
>> *To:* Chris Walsh
>> *Cc:* dataloss at attrition.org
>> *Subject:* Re: [Dataloss] VISA / 1ST BANK
>>
>> Is it that hard to find out who did the card processing for 1st Bank?
>>
>> On 10/19/06, *Chris Walsh* <cwalsh at cwalsh.org
>> <mailto:cwalsh at cwalsh.org> > wrote:
>>
>> On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:
>> > Well, whoever it was will probably get whacked with a HUGE fine for
>> > violating PCI Security standards. I'm guessing it won't take long to
>> > determine who falls under approved card processors for Visa.
>>
>>
>> They might get fined, but not by Visa. Too much butter on that bread
>> to throw it in the bin.
>>
>> The FTC, OTOH, may do some enforcement:
>> http://www.emergentchaos.com/archives/2006/06/prediction.html
>>
>> Visa has been zealously guarding the "privacy" of these processors since
>> at least December of 2005, when the Sam's Club stuff started to hit the
>> fan. Even Gartner called MC and Visa out on it:
>> http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html
>>
>> Chris
>>
>> --
>> B.K. DeLong (K3GRN)
>> bkdelong at pobox.com <mailto:bkdelong at pobox.com>
>> +1.617.797.8471
>>
>> http://www.wkdelong.org/ Son
>> http://www.ianetsec.com/ Work.
>> http://www.bostonredcross.org/ Volunteer.
>> http://www.carolingia.eastkingdom.org/ Service.
>> http://bkdelong.livejournal.com/ Play.
>>
>>
>> PGP Fingerprint:
>> 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
>>
>> FOAF:
>> http://foaf.brain-stream.org/
>> _______________________________________________
>> Dataloss Mailing List (dataloss at attrition.org)
>> http://attrition.org/dataloss
>> Tracking more than 137 million compromised records in 430 incidents
>> over 6 years.