Re: plug] Credit card company.

Author: R P Herrold
Date:  
To: plug-discuss
Old-Topics: Credit card company.
Subject: Re: plug] Credit card company.
On Sat, 18 Jun 2005, Major.Mikey wrote:

> Well, I'm sure you all have heard by now that a company in
> Tucson that handles credit card information had a
> cyber-breakin.
>
> 1- What operating system does this company use?


- The compromise vector seems to be a tailored Windows
harvesting tool. Shame on them for using a consumer grade
operating system for their workstation desktops handling
restricted data.

> I am having all my credit card numbers changed! What do all
> of those who are wiser than me think about that?


- I have been working in this part of the ISO (independent
servicing organization) credit card capture and clearance
business for several years. This scenario has been in my
nightmares for the last 5 years.

Clearly the company in question failed to meet its VISA CISP
and related Associations obligations, and some heads should
roll. The compromised business (CSI) may be part of the
walking dead already, although they are a moderately big
player.

As a practical matter, there is no way for a lay user to know
which ISO is handling their CC swipe data on behalf of the
merchant. As such, seeking a changed credit card number is
like putting on bug repellant before going golfing,
i.e., a harmless 'feel good' measure, but not one directly
addressing the true issues.

Taking ownership of one's own infosec, as in following a
sustained program of reviewing monthly card settlement
statements, is much more likely to catch the occasional fraud.

- Russ Herrold
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss