How the Security Breach Occurred
Below is the testimony from the CEO of CardSystems, which can be found here.
It seems to be an insider job (knowing which file to look for and being able to bypass FW setups). It is very difficult to uncover a script on a server if it is planted by an insider. BUT having this script running for 8 months is another thing. Security audits, periodic port scanning and health checks should uncover this abnormality of the systems.
If one looks into the root cause of this problem, it is that the credit card data is stored for incomplete transactions. I believe lots of other card processing companies also store this type of data for manual settlements.
How the Security Breach Occurred
In September 2004, an unauthorized party placed a script (a sequence of instructions interpreted or carried out by another program) on the CardSystems platform (an underlying computer system on which application programs run) through an internet-facing application that is used by our customers to access data. In contrast to scripts, viruses and worms are programs or programming code that replicate indiscriminately and may result in file destruction. This script ran on our system and caused records to be extracted, zipped into a file, and exported to an FTP site (similar to a web address). It was a sophisticated script that targeted a particular file type, and was scheduled to run every four days. Based on all of the forensic investigations conducted externally, by independent scans and investigations and by the payment card providers, we know of only one confirmed instance in which any data was exported, and that is the May 22 incident that has brought us here today.
Why the data is stored
The data stored in the files that were confirmed to have been exported by the script consisted of transactions which were not completed for a variety of reasons. This data was stored for research purposes in order to determine why these transactions did not successfully complete. As we have repeatedly acknowledged, our error was that the data was kept in readable form in violation of Visa and MasterCard security standards. As of May 27, 2005, track data is no longer stored by CardSystems.