Or 'experts' who need to "have a take that doesn't suck"!
I went on a long rant in one of my previous posts, motivated by the Hannaford Bros. Breach. Not so much because I have anything specific to say about that breach, but simply to express my view that merchants should not be storing credit card numbers in the first place. I was not planning on saying anything else as I am not really sure what to make of the information we have been provided through the various press releases and news items.
I started to reconsider when I picked up the Friday, March 21st issue of the San Jose Mercury News (http://www.mercurynews.com/). An Associated Press article in the business section says this is a new type of breach because the data was ‘hijacked in transit’. Maybe that’s true. I don’t really know. But most of the quoted experts seem to provide more disinformation than anything else.
Aaron Bills, COO of 3Delta Systems, was quoted as saying “Catching data on the move is a bit more challenging”. The comparison made is to stealing merchandise from a truck, meaning it is easier to do if the vehicle is parked than when it is moving. I seriously hope this guy was misquoted. Bits are bits in this case, and motion has almost nothing to do with the degree of difficulty of theft. At rest or in motion, theft requires some access point to the data, and networks tend to provide more access points (mirror ports, sniffers, electromagnetic taps on copper wire, etc.) than file or database servers. In fact, if encryption were being used, the ‘at rest’ variants tend to be stronger than the session-based variety. And we are all guessing that encryption was not being used, and that is why all of this data was sniffed off the network.
Then we have Avivah Litan at Gartner asking the question “Would you like to sit at your gas pump for five minutes to get an authorization?” in response to why encryption is not widely used within the processing chain. Excuse me, but don’t all commercial POS systems already have encryption? Wasn’t there a mandate from most of the banks a few years back requiring that ATM & POS systems switch away from DES, as it was a suspect algorithm? Please, educate me if I am blatantly wrong here. My point is that we have had encryption in much of the processing chain for a long time, and we do not wait 5 minutes at the pump … well, except for that one Shell station on Carefree Highway that literally does take that long, and it does in fact drive me nuts, so I would give this argument credence … the problem is that much of the processing chain is already encrypted, and I get authorization in a few seconds in most places.
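The latency argument is easy to put numbers on. The Go program below is an added example, not code from the original post or from any company named in it: it encrypts a constructed test card number with AES-256-GCM (authenticated encryption, so tampering in transit is detected as well), decrypts it, and reports the round-trip time. The key, the card number, and the function names are assumptions made for the demonstration; a real deployment would hold the key in an HSM or key manager rather than generating it in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"time"
)

// newAEAD builds an AES-GCM cipher from a 16-, 24- or 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN seals a card number and returns nonce || ciphertext || tag.
// A fresh random nonce is generated for every message; reusing one under
// the same key would break GCM's guarantees.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext to the nonce so the receiver can split them.
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN reverses encryptPAN. Any modification to the message makes
// Open fail, which is how in-transit tampering is detected.
func decryptPAN(key, msg []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(msg) < aead.NonceSize() {
		return "", errors.New("message too short to contain a nonce")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// roundTrip encrypts and decrypts one PAN and returns the recovered value
// together with the wall-clock time the two operations took.
func roundTrip(key []byte, pan string) (string, time.Duration, error) {
	start := time.Now()
	ct, err := encryptPAN(key, pan)
	if err != nil {
		return "", 0, err
	}
	pt, err := decryptPAN(key, ct)
	if err != nil {
		return "", 0, err
	}
	return pt, time.Since(start), nil
}

func main() {
	// Constructed demo key; in production this comes from a key manager.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := "4111111111111111" // constructed test card number
	pt, elapsed, err := roundTrip(key, pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q in %v\n", pt, elapsed)
}
```

On any current hardware the round trip completes in microseconds, which is why the cryptography itself is not what makes an authorization slow; network hops and back-end lookups dominate.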
Then we have David Navetta, the president of InfoSecCompliance in Denver, saying that Hannaford was possibly tripped up by ambiguity in the PCI standard. What? Seriously? We have data breaches in the headlines every week, and we have been talking about deficiencies in PCI for a couple of years, so how could Hannaford Bros.’ custodial duties become ambiguous? Is that a variant of the ‘Twinkie defense’? InfoSecCompliance is a law firm, if you didn’t guess.
I must give props to Richard Gorman of Vormetric for providing the sole rational quote: “…need to wake up to the fact that they need to encrypt information along every step”.
These stories and many of the quotes are just weird. I’ll chalk this up to more ‘Journalism 2.0’.