Contradictory Charges Rattle Data-Loss Case

Written by Evan Schuman
July 21st, 2005

During congressional testimony Thursday, executives from bank and credit card companies involved in the largest credit card data loss ever pointed fingers at a new culprit for gaps in security: the auditors who had certified the credit card processing systems as being up to snuff.

But in an interview with Ziff Davis Internet News, those auditors?who did not testify at the hearings?vehemently disagreed with the testimony and said one of the CEO witnesses was either lying or very mistaken.

The role played by the Cable & Wireless Security unit, now owned by Savvis Communications Corp., was made public during the testimony of David Watson, the chairman of Merrick Bank, which is one of seven banks that made payments to merchants who used CardSystems Solutions.

In May, CardSystems reported that someone had broken into its systems and stolen the details of as many as 40 million payments cards, including names, account numbers and expiration dates. The hearing was being held to see if new laws are needed to prevent such a situation from recurring.

CardSystems officials have admitted that they violated their contracts with major credit card companies by storing customer-identifiable data from card magnetic stripes.

Watson testified that CardSystems used Cable & Wireless Security for a security audit in 2003, choosing from a Visa-approved list of auditors who could certify companies as complying with Visa’s CISP (Cardholder Information Security Program).

Cable & Wireless did indeed certify CardSystems, according to CardSystems CEO John Perry, who testified that he relied on that certification to be sure that the systems were compliant with CISP rules and that they weren’t retaining data they shouldn’t.

Merrick’s Watson testified that after the May break-in, his company brought in its own auditing team, Ubizen, to perform a forensic security audit. Ubizen discovered two problems.

“First, CardSystems retained certain transaction data on its system in clear violation of association rules. These data-retention practices were inconsistent with CISP standards, and it is unclear to us why the Cable & Wireless report did not note any objection to the practice, which was ongoing when the CISP certification was approved by Visa in 2004,” Watson testified. “Ubizen reports this data-retention practice had been followed by CardSystems since 1998.”

Ubizen also “identified certain issues with CardSystems servers and software, which were compromised by the intruder. The Cable & Wireless report did not make any mention of these system vulnerabilities,” Watson told the panel.

“Ubizen reports that CardSystems servers showed evidence of unauthorized activity as early as April 2004. The Ubizen report does not confirm, however, any actual data loss until May 2005.”

A Visa executive who was testifying?Steve Ruwe, Visa USA’s executive vice president for operations and risk management?testified that Visa has asked Savvis to explain the discrepancy, has temporarily suspended using Savvis and is asking Savvis is revalidate earlier audits.

“Card Services is fighting for its life” said Richard Stiennon, vice president of threat research at Webroot, a Boulder, Colo.-based anti-spyware vendor.

Finger-pointing is useless, he said. “If you are installing unencrypted data on your machine, you are responsible,” Stiennon said.

CardSystems’ Perry even pointed to Cable & Wireless as a reason why his company couldn’t answer all of Visa’s questions. Perry testified that he “tried to contact former employees of Cable & Wireless” who had been involved in the audit, and “it was very difficult to track a lot of these people down.”

But Bill Hancock, chief security officer at Savvis?who was chief security officer for Cable & Wireless at the time of the audits?directly contradicted Perry’s testimony and defended his company’s audit in an interview with Ziff Davis Internet News.

Hancock said the audit team for CardSystems consisted of four people. Three of those people still work at Savvis and the fourth recently left, and Hancock said he knows exactly where he is. Calls placed to CardSystems to address the discrepancy went unreturned.

As for Perry’s congressional testimony about the missing former employees, Hancock said, “That is total, total disinformation.”

“It’s typical stuff,” Hancock said. “Whoever’s not in the room, let’s blame them.”

Asked if he thought Perry was lying, Hancock said that was a distinct possibility. He later said some of Perry’s CardSystems employees who had been involved in the audit process had left the company, and maybe Perry had gotten confused and was referring to his difficulties in trying to reach his own former employees.

As to the core issue of the quality of the audit, Hancock said the improperly retained magstripe data was absolutely not on any of the machines that his team inspected; the team’s mission was to inspect all of the machines that were involved with Visa transactions.

“The truth is that the people who did the audit are card-carrying certified information systems professionals,” Hancock said. “We examined the systems and there was nothing there. The systems were directly examined. We were very meticulous about that.”

During this kind of security audit, the audited company?CardSystems in this case?tells the auditors the relevant computers to examine.

If CardSystems was improperly retaining data at the time of the audit, Hancock said, the data must have been on a machine that was not among those that CardSystems identified as being relevant to the audit.

The audit “was done correctly. We don’t examine every stinking computer,” Hancock said, adding that auditors are limited to machines that are identified as relevant.

“In the boxes that we were told did the Visa processing, there was no evidence of mag [stripe] data being kept. But was it being kept 15 feet away?” Hancock asked. “If they had this stuff on a completely separate system, there is no way that any auditor would ever find this kind of information.”

Magstripe data could have been added to the certified machines after the audit as well, Hancock said. “What happened post to [the audit], I don’t know,” he said.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.