PCI Compliance Could Have Stopped Gonzalez
Written by David TaylorColumnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.
Call me a contrarian (or a Visa suck up), but I actually believe that the PCI DSS controls, implemented in an “above average” way, could have stopped the Gonzalez-led criminal masterminds from breaking into a company. Not all companies, but a company with above average security. Allow me to explain before you get too ticked off at me.
Recently, Evan Schuman wrote a piece on the Gonzalez breaches, where he quoted a security specialist who argued that these breaches constituted evidence of the failure of the PCI data security standards. (She even kept score: Hackers, 12; PCI, 0. I guess 12 is a winning score in some game with which I’m not familiar.) Anyway, I’m no apologist for PCI, as anyone who has read my columns or our research in the PCI Knowledge Base knows. But I think that position is wrong because it lays all the blame on the standards and ignores the responsibilities of the merchants. Here are the arguments for my position:
Since Albert Gonzalez has now agreed to plead guilty to what is clearly the largest data theft conspiracy to date (that we know about), we now know the names of virtually all the companies that Gonzalez and his cohorts stole from. What we don’t know are the names of the companies the criminals did not gain access to, and why. The conspirators (according to the indictment) started with a list of Fortune 500 companies.
Then, to narrow their list of targets, they did some basic security testing of the merchants’ websites, did some research on known vulnerabilities of the POS systems they used, did some war driving to test the security of their in-store wireless networks, etc. Pretty basic hacker stuff, and all covered by the PCI DSS.
My point is that the merchants who were the victims of their attacks were, comparatively, less secure than (I presume) other merchants who the criminals researched, but which were ultimately not attacked. Although it’s possible that these criminals broke into every single company they targeted, I doubt it.
Let’s say a group of retailers is being chased through the jungle by a tiger named, say, Gonzalez. To avoid being eaten by the tiger, it’s not necessary that each retailer run the fastest, but merely that each retailer should run faster than the slowest retailer.
The Gonzalez conspirators’ attacks are similar to most other security hacks, in that they took place in a series of phases, which are nicely laid out in the indictment.
For example, hackers typically use automated tools to identify weaknesses in the network perimeter, such as un-patched operating systems, default passwords, or wireless networks running without encryption keys. Once they find a weakness (or two), they employ more labor-intense tools such as brute-force password crackers, customized SQL injection scripts, and physically driving to mall parking lots to try to hack wireless networks.
Such effort is justified because their prior research has identified a subset of companies whose security is weaker than average, in those specific areas for which they have exploits. And again, each of these security attacks could have been prevented by a “better than average” implementation of the related PCI DSS controls.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
