[ISN] Network Solutions Breach Revives PCI Debate

From: InfoSec News <alerts_at_private>
Date: Tue, 11 Aug 2009 01:32:17 -0500 (CDT)
http://www.bankinfosecurity.com/articles.php?art_id=1691

By Linda McGlasson
Managing Editor
Bank Info Security
August 10, 2009

The recent data breach at Internet domain administrator and host Network 
Solutions compromised more than 573,000 credit and debit cardholders and 
begs the question: What more can be done to secure such systems? The 
incident also raises new questions about the Payment Card Industry Data 
Security Standard (PCI).

At the time of the breach, discovered in June, Network Solutions says it 
was PCI compliant. The breach was the result of hackers planting rogue 
code on the company's web servers, intercepting financial transactions 
between the sites and their customers, which are mostly small online 
stores.

So, if Network Solutions was PCI compliant, how could it be breached? 
Paul Kocher, chief research scientist at Cryptography Research 
Institute, says the fundamental limitation with PCI is that it attempts 
to distill security down into a static set of requirements, while 
adversaries aren't restricted to a rigidly-defined set of methods. "As a 
result, clever attackers will always find holes," he says. "PCI does 
provide some value by forcing merchants to put some effort into 
addressing the most common attacks, but the objective is to reduce total 
risk -- not stop all attacks."

Changes that would increase the burden on merchants could raise the bar 
further, Kocher notes, "Although it's not clear how much impact this 
will have on actual fraud rates." At this point, he sees no sign that 
security standards are anywhere near close to putting fraudsters out of 
business, and forcing them to work a bit harder doesn't necessarily mean 
they'll actually steal less. Kocher sees the most effective anti-fraud 
step the U.S. card industry could take would be to make a real effort to 
adopt smart cards. The secrets needed to copy stay in the chip, and 
terminals for card-present transactions simply do not have access to the 
secrets.

[...]


___________________________________________________
Visit and Submit to the Defcon Memory Repository
http://www.defconpics.org/
Received on Mon Aug 10 2009 - 23:32:17 PDT

This archive was generated by hypermail 2.2.0 : Mon Aug 10 2009 - 23:42:50 PDT