Shostack + Friends Blog Archive

 

The following is not to be construed as legal advice. Or anything else.

The acronym “IANAL” is no doubt familiar to anyone reading these words. Well, I Am Not A Lawyer, but Paul Rianda is, and he wrote an interesting article [link to http://www.transactionworld.com/articles/2005/September/theLegalJungle1.asp no longer works] for Transaction World’s September 2005 issue, that I happened to run across.
In it, Mr. Rianda, esq., discusses his view of why the breaches we are all familiar with have occurred, what the credit card folks have done about it, and the likely ramifications. Herewith, some fair-use excerpts:

A dedicated and intelligent hacker can potentially compromise any database in spite of the PCID standards or any of the other security standards developed by Visa and MasterCard. The fact that such standards are widely utilized and published allows hackers the ability to study them and find ways to work around them. Also, when numerous organizations use the same standards, it leads to a situation where if hackers can compromise one database they may be able to find ways to breach others because the databases are secured in a similar manner.
[…]
However, the likelihood of any such credit card processor like CardSystems going out of business to the detriment of their agents and merchants is extremely remote.

This was published after CardSystems was dropped as a processor by Visa.
Earlier in the article, Mr. Rianda, esq. opines that “The PCID [sic] standards are, to a large extent, common sense necessary to secure any type of computer network.”
As I say, IANAL, but if the standards are common sense, how does publishing them help the bad guys? Also, CardSystems was bought out in a mostly-stock transaction in October, 2005.

One comment on "The following is not to be construed as legal advice. Or anything else."

  • old geezer says:

    Prior to the advent of the internet, these databases were usually fairly secure, because it was difficult for individuals who were not employed by the entities to obtain access to the information. Therefore, before the internet gained widespread use, the focus to secure the information databases was primarily on trying to ensure that employees did not take the information.

    Its clear that the author suffers from a probably irreperable case of cranio-rectal inversion, and it unaware of things like TYMNET, x.25, or the overlap of phreaking and hacking.

Comments are closed.