How do such simple security failures like this still happen?!?!

You Can Take it With You


My wife is a big fan of movies produced by one of the major film & entertainment companies [I'd like to share the company name but to be honest, I don't need the hassles]. As a result she joined one of their movie clubs.

We all know movie/music/book clubs are a hassle, but you expect to have difficulties with them and you accept it. What we didn't expect was this letter we received yesterday regarding a security problem at the vendor who provides order fulfillment for the movie club.

One of [order fulfillment company]'s employees sold certain credit card information to federal law enforcement agents, as part of an undercover sting operation. The information included your name, address, credit card number, and expiration date, and credit card type, and may have included your telephone number and email address if you provided that contact information to us [which we did].

I'm like WTF?!?! This thievery wasn't the result of a hacker, firewall breach, or any other technical attack. An employee simply copied the data and sold it.

The letter goes on to say a bunch of things that I guess are supposed to make me feel better…

The individual involved in this incident is no longer employed by [order fulfillment company] and no longer has access rights to [order fulfillment company]'s premises or computer systems. You should also know that [order fulfillment company] now has taken additional corrective and precautionary measures, and has been independently certified under the Payment Card Industry (PCI) Data Security Standard[1], an industry standard for the safeguarding of consumer credit card information.

I sure hope the person that committed the crime no longer has access - geez!!

Also - now I don't know this for sure - but I imagine that [order fulfillment company] was already certified under the PCI Data Security Standard before this incident, since the major credit card companies expect organizations that handle credit card info to be certified under this standard. And I certainly hope that the film & entertainment company requires [order fulfillment company] and any other vendors that handle credit card information to comply with the standard.

An issue that really bugs me is that one of the key tenets of the PCI Data Security Standard is that credit card information be available only to those employees who have a business need to know. I can't imagine why the person who sold this information would have a business need to know our complete credit card info and the accompanying personal info; we're account holders in good standing with both the credit card company and the movie club.

I guess there's no real point to this rant; it just amazes me that such simple, human-based thievery is still so easily achieved. Why didn't [order fulfillment company] protect this information? More importantly, why didn't the major film & entertainment company require the fulfillment provider to demonstrate and certify adequate data protection?

The film & entertainment company is one of the biggest in the world; I gotta believe that had they taken the security of this data as seriously as it deserves, they would've required [order fulfillment company] to provide adequate security and to limit access to this data enough to prevent such simple thievery.

I wonder how many companies still make this kind of data available to any employee who can type a SQL query.
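As an added illustration of the "need to know" point above (this is example code written for this page, not the post's own code and not anything from the fulfillment company's systems), here is a Python script that uses SQLite's authorizer hook as a stand-in for the roles and grants a production database would use. The role names, the need-to-know matrix, the customer records and the `tok_` tokens are all constructed for the example. The full card number lives only in a separate vault table that the support and shipping roles cannot read at all; anyone who can "type a SQL query" as one of those roles gets only the last four digits, and every refused read is recorded.

```python
import sqlite3

# Constructed sample data for the example: fictional customers and
# industry test card numbers, not real cardholders.
CUSTOMERS = [
    ("Ann Example", "1 Main St, Springfield", "4111111111111111", "06/09", "VISA"),
    ("Bob Sample", "2 Oak Ave, Shelbyville", "5555555555554444", "11/08", "MC"),
]

# Need-to-know matrix (assumed roles for the example): the columns each
# job may read. Anything not listed is refused, whatever SQL is typed.
NEED_TO_KNOW = {
    "shipping": {"customers": {"id", "name", "address"}},
    "support":  {"customers": {"id", "name", "address", "card_brand", "card_last4"}},
    "vault":    {"card_vault": {"token", "pan", "expiry"}},
}


class RoleGate:
    """SQLite authorizer callback: consulted for every table, column and
    statement type a query touches, before the query runs."""

    def __init__(self):
        self.role = "admin"   # used only while building the schema
        self.audit = []       # (role, action, object) for each refusal

    def __call__(self, action, arg1, arg2, dbname, source):
        if self.role == "admin":
            return sqlite3.SQLITE_OK
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:
            cols = NEED_TO_KNOW.get(self.role, {}).get(arg1)
            # arg2 is empty when a table is referenced without reading a column
            if cols is not None and (not arg2 or arg2 in cols):
                return sqlite3.SQLITE_OK
            self.audit.append((self.role, "READ", f"{arg1}.{arg2}"))
            return sqlite3.SQLITE_DENY
        # No writes, schema changes, PRAGMA or ATTACH for any person-facing role.
        self.audit.append((self.role, action, arg1))
        return sqlite3.SQLITE_DENY


def build_db():
    """Create the fulfillment tables. The card number is stored only in
    card_vault; the customer record keeps a token and the last four digits."""
    conn = sqlite3.connect(":memory:")
    gate = RoleGate()
    conn.set_authorizer(gate)
    conn.executescript("""
        CREATE TABLE card_vault (token TEXT PRIMARY KEY, pan TEXT NOT NULL,
                                 expiry TEXT NOT NULL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, address TEXT,
                                card_brand TEXT, card_last4 TEXT,
                                card_token TEXT REFERENCES card_vault(token));
    """)
    for i, (name, addr, pan, exp, brand) in enumerate(CUSTOMERS, start=1):
        token = f"tok_{i:04d}"   # constructed; a real vault issues random tokens
        conn.execute("INSERT INTO card_vault VALUES (?, ?, ?)", (token, pan, exp))
        conn.execute("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?)",
                     (i, name, addr, brand, pan[-4:], token))
    conn.commit()
    return conn, gate


def run_as(conn, gate, role, sql):
    """Run an ad-hoc query as `role`. SQLite refuses the statement at
    prepare time if it touches anything outside the role's allowance."""
    gate.role = role
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        raise PermissionError(f"{role}: {exc}") from exc
    finally:
        gate.role = "admin"


def demo():
    """Exercise the matrix: what each role can and cannot get at."""
    conn, gate = build_db()
    out = {}
    out["support_sees"] = run_as(conn, gate, "support",
        "SELECT name, card_brand, card_last4 FROM customers ORDER BY id")
    out["vault_sees"] = run_as(conn, gate, "vault",
        "SELECT pan FROM card_vault WHERE token = 'tok_0001'")
    attempts = {
        "support reads token": ("support", "SELECT card_token FROM customers"),
        "support reads vault": ("support", "SELECT pan FROM card_vault"),
        "shipping reads last4": ("shipping", "SELECT name, card_last4 FROM customers"),
        "support edits address": ("support", "UPDATE customers SET address = 'x'"),
    }
    for label, (role, sql) in attempts.items():
        try:
            run_as(conn, gate, role, sql)
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    out["refusals_logged"] = len(gate.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the check sits in the database layer, not in the application's screens: a support employee with a SQL console still sees only name, brand and last four digits, and the vault table is a separate store that only the `vault` role (in practice, a payment service, not a person) can read. In a real deployment the equivalent would be per-role GRANTs on masked views plus a vault or tokenization service outside the fulfillment database; the audit list here stands in for the access log that should feed monitoring.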

--End of Rant --

[1] For a simple overview of the PCI Security Standard, check out the PCI DSS page on Wikipedia.


Posted Jul 10 2007, 08:24 AM by jim-wilson

Comments

Craig wrote re: How do such simple security failures like this still happen?!?!
on 07-10-2007 6:47 AM
And why would they take this seriously? They have little or no economic incentive to do so. The only downside is if you find out, and it's not like you're going to get any money from them.

The solutions to this problem are economic. Give ownership of the data to the people it's about, not the companies that hold it. Make it illegal to share data about consumers without that consumer's permission. Fine companies that buy and sell it. Push liability for leaked information onto the companies that failed to protect it.

Bet you'd see a quick change in the way things work then. People would still sell the information (organized crime, for example, would still pay for it), but if you made it directly affect the companies, you can bet your ass they'd do a better job of locking it down.
Darren Kopp wrote re: How do such simple security failures like this still happen?!?!
on 07-10-2007 7:58 AM
I'm gonna start a murder for hire fulfilment company. Then, even if one of my employees sells peoples info, we can handle it internally....
Kevin wrote re: How do such simple security failures like this still happen?!?!
on 07-11-2007 3:33 AM
This is bad but, unfortunately, typical. Fact is that there are countless ways that thieves can gather information about us and our accounts. If you sit and think about it I'm sure you could come up with at least ten right away. Best we can do is be aware that we are all potential targets and do our best not to make it any easier than we have to for the thieves. My best brief recommendations:

1. Check your credit reports often!
2. Shred everything that has identifying information.
3. Don't use paper checks.
4. Don't provide your Social Security Number on ANY form unless you know why it's needed and are okay with that.
Jim Wilson wrote re: How do such simple security failures like this still happen?!?!
on 07-11-2007 5:29 AM
Kevin;

I agree that everything that you mention are great suggestions.

That said, none of those things would have mitigated this particular situation. In this case, the many other people who were affected (they don't say how many people were affected in total) and I did nothing but provide our credit card number and the necessary identifying information to receive mailings from the movie club.

The bottom line is that you have to decide what organizations you're going to trust. As much as we all wish we didn't have to trust any of these organizations, one has to trust at least some of them if you're going to participate in the economics of society.

Had this happened because of something I bought from an unknown seller on eBay or some unknown website, then it would be my responsibility. In this case however I was dealing with a Fortune 100 company and provided the absolute minimum information that one could to receive the product (cc number to pay & contact info to receive the product).

Again, I agree that we are ultimately responsible for our own wellbeing and all of your suggestions are great ways to minimize one's exposure. But I also agree with Craig that the law needs to catch up with the realities of modern society and require companies to accept liability.

In the case I described, this company didn’t even implement the most fundamental safety practice of adequately limiting employee access to sensitive customer information.

Unfortunately, given the strength of lobbies in the US, it seems unlikely that any law requiring these huge companies to take on additional financial liability will happen.

Thanks again for the great suggestions.

-Jim
theCoach wrote re: How do such simple security failures like this still happen?!?!
on 07-11-2007 5:57 AM
Jim,
I think you are fatally optimistic about where computer security is.

This type of human attack from, say, a developer is probably possible at about 99% of companies that handle data, in my estimation.

There are not tools for development / troubleshooting that simplify this enough to justify the cost. As stated above, the problem is one of economics, and right now security is very expensive.
