“For everything else… there’s Mastercard…”
MasterCard Identity Theft
Background Information on the Mastercard Identity theft
Lessons learned from the MasterCard/Visa heist
In business, blind trust is a luxury you can’t afford
Reality Check, By Ephraim Schwartz (Infoworld)
June 28, 2005
How could MasterCard and Visa allow 40 million customer credit card numbers to be sucked out of their systems and into the hands of criminals? Last week I called them both to find out.
In response, Visa sent me a prepared statement. One sentence from the statement, in particular, is worth quoting: â€œWe are actively monitoring the situation on a real-time basis using our state-of-the-art fraud-fighting technologies.â€
Other than expecting to see VisaMan rip open his shirt to reveal his true identity as a state-of-the-art fraud-fighting superhero, something is wrong with this. Visaâ€™s statement seems more concerned with covering the companyâ€™s collective behinds than facing the real issues.
At least, thatâ€™s what Avivah Litan, vice president and research director at Gartner, says. And sheâ€™s not alone. John Pescatore, a Gartner colleague and one of the most widely respected security analysts in the country, told me that the payment card industry has security rules in place but hasnâ€™t been pushing hard enough and fast enough to enforce them.
CardSystems, the third-party service provider that let Visa/MasterCard down, made a simple and humble apology, explaining that it had put information it was not supposed to keep into the wrong file. A more meaningless explanation I have rarely heard.
Improper filing or otherwise, someone unauthorized was still able to get behind CardSystemsâ€™ firewall, insert code into the system that found the file, and download the data to his or her own system. If nothing else, I would like to ask that person how big a hard drive you need to hold 40 million records.
Fearful that additional layers of security would slow down credit card transactions and scare off customers, the industry has been dragging its feet, but Pescatore says that attitude has backfired. â€œConsumer confidence is now dropping faster than more security would ever have done,â€ he says.
After speaking to four security analysts, surprisingly I came away with the same answer from each.
Frank Smith, vice president of the technology strategy group at Capgemini, said, â€œThey donâ€™t supply due diligence to the whole system.â€ Gartnerâ€™s Litan said, â€œThey have everything in place; they just donâ€™t enforce it.â€ Paul Stamp, security analyst at Forrester Research, said â€œThe processes were not properly enforced.â€ Pescatore said that the standards â€œhave been pure eyewash. No enforcement.â€
Such a security breach is usually brought about by a combination of factors, according to Stamp. There could be a breakdown in the process, or the process isnâ€™t being enforced. A human could be doing something he or she shouldnâ€™t â€” for instance, an authorized person performing a task they were not authorized to do. Finally, there could be a technical system problem.
The fact that CardSystems, an authorized third-party service provider, was trusted with customer information and did something that was not authorized leads me to ask why the auditors from MasterCard and Visa didnâ€™t know that. Maybe itâ€™s time to re-examine the whole system.
Beyond the current scandal is the reality that enterprises rely more and more on outsourcing providers and business partners. Your company is going to have to trust that someone beyond your own four walls is as diligent as you are.
Thatâ€™s a tall order. If weâ€™re to learn anything from this latest example, itâ€™s that we need a little less trust and a lot more due diligence to protect our companiesâ€™ — and our customersâ€™ — information.