Credit Card Number

Norm Coleman, a former senator from Minnesota, is going through a legal battle to try to win back his seat in the senate. If the way he manages his web site security and the crises it created are an indicator, I am not sure that he has a place there.

Update (May 27th 2009) - The CardSystems incident is refusing to die. Merrick Back is now suing Savvis for certifying CardSystems as CISP compliant while it systems where wide open. CISP is a VISA program for certifying credit card processing systems which existed prior to PCI DSS.

The actual damage to an organization of an attack is rarely disclosed, and coverage focuses on the number of records stolen. In the court documents Merrick reveals that its own damage from the CardSystems incident was $16,000,000! The money was paid to card holders to compensate for losses and for legal fees and fines.

The case is also interesting as it put to test the liability of the certifying entity (in this case Savvis) resulting from assessing. The results may have profound influence on the PCI QSA market and therefore PCI itself. David Navetta posts an excellent legal analysis of the potential implications of the lawsuit.

This entry is a very important one. Most are already familiar with the infamous CardSystems incident where hackers stole 263,000 credit card numbers, exposed 40 million more and several million dollars fraudulent credit and debit card purchases had been made with these counterfeit cards. As a result of the breach CardSystems nearly went out of business and was eventually purchased by PayByTouch. CardSystems is considered by many the most severe publicized information security breach ever and it caused company share holders, financial institutes and card holders damage of millions of dollars.

But since the publication of the incident a year ago the way in which the breach occurred remained a mystery.

Recently new articles about the case (listed below) revealed that SQL injection was used by the attackers to install malicious script on the CardSystems web application database which where scheduled to run every four days, extract records, zip them and export them to an FTP site.

This is one of the most stunning examples where a web application security hole was used to launch a targeted attack in order to steal money.

Additional information:

• Cleaning up after a hack job: CardSystems' Christensen [Information Security (mirror), Apr 14 2006]
• FTC complain In the Matter of CardSystems Solutions [FTC, ]
• Midrange CardSystems Wiki [Midrange, ]
• CardSystems was a Web Application Hack [Cesar Cerrudo, Argeniss, Apr 18 2006]
• CardSystems Exposes 40 Million Identities [Bruce Schneier, Jun 23 2005]