massive data theft at MasterCard processor

Anne & Lynn Wheeler lynn at garlic.com
Mon Jun 20 22:26:25 EDT 2005


Steven M. Bellovin wrote:
> MasterCard reported the exposure of up to 40,000,000 credit card 
> numbers at CardSystems Solutions, a third-party processor of credit 
> card data.  CardSystems was infected with a script that targeted 
> specific data.  In other words, this wasn't the usual carelessness, 
> this was enemy action, and of a sophisticated nature.  See
> http://www.mastercardinternational.com/cgi-bin/newsroom.cgi?id=1038 for 
> the official statement.
> 
> Designing a system that deflects this sort of attack is challenging.  
> The right answer is smart cards that can digitally sign transactions, 
> but that would require rolling out new readers to all the merchants.  
> That's doable, about once per decade -- and at least one credit card 
> vendor (JP Morgan-Chase) is using the opportunity to push out 
> RFID-based credit card readers instead.  So the marketing department 
> outranks the security department -- big surprise there....

reference to a posting in a usenet newsgroup, in a thread that talked about
putting encryption everywhere as a solution
http://www.garlic.com/~lynn/2005k.html#55 Encryption Everywhere?
http://www.garlic.com/~lynn/2005k.html#56 Encryption Everywhere?

as referenced in the above ... x9.59
http://www.garlic.com/~lynn/index.html#x959

has a countermeasure against the harvesting vulnerability (without
requiring any encryption), which is so attractive to attackers because
the return is so enormous for the amount of effort
http://www.garlic.com/~lynn/subpubkey.html#harvest

it is a countermeasure to fraudulent terminals. there was some effort in
the x9a10 working group (which was tasked with preserving the integrity of
the financial infrastructure for *ALL* retail payments, regardless of
kind, debit, credit, stored-value, etc ... and/or environment) with
regard to trusted terminal modules .... somewhat akin to the EU finread
standard and existing POS security modules ... but with the addition
that the terminal also digitally signed the same transaction. the
consumer would digitally sign for authentication ... and the trusted
terminal would also digitally co-sign, authenticating the terminal used.

the issue is that there is still some vulnerability involving terminal
overlays (analogous to what has been read about regarding ATM cash
machine overlays ... although not for harvesting ... since x9.59 closed
that hole ... but for transaction misrepresentation ... the payback isn't
nearly as attractive as compared to harvesting though).

so one of the AADS chip strawman suggestions for x9.59 from the 90s
http://www.garlic.com/~lynn/index.html#aads

was the same protocol and transaction whether it was with the merchant
terminals ... or with a consumer-owned pda/cellphone device (any kind of
wireless to the merchant device) ... where a paranoid consumer would
always maintain physical control of their private display and keypad.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
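The two-signature flow described in the message above (the consumer digitally signs the transaction for authentication, and a trusted terminal co-signs the same transaction to authenticate the terminal used) as an added example. This is not the poster's code and not an implementation of X9.59 or of the AADS chip strawman; the transaction fields, the JSON canonical form, the ECDSA/P-256 choice, the account and terminal registries (plain maps keyed by account number and terminal ID) and the identifiers in it are all assumptions made for the example. The account authority looks up the consumer's public key from the account record and the terminal's key from a registry, then checks both signatures; a harvested account number without the consumer's private key fails the first check, and an unregistered terminal fails the second. The overlay case the message raises is deliberately not among the scenarios: if the overlay lies on the display and the consumer signs the altered transaction, both signatures verify, which is why the message turns to a consumer-owned display and keypad.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction holds the fields both parties sign over (an assumed field set, not X9.59's).
type Transaction struct {
	Account  string `json:"account"`
	Merchant string `json:"merchant"`
	Cents    int64  `json:"cents"`
	Nonce    string `json:"nonce"` // per-transaction value, so a captured message cannot be replayed
}

type Signed struct {
	Tx          Transaction
	ConsumerSig []byte
	TerminalID  string
	TerminalSig []byte
}

// txDigest is what the consumer signs: SHA-256 over a canonical encoding
// (json.Marshal emits struct fields in declaration order).
func txDigest(tx Transaction) []byte {
	b, _ := json.Marshal(tx)
	h := sha256.Sum256(b)
	return h[:]
}

// terminalDigest binds the co-signature to the transaction AND the consumer's
// signature, so the terminal attests to exactly the message the consumer signed.
func terminalDigest(tx Transaction, consumerSig []byte) []byte {
	h := sha256.New()
	h.Write(txDigest(tx))
	h.Write(consumerSig)
	return h.Sum(nil)
}

func ConsumerSign(tx Transaction, key *ecdsa.PrivateKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, txDigest(tx))
}
func TerminalCoSign(tx Transaction, consumerSig []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, terminalDigest(tx, consumerSig))
}

// Verify is the account authority's check. The consumer's public key is looked
// up from the account record (the AADS idea); terminal keys come from a registry.
func Verify(s Signed, accounts, terminals map[string]*ecdsa.PublicKey) error {
	pk, ok := accounts[s.Tx.Account]
	if !ok || !ecdsa.VerifyASN1(pk, txDigest(s.Tx), s.ConsumerSig) {
		return errors.New("consumer signature does not verify for this account")
	}
	tk, ok := terminals[s.TerminalID]
	if !ok || !ecdsa.VerifyASN1(tk, terminalDigest(s.Tx, s.ConsumerSig), s.TerminalSig) {
		return errors.New("terminal co-signature does not verify for a registered terminal")
	}
	return nil
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Scenario runs three constructed cases and returns Verify's verdict for each (nil = accepted).
func Scenario() (legit, harvested, rogueTerm error) {
	consumer, terminal, attacker, rogue := mustKey(), mustKey(), mustKey(), mustKey()
	const acct, term = "4111-0000-0000-1111", "POS-0042" // constructed identifiers
	accounts := map[string]*ecdsa.PublicKey{acct: &consumer.PublicKey}
	terminals := map[string]*ecdsa.PublicKey{term: &terminal.PublicKey}
	// Honest purchase: consumer signs, registered terminal co-signs.
	tx := Transaction{Account: acct, Merchant: "corner-store", Cents: 1999, Nonce: "n1"}
	cs, _ := ConsumerSign(tx, consumer)
	ts, _ := TerminalCoSign(tx, cs, terminal)
	legit = Verify(Signed{tx, cs, term, ts}, accounts, terminals)
	// Harvested number: the attacker has the account number but not the consumer's key.
	h := tx
	h.Merchant, h.Nonce = "attacker-shop", "n2"
	hcs, _ := ConsumerSign(h, attacker)
	hts, _ := TerminalCoSign(h, hcs, terminal)
	harvested = Verify(Signed{h, hcs, term, hts}, accounts, terminals)
	// Unregistered terminal co-signs a genuine consumer signature.
	rts, _ := TerminalCoSign(tx, cs, rogue)
	rogueTerm = Verify(Signed{tx, cs, "POS-9999", rts}, accounts, terminals)
	return legit, harvested, rogueTerm
}

func main() {
	l, h, r := Scenario()
	fmt.Printf("legit=%v harvested=%v rogue-terminal=%v\n", l, h, r)
}
```

The point of hashing the consumer's signature into the terminal's digest is that the co-signature cannot be detached and reattached to a different consumer signature over the same transaction; the terminal vouches for the exact message it forwarded.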