Don’t bank on secret security

If you have a MasterCard-issued credit card then you may be hearing from your bank in the next few days.

The credit card company has revealed that a potential security breach at a UK retailer means that cardholder details may have been leaked. MasterCard has told the banks that issue its cards to take what it calls ‘necessary steps to protect cardholders’, which may include reissuing cards with new numbers.

Initial reports about the problem indicated that the cards affected were all from one issuer, which would have pointed to problems with MasterCard’s own systems, but now it seems that this is yet another case where a retailer fails to keep its customer database safe and gets hacked into.

This is what happened to customers of CD Universe back in 2000, and it’s still the most common problem for online retailing. Even if you’re talking to a secure site from a well-protected home PC, you could be in trouble if the retailer doesn’t keep their customer database on a secured server separate from their website.

Of course, sometimes card issuers have problems of their own. In 2005 there was a massive breach of security at the credit-card processor CardSystems Solutions, and details of up to 14 million accounts were accessed by hackers who installed their own software on CardSystems’ servers.

We can speculate, but we are very unlikely to know what really happened this time around, because shops and financial services companies rarely talk about their IT security, and they certainly don’t tell us the full details about how that security fails.

This is one of the few areas where the United States is ahead of Europe when it comes to legal protection for consumers, perhaps because it concerns money rather than personal data.

In California the Security Breach Information Act means a company has to notify customers if their personal data could have been leaked or compromised. And a law to cover the whole country, the Data Accountability and Trust Act, will shortly be considered by the Federal Trade Commission.

Being told that there has been a breach of security is a start, but it is not enough. We also need to know a lot more about the details, about what went wrong and – crucially – what has been done to fix it.

Banks like to argue that publicising these sorts of issues only makes life more dangerous, because criminals will find out about security problems that exist.

Yet, apart from some very rare circumstances in which the exploitation of an apparently unknown security hole is so simple and so obvious that delaying disclosure is clearly a good idea, attempting to ensure security through secrecy is never going to be effective.

The committed and well-funded criminal gangs that are trying to break into financial systems have their own sources of information, in the form of technical experts and, I would imagine, bank insiders.

They won’t be waiting for security announcements.

Excessive secrecy can also lead to the concern that in some cases banks do nothing about known problems because they decide that the risk of a serious breach is low, and the costs of changing their systems too high.

For example, there have been many reports recently about a serious problem with US-issued bank cards. Citibank was forced to reissue thousands of debit cards and for a while blocked the use of PINs for transactions taking place outside the US as it could not guarantee their validity.

The bank told its customers that ‘a US ATM processor was potentially compromised. Any cardholder that used an ATM serviced by this processor may be at risk’, implying that the bank machines were storing PINs as they were entered along with card numbers, allowing cards to be cloned and used.

However, back in 2003 Citibank went to the High Court in the UK to stop the public disclosure of some security vulnerabilities in the way PINs were verified that could, according to one of those involved, ‘mean that bank insiders can almost trivially find out the PINs of any or all customers.’

Perhaps the recent problem with unauthorised disclosure of PINs is something to do with this earlier issue. Perhaps someone working for one of the ATM companies realised that the vulnerability still existed and added some extra code to the software on the cash machine that exploited it.

Or perhaps not.

We don’t know, and probably will never know, because banks choose not to share their security practices with the wider community, and as a result we are forced to trust them.

This is not enough; the thousands of MasterCard customers who have just found out that they can’t rely on one of the places they shop to keep their card details safe demonstrate clearly why it must change.

At the moment MasterCard won’t even say which retailer seems to have been the source of the problem, arguing that investigations are continuing. As a result, shoppers are vulnerable and may still be passing credit card details to an insecure database at a poorly managed online retailer.

If the government announced that a bird had died of the H5N1 virus but that they weren’t going to tell us where until they’d sorted it out, there would be an uproar. But we are expected to allow MasterCard to keep things quiet.

It’s time the banks, and everyone else who stores or processes confidential information, came clean about their policies and practices, and started earning trust from their customers instead of just demanding it.

And it’s time that we were given full information as soon as a problem comes to light instead of being asked to trust the shops, banks and card issuers to sort things out behind the scenes.

There have been too many problems with online shopping for any of us to believe that they merit this degree of trust.

Bill’s Links

Card details revealed argues for disclosure

BoingBoing on Citibank
Citibank blocking publication back in 2003

2 Replies to “Don’t bank on secret security”

  1. Hey Bill,

    It is interesting how the general public not only hand over money to banks but their full trust too. I guess it goes back to the idea that holding money in a bank is better than keeping your bags of cash under the bed. But it just doesn’t work like that now.

    I’m a Software Tester and I used to work for a large Building Society. (Fortunately I got out of the banking industry and into e-commerce.) Although they have no online banking facilities, the number of IT developments that were just thrown together was quite considerable. The test process was eventually formalised but extremely old-fashioned and didn’t even consider security issues. The whole ‘it’ll never happen to us’ attitude was prevalent.

    I once attended a test conference and got chatting to a senior software tester who worked for one of the big four banks. He said the test process there was a complete shambles.

    I agree that banks and the financial industry should be much more transparent about security.

    PS the BillBlog is brilliant.
