Security News > 2009 > August > Network Solutions Breach Revives PCI Debate
http://www.bankinfosecurity.com/articles.php?art_id=1691 By Linda McGlasson Managing Editor Bank Info Security August 10, 2009 The recent data breach at Internet domain administrator and host Network Solutions compromised more than 573,000 credit and debit cardholders and begs the question: What more can be done to secure such systems? The incident also raises new questions about the Payment Card Industry Data Security Standard (PCI). At the time of the breach, discovered in June, Network Solutions says it was PCI compliant. The breach was the result of hackers planting rogue code on the company's web servers, intercepting financial transactions between the sites and their customers, which are mostly small online stores. So, if Network Solutions was PCI compliant, how could it be breached? Paul Kocher, chief research scientist at Cryptography Research Institute, says the fundamental limitation with PCI is that it attempts to distill security down into a static set of requirements, while adversaries aren't restricted to a rigidly-defined set of methods. "As a result, clever attackers will always find holes," he says. "PCI does provide some value by forcing merchants to put some effort into addressing the most common attacks, but the objective is to reduce total risk -- not stop all attacks." Changes that would increase the burden on merchants could raise the bar further, Kocher notes, "Although it's not clear how much impact this will have on actual fraud rates." At this point, he sees no sign that security standards are anywhere near close to putting fraudsters out of business, and forcing them to work a bit harder doesn't necessarily mean they'll actually steal less. Kocher sees the most effective anti-fraud step the U.S. card industry could take would be to make a real effort to adopt smart cards. The secrets needed to copy stay in the chip, and terminals for card-present transactions simply do not have access to the secrets. [...] ___________________________________________________ Visit and Submit to the Defcon Memory Repository http://www.defconpics.org/