Ending the PCI Blame Game

Turiss CEO Phil Mellinger, former CISO of First Data, expresses concern over the costly infighting over financial responsibility for breaches and proposes five constructive steps

Fallout from the PCI Blame Game

A typical day. Russians were yet again selling fresh batches of stolen payment card data in closed hacker forums, and our initial undercover buys indicated that there had been a significant breach. I knew what was going to happen next, and there was nothing that I or anyone else could do to stop it. No warning was possible. There was going to be another slow, painful train wreck—of that there was no question.

With our subsequent undercover buys of stolen cards, the issuer involved identifies the victim of the breach and notifies the card associations, who eventually confront the victim. Disbelief. Shock. Panic. Lawyers—lots of lawyers. Outside attorneys. Estimates are made of the number of cards compromised—a meaningless figure that will later be prominently displayed in news headlines. PCI certification records are waved about. The victim's assessor is notified. Accusations. Finally, the victim is obligated to go public with the bad news. Their stock plunges as their customers jump ship. Game over.

As if being breached wasn't bad enough, the victim would now endure an endless stream of investigators, lawyers, and reporters that, in the end, would do little to prevent the situation from reoccurring elsewhere.

One by one, card industry players will be forced through this gauntlet: the PCI blame game. "It's your fault—you weren't diligent." "No, it's the PCI assessor's fault—they said we were compliant." "No, the associations certified the PCI assessor—it's their fault." The PCI assessor is summarily de-certified and placed on probation. The breach victim sues their assessor. The legal battle broadens as lawsuits pile up—everyone wants a piece of the victim. The associations fine the victim, who sells what remains of their business to scavengers. In nearly all cases, the victim had tried its best to interpret and follow the complexity of PCI rules, and yet they are always the one blamed.

> No system that seeks to blame victims for unprovoked attacks can long survive.

Payment industry resources must be refocused on fighting those responsible for breaches. Worse than the PCI blame game, few now comprehend the scope of the problem: the payment card industry is today trying to stop attackers who may be beyond the capabilities of available security solutions. The bad guys have jumped to warp speed.

The third wave is upon us.

The Third Wave: From Payment Cards to National Security

We are now several years into the brunt of the third cyber-attack wave. It began on a small scale but gathered speed quickly, its ferocity unanticipated.

Back in the 1990s, the first cyber-attack wave targeted Internet merchant databases. As cyber-defenses initially stiffened, the second cyber-attack wave hit newly Internet-connected brick-and-mortar businesses with attackers "swiping" stores of magnetic-stripe data. PCI security was formalized after the millennium and old rules were revitalized to outlaw mag-stripe storage, but it was already too late. The attackers were hooked on cash and were updating their weapons. If the businesses wouldn't store mag-stripe gold, the attackers would create their own storage devices (sniffers) within businesses. Breach-funded attackers honed their skills to levels never before imagined.

And then the third wave hit.

In 2005, cyber crooks began wielding "crimeware" to attack consumer-entered data. Crimeware—malware used to conduct large-scale theft from financial industries—was the culmination of three advancements. First, signature-agile Trojans became invisible to signature-detecting anti-virus and firewalls. Second, botnet controllers scaled to manage hundreds of thousands of infected PCs. Third, key-logging techniques were perfected to efficiently collect valuable browser-entered form data. Undetectable Trojans organized into huge botnets that efficiently collected browser-entered data—a breakthrough combination that formed a nearly indefensible weapon.

The target was no longer PCI security's Maginot line of PCI-certified processors and merchants. Instead, attackers key-logged PCs as consumers entered form data bound for online financial institutions. Traditional security methods are useless against crimeware Trojans; if anti-virus or firewall companies happen to detect a variant, attackers quickly morph their Trojan to again be undetectable.

Paradoxically, fraud losses across the payment card industry suddenly dropped earlier this year. The reason was unclear at first, but quickly became all too evident as new, more lucrative types of fraud skyrocketed. The attackers had moved on to greener pastures—online banking. Stories of unauthorized ACH transfers now fill the news. Russian cyber-attackers, unable to drain accounts fast enough, have begun outsourcing cyber-attacks to their Chinese brethren.

Third-wave attacks are now, in my opinion, a national security concern, as this same technique can defeat security protections in place across the power grid and the military.

Five Steps Forward

What can be done?

First of all, the financial industry needs to launch an immediate moratorium on blaming breach victims—PCI-induced infighting, litigation, and fines over breach responsibility serve no useful purpose.

Second, PCI rules must evolve to specifically address third-wave malware attacks.

Third, the financial industry desperately needs improved fraud intelligence to understand its attackers and their weapons. It's no longer sufficient to monitor Internet chat rooms. We need to directly infiltrate the attackers. We should reward those in our industry who identify the weaknesses in our defenses, not punish those who are attacked. This is a complete change from our current PCI dogma, but it is the only way we will improve.

Fourth, international laws must be changed to destroy cyber-attack sanctuaries. If law enforcement officials in eastern Europe, Asia, or anywhere else refuse to deal with the attackers operating from within their borders, then the world needs to hold such countries accountable. Countries that shelter cyber-attackers should be treated no differently than countries that provide a safe haven for terrorists.

Fifth, new security approaches must be developed to thwart attackers and their weapons. For example, new tools might be developed to quickly and easily rebuild PCs and thereby eliminate any resident malware, even when that malware cannot be detected.

"Internet banking as we know it, the kind that happens when a user launches a browser, and goes through even a decent approximation of layered security on a bank's Website, is dead, made untenable by the massive fraud now draining hundreds of millions from corporate accounts."

-- Rebecca Sausner, Editor-in-Chief, Bank Technology News

In conclusion, Internet banking will not be the only casualty of third-wave attacks. Data used to authenticate Internet card transactions (e.g., AVS, CVV2, expiration dates) is being compromised on an unprecedented scale. Credit bureaus, the foundation for information-based authentication of online financial transactions, are also being compromised at alarming rates. These cases are just the tip of the coming iceberg.

We are rapidly approaching an era in which computers may no longer be trusted, and that day may be coming soon. If we fail to counter third-wave attacks, the Internet as we now know it will cease to exist. Let us now begin to attack the real problem and not its victims.

Phil Mellinger was CISO of First Data for ten years and was involved in creating the PCI DSS standard. He is now CEO of Turiss.