July 21, 2005

Contradictory Charges Rattle Data-Loss Case

By Evan Schuman, Ziff Davis Internet

During congressional testimony Thursday, executives from bank and credit card companies involved in the largest credit card data loss ever pointed fingers at a new culprit for gaps in security: the auditors who had certified the credit card processing systems as being up to snuff.

But in an interview with Ziff Davis Internet News, those auditors—who did not testify at the hearings—vehemently disagreed with the testimony and said one of the CEO witnesses was either lying or very mistaken.

The role played by the Cable & Wireless Security unit, now owned by Savvis Communications Corp., was made public during the testimony of David Watson, the chairman of Merrick Bank, which is one of seven banks that made payments to merchants who used CardSystems Solutions.

In May, CardSystems reported that someone had broken into its systems and stolen the details of as many as 40 million payments cards, including names, account numbers and expiration dates. The hearing was being held to see if new laws are needed to prevent such a situation from recurring.

CardSystems officials have admitted that they violated their contracts with major credit card companies by storing customer-identifiable data from card magnetic stripes.

Watson testified that CardSystems used Cable & Wireless Security for a security audit in 2003, choosing from a Visa-approved list of auditors who could certify companies as complying with Visa's CISP (Cardholder Information Security Program).

Cable & Wireless did indeed certify CardSystems, according to CardSystems CEO John Perry, who testified that he relied on that certification to be sure that the systems were compliant with CISP rules and that they weren't retaining data they shouldn't.

Merrick's Watson testified that after the May break-in, his company brought in its own auditing team, Ubizen, to perform a forensic security audit. Ubizen discovered two problems.

"First, CardSystems retained certain transaction data on its system in clear violation of association rules. These data-retention practices were inconsistent with CISP standards, and it is unclear to us why the Cable & Wireless report did not note any objection to the practice, which was ongoing when the CISP certification was approved by Visa in 2004," Watson testified. "Ubizen reports this data-retention practice had been followed by CardSystems since 1998."

Ubizen also "identified certain issues with CardSystems servers and software, which were compromised by the intruder. The Cable & Wireless report did not make any mention of these system vulnerabilities," Watson told the panel.

"Ubizen reports that CardSystems servers showed evidence of unauthorized activity as early as April 2004. The Ubizen report does not confirm, however, any actual data loss until May 2005."

A Visa executive who was testifying—Steve Ruwe, Visa USA's executive vice president for operations and risk management—testified that Visa has asked Savvis to explain the discrepancy, has temporarily suspended using Savvis and is asking Savvis is revalidate earlier audits.

"Card Services is fighting for its life" said Richard Stiennon, vice president of threat research at Webroot, a Boulder, Colo.-based anti-spyware vendor.

Finger-pointing is useless, he said. "If you are installing unencrypted data on your machine, you are responsible," Stiennon said.

CardSystems' Perry even pointed to Cable & Wireless as a reason why his company couldn't answer all of Visa's questions. Perry testified that he "tried to contact former employees of Cable & Wireless" who had been involved in the audit, and "it was very difficult to track a lot of these people down."

But Bill Hancock, chief security officer at Savvis—who was chief security officer for Cable & Wireless at the time of the audits—directly contradicted Perry's testimony and defended his company's audit in an interview with Ziff Davis Internet News.

Hancock said the audit team for CardSystems consisted of four people. Three of those people still work at Savvis and the fourth recently left, and Hancock said he knows exactly where he is. Calls placed to CardSystems to address the discrepancy went unreturned.

As for Perry's congressional testimony about the missing former employees, Hancock said, "That is total, total disinformation."

"It's typical stuff," Hancock said. "Whoever's not in the room, let's blame them."

Asked if he thought Perry was lying, Hancock said that was a distinct possibility. He later said some of Perry's CardSystems employees who had been involved in the audit process had left the company, and maybe Perry had gotten confused and was referring to his difficulties in trying to reach his own former employees.

As to the core issue of the quality of the audit, Hancock said the improperly retained magstripe data was absolutely not on any of the machines that his team inspected; the team's mission was to inspect all of the machines that were involved with Visa transactions.

"The truth is that the people who did the audit are card-carrying certified information systems professionals," Hancock said. "We examined the systems and there was nothing there. The systems were directly examined. We were very meticulous about that."

During this kind of security audit, the audited company—CardSystems in this case—tells the auditors the relevant computers to examine.

If CardSystems was improperly retaining data at the time of the audit, Hancock said, the data must have been on a machine that was not among those that CardSystems identified as being relevant to the audit.

The audit "was done correctly. We don't examine every stinking computer," Hancock said, adding that auditors are limited to machines that are identified as relevant.

"In the boxes that we were told did the Visa processing, there was no evidence of mag [stripe] data being kept. But was it being kept 15 feet away?" Hancock asked. "If they had this stuff on a completely separate system, there is no way that any auditor would ever find this kind of information."

Magstripe data could have been added to the certified machines after the audit as well, Hancock said. "What happened post to [the audit], I don't know," he said.