Just when we thought the big credit card data breaches were over, at least for a while (with Albert Gonzalez put away after his breaches of TJX, Heartland Payment Systems and others), along comes a new one, reported today on KrebsOnSecurity.com (www.Krebsonsecurity.com).
Visa and MasterCard have already issued warnings on this. I’ve spoken with folks in the card business who are seeing signs of this breach mushrooming. It looks like the hackers have started using the stolen card data more recently. From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid for a NYC cab in the last few months with your credit or debit card, be sure to check your card statements for possible fraud.
One interesting twist again sheds light on the fact that knowledge-based authentication (KBA) should not be relied upon. KBA answers (mother’s maiden name, first car, and so on) are drawn from small, guessable sets and are often researchable from public records or social media, so whoever can look them up or guess them holds the credential. I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge-based authentication questions correctly. It looks like the hackers took over an administrative account that was not sufficiently protected.
Isn’t that usually the case? So if that’s indeed what happened, we can expect the PCI assessors to say NO to KBA on administrative accounts. They need to say NO to many different types of authentication that are being successfully bypassed by determined crooks. See our research on “The Five Layers of Fraud Prevention” and “When Strong Authentication Fails and What You Can Do About It.”
A layered approach is always best, since you have to assume the bad guys will get through one, two or even three layers; no single control, however strong, should be the only thing standing between an attacker and an administrative account.
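To make the KBA point and the layering point concrete, here is an added example (mine, not code from the post or from any company mentioned in it). It models an administrative login with two policies: a weak one in which correct KBA answers alone grant access, which is the takeover path described above, and a layered one in which a password is always required and admin accounts additionally need a possession factor (an RFC 6238 TOTP code), with KBA never counting as a substitute for it. The account name, security questions, answers and password are constructed for the demonstration; the attacker is assumed to have researched the KBA answers but to hold neither the password nor the TOTP device.

```python
import hashlib
import hmac
import secrets
import struct

# --- Factor implementations ---------------------------------------------------

def hash_secret(value, salt):
    """PBKDF2-HMAC-SHA256 for stored passwords and KBA answers."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

def normalize_answer(answer):
    """KBA answers are matched case- and whitespace-insensitively, which is one
    reason their effective entropy is so low."""
    return " ".join(answer.strip().lower().split())

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step)

def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step plus/minus `window` steps of clock skew."""
    return any(hmac.compare_digest(totp(secret, unix_time + s * 30), code)
               for s in range(-window, window + 1))

# --- Account model (constructed for this example, not a real system) ----------

class Account:
    def __init__(self, name, is_admin, password, kba_answers, totp_secret):
        self.name = name
        self.is_admin = is_admin
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_secret(password, self.salt)
        self.kba = {q: hash_secret(normalize_answer(a), self.salt)
                    for q, a in kba_answers.items()}
        self.totp_secret = totp_secret  # None if no authenticator enrolled

    def check_password(self, password):
        return hmac.compare_digest(hash_secret(password, self.salt), self.password_hash)

    def check_kba(self, answers):
        # Every enrolled question must be answered correctly.
        return all(q in answers and hmac.compare_digest(
                       hash_secret(normalize_answer(answers[q]), self.salt), h)
                   for q, h in self.kba.items())

# --- Policies -----------------------------------------------------------------

def weak_policy(account, presented, now):
    """'Before': KBA answers alone are a complete login/recovery path."""
    if "password" in presented and account.check_password(presented["password"]):
        return True
    if "kba" in presented and account.check_kba(presented["kba"]):
        return True  # researched answers are enough to take over the account
    return False

def layered_policy(account, presented, now):
    """'After': password always required; admins also need TOTP, and KBA never
    substitutes for it. Non-admins may use KBA only as an extra layer."""
    if not ("password" in presented and account.check_password(presented["password"])):
        return False
    totp_ok = (account.totp_secret is not None and "totp" in presented
               and verify_totp(account.totp_secret, presented["totp"], now))
    if account.is_admin:
        return totp_ok
    kba_ok = "kba" in presented and account.check_kba(presented["kba"])
    return totp_ok or kba_ok

def run_scenario():
    """Attacker with researched KBA answers vs. legitimate admin, under both policies."""
    now = 1_700_000_000  # fixed clock so the example is deterministic
    password = "correct horse battery staple"  # constructed
    admin = Account("pos-admin", True, password,
                    {"mother's maiden name": "Smith", "first car": "Civic"},
                    secrets.token_bytes(20))
    attacker = {"kba": {"mother's maiden name": "smith", "first car": " CIVIC "}}
    legit = {"password": password, "totp": totp(admin.totp_secret, now)}
    kba_instead_of_totp = {"password": password, "kba": attacker["kba"]}
    return {
        "weak_attacker": weak_policy(admin, attacker, now),            # True
        "layered_attacker": layered_policy(admin, attacker, now),      # False
        "layered_admin": layered_policy(admin, legit, now),            # True
        "layered_kba_not_totp": layered_policy(admin, kba_instead_of_totp, now),  # False
    }

if __name__ == "__main__":
    print(run_scenario())
```

The HOTP routine can be checked against the RFC 4226 test vectors (secret "12345678901234567890", counters 0 and 1 give 755224 and 287082). The design point is that `layered_policy` treats KBA as something that can only be added on top of stronger factors for low-privilege accounts, and gives it no weight at all on administrative ones, which is exactly the stance the post expects assessors to take.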
In the meantime, I’m not sure what’s holding up public disclosure of this breach, but expect it to come soon.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.