Bank Information Security has posted an interesting interview with Alain Sheer, an attorney with the FTC working on the CardSystems breach. He gives details on the attack:
Here is what we alleged in the complaint about what happened, and this is kind of a big picture kind of way of thinking about it, but I think you will see the picture. It is, starting in September 2004 an intruder used a SQL injection attack, and I will explain what that is in just a moment, to install common hacker tools on Card Systems network. The tools were used to find the mag stripe data and to export it every four days, starting in November 2004. Through the exploit, through this attack, the intruder got information about tens of millions of credit cards, the mag stripes basically.
He then goes into the multiple complaints filed and the steps that the FTC say should have been taken by Card Systems. Towards the end he describes harm:
In Choice Point, for example, the information that was stolen in many instances was the Social Security number, which allowed the thieves to open new accounts in the consumer’s name. The evidence also showed that a significant number of people lost a significant amount of money from identity theft.
In Card Systems, the consumers experienced a different type of injury in the form of fraudulent credit and debit charges, inconvenience and time lost. Although this is a real injury, consumer’s losses in circumstances like this are limited in many respects by existing consumer protection laws. Bank dispute procedures that kind of spread the loss among the affected companies and private litigation for example. Consumers are not typically held responsible for unauthorized charges on their credit cards. So in these cases we have not been getting monetary relief because they are really different from the Choice Point type case.
It’s a very good interview that helps illustrate the perspective of investigators as well as the security controls they expect companies to use.