Weakest Link in Retail Data Protection
June 15, 2007
Where much of the news about data protection following the TJX debacle has focused on hardening the storage of consumer information against direct attack, according to eWeek, an entirely different avenue of data vulnerability continues to operate right out in the open.
This vulnerability exists when retail businesses need to test out a credit card processing system. As they need concrete proof that the payment system actually functions (from my days in retail, there is nothing more frustrating than having a store all primed and ready to sell only to have the cash register malfunction), the tests they do -- which include point-of-sale upgrades, operating system patches, database changes, and more -- involve real live customer data.
Apparently, this test credits and debits real customer accounts using real customer credit card info, and while retailers have been generally ignorant about this vulnerability, cyberthieves are well aware of it. During the test there is the real risk of thieves accessing the data or penetrating the network, leaving behind a Trojan horse program to do their dirty work later on.
This has also caught the attention of Richard Simpson, who spent 21 years with Bank of America and has recently been appointed to the newly created post of senior IT risk coordinator for the Fed. Simpson has the tough task of "raising awareness of risks that might undermine public confidence in the U.S. financial system." Wonder if he’s going to start a blog.
Said Simpson: "A vulnerability that the Fed has observed during supervisory reviews is the practice of retaining unencrypted test data. Often large amounts of data will be pulled into a separate file for use as test data to verify program patches, run volume tests or simulate production output or reporting. The proper approach for temporary data is to destroy it immediately after use, to encrypt it if future use is planned, or to mask fields containing any customer confidential information."
“But that's not typically happening,” he continued. "Companies often consider test data to be less vulnerable than live transaction data and, therefore, take fewer precautions. Test data may also be accessed by third parties—such as vendors and outsourcers—more frequently than live data. Yet if the test data contains reusable customer information—credit card numbers, social security numbers, name and address—it can easily be used for fraudulent purposes if accessed by internal or external hackers."
And if a breach occurs with test data, companies often have a difficult time retracing their steps and figuring out exactly which file was breached and the full amount of consumer data it contained.
So why hasn’t an artificial list of test data been created? As is always the answer in these cases, it comes down to money, and who’s going to pay for it. So it seems that unless someone makes them do it, or a massively publicized breach occurs during the testing stage that faults a large retail organization like TJX, it simply will not become a priority.
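The masking Simpson describes (replace the confidential fields so the file is useless to a thief but still exercises the payment code) as an added Python example that is not part of the original post. It assumes a keyed, deterministic substitution so the same real card maps to the same synthetic card across tables; the sample rows are constructed fake values.

```python
import hashlib, hmac, re

# Constructed sample rows of the kind of live "test data" the post describes (fake values).
SAMPLE_TEST_ROWS = [
    {"name": "Jane Doe", "address": "1 Main St, Anytown", "card_number": "4111111111111111", "ssn": "123-45-6789"},
    {"name": "John Roe", "address": "2 Oak Ave, Elsewhere", "card_number": "5500000000000004", "ssn": "987-65-4321"},
]

def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]

def _pseudo_digits(key: bytes, value: str, n: int) -> str:
    """n decimal digits derived from HMAC-SHA256(key, value): stable across tables, not reversible."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "".join(str(int(c, 16) % 10) for c in tag[:n])  # slight bias is fine for test data

def mask_pan(pan: str, key: bytes, keep_bin: int = 6) -> str:
    """Replace a PAN with a synthetic, Luhn-valid number of the same length.
    The issuer prefix (BIN) is kept so routing logic is still exercised; the rest is
    derived from the key, so the real number cannot be recovered from the test file."""
    digits = re.sub(r"\D", "", pan)
    partial = digits[:keep_bin] + _pseudo_digits(key, digits, len(digits) - keep_bin - 1)
    return partial + luhn_check_digit(partial)

def mask_row(row: dict, key: bytes) -> dict:
    """Copy of a customer row with every confidential field masked (SSN area 000 is never issued)."""
    masked = dict(row)
    masked["name"] = "Customer " + _pseudo_digits(key, row["name"], 6)
    masked["address"] = "[masked address]"
    masked["ssn"] = "000-00-" + _pseudo_digits(key, row["ssn"], 4)
    masked["card_number"] = mask_pan(row["card_number"], key)
    return masked

def masked_safely(original: dict, masked: dict) -> bool:
    """Verify nothing confidential survived and the synthetic PAN is still acceptable to payment code."""
    if any(masked[f] == original[f] for f in ("name", "address", "ssn", "card_number")):
        return False
    return luhn_valid(masked["card_number"]) and masked["card_number"][:6] == original["card_number"][:6]
if __name__ == "__main__":
    key = b"example-masking-key"  # constructed; a real key belongs in a secrets store, not the test file
    for row in SAMPLE_TEST_ROWS:
        print(mask_row(row, key))
```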
Tags: PCI, Data Breach, TJX
Posted by pschooff in Better Protection
Twenty-Four Seven Security