CardSystems Solutions, a payment processor, has apparently exposed approximately 40 million credit and debit card accounts. I would say "Here we go again" or "I told you so" at yet another security breach, but at this point, it's just getting repetitious.
In my column a few weeks ago, "Another week, another few million confidential records lost," I made the point that many of these data losses were basically human error, and that very smart people can make really stupid mistakes.
CardSystems' loss amps up the fear factor a bit. MasterCard says that information from 40 million credit and debit card accounts
was exposed after an intruder gained access to CardSystems' computer network. CardSystems, for its part, has acknowledged
the compromise of account information from as many as 200,000 cards from Visa, MasterCard, and American Express.
In other words, this was not someone leaving a computer disk drive at Starbucks while they ordered a grande latte. This was
an intruder who knew enough to target a company like CardSystems, which processes payments for major credit companies.
Federal banking regulators and the FBI are both conducting investigations into the security breach. Although various federal
agencies oversee banks and their various credit card subsidiaries, there is precious little oversight of payment processors
like CardSystems. Not that banks, Visa, and MasterCard allow those processors to run wild. But as the old saying goes, "There's
many a slip betwixt the cup and the lip" -- and that slip can happen at a payment processor. If you're like me, you probably did
not realize until this breach that a lightly supervised third party sits between your card and your bank, holding your account
data, so whoever targeted CardSystems was one step ahead of most of us. Now we know.
If someone did indeed break into CardSystems and make away with some useful information, where will it go? It will probably
be sold, according to John Watters, CEO at iDefense, a company that provides cybercrime intelligence for the government and
private industry. A recent government investigation, Operation Firewall, broke up a 4,000-member ring, which had bought and
sold more than two million credit card account numbers over two years, with an estimated loss of $4 million and lots of headaches
for consumers, banks, and IT managers.
A basic American Express card number can go for about $40, with some premium-type cards going for as much as $70, according
to iDefense. Multiply that out 200,000 times, at, say, $50 a card, and you can see there is a potential $10 million payoff.
Not a bad day's work.
The U.S. Senate has been holding hearings on a number of bills that would attempt to deal with this issue and the problem
of notifying consumers when their credit information has been compromised.
Testifying before the committee recently was Kurt Shedenhelm, president and CEO of Palisade Systems, which supplies content
security appliances. Palisade's just-released PacketSure 4.0 is designed to identify, report, and block content that violates
security and privacy policies from leaving a company network, regardless of the communications protocol. Shedenhelm believes
his product could have prevented the CardSystems breach and believes PacketSure is a better solution than encryption.
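What an egress content filter of the kind described above actually does is scan outbound traffic for card numbers and refuse to pass a message that contains one. The following is an added illustration of that check, written for this column; it is not Palisade's code and says nothing about how PacketSure is implemented. It finds digit runs in an outbound payload, validates them with the Luhn mod-10 check that every real card number passes, classifies them by the issuer prefixes Visa, MasterCard, and American Express used at the time, and blocks when the policy threshold is exceeded. The sample payloads are constructed here (the card numbers are the public test numbers the brands publish for developers), and the field names and the `max_pans` policy knob are assumptions of the example, not anything from the product.

```python
import base64
import re

# Constructed sample of an outbound request body (not real traffic). The card
# numbers are the publicly documented test numbers each brand publishes for
# developers; the 16-digit "order" value is not a valid card number.
SAMPLE_OUTBOUND = (
    "POST /upload HTTP/1.1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "acct=4111 1111 1111 1111; acct=5555-5555-5555-4444; "
    "acct=378282246310005; order=1234567890123456; phone=555-0100"
)

# The same Visa test number, base64-encoded: a trivial transformation that a
# content filter keyed on digit runs never sees as a card number.
EVASION_OUTBOUND = "note=" + base64.b64encode(b"4111111111111111").decode()

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Classify a Luhn-valid digit string by issuer prefix and length.

    Simplified prefix table covering only the three brands the column names
    (the ranges in use in 2005); returns None when nothing matches.
    """
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"} and n == 16:
        return "MasterCard"
    if digits[:2] in {"34", "37"} and n == 15:
        return "American Express"
    return None


def mask(digits: str) -> str:
    """Keep the first six and last four digits so a report never re-exposes the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (brand, masked_pan) for every valid, branded card number in text."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue                        # random digit runs fail here
        brand = card_brand(digits)
        if brand is None:
            continue                        # valid checksum, unknown issuer
        findings.append((brand, mask(digits)))
    return findings


def egress_decision(text: str, max_pans: int = 0):
    """Policy: block the message if it carries more than max_pans card numbers.

    Returns ("block" | "allow", findings) so the caller can both enforce and report.
    """
    findings = find_pans(text)
    verdict = "block" if len(findings) > max_pans else "allow"
    return verdict, findings


if __name__ == "__main__":
    for label, payload in (("plain", SAMPLE_OUTBOUND), ("base64", EVASION_OUTBOUND)):
        verdict, findings = egress_decision(payload)
        print(f"{label}: {verdict} {findings}")
```

The second payload is the caveat a practitioner would raise: the same card number base64-encoded (or compressed, or inside a TLS session the appliance cannot terminate) sails past a filter that keys on digit runs, so a control like this catches careless and accidental leakage far more reliably than a deliberate intruder, and it complements rather than replaces protecting the stored data itself.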
"Many groups are calling for more encryption. But I believe that if we use encryption, someone can still get the key. And
if they get the key, they will then have access. With our system, you actually monitor the content, and it can't leave the
network if it violates your policies," Shedenhelm explained. Unfortunately, that just reminds me of another old saying --
the one about closing a barn door after the horse is gone.