Still playing catch up so this is a few days behind…
Saw a great blog post a couple of days back that talks about the US Chamber of Commerce’s findings about the top 5 causes of credit card data loss. They include:
- Storage of magnetic stripe data
- Missing or outdated security patches
- Use of vendor supplied default settings and passwords
- SQL injection
- Unnecessary and vulnerable services on servers
Hrm… let’s take a look here. Three of those (patches, vendor defaults, vulnerable services) are old-school infrastructure security no-nos. Any organization should have had these bad practices solved a long time ago. Storing data that you shouldn’t? That is preventable with common sense. And anybody who hasn’t scanned their applications for SQL injection is almost as irresponsible as the folks who don’t have their infrastructures in order.
Come on, folks. We can do better. Until basic stuff like this has been sorted out Internet-wide, we are not going to make progress against identity theft.
–Dan
dan _at_ denimgroup.com