The Wall Street Journal had a good article summing up credit card data theft over the past few months. The common theme: all of the merchants stored data they shouldn’t have and then found ways to blame the software they were using. Shifting the blame has never been easier. People generally trust the companies they do business with (otherwise they would go elsewhere), and they have been trained to fault IT products. All you have to do is say it’s the computer’s fault, and end of story. But it shouldn’t be. How do features end up in software products? As a general rule, our customers pressure the sales team for features, sales puts pressure on the IT department to build them, and application developers comply. I can think of very few times where application developers have added features just for the hell of it. So who is to blame, the customer or us, the developers of software?
I tell developers it’s not about assigning blame…not yet anyway. Who has the time? If the business community is not going to drive us to write more secure software, we can take it upon ourselves to do so. Sure, every company says it wants to implement better security, but how many actually do? I have a lot of respect for Microsoft now (I used to only trust Linux servers for security) because of how radically things have changed over there. I remember the days when you could read about a vulnerability in a Microsoft product every single day on Slashdot. Now, products whose market share is, in the words of Peter Griffin, “some kind of fraction I can't even measure” have more exploits found than all MS products combined.
As for the recent breaches, after reading the WSJ I read a couple of other news articles and found a few interesting tidbits. For example, Polo Ralph Lauren is notifying 180,000 General Motors MasterCard holders that their cards had been compromised. Those must have been some mighty picky thieves to only steal MasterCards bearing the General Motors logo. I will go out on a limb and say the bank that offers the cards, HSBC, is forcing the retailer to notify at least its customers. The worst part about the whole thing is that the software they used from Datavantage stored Track II data. That is the magnetic-stripe data read when a card is swiped: the account number, expiry date, service code, and the issuer’s discretionary data, including the verification value the issuer checks on a card-present transaction. It is needed to get the swipe authorized and serves no purpose afterwards, unless it is stolen, in which case it is exactly what is needed to write a working clone of the card.
Several banks have sued BJ’s Wholesale Club for storing the same data that Polo Ralph Lauren did. What was BJ’s response? Well, to sue IBM, of course. After all, they made the software. Unfortunately, the only direct evidence the banks have is a newspaper article, something IBM is pointing out while at the same time maintaining that its contract with BJ’s shields it from liability. It really would be interesting to see what happens, but as far as I can tell, these lawsuits will go nowhere.
Then there was DSW Shoe Warehouse, which lost data on 1.4 million credit card transactions from a system running software from NCR. Each company claims the other screwed up, since the software can optionally delete the data once the transaction has been processed. Where will it all end…
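To make the Track II point concrete, here is an added example (mine, not code from the original post and not the Datavantage, IBM or NCR software mentioned above) showing what the stripe data looks like, the storage pattern behind these breaches beside the version that keeps only what settlement needs, and the audit check that would have caught the problem. The sample stripe read uses the well-known test PAN 4111111111111111 with a made-up expiry, service code and discretionary field; `authorize` is a hypothetical stand-in for the processor call.

```python
import re
from dataclasses import dataclass

# Constructed sample stripe read (test PAN 4111111111111111, not a live card;
# expiry, service code and discretionary data are made up for this example).
# Track II layout: ';' PAN '=' YYMM service-code discretionary-data '?'
# The discretionary field carries the verification value the issuer checks on a
# swipe, which is exactly what a cloner needs to write a working stripe.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890123?"

TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry: str         # YYMM
    service_code: str
    discretionary: str  # issuer data (e.g. verification value); never store it


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN, used to reject misreads before authorizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw stripe read into its fields; rejects malformed reads."""
    m = TRACK2_RE.fullmatch(raw)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid Track II read")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, enough for receipts and lookups."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def authorize(track: Track2, amount_cents: int) -> str:
    """Hypothetical stand-in for the processor call; returns an auth code."""
    return f"A{(int(track.pan[-6:]) + amount_cents) % 1000000:06d}"


def charge_insecure(raw_track: str, amount_cents: int, db: list) -> str:
    """The pattern behind the breaches: the whole stripe read goes into the
    transaction log, so whoever reads the log can clone every card in it."""
    track = parse_track2(raw_track)
    code = authorize(track, amount_cents)
    db.append({"track2": raw_track, "amount": amount_cents, "auth_code": code})
    return code


def charge_secure(raw_track: str, amount_cents: int, db: list) -> str:
    """Same flow, but only what settlement, refunds and receipts need survives
    the authorization; the raw read and its discretionary data are dropped."""
    track = parse_track2(raw_track)
    code = authorize(track, amount_cents)
    db.append({
        "pan_masked": mask_pan(track.pan),
        "expiry": track.expiry,
        "amount": amount_cents,
        "auth_code": code,
    })
    return code


def find_stored_track_data(db: list) -> list:
    """Audit check: indexes of records holding a Track II string in any field.
    This is the scan the merchants above should have run on their own logs."""
    return [i for i, rec in enumerate(db)
            if any(TRACK2_RE.search(str(v)) for v in rec.values())]


if __name__ == "__main__":
    bad, good = [], []
    charge_insecure(SAMPLE_TRACK2, 1999, bad)
    charge_secure(SAMPLE_TRACK2, 1999, good)
    print("insecure log flagged at:", find_stored_track_data(bad))
    print("secure log flagged at:", find_stored_track_data(good))
    print("secure record:", good[0])
```

The scan is deliberately crude (a regex over every stored value) because that is what you want when auditing an unfamiliar log or database: it does not care whether the track ended up in a column named `track2`, a debug field, or a free-text notes column, and a hit anywhere means the "optionally delete after processing" setting was not doing its job.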