Comments on: When are data breaches just outliers?

By: A Discussion You Might Want to Follow – Security Threat Research News

A Discussion You Might Want to Follow – Security Threat Research News — Sat, 12 Dec 2009 12:20:48 +0000

[...] recent breaches and the questions above. Another great take on the indictments and security is at Mike Dahn’s blog (which also has a number of links). Walt Conway @ PCI DSS News and Information [...]

By: admin

admin — Sun, 23 Aug 2009 08:08:03 +0000

Rob, I think you missed the point of this post. Potential energy can be converted to kinetic energy with the proper catalyst. If a company has a vulnerability they should not ignore it because a cracker hasn’t exploited it yet. Corporate board rooms should be aware of the inherent risk in storing, processing, or transmitting payment-card data. Therein they should work to remove or protect that data. The failure to do so, after one major criminal is put away, would be improper.

By: admin

admin — Sun, 23 Aug 2009 02:16:08 +0000

Mark, your comment is a very compelling argument and I’m prone to think you may be right. Maksym and Gonzalez both appear to have a similar pattern of occurrence and profiteering. I think regardless of which is the more wealthy convict, they both fit into the same spectrum of targeted attacks rather than the generic scanning-for-dollars approach.

I think this brings up a very compelling argument in that most small merchants that are compromised are done as a target of opportunity. The flip side is that most large companies that are a target of choice.

By: admin

admin — Sun, 23 Aug 2009 01:58:21 +0000

Tyler, I mention these actions as an outlier only because they fall outside the spectrum of typical assumptions of crime. When we think of crime many times we talk about distributions like physical crime patterns in the city. We don’t always imagine the singularities that occur at regular intervals. Gonzalez is not really an outlier any more than Maksym is, but they are both outside the normal attack patterns we work to protect against.

By: Rob

Rob — Thu, 20 Aug 2009 09:40:43 +0000

Great read…I wonder how many CISOs, CSOs, Security Professionals, etc. have used the hammer of TJX, Hannaford, Heartland, etc. to push their agenda / budget across the board rooms of corporate America. So, without Gonzalez or whomever, would PCI have the teeth or traction today?

By: Mark

Mark — Wed, 19 Aug 2009 19:13:07 +0000

Great insight into this important and intriguing topic. I am a little bit sceptical of Gonzalez’s role as a “ring-leader” in this operation. In fact if you look at the indictments it would seem that his take in the scheme is far less than others that are involved. For example look at Maksym Yastremskiy the trafficker of the dumps. The forfieter claim stated that Maksym had:

$846,762.18 in E-Gold accounts
$ 87,517.36 in Parex Bank account
$3,781,436.36 in an Asia Universal Bank account
$4,862,884.96 in Western Union money transfers
$1,931,047 in US currency

And this is just what they could find – I would think that he had a much greater role in the conspiracy than Gonzalez did, and I would even guess that there are many other “Gonzalezes” out there. What are your thoughts?

By: Tyler Hannan

Tyler Hannan — Wed, 19 Aug 2009 13:03:28 +0000

An interesting post.

I had not considered the concept of breaches in which A Gonzalez was involved as a “statistical anomaly.” Perhaps it is because the result was real…but, regardless of the impact, the logic of his activities (especially due to the involvement in so many high profile cases) as an outlier is both intriguing and compelling. Definitely worthy of greater discussion and contemplation.

Quite possibly the most compelling portion of the post though is the final sentence. Carding is, in fact, a business model. Distasteful? Yes. Frustrating? Yes. Illegal? Of course…but a business nonetheless.

-tyler