Breaking News – Card numbers exposed by card associations using state of the art malware attack (April Fools)

FTC(April Fools) Tommorrow, April 1st, 2008 – Visa is expected to be sued today by the Federal Trade Commission for the loss of 990 million card numbers to an international crime ring known only as “C@rD_NO+_Pre$ent_anyMOR3” on non-English foreign language internet chat rooms as reported by the Payment Systems Blog and its Eastern European intrepreters.

“We thought that we were safe using 1970’s based technology and mainframe computers, They don’t even teach that in the schools nowadays,” states a Michael Verns, a former IBM systems programmer and night operator located in Foster City, CA. who requested anonymity and also wasn’t quite happy with his allotment of visa stock options which will force him to still work past his ideal retirement age, “I mean we don’t even get to use a mouse that much, but did state that he remembered when VisaNet bootstrap required card readers, and that while Visa DEX is pretty cool, but that is just a different front end to VisaNet.”

Martin McKeay, Security Expert and PCI auditor, speculated that nobody really knows if Visa or MasterCard are PCI compliant anyway, and he and Rich Mogull in the Network Security podcast Episode #100 suspects that “an un-patched vulnerability in the IBM hypervisor or Virtual Machine, called VM-CP running on IBM System/370, allowed state of the art malware to intercept or sniff SNA based network traffic and redirect it to a reel-to-reel tape library that wasn’t encrypted and was lost during transport to off-site storage. Jeff Hall, a Security Consultant, in a post in a PCI Forum writes — “Many people don’t know that there were Virtual Machines and Hypervisors way before VMware, System/370 and IMHO the wireshark project really should implement SNA network support so auditors can detect this type of thing in the future. Security of Virtualized systems should be covered in the next revison of PCI” (WireShark Project leaders are asking for hardware donations or instructions on how to setup http://www.hercules-390.org/ for development purposes, please help if you can)

These things can and do happen… and is why we dedicate ourseleves to the network security podcast”, state Martin and Rich, “It is simliar to the MacBook Air incident and CANSECWEST, everybody thought that OSX was secure, but we need to re-evaulate the security of all operating systems, regardless of how much market share they have.”

Security experts blame the amount of detail in Visa’s S-1 IPO filing, that provided enough detail for attacks to launch a directed attack. “They didn’t even need to do reconnaissance, it was all right there.”

Spokespersons from Visa, a publicly traded company (Quote: V) have stated that they are working with the Fed to structure a “deal” that would provide an infusion of capital for Visa to invest in a company to develop encryption software for its systems after it was decided that EBCDIC was not a reliable method to render card numbers unreadable, as well as to provide a vote of confindence in the world’s global payment networks. Investment gurus from www.bloggingstocks.com speculate that Credit Cards will be way worse than sub-prime will ever be.

Hans Morris, President of Visa states that “Remember that cardholders are not liable for any fraudulent charges and not to forget that Visa started both CISP (now PCI) and PABP and that Visa has been hacked less then the Pentagon”

Hillary Clinton has stated that under her administration PCI would become a federal initiative called – “Pay Cash Instead” and return the power to the people and away from greedy banks, and that the increased cash handling would be good economic stimulus and vechicle for job creation. Other economic experts state that compared to credit card balance tranfer mailings and card applications, the cost of re-issuing cards will not have a large impact on banks printing and postage expenese.

I will have more posts as this story develops.

3 Comments

  1. Ha, little did you know that there’s no podcast this week, we’ll be doing episode 100 as a live video feed from the Security Bloggers Meetup at RSA. Unless the gremlins attack that is.

    Martin

Leave a Comment.