Poor software development results in credit card breach

Fortify : 18 May, 2009  (Technical Article)
Fortify comments on the possible causes of an Atlanta data breach in which a customer was able to view the online credit card statements of 120 other users
Fortify says an incident in which an Atlanta-based firm reportedly allowed an Aspire Visa card user online access to around 120 other cardholders' statements was almost certainly the result of poor code auditing during the software development stages.

'Security faux pas like this - with an Indiana-based woman being able to view the statements of more than 100 of her fellow cardholders - was probably due to a combination of factors that came together to create a rare, but repeatable, situation,' said Richard Kirk, Fortify's European director.

'Good code auditing at the program development stage would have helped to prevent this situation occurring and embarrassing the company that administers the card accounts for Aspire,' he added.

According to Kirk, the only piece of good news in connection with this incident is that the cardholder was apparently only able to view her fellow Visa users' accounts and was not able to do much else.

This was, he explained, a view-only security situation; but a coding error like this, he says, could also have allowed a customer access to other facilities that might - under certain circumstances - have allowed a fraud to be perpetrated.

In this incident, he says, the cardholder was given the cold shoulder when she complained - something that Kirk says also blots the card company's copy-book - so she contacted the media, and the firm then correctly suspended online access to customer accounts.

'It's good that they've done this. This will give the software development team time to review why this has happened and hopefully prevent it happening again,' he said.

'Of course, if they had conducted more thorough auditing and soak testing of the code update that apparently caused this incident in the first place, they wouldn't be in the embarrassing situation they are in now,' he added.
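The article does not say what the coding error was, only that one authenticated cardholder could view other cardholders' statements. One class of defect that produces exactly that symptom is a statement lookup that trusts the requested statement identifier without confirming it belongs to the logged-in user. The example below is an added illustration written for this page, not code from Fortify or from the card administrator, and it does not claim to reproduce the actual bug: it shows the flawed lookup beside a corrected one, and an audit routine of the kind a code review or soak test could run before a code update ships. The statement records, identifiers and balances are constructed sample data.

```python
"""Added illustration: a cross-account read caused by a missing ownership
check, the hardened form, and a test-style audit that would catch it.
All data is constructed; the names and identifiers are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    statement_id: int
    cardholder_id: int
    balance_cents: int


class AccessDenied(Exception):
    """Raised when a statement is not visible to the requesting cardholder."""


# Constructed sample data: three cardholders, one statement each.
STATEMENTS = {
    1001: Statement(1001, cardholder_id=1, balance_cents=12_345),
    1002: Statement(1002, cardholder_id=2, balance_cents=67_890),
    1003: Statement(1003, cardholder_id=3, balance_cents=500),
}


def view_statement_unchecked(session_cardholder_id, statement_id):
    """Flawed version: the lookup keys on the statement id alone, so the
    authenticated cardholder id passed in is never compared against the
    record. Any logged-in user who supplies another id gets that statement."""
    return STATEMENTS[statement_id]


def view_statement(session_cardholder_id, statement_id):
    """Hardened version: the record must exist AND belong to the cardholder
    whose session made the request. Both failures raise the same exception so
    the response does not reveal whether a foreign statement id exists."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.cardholder_id != session_cardholder_id:
        raise AccessDenied(f"statement {statement_id} not visible to "
                           f"cardholder {session_cardholder_id}")
    return stmt


def audit_cross_account_access(handler):
    """Review-time check: from every cardholder's session, request every
    statement that belongs to someone else and count how many the handler
    returns instead of refusing. Zero is the only acceptable result."""
    leaks = 0
    viewers = {s.cardholder_id for s in STATEMENTS.values()}
    for viewer in viewers:
        for statement_id, stmt in STATEMENTS.items():
            if stmt.cardholder_id == viewer:
                continue  # own statement, allowed
            try:
                handler(viewer, statement_id)
                leaks += 1  # a foreign statement was returned
            except AccessDenied:
                pass
    return leaks


if __name__ == "__main__":
    print("unchecked handler leaks:", audit_cross_account_access(view_statement_unchecked))
    print("hardened handler leaks:", audit_cross_account_access(view_statement))
```

The audit deliberately takes the handler as a parameter so the same check runs against the code before and after a change; wiring it into the test suite that gates a code update is the kind of auditing Kirk describes, and with three sample cardholders it reports six leaked reads for the unchecked handler and none for the hardened one.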