“Shadow CIA” apparently stored credit card information in cleartext

I had not planned to post until January, but I decided to say something briefly about a news story that relates to one of the first posts on this blog, about security firm HBGary’s insecure storage of data.  This story, as I am sure many of you have already guessed, is the hacking of Strategic Forecasting, Inc., better known as Stratfor, by the group Anonymous.

Stratfor is a private intelligence-gathering firm whose principals have close ties to the US intelligence community.  Stratfor has been called the “shadow CIA.”  Anonymous claims to have obtained 200 GB of data, including 2.7 million private emails and 4000 credit cards.  While big media worldwide have focused so far on the “Operation Robin Hood” nature of the attack — the hackers claim to have made $1 million in donations to charities using the credit card information — one Anonymous member has stated that the real reason for the attack was to obtain the emails, and the hackers did not expect the credit card information would be as easy to obtain as it was.

Perhaps the most interesting writing I have seen on this subject is at the site databreaches.net, which provides a timeline of the hack and suggests that it had been going on for a week or more without Stratfor’s knowledge.  Databreaches.net also asks the reasonable question of whether Stratfor might be legally liable for the compromise of the credit card data, because it appears that both Texas law (where Stratfor is based) and Stratfor’s own privacy policy prohibit the storage of credit card information in cleartext.  Moreover, Stratfor apparently stored the cards’ 3-digit security codes (the CVV2/CVC2 printed on the back of the card) in cleartext as well, and standard security procedure is not to store those codes at all: the payment card industry’s data security standard (PCI DSS) forbids retaining the security code after a transaction has been authorized, and requires that the card number itself be rendered unreadable wherever it is stored, by encryption, truncation or tokenization.
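The two checks a practitioner would want to run against a data store like the one described above are (1) whether card numbers and security codes are sitting in it in cleartext, and (2) what a record is allowed to look like once the data is reduced to what may be kept. The following is an added example, not code from the original post or from Stratfor: the sample dump is constructed (it uses the well-known Visa and Mastercard test numbers), the field names are assumptions, and the keyed-hash token stands in for a real tokenization service.

```python
import hashlib
import hmac
import re

# A candidate card number: 13-19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.  (A production DLP
# scanner would also try sub-windows of longer digit runs.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A stored card security code: a field named cvv/cvc/cid/csc holding 3-4 digits.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample resembling a customer table dumped to a flat file.  The
# card numbers are the standard Visa/Mastercard test numbers; the third row
# holds a 16-digit order id that fails the Luhn check, plus a phone number.
SAMPLE_DUMP = """\
id=1001,name=Jane Doe,card=4111 1111 1111 1111,exp=03/13,cvv=123
id=1002,name=John Roe,card=5500-0000-0000-0004,exp=11/12,cvv=987
id=1003,name=Ann Poe,order=1234567890123456,phone=512-555-0199
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum shared by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number in text, digits only, in order."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Render a PAN unreadable for display or logging: keep only the last four."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_lines(text: str) -> list:
    """Per line, report cleartext card numbers (masked) and any stored CVV."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pans = [mask_pan(p) for p in find_pans(line)]
        cvv_stored = CVV_RE.search(line) is not None
        if pans or cvv_stored:
            findings.append({"line": lineno, "pans": pans, "cvv_stored": cvv_stored})
    return findings


def prepare_card_record(record: dict, token_key: bytes) -> dict:
    """Reduce a card record to what may be kept at rest.

    The CVV is never stored.  The PAN is replaced by a keyed hash (a stand-in
    for a tokenization service; the key belongs in an HSM or KMS, never next
    to the data) plus the last four digits for display and support lookups.
    """
    pan = re.sub(r"[ -]", "", record["pan"])
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid card number")
    token = hmac.new(token_key, pan.encode(), hashlib.sha256).hexdigest()
    return {"pan_token": token, "last4": pan[-4:], "exp": record.get("exp")}


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_DUMP):
        print(f"line {f['line']}: PANs {f['pans']}, CVV stored: {f['cvv_stored']}")
    # Hypothetical key; in a real deployment it is fetched from a key store.
    safe = prepare_card_record(
        {"pan": "4111 1111 1111 1111", "exp": "03/13", "cvv": "123"}, b"demo-key"
    )
    print(safe)
```

Run against the sample, the scanner flags lines 1 and 2 (valid card numbers and a stored security code on each) and ignores line 3, whose 16-digit order id fails the Luhn check. The prepared record keeps the expiry, the last four digits and an opaque token, and nothing that would let a thief who copies the table charge the card.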

This situation reminded me of a comment Peter Taylor made on an answer by Peter Shor on CSTheory.  Shor was answering a question about what would happen if it turned out that factoring could be solved in polynomial time.  Among other things, he said, “as soon as it was known that factoring was in P, the banks would switch to some other system.”  Taylor responded:

A bit off-topic, but “as soon as it was known that factoring was in P, the banks would switch to some other system” is largely wishful thinking. I discovered in December that a company which doesn’t do anything except process credit card details was using a variant of Vigenère with a key shorter than some runs of known plaintext. Worse, the technical director of the company wouldn’t believe me that it was insecure until I sent him some attack code. MD5, despite being widely considered broken, is still used heavily in banking.
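Taylor’s attack code does not appear on the page. The following is an added example, not Taylor’s code and not the processor’s actual cipher: it models the “variant of Vigenère” as byte-wise addition modulo 256 (an assumption; the same attack applies to XOR or alphabetic variants with the subtraction changed to match) and shows why a key shorter than a run of known plaintext is fatal. Subtracting the known plaintext from the ciphertext yields the key stream directly, the shortest period that is self-consistent over the run is the key, and the rest of the record then decrypts. The header, key and record contents are constructed for the demonstration; the “margin” check shows the failure mode when the known run is not longer than the key.

```python
SECRET_KEY = b"s3cretk!"  # 8 bytes; the attacker never sees this
HEADER = b"CARDRECORD v1 / MERCHANT"  # 24 bytes of fixed, predictable header
# Constructed record: a predictable header followed by the secret fields.
RECORD = HEADER + b"\nPAN=4111111111111111\nEXP=03/13\nCVV=123\n"


def vigenere(data: bytes, key: bytes, decrypt: bool = False) -> bytes:
    """Byte-wise Vigenere: add (or subtract) the repeating key modulo 256."""
    out = bytearray()
    for i, b in enumerate(data):
        k = key[i % len(key)]
        out.append((b - k) % 256 if decrypt else (b + k) % 256)
    return bytes(out)


CIPHERTEXT = vigenere(RECORD, SECRET_KEY)


def find_key(ciphertext: bytes, known: bytes, offset: int = 0, max_len: int = 64):
    """Known-plaintext attack.

    ciphertext[i] - plaintext[i] reveals key[i % L] directly, so a run of
    known plaintext of length n >= L determines the key.  Try each period L
    from 1 upward and keep the shortest one for which every recovered byte
    agrees with the others landing in the same key slot.  Returns
    (key, margin), where margin = n - L is how many bytes beyond one full
    period confirmed the key; margin 0 means the run was only long enough to
    fit a key, not to check it, so the result cannot be trusted.  Returns
    None if no period up to max_len fits.
    """
    stream = [(ciphertext[offset + j] - known[j]) % 256 for j in range(len(known))]
    for L in range(1, min(max_len, len(known)) + 1):
        slots = [None] * L
        consistent = True
        for j, k in enumerate(stream):
            s = (offset + j) % L  # slot is relative to the start of the message
            if slots[s] is None:
                slots[s] = k
            elif slots[s] != k:
                consistent = False
                break
        if consistent:
            return bytes(slots), len(known) - L
    return None


if __name__ == "__main__":
    key, margin = find_key(CIPHERTEXT, HEADER)
    print("recovered key:", key, "confirmed by", margin, "extra bytes")
    print(vigenere(CIPHERTEXT, key, decrypt=True).decode())
    # With only 5 known bytes a 5-byte "key" always fits: margin 0, wrong key.
    print(find_key(CIPHERTEXT, HEADER[:5]))
```

Two things the code makes concrete: the known plaintext need not be at the start of the message (the slot index accounts for the offset, so a predictable field in the middle of a record works just as well), and a run shorter than the key is not merely useless but misleading, since a period equal to the run length is always consistent. That is exactly the condition Taylor describes, with the inequality the wrong way round for the defender.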

For as long as I have been reading computer science theory blogs, commenters have left a lot of critical comments along the lines of, “The result you are getting excited about is a very small advance, and has nothing to do with the real needs of industry.”  At a political level, similar arguments are used to reduce funding for theoretical research of all kinds, including theoretical CS.  I believe these arguments are completely incorrect, because the much more pressing problem is that industry doesn’t use fully implementable techniques that theorists discovered years ago.  In the cases of HBGary and Stratfor, this may well have been because the principals considered themselves “too important” to take mundane steps, but there is no doubt that data insecurity, extremely suboptimal algorithm design, and the like are rampant in the business sector.  An industry, and a government, that dismisses the importance of theory will pay heavy prices in the long run.

Postscripts

  1. Jonathan Katz recently blogged about an upcoming workshop: “Is Cryptographic Theory Practically Relevant?”
  2. There is a short CSTheory community wiki on the difference between the theory and practice of security and cryptography.
  3. Databreaches.net reports that there is a series of hacks taking place in China right now, perhaps to protest a move to require the use of real names on the internet.  Over 40 million users have had their information compromised.  I hope everyone reading this blog stays safe, as we enter 2012.

2 responses to “‘Shadow CIA’ apparently stored credit card information in cleartext”

  1. Pingback: Cyber-Activists Demonstrate Power of Transparency | Musings of a Peacewarrior

  2. Pingback: Mathblogging.org Weekly Picks « Mathblogging.org — the Blog