iTnews
  • Home
  • News
  • Technology
  • Security

Security expert slams PCI auditing

By Clement James
Apr 7 2008 3:09PM
Follow google news

A recent security breach at US supermarket chain Hannaford Bros was almost certainly the work of hackers exploiting a single code flaw on internal systems, experts say..


Hannaford Bros revealed last month that intruders had broken into its network and stolen the credit card details of some 4.2 million customers.

It is understood that the hackers managed to download card details after the cards had been swiped at the checkout and were in the process of being authorised.

Brian Chess, founder and chief scientist at security firm Fortify Software, claimed that the uniformity of the breach suggests that the attackers were taking advantage of a software weakness.

"The fact that the servers in almost all of the stores were compromised makes it much more likely that the attackers found a vulnerability in a piece of code that was common to all the servers and used malware to exploit the weakness," he said.

"My guess is that hackers first broke into the internal corporate network, then did some basic network scanning to identify all of the target servers.

"They then figured out that there was a vulnerability on some piece of code running on all of the machines. We see many organisations that are much more lax about internal systems."

Chess added that the interesting thing about the case is that Hannaford Bros is believed to be fully PCI compliant and, as such, is unlikely to have to pay fines under current PCI rules.

"The store chain had passed its PCI audit, but PCI takes a relaxed attitude towards internal machines," he said.

The security expert pointed out that PCI DSS section 6.6, for example, requires companies to "ensure that all web-facing applications are protected against known attacks by applying either of the following methods: having all custom application code reviewed for common vulnerabilities by an organisation that specialises in application security; and installing an application layer firewall in front of web-facing applications".

This means that Hannaford Bros fulfilled section 6.6 by default so long as its web applications were only for use inside the corporate network.

"PCI DSS is a lot like a fire code or a health code. It does not guarantee smooth sailing, it just helps people avoid repeating a lot of painful mistakes from the past," said Chess.

Add iTnews as your trusted source

Add iTnews As Your Trusted Source Add iTnews As Your Trusted Source
Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk
Tags:
auditingexpertpcisecurityslams

Related Articles

  • Anthropic releases Mythos-class model for public use Anthropic releases Mythos-class model for public use
  • Apple bumps up security in fresh operating system releases Apple bumps up security in fresh operating system releases
  • Meta accuses NSO Group of violating court order by WhatsApp spear phishing Meta accuses NSO Group of violating court order by WhatsApp spear phishing
  • Researchers build self-replicating AI worm with BYO LLM Researchers build self-replicating AI worm with BYO LLM
Join our WhatsApp Channel

Partner Content

Onel Consulting Strengthens Its White-Glove Services With Strategic COO Appointment
Promoted Content Onel Consulting Strengthens Its White-Glove Services With Strategic COO Appointment
From test case to control tower: How DXC and ServiceNow are governing enterprise AI at scale
Promoted Content From test case to control tower: How DXC and ServiceNow are governing enterprise AI at scale
Thomas Peer Solutions unveils data cloud platform and executive leadership forum for 2026
Partner Content Thomas Peer Solutions unveils data cloud platform and executive leadership forum for 2026
You meet the security standard. Shame no one can see it
Promoted Content You meet the security standard. Shame no one can see it

Sponsored Whitepapers

Agile in the AI Era: why projects still fail
Agile in the AI Era: why projects still fail
When Technology Becomes the Blocker: Unlocking Real Outcomes from AI and Cloud
When Technology Becomes the Blocker: Unlocking Real Outcomes from AI and Cloud
High-volume data sources for AI-driven security analytics
High-volume data sources for AI-driven security analytics
How healthcare organisations can get more value from cloud
How healthcare organisations can get more value from cloud
1 in 3 companies lose SaaS data. Here’s how to prevent it
1 in 3 companies lose SaaS data. Here’s how to prevent it

Events

  • iTnews State of Security Breakfast iTnews State of Security Breakfast
  • iTnews State of Data & AI Breakfast iTnews State of Data & AI Breakfast
  • The 2026 iAwards The 2026 iAwards
  • Integrate 2026 Integrate 2026
  • Security Exhibition & Conference Security Exhibition & Conference
Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Anthropic opens Claude Mythos Preview AI program to Australia

Anthropic opens Claude Mythos Preview AI program to Australia
Defence says Palantir is "sandboxed" in its environment

Defence says Palantir is "sandboxed" in its environment
Services Australia describes fraud, debt-related machine learning use cases

Services Australia describes fraud, debt-related machine learning use cases
Researchers build self-replicating AI worm with BYO LLM

Researchers build self-replicating AI worm with BYO LLM
techpartner.news logo
Sydney-based AI-cloud waste startup raises $3m
Sydney-based AI-cloud waste startup raises $3m
Brennan uses NiCE to modernise its contact centre
Brennan uses NiCE to modernise its contact centre
Impact Awards: Tecala slashes customer response times for fintech IQumulate
Impact Awards: Tecala slashes customer response times for fintech IQumulate
Interactive introduces private cloud platform
Interactive introduces private cloud platform
Digital61 expands cybersecurity portfolio
Digital61 expands cybersecurity portfolio
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.