Remember, after the recent earthquake and tsunami in Japan, those stories about lost wallets being found and turned in to the authorities, still stuffed with cash? That’s one positive aspect of Japanese culture, but does it also make the Japanese too trusting? Sony’s loss of first 77 million customer records, and now another 24.6 million, suggests that may be the case. A society with low crime rates and comic-book criminals screams of unsophistication, which was confirmed for me this week when I heard from a reader who is a payment system auditor. He looks inside Japanese institutions and often doesn’t like what he sees.
“For whatever reason (low crime rate, maybe?),” my reader says, “the Japanese cannot seem to get their heads around the fact that unencrypted cardholder data sitting on servers in unsecured areas and being transmitted across public networks is a bit of a risk. Every other country in Asia has grasped this easy concept, but not Japan. I have tried many times to explain why this is bad but am usually met with blank looks and checking of watches.
“I could remote desktop right now to a Windows 2000 server in a facility in Japan with a public IP (username Administrator, no password) which contains hundreds of thousands of .csv files with full PAN, CSV, name, address, etc. I notified the facility in question about this two years ago, by the way, and they have never done anything about it.”
This is Bob again. From my own experience with Windows systems I can’t imagine such exposed servers not having been repeatedly explored by bad guys over the past two years. That information isn’t just vulnerable, it is gone.
But it isn’t just the Japanese who are at fault. A short survey of some of my U.S. admin friends showed there are plenty of unsecured or under-secured payment servers running in this country, too, though none I know of without passwords. I don’t want to name too many names, but if your organization is handling funds on old, unsupported Windows 2000 servers (Microsoft ended all support for Windows 2000 in July 2010) you are probably in trouble.
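The auditor’s scenario above, full card numbers sitting unencrypted in CSV files on an exposed server, is exactly what a cardholder-data discovery scan is meant to catch before an attacker does. The following Python script is an added example, not code from the original post or from the reader who wrote in: it scans CSV content for Luhn-valid card numbers and reports where they sit, masked to the first six and last four digits so the report itself does not become one more copy of the data. The file name, column names and rows are constructed sample data, and the card numbers are the publicly documented test PANs rather than real accounts.

```python
"""
Cardholder-data discovery: find unencrypted PANs in CSV files.

Added example, not the original post's code. Sample data below is
constructed; the card numbers are public test PANs, not real accounts.
"""
import csv
import io
import re
from pathlib import Path
from typing import List, Tuple

# A candidate PAN is 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (lookarounds stop partial matches).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if `digits` passes the Luhn mod-10 check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN (digits only) found in a piece of text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_csv(name: str, content: str) -> List[Tuple[str, int, str, str]]:
    """Scan one CSV document; return (file, row number, column, masked PAN) per hit."""
    findings = []
    reader = csv.reader(io.StringIO(content))
    header = next(reader, [])
    for row_no, row in enumerate(reader, start=2):   # row 1 is the header
        for col_no, cell in enumerate(row):
            for pan in find_pans(cell):
                col = header[col_no] if col_no < len(header) else str(col_no)
                findings.append((name, row_no, col, mask_pan(pan)))
    return findings


def scan_tree(root: Path) -> List[Tuple[str, int, str, str]]:
    """Walk a directory and scan every .csv file under it (for a real file store)."""
    findings = []
    for path in sorted(root.rglob("*.csv")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_csv(str(path), text))
    return findings


# Constructed sample export: three real-format test PANs, one number that
# fails Luhn, one order-like 16-digit number, and phone numbers as decoys.
SAMPLE_CSV = """order_id,name,card_number,expiry,phone,notes
1001,A. Tanaka,4111 1111 1111 1111,12/13,03-1234-5678,test visa
1002,B. Sato,5555-5555-5555-4444,01/14,090-1234-5678,test mastercard
1003,C. Suzuki,378282246310005,06/12,,test amex
1004,D. Kato,4111111111111112,03/13,,fails Luhn
1005,E. Mori,1234567890123456,,,order-like number
"""

if __name__ == "__main__":
    for name, row, col, masked in scan_csv("orders.csv", SAMPLE_CSV):
        print(f"{name}: row {row}, column {col!r}: {masked}")
```

On the sample above the scanner reports three hits, all in the `card_number` column, and ignores the Luhn-invalid number, the order number and the phone numbers. Against a real store, `scan_tree(Path("/path/to/exports"))` returns the same tuples for every .csv file under the directory; a clean store returns an empty list. The Luhn check removes most false positives but it is a heuristic, so treat hits as leads for a manual look rather than proof, and remember that what this finds is the data-at-rest half of the reader’s complaint; the unencrypted transmission half needs a look at the network, not the disk.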
Now back to Sony. With over 100 million accounts now exposed, Sony finally sent lame-duck exec Kaz Hirai out to take one for the team and apologize. Hirai offered — just as I predicted — a month of free service. What now? Lawyers will sue, Sony will fix its systems, and gamers will once again game. But while Sony may escape large economic losses from the current problems plaguing its various networks, there is one group that will continue to be rightly upset with the electronics giant: credit card companies like MasterCard and Visa.
The credit card companies have published a standard for the handling of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS). It is a good combination of requirements and best practices: stored card numbers must be rendered unreadable, the card security code may not be kept at all once a transaction is authorized, and card data must be encrypted whenever it crosses a public network, which is precisely what my reader keeps seeing ignored. Anyone who stores, processes or transmits card data is required to meet the standard, and merchants with large transaction volumes must have their compliance validated by an independent assessor. Sony appears to have ignored all of this. To enforce the rules there are fines and the death penalty — being cut off.
Since Sony processes credit card transactions — and even offers its own credit cards as you’d know if, like me, you obsessively watch Jeopardy — they are going to be under a very uncomfortable microscope very soon.
The auditors are coming. Worst case, the card brands might tell Sony to buzz off, refusing to let Sony process charges for those 100+ million accounts. Then something really interesting might happen.
Sony might not care.
If Sony is busted by Visa or MasterCard, Discover or American Express, all that probably means is that it will have to hire a middleman — usually a big bank acting as payment processor — to do the credit card transactions for it. Different servers in a different data center would handle the money and all would once again be right with the world, though at the cost of an extra service charge to Sony.
But what if Sony chose a different path? What if Sony cut a payment deal with, say PayPal, instead?
It’s a tempting gambit. PayPal would like nothing more than to pick up those 100 million accounts. They’d pay Sony for them, turning a loss into a gain and a loss of face into an industry transition.
PayPal has been looking for a chance to kick the credit card companies down a peg, grabbing some business.
I can almost hear the phones ringing in Tokyo….