There's been a lot of discussion about cloud security, and the conclusion has generally been that we'd see a major exploitation of cloud vulnerabilities sooner rather than later.
It may have already happened.
Last month, Atlanta-based Global Payments Inc., one of the world's largest processors of Mastercard and Visa payments, discovered that up to one and a half million credit card numbers may have been exported by hackers who had access to its network. The information taken was considered sufficient to make fraudulent purchases or clone credit cards. It had initially been thought that as many as 10 million accounts might have been affected.
Major enough? Perhaps we're inured to news of this kind after living through the wave of assaults on Sony's networks last year, the Zappos hit in January, and sundry attacks on banks and financial institutions. The significance of the Global Payments exploit may lie not in its scale but in the possibility that it's an example of our worst cloud nightmares coming true.
A possibility is all it is, because Global Payments, while keen to emphasize the limited nature of the damage done, has been less than forthcoming about the circumstances surrounding the breach. Analysts like Gartner's Avivah Litan and security expert Brian Krebs have been trying to piece the story together.
As Krebs observes, Global Payments moved its hosting to Amazon's EC2 cloud in February this year. Krebs also reports an anonymous source claiming that Global Payments was breached well in advance of the reported date, possibly as early as January 2011. He also points out that it's by no means clear that early rumors of a 10 million card breach refer to the Global Payments exploit or a different, as-yet-undisclosed incident.
Litan, meanwhile, had also been hearing about an intrusion affecting a payment aggregator for a New York taxicab or parking garage business. Breaking the relatively unsophisticated knowledge-based authentication gave access to this business's admin account. The weakness of the cloud's infrastructure then gave the hackers a window into Global Payments.
As is evident, cloud security can be compromised by "weakest link" participants -- in this case, quite possibly a participant with easily forced password security.
I'm thinking, "Who uses knowledge-based authentication?" Probably these not-so-sophisticated, and even the sophisticated, cloud providers. Cloud providers don't like to distribute tokens or do anything too difficult. Then that's why the [Global Payments] CEO wasn't lying by saying none of their merchant systems were compromised, because it was the cloud security provider's system that was compromised. That's my theory, at least.
Right now, a theory is all it is. But it leaves questions that urgently need to be answered, not just by Global Payments, but by the cloud vendor. Litan raises the suspicion that the possibility of hackers migrating from one client to another within the cloud was the key vulnerability in this case. That seems to be a question that Amazon, rather than Global Payments, needs to address.
— Kim Davis, Community Editor, Internet Evolution