Monday, January 07, 2008

Should ScanAlert be revoked of their PCI Scanning abilities?

I was passed this link today about "Hacker Safe Website gets hit by Hacker". For those who don't know, Hacker Safe is a service provided by ScanAlert (which is set to be acquired by McAfee). I am not going to go into the details of how safe the sites displaying the "Hacker Safe" logo really are. I don't even want to go into the details of what level of scanning service ScanAlert provides through Hacker Safe. What I do want to talk about is the PCI compliance certificate that ScanAlert issues after its scan.

ScanAlert provides a PCI scanning service for $149.00 a year. Oh, and their website claims they work directly with VISA and MasterCard. Personally, I don't care about their pricing model; they could provide the service for free, for all I care. What matters to me is that they are a "PCI APPROVED VENDOR" (an Approved Scanning Vendor, or ASV).

So, the story today was about one of their clients, Geeks.com. Here is an excerpt from the article:

"Geeks.com is a $150 million company specializing in the sale of computer-related excess inventory and manufacturers' closeouts. Its Web site prominently proclaims that it is tested on a daily basis by ScanAlert Inc."

Under the payment brands' PCI compliance programs, a merchant that suffers a breach resulting in the loss of card data can be reclassified as a Level 1 merchant and face fines and the rest of it, and that is what Geeks.com now has to look forward to. But what about ScanAlert? Shouldn't they be penalized too?

As I mentioned in my last post -
Who are the real culprits for PCI Compliance?
Geeks.com hired a PCI approved vendor to scan their site and provide them with solutions. ScanAlert scanned the Geeks.com site every day and did not find any vulnerabilities. Now that Geeks.com has been hacked, I am sure everyone will blame them for lax security practices and what not, but what about ScanAlert? Shouldn't they share a part of the blame too?

In the end, I think the bigger question is: is this level of service acceptable to the PCI Council?

11 comments:

Anonymous said...

You really do not know what you are talking about. Just because you read an article, you believe it.

I guess you also believe the Star Enquirer and all the "I had an alien baby" stories because someone wrote them down.

If you really are a security evangelist then do some security work and research the facts.

Anurag Agarwal said...

Well, if you think otherwise, please take some time to write down your facts too, or at least have the guts to leave your name. Just criticizing without reasons is considered a weak response.

Shoaib Yousuf said...

I totally agree with you Anurag. I personally think in the same way. I think Geeks.com should stand up and take some action against ScanSafe.

I can't blame PCI Compliance for putting a fine on Geeks.com, as their website was hacked and in the real world they became a victim; it doesn't matter what type of precautions they were using to keep themselves safe.

Value your post. Really interesting.

Anonymous said...

ScanAlert's Reply:
The headline (“'Hacker Safe' Geeks.com Hacked") is false and misleading, and does not match the facts provided by Geeks.com to its customers. So far, no one knows exactly what happened, or whether this breach occurred on the web site or somewhere else. There is no evidence that this web site was hacked while it was certified HACKER SAFE. In fact, all of the information that ScanAlert has gathered so far indicates that this breach did not happen while Geeks.com was certified HACKER SAFE.

Vishal Garg said...

I think this type of incident is going to be more common in the future. I would really be worried if a company has become PCI compliant and then gets hacked. No doubt they are the victims, but by hiring the services of an ASV and by being certified they have done what they were supposed to, so why should they be punished? Shouldn't it be the ASV who gets punished if such an incident occurs after they have certified a company, or does that simply mean that becoming PCI compliant does not make a website any safer?

Anurag Agarwal said...

Vishal -

I am not against PCI Compliance, and to me, if they want to raise the bar, by all means they should. But the point I mentioned in my earlier post, and exactly what you mentioned in your comment, is that a company doesn't understand PCI, let alone security. That's why they hire these ASVs to provide them with solutions. These ASVs are making a lot of money from that. So, they should take some part of the risk too.

Aidan said...

anonymous, regardless of whether Geeks.com was certified HackerSafe or not at the time of breach, we must not overlook the fact that no VA scanning tool can with any certainty declare a website "hacker safe". As well put by Drazen Drazic, basic VA is not a full website security review. That said, it is also interesting to get some insight into ScanAlert from others.

anurag, while PCI requires that VA scanning is conducted by an ASV, it also requires web application penetration testing to be conducted. Manual testing has the potential to discover many issues that cannot be found with VA scanning. How well a pen test is conducted really depends on the skills and knowledge of the tester.

Vishal, the payment brands have stated that if an entity is certified PCI Compliant and they experience a breach, they will be given "Safe Harbour" status. This means that if they can demonstrate compliance at the time of the breach, they will be exempt from paying any fines or having restrictions placed on them as a result of the breach.

kingthorin said...

"or does that simply mean that becoming PCI compliant does not make a web site any safer?"

True!

While I do feel that security testers should be held to their results, no scan vendor/contractor is ever going to agree to more liability than the value of the contract. So if you hire some company to assess your site for $30k, don't expect them to cough up more than $30k when you get hacked. Keep in mind, too, that that $30k liability is only good until you change something on the site, because GL proving that your modifications after their assessment didn't introduce the hole that resulted in the breach.

Anurag Agarwal said...

@aidan
In my earlier experience, when I was trying to get the company I was working for PCI certified, I spoke to so many ASVs and none of them mentioned web application pen testing. I found ASVs providing PCI service for as little as a few hundred dollars and up to $15000. There were so many questions, but nobody could provide clear answers. Now, I knew the web application security field, so I went with what was right and not what was required just to get certified.

That being said, how many companies are out there who don't have the luxury of an in-house web application security professional? How would they distinguish the difference between a $600 service and a $9000 service? And if ASVs don't have a stake in the game, they would go out there, provide cheap service, make money and leave the companies hangin' out to dry.

I understand companies should do more than just PCI, but who is there to guide them? They don't understand the field, so how would they make the right choices? And the PCI Council is not making it any easier for them.

@kingthorin
I am not going to go into what penalties should be imposed on vendors; that's the job of the PCI Council, but there has to be something. It could be as small as a bad mark against their reputation, and when clients go out to hire an ASV, they should be made aware of that bad mark.

kingthorin said...

@ anurag
I can agree with that. There should be some consequence for the mistake. My main point was that if they pay $30k a year for the service, they shouldn't be expecting to recover millions from ScanAlert.

pci said...

Agree with you.