This September, British Airways (BA) was the victim of a major cyber attack. Around 380,000 customers of the largest airline in the UK had their sensitive information compromised. Besides the customers’ names and email addresses, the bad actors behind the attack made off with these unfortunate people’s credit card numbers, expiration dates, and security codes (e.g. CV2, CVV). After investigating the breach, researchers found that the hacking group responsible, Magecart, used a web-based credit card skimmer to intercept BA customer data. On closer review, however, the British Airways website was found not to be PCI DSS compliant. In light of this, we will discuss the relevant PCI DSS requirement, PCI Section 8. Namely, we will focus on how to achieve compliance with strong identity security and multi-factor authentication.
What is PCI Section 8?
PCI DSS Section 8 states that users who are permitted into a Cardholder Data Environment (CDE) must have authorized identities. While it may seem straightforward to sanction access to the sensitive data of a CDE only for the correct people, the truth is a bit more tricky. In the case of the British Airways breach, the Magecart attackers managed to bypass the authorization process by some means and install their skimmer script. While the actual method of bypass is still unclear, it is reasonable to assume that the attack could have been due to poor identity security.
Multi-factor Authentication for Stronger Identity Security
While there are several methods for improving identity security, an up-and-coming solution is multi-factor authentication (MFA). MFA leverages several different techniques depending on its implementation, but the end goal is still the same. By adding a step to the authentication process, be it a TOTP (time-based one-time password) code or a physical USB login token, the chance of an identity being compromised is decreased dramatically. In their report on MFA, Symantec found that 80% of security breaches in the last several years would have been stopped by MFA.
At JumpCloud®, we believe that strong identity security starts with a strong directory service, like Directory-as-a-Service®. Creating a secure identity…