Brian Bertacini from AppSec Consulting clued me in to this story. This snippet kicks off the story...
ID Thieves Turn Sights on Smaller E-Businesses
"After scanning the search results, he purchased the inexpensive item -- a USB cable used to synchronize the Treo's settings with his personal computer -- from Cellhut.com, the first online store displayed in the results that looked like it carried the cable. The site featured a "Hackersafe" logo indicating that the site's security had been verified within the past 24 hours. Later that day, information from Cole's purchase -- including his name, address, credit card and phone numbers, and the date and exact time of the transaction -- was posted into an online forum that caters to criminals engaged in credit card and identity theft."
ScanAlert Inc., a Napa, Calif.-based company, scans over 75,000 online merchants each day for thousands of known Web site flaws. According to the story, ScanAlert is investigating the breach. Of course, one would think that law enforcement would be performing this task. We'll have to wait and see whether this was a web application hack or something else. But if you look at the published statistics, a web security attack is the smart bet.
"According to a report released this month by VISA, four-out-of-five of the top causes of card-related breaches were digital security weaknesses common at merchants large and small, including missing or outdated software security patches, misconfigured Web servers, and the use of vendor-supplied default passwords and settings, all of which are a violation of new payment card industry standards."
Several experts weighed in with their thoughts. Most of them offered the usual best-practice advice, but this one caused me to pause.
"Having one of these scanning services in place is definitely better than nothing because a lot of small and medium sized online stores don't have the staff in place to make sure their applications are secure," said Jason Lam, who teaches a course on securing Web sites for the SANS Institute.
Normally I would agree that doing something is better than nothing. This might be a different situation. If a scanning vendor tells you they scan for vulnerabilities which they are clearly not finding, then all you've bought is a false sense of security. The bad guys quickly figure out that any business carrying the logo probably does in fact have vulnerabilities, whatever the scan reports say!
My question is this: since ScanAlert is a certified PCI scanning vendor, what does this say about enforcement of the PCI standard? I've written about this problem with the process before. And what does this say about the rest of ScanAlert's 75,000 customers? Maybe it's just as the logo suggests, "safe for hackers".