Fortify says online credit card security lapse may be due to poor software code auditing

15 May 2009

Fortify, the application vulnerability specialist, says an incident in which an Atlanta-based firm reportedly allowed an Aspire Visa card user online access to around 120 other card holder statements, was almost certainly the result of poor code auditing at the software development stages.

"Security faux pas like this - with an Indiana-based woman being able to view the statements of more than a 100 of her fellow cardholders - was probably due to a combination of factors that came together to create a rare, but repeatable, situation," said Richard Kirk, Fortify's European director.

"Good code auditing at the program development stage would have helped to prevent this situation occurring and embarrassing the company that administers the card accounts for Aspire," he added.

According to Kirk, the only piece of good news in connection with this incident is that the cardholder was apparently only able to view her fellow Visa users' accounts and not able to do much else.

This was, he explained, a view-only security situation but, he says, a coding error like this could also have allowed a customer access to other facilities that might - under certain circumstances – have allowed a fraud to perpetrated.

In this incident, he says, after the cardholder was given the cold shoulder after complaining - something that Kirk says also blots the card company's copy-book - she contacted the media, and the firm correctly suspended online access to customer accounts.

"It's good that they've done this. This will give the software development team time to review why this has happened and hopefully prevent it happening again,," he said.

"Of course, if they had conducted more thorough auditing and soak testing of the code update that apparently caused this incident in the first place, they wouldn't be in the embarrassing situation they are in now," he added.

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development