Paay, a New York-based card payments processor, left about 2.5 million credit card transactions publicly exposed for roughly three weeks. The organization forgot to put password protection on the server, allowing anyone to access the data inside. Specifically, the housed data contains plaintext credit card numbers, expiration dates, the amount spent and partially masked copies of each credit card number – cardholder names, CVVs were not included.
PAAY offers a service as a third-party middleman between two banks by providing an additional security layer for the transactions, but unfortunately leaves all records exposed without passwords and vulnerable to attacks. It\’s important for banks of all sizes only rely on vendors and third parties that are PCI compliant and come equipped with the necessary security and certifications to keep customers protected. Even though exposing millions of credit card transactions and plain text card numbers due to a missing password is a serious security lapse, passwords in general can no longer be trusted to keep sensitive data safe in today’s fraud environment. The timing of this breach also couldn’t be worse for victims as storefronts are closed amid the global health pandemic and more purchases are made online. Impacted users are at greater risk for cybercriminals using exposed credentials to make fraudulent purchases. This is another glaring reminder why traditional authentication methods, like passwords or knowledge-based authentication, need to be eliminated. Artificial intelligence, coupled with facial authentication (using a person’s unique biological characteristics to confirm identity), ensures a card holder is who they say they are when making an online purchase.
According to Paay’s CEO, they spun up and subsequently misconfigured an instance leaving their database of 2.5 million card transaction records exposed to the public without a password. Unfortunately, Paay’s misconfiguration is quite common and we’ve grown used to seeing these data exposures pop up in headlines every couple of weeks. Companies need to realize that without a holistic approach to security, they open themselves up to undue risk.
What we have seen from a lot of companies to date, is that their security and compliance practices have been mainly reactive. If they are among the more prepared organizations, their teams will scramble to catch cloud infrastructure misconfigurations, risks, and compliance violations after provisioning or creation (i.e., “at runtime”). However, relying primarily on runtime detection increases security and compliance risks significantly. It also interferes with productivity, as developers have to spend their time addressing issues. The friction you hear about between security professionals and developers generally stems from a reliance on runtime security which in turn makes it more likely that developers will try to circumvent security altogether, leading to, you guessed it, more misconfigurations.
Paay’s exposure of transaction data highlights how developers and security teams should work towards proactively identifying cloud compliance and security issues before cloud resources are deployed. Organizations should not rely solely on runtime security and instead must “shift left” by taking preventative measures early on in their continuous integration (CI) and continuous delivery (CD) pipelines. Such a proactive approach will allow organizations to prevent security issues from occurring and will enable security teams to catch cloud infrastructure misconfigurations before massive leaks occur.