VISA has compiled a list of applications used by retailers that store sensitive data – and may leave you vulnerable to hackers and identity thieves
Buried in the networks of many major retailers are computer applications, often obsolete or unused, that store the personal and financial data of customers. VISA apparently compiles a list of applications that may store sensitive customer authentication data after a payment has been authorized. Many application versions on the “bad-apps” list are outdated versions or programs that are no longer being sold.
VISA does not deem these programs an immediate identity theft threat: cyberthieves would have to expend a great deal of effort sifting through a retailer's network looking for possible sources of data, with no guarantee that such programs are there (this is called the “effort-to-benefit ratio”). They are nonetheless a concern as a possible source of a security breach, either through the disposal process of old network and server equipment or by data-mining software.
The list is not one that Visa wants to be too easy to get – in fact, the list is not directly shared with retailers. Yes, there is a slight risk of cyber-thieves searching for the riskier versions in retail systems. It turns out that there is not much of an immediate concern, however, because of the effort-to-benefit ratio. But if that’s a real security issue, then Visa’s publishing an approved list that says “version 5.2 and above is compliant” pretty much telegraphs to the bad guys what they need to seek. In short, it’s a problem regardless of whether the Bad Apps list is disclosed.
Not making the cyber-thieves' job easier is one reason why VISA is not releasing the full list of “bad-apps” to retailers and purchasers of new software. If criminals know in advance what applications to search for, then VISA will have made their task of stealing data much, much easier!
(See the full list of applications)