Sam pointed to a colleague. "We went to a Best Buy store with one of these blank credit cards and tried to make a purchase," he said. When the cashier questioned the blank card, his response was remarkable.
"We just told her it was the new American Express 'White' card." He said that he told the cashier that it didn't show his name because the new card was designed to protect his identity. The cashier looked at his driver's license, but didn't make a note of anything.
Sam and his colleague performed this exercise to learn how it was done and to see if they could actually pull it off. But the blank card was actually cloned to a valid personal credit card so there was no fraudulent transaction or loss to the store.
As I spoke with other security researchers, a pattern became clear. Despite all the reports about credit card fraud, data breaches, malware and other criminal activity, the people who actually need to protect their data have learned nothing. The training about credit card security has apparently fallen on deaf ears.
Then I talked with another researcher who showed me the latest Top 10 list of the Open Web Application Security Project. This is a research project that lists the most common vulnerabilities of Web-based applications. The OWASP site lays out the list and also has detailed articles about each item on the list as well as why it's a problem.
The list includes the usual suspects, including injection, misconfigured Websites, broken authentication, cross-site scripting and similar problems, most of which are the result of poor coding or a failure to follow best practices.
But what's really depressing about the list is that it's virtually identical to the Top 10 list from 2010. In other words, even though the same vulnerabilities have been exploited for years, nothing has changed—there have been no improvement in the security situation despite the availability of ways to fix those very problems.
I spoke with Jacob West, CTO for HP's Enterprise Security Products practice and who briefly remarked on the fact that so much about security was about training people to be mindful about security. That, of course, is a necessity.
But there has to be more. While enterprises can think like a Bad Guy, or train their employees not to click on attachments, there needs to be a better solution. One approach is to essentially take the people out of the process, which is what Apple is doing with Apple Pay.
But there also has to be some level of commitment by people at every level of the corporate hierarchy to think about security, whether a person is running a cash register, running a board meeting or designing code. I'm beginning to wonder if that part is futile.