"A front & back copy of the [credit] card is required for processing." You're kidding, right?

I'm working on a PCI DSS project for a good client of mine that's in the concessions and food service business.  I was pleased to find that this company does not have any paper forms that ask a customer to fill in their CVV code, a practice that's against card brand rules and not compliant with PCI DSS.  I see organizations breaking this rule much more often than you would think.  

I poked around a bit to see if I could find any signs of this practice at a few other companies in similar types of businesses.  It only took a few minutes to find the order forms I was looking for.  I found more than I wanted to.  
  • One of the forms I reviewed asks the customer to fill in the "Three Digit Security Code Located on Back of Card:"  Bad.  
  • This same form asks the customer to "Please complete this form and return to email_address_here...".  This is also bad.
I reviewed another form from another venue and found even more interesting results:
  • The form asks the customer to provide "CREDIT CARD ID: (3 or 4 digit ID on front or back of card)".  Bad. 
  • They go one step further and actually REQUIRE that "a front & back copy of the [credit] card is required for processing. This includes all clients that have made payment in full in advance with a company check."  This is beyond bad.

Wow, now this is way out there when it comes to compliance.  Not only are they storing the customer's CVV code by asking them to print it on their order form, but they require a photocopy of both sides of the credit card and store this.  Yes, this photocopy also includes the CVV code, the code they are not supposed to be storing.  And to make sure they go way outside of their card processing agreement, they gather and store the name, account number, expiration date, and CVV code even for customers who do not pay with a credit card.

These types of infractions beg the question, "What else are they doing wrong?" 

Please review all of your paper order forms and confirm the following:

1.  The form does not ask the customer for their CVV code.
2.  The form does not request that a customer include a copy of their card.
3.  The form does not imply that the completed form can be submitted by email.  Do not include an email address anywhere on the form.

If you have been doing #1 or #2, you should track down all of those forms and destroy them in an appropriate manner.   
If you have been doing #3, you should track down any inbound order forms that were emailed to you.  These messages should be appropriately deleted and purged from all systems and media in which they are found.

Posted via email from Kenneth M. Smith CISSP CISA GCIH FREAK

Human error continues to be responsible for large disclosures of sensitive information

Recently I had to contact a mail order pharmacy to inform them that the envelopes they used for their statements were insufficient to prevent anyone from seeing the SSN, which was printed on the first page of the statement.  You didn't even have to hold it up to the light, it was that obvious.  They told me that apparently "someone" changed the layout of the form but neglected to change the envelope to mask the new layout of the sensitive information.  An obvious lack of communication, or simply negligence.  I questioned why they even printed the whole SSN on the statement in the first place.

Many examples of disclosure of sensitive information caused by human error can be found in the Privacy Rights Breach Database.  The most recent is another that was completely avoidable (see below).  People, if you don't want your company to be added to this Breach Database then please manage your technology and appropriately oversee the dissemination of EVERYTHING THAT LEAVES YOUR COMPANY.  Especially large mailings like this.  

"Universal American Action Network of St. Petersburg, FL - Thousands of Pennsylvanians could become victims of identity theft just because a piece of mail has been sent to their homes. Right on the front of the piece of mail, under the persons name, in plain view, is the recipient's Social Security number. The postcards were from the Universal American Action Network, a subsidiary of Universal American Insurance. 80,000 postcards with Social Security numbers on them were sent out to Universal clients throughout the country. More than 10,000 of them were mailed to Medicare participants in Pennsylvania."
[Source: privacyrights.org Data Breach Database]


Is this what #PCI has come down to?

Spotted this yesterday and it made me laugh. Think a plunger would help with PCI DSS?


Marriott Rewards email snafu, customers get test email in error

If you are a Marriott Rewards member you may have received an email from them recently that didn't quite make sense.  I got one, it looked something like this:
Subject:  "Don’t miss your free night from Marriott Rewards"
CUSTOMER_KEY : ######## (8 digit number that I have removed)
MR_NUMBER : ######### (9 digit number that I have removed)
MR_NUMBER_ENCRYPTED : (32 character value here also removed)
TEST Links
Hosted Email Link Using MR_NUMBER : With MR_NUMBER Link
Hosted Email Link with out MR_NUMBER : Without MR_NUMBER Link
Hosted Email Link with out Jennies Suggestion : With entrypted MR Number & Customer key
I inquired with Marriott about this and it was apparently an error.  Looks like they were testing some functionality but emails got sent to actual customers.  Here is their response email.
"Dear Valued Guest,

Yesterday morning, you received an email from Marriott in error. We were testing functionality to further enhance your online experience. During the testing process, a small number of emails erroneously deployed.

In the email, you may have noticed your name and a reference to your MR number. Rest assured, the information contained therein is private and no information specific to you or your account was shared with anyone else. To reiterate, this email was sent to you in error, but the contents of the message itself pertain only to you and your account.

Marriott is committed to your data security and the protection of your personal information. We apologize for any confusion our earlier email may have caused.

Best regards,
The Marriott Team"
What it doesn't say is whether the information in the email was "sensitive".  Why would there be a field MR_NUMBER_ENCRYPTED?  I followed a few of the URLs in the email and information similar to the email content was there on an unprotected web page.  Hmmm.
Kenneth M. Smith    CISSP CISA GCIH
Information Protection, Privacy, PCI Consulting
Phone: 978-595-1536 (1KEN)
Twitter: @ken5m1th


Retail sales associates sentenced for role in credit card, bank fraud

Four men from Atlanta, Georgia were sentenced this week by United States District Judge Orinda D. Evans on charges of bank fraud, credit card fraud and aggravated identity theft.



I'm getting more reports of card fraud (cloned cards) taking place in the South East

Maybe a month ago I wrote about reports of card fraud taking place in North Carolina.  These were physical (card present) transactions in which other items of approximately $200 each were purchased.  These are likely gift cards or some other form of anonymous payment card.  This likely means that there was a stripe data breach and fake cards were made with the card stripe data.

I heard another report of this more recently, this time from a Discover Card customer.  Same MO, and the fraudulent transaction took place at a Walmart store just like the others.

A stripe data breach that has yet to be disclosed perhaps? 


The ad says "Don't try this at home". But why the heck not?

This is an ad I saw for an after-school program in the Boston area. I've walked by it a number of times and it aggravates me when I see it. I'll tell you why.

The advertiser's message is that you should not let your child do things like this at home, but instead send them to a place outside of the home (for which you would need to pay) where your child will supposedly be allowed to do such things. But my question is, why not?

Why not let them get messy, take chances, be creative, and even make mistakes? And why not at home so family and friends can enjoy?

Kids should be given the opportunity to do things like this at home. As Randy Pausch said in his world famous presentation The Last Lecture, "let your kids paint their room".
I completely agree.


BCBS suspected breach impact not just North East, now close to a million Dr's

There was a story recently about a stolen personal laptop of a BCBS associate in Chicago that contained some PII of approximately 39,000 doctors.

It looks like this issue involved much more than just Doctors in the New England region. See below (via Twitter).

idexperts: RT @amednews Breaking: 850,000 doctors could be hit by potential data breach from insurer's stolen laptop http://bit.ly/z5crm
Original Tweet: http://twitter.com/idexperts/status/4663639559


My son practicing for his license


We're in trouble.

Posted via email from Ken Smith

PCI Scan Vendors, please stop telling SME that all they need to do to comply is... #PCI

Here is a quote from a PCI ASV (Authorized Scan Vendor) web site. 

"For small and medium sized retailers and service providers, compliance with the Payment Card Industry Data Security Standards (PCI-DSS) requires completion and submission of the Self-Assessment Questionnaire (SAQ) and quarterly external network scans."

This is NOT a valid statement and you really need to stop communicating things like this.  PCI compliance requires that you adhere to and practice everything outlined in PCI DSS version 1.21, available from https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
For organizations that are not categorized as Level 1 merchants, you need to attest to being in compliance with PCI DSS by completing and submitting the appropriate SAQ and quarterly scan results. Doing ONLY this does not mean you are PCI DSS compliant.  It means that you did what was expected of you (at this time) to attest that you are in compliance.  



Spotted this on a bottle of spring water, what is he supposed to be?

"Milky" - What the heck is he supposed to be? Kinda reminds me of Spongebob. Is he a gallon jug of milk ?


openairboston moves forward, letter from my friend Brian Worobey


Dear friends of openairboston.net,

Last week marked the 40th anniversary of the first test of the technology that would become the Internet. The engineers working back then could never have imagined the incredible impact that their work would have on our present day world. Internet access has shaped both my career and my personal life.   I ask you to take a moment and reflect on the Internet's value to you.

Know that, even in Boston, one of the most innovative cities in America, Internet access is simply unaffordable for the majority of low-income residents and this lack of access has profound and lasting effects.  The students in our Boston Public Schools, who without home computers resort to typing assignments on their cell phones, become the job seekers, who without Internet access, cannot complete job applications for even the most unskilled jobs.  Without Internet access, these residents rarely find the opportunities to develop the skills they need to succeed in today's workplace.

openairboston.net is a non-profit organization working to erase this inequality and help ALL our residents thrive in an increasingly online world. We bring free Internet connectivity, training and low-cost computers to residents currently left at the sidelines of our connected world.  Through our efforts, we have brought an open-source community wireless network to the Fenway and Mission Hill neighborhoods and aim to expand our work to other much-in-need communities. We bring not only connection but also the education necessary to create self-sustaining support and training programs that allow neighbors to help neighbors and foster true community ownership of these networks. 

The word is getting out and our momentum is building. From features in both the Boston Globe Magazine and Mass High Tech to our recognition by the IRS as a 501 c 3 tax-exempt organization, openairboston has both a local and national mandate to expand our work to all the many communities still in need.   

Everyone deserves the same opportunity to succeed, to have the access to the technological skills and resources so necessary in today's world.  We are working to make this equality a reality and ask for your help in our efforts.   Think what it means to you to be connected and consider making a donation to our work.   Please consider making a contribution to openairboston with your time as a volunteer to help build our network or train residents, with your connections by forwarding this email to those who may want to join our cause, or with your financial assistance.   All donations are welcomed at our website and we encourage you to follow our progress on Facebook and Twitter.

I hope you will join us.  The future of Boston lies before us - let's connect.



Brian Worobey





Abstract night-time photography

I love taking weird shots like this, just looks cool.

This picture is of the commotion near the MGH red line station on Wednesday night after the tunnel fire caused the shutdown of the MBTA red and orange lines.


Police officer stole computers from university, then sold on eBay

vcuinfosec: Police officer stole computers from university, then sold on eBay. He was caught b/c he was an idiot. http://bit.ly/W3hab
Original Tweet: http://twitter.com/vcuinfosec/status/4028390977




Ringo gets no respect

Back cover of newly released remastered HELP from the Beatles.



Patriots game traffic causing plenty of delays

I saw miles and miles of traffic from Burlington down past the Mass Pike around 4PM, bet it's worse now.  Apparently many decided to take the MBTA Commuter Rail Patriots train; I just got this alert from the MBTA: "Due to very heavy ridership the Patriots Train was unable to service Norwood Central Station.  Customers at Norwood Central desiring service to Foxboro will be accommodated by train 719 to Walpole Station where they will meet up with the Patriots Train". 

I hope it's a good game!


Ask not what your country can brew for you, but what you can brew for your country

That is the caption below this stained glass art at John Harvard's Brewhouse in Framingham, MA.


Hey merchants! Stop asking people to write down their CVV for credit card payments...

I know you get a better exchange rate and all that, but the fact that you ask your customers to write this down on your form means that when it arrives at your location you are now "storing" it, and this is a NO NO.  It's intended to confirm card-not-present electronic transactions and the customer themselves should be typing this in.  You are putting yourself and your customers at risk by asking for this and storing it. 
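The check described above, and the three-item checklist in the earlier post ("Please review all of your paper order forms..."), can be run mechanically over the text of your form templates. The following is an added example, not code from the original posts: a small Python scanner that flags CVV prompts, card-copy demands and email submission instructions in form text. The phrasings it matches are the ones quoted in the posts plus a few common variants (an assumption; extend the list with your own wording), and the two sample forms are constructed for the example.

```python
"""Scan order-form text for the three checklist items: CVV prompts,
card-copy demands and email submission.  Added example, not from the post."""
import re

# (checklist item, description, pattern).  The phrasings are the ones quoted
# in the posts plus a few common variants; assumption: extend with local wording.
CHECKS = [
    (1, "form asks the customer for the CVV / card security code",
     re.compile(r"\bcv[vc]2?\b"
                r"|\bcard\s*(security|verification|id)\b"
                r"|\bsecurity\s+code\b"
                r"|\b(three|3)\s*(or\s*(four|4)\s*)?digit\b", re.IGNORECASE)),
    (2, "form asks for a copy of the card",
     re.compile(r"\bfront\s*(&|and)\s*back\s*copy\b"
                r"|\b(photo)?copy\s+of\s+(both\s+sides\s+of\s+)?(the|your)\s+(credit\s+)?card\b",
                re.IGNORECASE)),
    (3, "form can be returned by email or shows an email address",
     re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"
                r"|\b(email|e-mail)\s+(this|the|your|completed)\b"
                r"|\breturn\s+(to|by|via)\s+(email|e-mail)\b", re.IGNORECASE)),
]


def check_form_text(text):
    """Return [(item, description, snippet)] for every checklist item the text fails."""
    findings = []
    for item, description, pattern in CHECKS:
        match = pattern.search(text)
        if match:
            lo, hi = max(0, match.start() - 25), match.end() + 25
            snippet = " ".join(text[lo:hi].split())  # one-line context around the hit
            findings.append((item, description, snippet))
    return findings


def failed_items(text):
    """Checklist item numbers the text fails, e.g. [1, 3]; [] means it passed."""
    return [item for item, _, _ in check_form_text(text)]


# Constructed sample forms (not real forms): one with all three problems, one clean.
BAD_FORM = """CONCESSION ORDER FORM
Cardholder Name: ____________  Account Number: ____________  Exp: __/__
Three Digit Security Code Located on Back of Card: ____
A front & back copy of the card is required for processing.
Please complete this form and return to orders@example.com
"""

CLEAN_FORM = """CONCESSION ORDER FORM
Cardholder Name: ____________  Account Number: ____________  Exp: __/__
Signature: ______________
Return this form by fax to 555-0100 or by mail to the address above.
"""

if __name__ == "__main__":
    for name, form in (("bad form", BAD_FORM), ("clean form", CLEAN_FORM)):
        findings = check_form_text(form)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for item, description, snippet in findings:
            print(f"  item {item}: {description}\n    ...{snippet}...")
```

Run it over the exported text of every order-form template you have in circulation. A finding under item 1 or 2 identifies a form to withdraw and destroy; a finding under item 3 means the inbound mailboxes that address points at need to be checked and purged as well.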


Twitter over capacity error. Are we the whale or the birds in the image?


Bank of America, I knew it was you.

Not long ago I read this story, "Teller allegedly stole thousands from customers at Peabody bank".  I brushed it off at the time. 

"Jeffrey C. Gautreaux, 25, of Peabody, was indicted in federal court on 17 counts of bank fraud, one count of access device fraud, and two counts of aggravated identity theft for a scheme executed from about July 2005 to June 2006, Acting US Attorney Michael K. Loucks said in a statement." -Source Boston Globe

Just recently I was going through and shredding some older statements and realized that around the time that these crimes allegedly took place, I was the victim of fraud on my Bank of America card. 

This wasn't a card that I normally used.  It had a small balance on it and was rarely used.  I remember that the only real 'activity' was that I went to the Bank of America branch (mentioned in the article) and I made a payment with a teller as I didn't want my payment to be late.  Then the fun began.

It started with missing a statement.  When I spoke with their fraud department I was literally interrogated by multiple people on the phone.  They were convinced that I was not the owner of the card and were treating me with great suspicion, and finally I found out why.  The address on the account, they informed me, was an address in the Bronx.  According to Bank of America my account mailing address was changed.  It just so happens it was days after I made my payment in person at this branch.   Yes, the "change-the-account-mailing-address, wait-for-the-convenience-checks-to-arrive, then-go-spend-those-on-something-expensive scam".  

The part that didn't make sense is that even if someone were to obtain the account number and expiration date, this isn't enough for them to make an account change like that.  Their fraud department insisted that I must have given the information necessary to change the address to someone.  This information includes the account number, SSN, birth date, phone number and a few other things that are typical for card accounts.  Here's the thing.  No one in this world knows the answers to some of the security questions except for me.  I can't get into why I know this, but I do.

A typical card company fraud department will tell you very little about the possible source of the fraud, other than talking about the fraudulent transaction amounts and merchants.  Oh, and they will ask you repeatedly if you have ever been to the city in which the fraudulent transactions took place.  I was even asked, "Are you sure you haven't lived at that address?".  Ugh.  I hate when people don't believe me. 

I did everything that you should do when you have to deal with a situation like this.  Note to Bank of America: Telling your customers to "just sign an affidavit and you're all set" is NOT enough.  There is much more to do than that, even if you have only suffered card fraud and not true identity theft.  After all was said and done I was still left with a feeling that something was very fishy about this.

Once I saw the article I didn't immediately connect the dots, but I came around.  Although none of this is concrete, it makes perfect sense that I was a victim of this alleged ex-employee's little scheme.  It's over with but what stays with me is the way Bank of America's fraud department made me feel like the guilty party and that this was all my fault somehow.  Bank of America, I had a hunch it was you. 


Reducing your local privileges to reduce vulnerability

I have long been a proponent of using the least privileges needed in order to accomplish a task. It's just the right thing to do. Doing this greatly reduces your attack surface because most malware needs certain privileges on the local system in order for it to work as designed. Take away those rights and the malware may download but it will just sit there causing no harm to the system or data.

You would think that simply creating yourself a local account with fewer privileges would take care of this. Unfortunately, many applications on the Windows platform were not developed with this in mind; many assume and require that you have Administrator privileges for them to run. You will quickly tire of trying to run certain apps using RunAs, since this solution doesn't share your lower-privileged user profile. Whatever you do after you have initiated something using RunAs will be stored within that privileged account's profile, not the one you initially logged in as.

Fortunately, there are a number of tools to help you deal with this. These tools take one of two approaches:

A. Log in with lower privileges and use a utility to increase privileges when necessary or increase privileges for specific apps.

B. Log in with higher privileges and use a utility to decrease privileges when necessary or decrease privileges for specific apps.

It takes a little time to get one of these solutions working in a way that you can live with every day. Depending on the type of user you are, you may quickly tire of all the tweaking needed and simply give up. I have tested many of the "type A" tools including sudown, sudowin, and Makemeadmin. These tools try to mimic the sudo functionality provided by most UNIX and Linux systems. I have also tested many "type B" tools such as PSExec or Drop My Rights. What did I find? None of them are perfect. And some of them can be dangerous if you are not careful!

For now, on Windows XP systems, I have found that the most realistic thing to do is to log in with the least privileges needed to do your work (that doesn't break the apps that you use) and reduce the privileges of the processes that access the Internet. For many that might mean continuing to log in locally with administrative privileges. But by running certain applications with reduced privileges, you are making your system less vulnerable to successful malware exploitation. After all of my testing, my opinion is that using something like PSExec or DropMyRights is a good choice.

For many IT folks I feel that the best solution (for now) on Windows XP is going with the type B approach - logging in with higher privileges and using a utility to decrease the privileges of Internet applications (such as Web Browsers, Twitter clients, etc.) and others that you know will work without Administrative privileges. Two that work similarly are PSExec and DropMyRights.

For non-IT and home users, I suggest trying a type A solution to increase privileges when needed. Home users may find it especially challenging to get some games to work (for your kids, of course ;-) when using a less-privileged account. The vendors will tell you that you must have Administrative rights, but I have been successful in getting all such apps to run under a Power User account with an understanding of the file system and registry permissions that the application is expecting. I'll tell you more about that in another blog update.

There are some slick commercial tools also available to address this issue, I will write up something on that soon. Whatever you choose, be sure to make a system backup before you start playing with any of these tools. You have backed up your system recently, haven't you?
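To show what the type B tools actually do under the hood, here is an added example (not PsExec or DropMyRights code, and not from the original post) written in Python with ctypes: it derives a "Normal User" token from the logged-in administrator's own token via the Windows SAFER API, the mechanism DropMyRights is built on, and starts the requested program with that token. It assumes Windows XP or later and refuses to run anywhere else; the mode letters N, C and U follow DropMyRights' convention, and the function and constant names are this example's own.

```python
"""Start a program under a reduced-privilege token using the Windows SAFER
API, the mechanism DropMyRights is built on.  Added example (not DropMyRights
or PsExec code); it assumes Windows XP or later and refuses to run elsewhere."""
import ctypes
import os
import sys

DWORD, WORD = ctypes.c_uint32, ctypes.c_uint16
HANDLE, LPWSTR = ctypes.c_void_p, ctypes.c_wchar_p

# Constants from WinSafer.h; the mode letters follow DropMyRights' convention.
SAFER_SCOPEID_USER = 2
SAFER_LEVEL_OPEN = 1
SAFER_LEVELS = {
    "N": 0x20000,  # SAFER_LEVELID_NORMALUSER: Administrators removed, Users rights kept
    "C": 0x10000,  # SAFER_LEVELID_CONSTRAINED: Normal User with most privileges removed
    "U": 0x01000,  # SAFER_LEVELID_UNTRUSTED: Everyone/Users access only, very restrictive
}


def level_for_mode(mode):
    """Map a DropMyRights-style mode letter (N, C or U) to its SAFER level id."""
    try:
        return SAFER_LEVELS[mode.upper()]
    except KeyError:
        raise ValueError("mode must be N, C or U") from None


class STARTUPINFO(ctypes.Structure):  # STARTUPINFOW layout
    _fields_ = [("cb", DWORD), ("lpReserved", LPWSTR), ("lpDesktop", LPWSTR),
                ("lpTitle", LPWSTR), ("dwX", DWORD), ("dwY", DWORD),
                ("dwXSize", DWORD), ("dwYSize", DWORD), ("dwXCountChars", DWORD),
                ("dwYCountChars", DWORD), ("dwFillAttribute", DWORD),
                ("dwFlags", DWORD), ("wShowWindow", WORD), ("cbReserved2", WORD),
                ("lpReserved2", ctypes.c_void_p), ("hStdInput", HANDLE),
                ("hStdOutput", HANDLE), ("hStdError", HANDLE)]


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE),
                ("dwProcessId", DWORD), ("dwThreadId", DWORD)]


def run_with_reduced_rights(command_line, mode="N"):
    """Launch command_line with a SAFER-restricted token; returns the new PID."""
    if sys.platform != "win32":
        raise OSError("SAFER launch is only available on Windows")
    advapi32, kernel32 = ctypes.windll.advapi32, ctypes.windll.kernel32
    level, token = HANDLE(), HANDLE()
    # 1. Describe the target level: per-user scope, e.g. Normal User.
    if not advapi32.SaferCreateLevel(SAFER_SCOPEID_USER, level_for_mode(mode),
                                     SAFER_LEVEL_OPEN, ctypes.byref(level), None):
        raise ctypes.WinError()
    try:
        # 2. Derive the restricted token from the caller's token (NULL = current process).
        if not advapi32.SaferComputeTokenFromLevel(level, None, ctypes.byref(token), 0, None):
            raise ctypes.WinError()
    finally:
        advapi32.SaferCloseLevel(level)
    # 3. Start the program with the restricted token instead of the admin token.
    si, pi = STARTUPINFO(), PROCESS_INFORMATION()
    si.cb = ctypes.sizeof(si)
    cmd = ctypes.create_unicode_buffer(command_line)  # must be writable for CreateProcess
    try:
        if not advapi32.CreateProcessAsUserW(token, None, cmd, None, None, False, 0,
                                             None, None, ctypes.byref(si), ctypes.byref(pi)):
            raise ctypes.WinError()
    finally:
        kernel32.CloseHandle(token)
    kernel32.CloseHandle(pi.hThread)
    kernel32.CloseHandle(pi.hProcess)
    return pi.dwProcessId


if __name__ == "__main__":
    # Usage: python lowrights.py "C:\Program Files\Mozilla Firefox\firefox.exe" N
    # Default target is cmd.exe; from that shell, "echo x > %SystemRoot%\lowrights_check.txt"
    # should fail with "Access is denied" if the token was really reduced.
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32", "cmd.exe")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    print("started pid", run_with_reduced_rights(target, sys.argv[2] if len(sys.argv) > 2 else "N"))
```

Launching a cmd.exe this way and trying to write a file under %SystemRoot% from it is a quick confirmation that the Administrators group really was stripped from the token; once that check passes, point the same launcher (or DropMyRights itself) at the browser, Twitter client and other Internet-facing programs.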

Why so much credit and "good" publicity for Heartland Mgmt for not practicing proper risk management?

Today in my in-box I got yet another invitation to attend a webinar that uses the Heartland Data Breach for some sort of benefit to the sponsoring organization. Yea, everyone is doing it. Just like we all did with TJX.

What annoys me is seeing those that were in IT Management (leading up to and at the time of the breach) being put up on a pedestal. Especially those that were ultimately responsible for the information security of the organization. It strikes me as odd that this occurred on their dime and they are now making dollars because of it. I'm not blaming them directly, at least I don't think I am.

Regardless of who ultimately turns out to be "the bad guy" in the whole Heartland breach fiasco, most breaches (the publicly disclosed ones anyways) are ultimately found to be avoidable. Most could have been avoided by having an information security program that's properly aligned with the organization's overall risk management program. The PCI DSS is supposed to promote this model, but many organizations jump right to focusing on meeting the minimum requirements of the DSS. Having a QSA (Qualified Security Assessor) wave his magical Report-On-Compliance wand and deem you PCI compliant isn't the solution.

Give me back my Login ID: How decoupling the Login ID and email address is better for security

Everyone seems to be talking about the recent email account compromises that have resulted in the disclosure of some sensitive documents (or at least some embarrassment). The latest one is that of a Twitter employee which is detailed in the following Twitter blog entries:


All kinds of "experts" in the field are writing about these incidents and making suggestions to prevent things like this. Most suggest a stronger password and improving upon the security questions that you need to answer in order to recover your account if you forget your password.

First, I highly recommend that everyone read this article "The Anatomy of the Twitter Attack" from techcrunch. It's probably almost 6 pages long, but worth the investment.

Here is my take on this issue. I wrote in December 2005 about Web Security Getting Weaker as I started to see web sites transition to forcing users to use their email address as their login ID. I don't think this is a good idea since this means that a typical user will have the same login ID on practically every site they use. Once you have this info, then all that's left is to guess the password or try to recover it fraudulently by making guesses to the security questions. With more users signing up for SaaS services in the cloud, this literally means that if you have gained access to someone's email account, you pretty much have everything.

What can be done to prevent these continued account compromises?

I suggest the following:

1. Change your login ID to something other than your email address. I am a firm believer that no one except you should know your login ID and your password. This means that it should not be your email address. If the web site or email service doesn't allow this, bug them to change this policy.

If you have no choice, you can create yourself another email account for the sole purpose of using it as the login name for web sites. Make it something that someone could not easily associate with you. It can be almost anything, although there are some character restrictions at most sites.

Set this new email address to forward to your real email account and set this password to something very complex. Write the login ID (email address) and password down and keep it somewhere safe and secure. You should not need to log in to this account often at all. Warning: Don't use an email service that disables your account after a certain period of inactivity. This is how the perpetrator in the latest gmail-twitter hack was able to reset the password of the victim's Gmail account. Don't give this email address to anyone. Now, change your login name on the sites in question (webmail) to the one you just created. Remember to only change your login ID and leave the email address set to your primary (public) email address. While you're at it, you may as well change your password to something strong that you will remember.

2. Be creative when setting account recovery questions and answers. The security questions can be used to your advantage to further secure your account if done correctly. Let's look at an example. The above article mentions that one of Google's security questions is:

  • What was your first teacher's name?

Your answers to these questions can be ANYTHING you want them to be. Make something up! Set your first teacher's name to 'monty python' or 'big iced coffee from starbucks' if you want. As long as you remember what you initially set, or store it securely somewhere, you are all set. If you don't have a very good memory, see item 3.

3. Use a secure password manager. Let's face it, we don't all have amazing memories especially as we get older. Do you really expect users to set a different complex password for each of the sites and services they use and change them on a regular basis to another complex password? It's a pipe dream. Anyone who does this is probably using one of the many available login ID and password management tools available.

One of the great things about such tools is that most of them have a strong password generator built-in. Once you are accustomed to using a password management tool, you will then find it very easy to start doing things like setting unique login IDs for each of the sites or services you use. There are some great solutions that will even synchronize with your mobile phone if you need access to login information when you are away from your PC.

I have tested and used many of these password management tools, and will post a follow-up that will provide an overview of my experiences.
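The account model that the three suggestions imply is easy to show in code. The following is an added example, not code from Twitter, Google or any other site mentioned: a minimal Python account store in which the login ID and the contact email address are separate fields, only the login ID identifies an account, passwords and recovery answers are salted and hashed, and recovery answers are normalized so an invented answer like 'big iced coffee from starbucks' still matches when typed with different capitalization or spacing. It also includes a generator for random login IDs and passwords of the kind a password manager produces. All names (AccountStore, register, authenticate, recover, generate_secret) and the PBKDF2 round count are assumptions for the example.

```python
"""Account store where the login ID is separate from the contact email
address.  Added example illustrating the post's suggestions; not code from
any site mentioned.  Names and the PBKDF2 round count are assumptions."""
import hashlib
import hmac
import secrets
import string

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware


def _hash(secret, salt):
    """Salted PBKDF2-HMAC-SHA256, used for passwords and recovery answers alike."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def normalize_answer(answer):
    """Case-fold and collapse whitespace so 'Monty  Python' matches 'monty python'."""
    return " ".join(answer.casefold().split())


def generate_secret(length=20, alphabet=string.ascii_letters + string.digits + "-_."):
    """Random login ID or password, as a password manager's generator would make."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class AccountStore:
    def __init__(self):
        # Keyed by login ID only; there is deliberately no lookup by email address,
        # so knowing someone's public email does not tell you which account is theirs.
        self._by_login = {}

    def register(self, login_id, email, password, recovery_answer):
        if login_id in self._by_login:
            raise ValueError("login ID already taken")
        if login_id.casefold() == email.casefold():
            raise ValueError("login ID must not be the email address")
        salt = secrets.token_bytes(16)
        self._by_login[login_id] = {
            "email": email,
            "salt": salt,
            "pw": _hash(password, salt),
            "answer": _hash(normalize_answer(recovery_answer), salt),
        }

    def authenticate(self, login_id, password):
        rec = self._by_login.get(login_id)
        if rec is None:
            _hash(password, bytes(16))  # same cost for unknown IDs: no timing oracle
            return False
        return hmac.compare_digest(rec["pw"], _hash(password, rec["salt"]))

    def recover(self, login_id, recovery_answer):
        """Return the contact email to send a reset link to, or None.
        Recovery needs the login ID and the (invented) answer; the email
        address by itself identifies nothing."""
        rec = self._by_login.get(login_id)
        if rec is None:
            return None
        expected = _hash(normalize_answer(recovery_answer), rec["salt"])
        return rec["email"] if hmac.compare_digest(rec["answer"], expected) else None


if __name__ == "__main__":
    store = AccountStore()
    login_id, password = generate_secret(16), generate_secret(24)
    store.register(login_id, "ken@example.com", password, "big iced coffee from starbucks")
    print("login id:", login_id, "password:", password)
    print("login with email as ID:", store.authenticate("ken@example.com", password))  # False
    print("login with login ID:", store.authenticate(login_id, password))            # True
    print("recovery:", store.recover(login_id, "Big Iced Coffee FROM Starbucks"))    # ken@example.com
```

The point of the separate dictionary key is the whole post in miniature: the public email address is where reset links go, but it is never accepted as the name of the account, so an attacker who knows the address still has to find the login ID before password or recovery-question guessing can even begin.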

Reminder: Check your credit reports

If you have not done so in the last 12 months, you should request your free annual credit reports from the three major bureaus. https://www.annualcreditreport.com

Signs of card data breach?

I am getting reports of some interesting unauthorized credit card transactions occurring in North Carolina. These are allegedly fraudulent 'card-present' transactions made at well-known retail establishments. The interesting part is that at least one of the affected people I spoke with is positive that they have the (only) card in their possession.

This tells me that it's likely related to a breach of stripe data, but I can't be sure yet. I wonder if we will be hearing about another breach soon?

Security awareness training...how to start.

Someone recently asked about how to get going on some training for their corporate users. I would approach it like this:

1. Internally 'publicize' some recent incidents to your user community. Reference such things as http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009 and break down how they occurred and where the mistakes were made. Pick some examples that are from companies in the same or similar businesses. Don't get overly technical here. The intent is to get everyone to understand that their actions, no matter how small, contribute to the company being able to stay out of the newspaper. An incident will hurt the company, and therefore could impact their job.

2.  Put together some high-level (plain English) training material such as a Frequently Asked Questions on the areas in which you get the most questions from your participants from step 1. Make sure every question is clearly answered.

3.  Follow this up with a more formal awareness program to help reinforce good decisions. Host a lunch-and-learn that breaks down your policies in plain English. Make this as interactive as possible. Add some role playing.

Liking this Google Calendar/Mail/Contacts

I needed something that would replace MS Exchange for managing my calendar, address book, and emails. I am currently doing my own thing and not working for a firm that has Exchange and I currently use a Windows Mobile device, not a BlackBerry. I was pleasantly surprised to see that Google has done a pretty good job so far.

Once you do the basics (set up Gmail, Google Calendar, and Google Docs if you'd like) you just need to set up Google Sync for your mobile device (for calendar and address book) and configure your device to connect to Gmail via IMAP. You should use IMAP instead of POP if you can; it's more secure and more efficient. Now everything is in sync. The only thing that I don't think you can currently sync is the to-do list.