Today in my in-box I got yet another invitation to attend a webinar that uses the Heartland Data Breach for some sort of benefit to the sponsoring organization. Yea, everyone is doing it. Just like we all did with TJX.
What annoys me is seeing those that were in IT Management (leading up to and at the time of the breach) being put up on a pedestal. Especially those that were ultimately responsible for the information security of the organization. It strikes me as odd that this occurred on their dime and they are now making dollars because of it. I'm not blaming them directly, at least I don't think I am.
Regardless of who ultimately turns out to be "the bad guy" in the whole Heartland breach fiasco, most breaches (the publicly disclosed ones anyways) are ultimately found to be avoidable. Most could have been avoided by having an information security program that's properly aligned with the organizations overall risk management program. The PCI DSS is supposed to promote this model, but many organizations jump right to focusing on meeting the minimum requirements of the DSS. Having a QSA (qualified security Assessor) wave his magical Report-On-Compliance wand and deem you PCI compliant isn't the solution.
Showing posts with label PCI Compliance. Show all posts
Showing posts with label PCI Compliance. Show all posts
Reminder: Check your credit reports
If you have not done so in the last 12 months, you should request your free annual credit reports from the three major bureaus. https://www.annualcreditreport.com
Signs of card data breach?
I am getting reports of some interesting unauthorized credit card transactions occurring in North Carolina. These are allegedly fraudulent 'card-present' transactions made at well-know retail establishments. The interesting part is that at least one of the affected people I spoke with is positive that they have the (only) card in their possession.
This tells me that it's likely related to a breach of stripe data, but I can't be sure yet. I wonder if we will be hearing about another breach soon?
Do You Think Faxing Something Means It's Secure?
Not necessarily. There are vulnerabilities that can make faxing risky. The first, and most obvious, is that faxes are initiated by people. People make mistakes. People punch in the wrong number. People inadvertently fax things to the wrong person. It happens. You can remind people to be careful, but mistakes are just going to happen. Just the other day someone I know received a fax from a Bank that included a list of names, social security numbers, and account numbers. A big oops.
To help address this issue, pre-program the fax numbers for the recipients that you commonly send sensitive information to. Also make sure that you use a cover page that clearly states who the intended recipient is, that the fax is only for that recipient, and provide instructions for an accidental recipient to follow in case they were to receive a fax in error.
The other issue is that many fax recipients are not walking up to the fax machine to pick up the received document. Instead, faxes are forwarded to the organizations email system where they are attached as images or as a PDF document. Why does this matter? You may not have intended for that potentially sensitive fax to be stored in the recipients email inbox on their local hard drive, on their corporate email server, in their email archiving solution, and now stored permanently on the email server backup media. Will the access controls you intended for this document continue to be upheld for these additional digital copies now floating around? Probably not. If that fax included payment card information or personally identifiable information, like social security numbers, then a law or rule was just broken. That sensitive information is now likely stored unencrypted on multiple systems that do not provide the access controls and protection now required for such data.
Just because it's faxed doesn't mean it's completely immune to security risk.
©2008 Kenneth M. Smith
To help address this issue, pre-program the fax numbers for the recipients that you commonly send sensitive information to. Also make sure that you use a cover page that clearly states who the intended recipient is, that the fax is only for that recipient, and provide instructions for an accidental recipient to follow in case they were to receive a fax in error.
The other issue is that many fax recipients are not walking up to the fax machine to pick up the received document. Instead, faxes are forwarded to the organizations email system where they are attached as images or as a PDF document. Why does this matter? You may not have intended for that potentially sensitive fax to be stored in the recipients email inbox on their local hard drive, on their corporate email server, in their email archiving solution, and now stored permanently on the email server backup media. Will the access controls you intended for this document continue to be upheld for these additional digital copies now floating around? Probably not. If that fax included payment card information or personally identifiable information, like social security numbers, then a law or rule was just broken. That sensitive information is now likely stored unencrypted on multiple systems that do not provide the access controls and protection now required for such data.
Just because it's faxed doesn't mean it's completely immune to security risk.
©2008 Kenneth M. Smith
15 Steps for Protecting Your Credit Card Information During Retail Purchases
How to Protect Yourself When Using Your Credit Card for Retail Purchases
Copyright (c) 2008 Kenneth M. SmithFor years, most of the focus and buzz has been around the threats posed by the Internet and online transactions. But a substantial amount of security breaches have had nothing to do with the Internet. There are vulnerabilities in the "card-present" transaction process just as there are in the online world. Every time you take your card out of your wallet there is some risk involved.
In a previous article, "Checklist For Protecting Your Credit Card Information Online", I provided some tips on protecting yourself when using your credit card for online transactions. As promised, here are some tips for protecting yourself from payment card fraud and identity theft when using your card for purchases at retail establishments.
1. Always get a receipt - Although merchants are no longer required to provide you with a receipt by default for purchases of $25 and under, you should still request one. This is your only record and proof of the amount of the original transaction and what you purchased.
2. Check that the receipt shows only the last four digits of your card number and that the expiration date is not printed. If it is, use a marker or pen to cross out this information and ask to speak with the manager. Remind them that this is against payment card rules and, depending on the state you are in, may even be against the law.
3. Fill out your duplicate receipt. This is typically for establishments like restaurants. Fill out your copy with the amount you gave for a tip and add up the total again. This allows you to confirm your math and also allows you to keep track of what the actual transaction total was. There have been a number of scams involving the fraudulent modification of the tip and total amounts on the restaurant copy of the receipt.
4. Use your credit card instead of your debit card. Most credit cards provide some form of protection in case fraud were to occur. For example, you are usually not liable for any fraudulent purchases if you notify the card company quickly and complete an affidavit. But you don't normally get these protections and liability limits if you use one of the many types of debit cards available that can also be used as if they were a credit card. They are not truly a credit card and they do not have the same benefits.
5. Set purchase limits. Set a single purchase limit or daily purchase limit on the cards you normally carry with you.
6. Set card notification alerts. Setup notification alerts with your card provider so that you will receive some sort of notification when a transaction exceeds a certain amount.
7. When your card is out - keep your wallet in hand. After you have given a clerk your credit card, keep your wallet out in your hand. This will help prevent you from accidentally leaving without your card.
8. Watch what the cashier does with your card. Your card should remain within your sight as much as possible. Watch for anything suspicious, like a cashier swiping your card with a small hand-held "skimmer" device or clicking a picture of it with their cell-phone camera.
9. Avoid small establishments that take your card out of sight. Small gas stations and many restaurants still fall into this category and are a few of the last types of retailers that take your card from you and out of your sight. Table checkout solutions are gaining in popularity to address this problem in restaurants. And most gas stations have pumps that let you swipe your card, or they let a full service attendant do so within your view.
10. Write 'ASK FOR I.D.' on the back of your card. Use large letters and a permanent marker, write this above or below your signature on the back of your card. You will find that many clerks will still not ask for your ID, but it only takes a few seconds to write this on your card and could stop a fraudulent purchase.
11. Sign your card. Some think that not signing the back of the card forces the cashier to ask for an ID, making the transaction somehow more secure. This couldn't be further from the truth. Actually this makes it more risky. According to card company rules, your card is not valid until it's signed and merchants are not supposed to accept an unsigned card. So, sign your card now.
12. Do not allow the merchant to write down any information from your card. This includes situations in which the merchants electronic payment system isn't working properly. Don't take their offer to write down your card information to settle the transaction later. If they don't have a way for accepting your card payment and you don't have the cash, they don't get the sale. Be especially prudent to be sure that no one writes down the CVV security code found on the back of the card.
13. Do not let anyone make a photo copy of the back of your card. The back of your card contains your CVV code as well as your signature. The practice of making a photocopy of your credit card, especially for large amounts, is common at merchants such as automobile dealerships. It's a way for them to prove that the card was 'present'. If they do make a copy of the front of your card, ask them about their security procedures and how they are going to protect that photocopy. Regardless, never allow anyone to make a copy of the back of the card.
14. Don't put those miniature credit cards on your key-chain. I honestly don't know what anyone was thinking when they came out with these. Most people do not protect their keys as they do their wallet. Even if you don't put one of these little cards on your key-chain, they are easier to misplace and just increase the chances of your card information getting in the wrong hands. I don't recommend using them at all.
15. Never write down the CVV security code from your card. If you are ever asked to write this number down, just say no. For paper order forms, it's O.K. for the merchant to ask for your name, card number, and expiration date. It's not O.K. for them to ask you to write down the CVV code, anywhere. This number is never to be stored by a merchant, and having it written down on a form is storing it.
If you have found this check-list helpful, please let me know. You may forward a link to this post to anyone on any planet. You may reproduce this article as long as the author is credited and a link to this blog (http://mrsm1th.blogspot.com) is provided. If you would like to use this article for commercial purposes, please contact me by leaving a comment below.
Contents Copyright (c) 2008 Kenneth M. Smith
Does 'storage security' buy you anything?
I sat in on a webinar the other day and reviewed the sponsors' product data-sheets and other product materials. This was a 'storage security solution'. What is a storage security solution?
To sum it up, it's a data encryption solution that secures data at the SAN/NAS storage layer. In other words, it encrypts the data stored within the SAN and also includes access controls to restrict access to certain data within the SAN by certain hosts. Sounds kinda neat, huh? I found it interesting that the vendor was touting that their product addresses the encryption and data security requirements of the PCI (Payment Card Industry) Data Security Standard. I have to completely disagree with this positioning.
The product does encrypt data at rest within the SAN. But this is not really where the threat exists. The solution does nothing in regards to protecting data once a host is authorized to access the data within the SAN. And the threat of someone getting physical access to your SAN in order to attach to an existing volume is, shall we say, not very probable. And, if you are following the other requirements of PCI, you have your SAN and servers secured within a data center with appropriate physical access controls. So the chance of someone walking off with servers and your SAN also has a low probability.
With a solution like this in place, the Oracle database server has complete access to the encryption keys and all of the data in the SAN that it needs in order for the database to operate. And the web application that's connected to this database has access to all of the data it needs in order for the application to operate. So, even with such a solution implemented, you are still completely dependent on the security and access controls (and inadequacies) of those systems to protect the data. If someone can circumvent the controls in the web application or the database access controls, is doesn't really matter if the data is encrypted in the SAN. Implementing a database encryption solution would be a much more effective and secure solution.
But a solution like this isn't all bad. Where I do see value is in highly virtualized environments. Since the data is encrypted with the SAN you will have the capability to restrict access to only authorized hosts. Another great feature of the solution I reviewed is the ability to apply this technology to backup media. This is an area that's fraught with vulnerability, and it's good to see a product that addresses this head-on. What bugs me is when vendors get a little over zealous in their marketing strategy, attempting to position themselves as a solution to problems they don't really solve.
Copyright (c) 2007 Kenneth M. Smith
To sum it up, it's a data encryption solution that secures data at the SAN/NAS storage layer. In other words, it encrypts the data stored within the SAN and also includes access controls to restrict access to certain data within the SAN by certain hosts. Sounds kinda neat, huh? I found it interesting that the vendor was touting that their product addresses the encryption and data security requirements of the PCI (Payment Card Industry) Data Security Standard. I have to completely disagree with this positioning.
The product does encrypt data at rest within the SAN. But this is not really where the threat exists. The solution does nothing in regards to protecting data once a host is authorized to access the data within the SAN. And the threat of someone getting physical access to your SAN in order to attach to an existing volume is, shall we say, not very probable. And, if you are following the other requirements of PCI, you have your SAN and servers secured within a data center with appropriate physical access controls. So the chance of someone walking off with servers and your SAN also has a low probability.
With a solution like this in place, the Oracle database server has complete access to the encryption keys and all of the data in the SAN that it needs in order for the database to operate. And the web application that's connected to this database has access to all of the data it needs in order for the application to operate. So, even with such a solution implemented, you are still completely dependent on the security and access controls (and inadequacies) of those systems to protect the data. If someone can circumvent the controls in the web application or the database access controls, is doesn't really matter if the data is encrypted in the SAN. Implementing a database encryption solution would be a much more effective and secure solution.
But a solution like this isn't all bad. Where I do see value is in highly virtualized environments. Since the data is encrypted with the SAN you will have the capability to restrict access to only authorized hosts. Another great feature of the solution I reviewed is the ability to apply this technology to backup media. This is an area that's fraught with vulnerability, and it's good to see a product that addresses this head-on. What bugs me is when vendors get a little over zealous in their marketing strategy, attempting to position themselves as a solution to problems they don't really solve.
Copyright (c) 2007 Kenneth M. Smith
Checklist For Protecting Your Credit Card Information Online
Kenneth M. Smith CISSP CISA QSA
I am an information security consultant and a PCI Qualified Security Assessor. I have worked with companies to help them lower their risk when it comes to protecting customer card data and personally identifiable information (PII). I have seen some pretty interesting things, some of which I would rather not share or will not share due to non-disclosure agreements. I will let you surmise what I mean by "interesting".
But an important part of the equation is consumer awareness and good practice when it comes to using credit cards, whether online or at retail establishments. Below is my first attempt at a checklist for consumers when using their credit cards to make purchases online. I assume that you are practicing basic safe computing by using a Firewall, Anti-virus, and Anti-Spyware software. There are 18 items and they are not in a specific order of importance.
Note: In a future installment I will provide a checklist specifically related to retail purchases as there are also plenty of steps you can take to protect yourself when visiting your local restaurant, gas station, or other retail establishment. Dealing with a case of card fraud and identity theft is also quite a chore, not nearly as easy as some might make it sound. I am also working on a checklist for dealing with such an event.
1. Avoid using your email address as your login name. Don’t use your email address as your login ID on web sites that you use your credit card to make purchases from. It’s a common practice now that web sites default to using your email address as the login name. This is for convenience and to help address the problem of users forgetting their login name. The problem is that if your login information is compromised on just one site, it could be assumed that you used not only the same login name (email address) but the same password too. Now all the attacker needs to do is to try this same login name and password on other sites.
I am an information security consultant and a PCI Qualified Security Assessor. I have worked with companies to help them lower their risk when it comes to protecting customer card data and personally identifiable information (PII). I have seen some pretty interesting things, some of which I would rather not share or will not share due to non-disclosure agreements. I will let you surmise what I mean by "interesting".
But an important part of the equation is consumer awareness and good practice when it comes to using credit cards, whether online or at retail establishments. Below is my first attempt at a checklist for consumers when using their credit cards to make purchases online. I assume that you are practicing basic safe computing by using a Firewall, Anti-virus, and Anti-Spyware software. There are 18 items and they are not in a specific order of importance.
Note: In a future installment I will provide a checklist specifically related to retail purchases as there are also plenty of steps you can take to protect yourself when visiting your local restaurant, gas station, or other retail establishment. Dealing with a case of card fraud and identity theft is also quite a chore, not nearly as easy as some might make it sound. I am also working on a checklist for dealing with such an event.
1. Avoid using your email address as your login name. Don’t use your email address as your login ID on web sites that you use your credit card to make purchases from. It’s a common practice now that web sites default to using your email address as the login name. This is for convenience and to help address the problem of users forgetting their login name. The problem is that if your login information is compromised on just one site, it could be assumed that you used not only the same login name (email address) but the same password too. Now all the attacker needs to do is to try this same login name and password on other sites.
2. Delete online accounts you no longer use. Remove your credit card information and your login account from sites you no longer frequent. It will only take a moment and it will reduce your exposure. If the site does not make this easy to do this online, call them or send them a letter with your request.
3. Change your password regularly. And I don’t mean once a year here. A reasonable time frame is probably every few months or even more frequently depending on your online buying habits. If the site does not make it easy to change the password, contact them for assistance on how to do this yourself online.
4. Use complex passwords. This goes without saying but I continue to be amazed when performing security audits at how many people use very simple passwords. Consider using passphrases instead of passwords and mix it up with numbers, upper and lower case letters, and other punctuation characters. If a web site doesn’t allow the use of characters other than numbers and letters in the password, complain! This just isn’t good security practice.
5. Don't log in using your SSN or account number. Do not log into sites using your full social security number or account number as the login ID or password. If any sites you use require this, contact them and demand that they change this practice. There is really no reason for this.
6. Perform initial web site registration for services that provide online access as a benefit. You likely have credit card, bank, medical, insurance, 401k, and other sites that make online access to your accounts possible as an additional benefit. You may not even be aware that you have online access to your account as a counterpart to your standard account management method. The first time sign-in to some sites may use a portion of your social security number or other personal information as part of the initial sign up confirmation process. If you don’t plan on using such sites, contact the company and request that they disable online access to the account. If you do plan on using the site, perform the initial login as soon as you can and assign a complex password to the account. Also, as mentioned above, avoid using your email address as your login name.
7. Read the security and privacy policies of web sites that you use for card transactions. A number of large well known sites clearly stipulate that they are not responsible if your account or data is compromised and that there is no expectation of security or privacy on their part. Most users of these sites are probably not aware of this. Consider the consequences of using such sites.
8. SSL doesn’t mean your data is secure or that the company follows best security practices. Don’t trust sites that have a security and privacy statement that simple says “this site is protected with the latest SSL security technology so your information is secure”. This really bugs me to see this as a security statement on a web site. SSL only protects your information in transit between your web browser and their web server during your session. This means nothing when it comes to protecting your information once it is saved to their server, or leaves their server to be processed or stored elsewhere. Read their policy on protecting your information after the transaction.
9. Don’t make online card transactions from an untrusted computer. This includes Kiosks, Internet Cafes, or even a friends computer. You just don’t know what might be running in the background capturing your transaction information.
10. Use online payment services. Use an online payment service to reduce the number of merchants that have your credit card numbers. These services reduce the possible ‘attack surface’ of your card information by keeping your credit card and identity information with the payment service, not with each of the merchants.
11. Don’t ignore warnings from your web browser. They appear for a reason and you should read them. Don’t get in the habit of clicking Ok or Cancel before you know what the warning is about. An error could be a sign of a malicious site redirect, man-in-the-middle, or phishing attack.
12. Use additional security features offered by the site. If the site offers additional security features, like those that confirm the authenticity of the site and the user computer, use them. They help ensure that you are connected to the actual site you intended, not a spoofed site.
13. Watch for the lock. You’ve probably been reminded of this hundreds of times. But it’s worth mentioning it again. If there is no lock, then the site is not using SSL. If the lock indicator does appear but it looks “broken” or there is a line across it, then there is a problem with the web sites SSL certificate. Click on the lock for more information about the problem.
14. Avoid logging in from the main page of web sites. There are some sites that provide login fields on their main web site page which are not initially secure (no lock displayed). This, they claim, is for user convenience. In most cases, the actual login will usually then be carried out encrypted with SSL, but not until you enter your login information and click login. This behavior is inconsistent with the idea of ensuring that the site is secure (you see the lock) before providing your login information. A simple workaround is to click on the login button without providing a login name and password. You will see a login error but you will immediately be redirected to a secure login page where you can login as usual.
15. Do not use the ‘remember me’ feature for sites in which you use credit cards. For many sites, this means that they will store a persistent ‘cookie’ on your computer so they will know it’s you the next time you connect to the site. If your system were to be compromised, that ‘cookie’ is all that’s needed to login to your account without a login name and password. Note that this is different than the new feature of some sites that let you 'register' a computer as a system that you normally use to login. Also, after an online card transaction, remember to always click on the “log out” button and then close the browser window.
16. Do not use a debit card for online purchases. Most credit cards provide some form of protection in case fraud were to occur. For example, you are usually not liable for any fraudulent purchases if you notify the card company quickly. But you don't normally get these protections and liability limits if you use one of the many types of debit cards available that can also be used as if they were a credit card. They are not truly a credit card.
17. Check your credit report often. Many victims first learn of fraudulent accounts created on their behalf while reviewing their credit report. One of the tell-tale signs is a new address showing up in your credit report that is obviously not yours. At a minimum, you should be requesting your free credit reports from http://www.annualcreditreport.com/ or by phone at 1-877-322-8228 every 12 months.
18. Check your card statement as soon as it arrives. Many victims first learn that their card has been used fraudulently while reviewing their monthly statement. Be diligent and read it as soon as it arrives. Also, if you don't get your statement around the time it normally arrives, be concerned. Contact the card company to make sure the delay is on their end, and that someone didn't fraudulently change the address on the account.
Contents Copyright (c) 2007 Kenneth M. Smith
Where does most credit card fraud occur?
According to Visa, the majority of credit card fraud occurs at small and medium restaurants. Unfortunately, most restaurants fall below the radar of the Payment Card Industry (PCI) levels that require proof of compliance. This means that fraud at such establishments will continue to be a problem. As a matter of fact, as more criminals realize the sad state of credit card data protection procedures at most restaurants, the problem will likely increase.
Subscribe to:
Posts (Atom)