
Brian Pennington

A blog about Cyber Security & Compliance


February 2011

Lush Cosmetics is once again trading online

Lush, the company that has suffered “security issues” over the last few months, is up and running again.

The Lush website states “The Lush IT team have worked with our security advisers and bank providers

The site also states “Should you choose to make a purchase, you will see that our payment page now takes you away from the Lush website and directly to our card providers site, where your payment is safely in the hands of the big boys at the money institutions. You can shop with confidence knowing that your details will be safe.”

Hopefully, the lessons have been learnt and they will be trading as well as they did in the past.

Read about the original UK and Australia Hacks here


Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure? – Smart Card Alliance


The EMV specification defines technical requirements for bank cards with embedded microchips and for the accompanying point-of-sale (POS) infrastructure. With few exceptions (primarily in the United States), financial institutions worldwide issue EMV bank cards to businesses and consumers.

According to EMVCo, approximately 1 billion EMV cards have been issued globally and 15.4 million POS terminals accept EMV cards. The primary purposes of including a chip in a bank card are to store cardholder data securely, protect data stored on the chip against unauthorized modification, and reduce the number of fraudulent transactions resulting from counterfeit, lost, and stolen cards.

Smart Card Alliance website

Smart Card Alliance White Paper: Card Payments Roadmap in the U.S.: How Will EMV Impact the Future Payments Infrastructure?

PCI Awareness Training – official courses are now available

The PCI Council has announced that it is offering PCI Awareness Training to anyone interested in learning more about PCI DSS.

The dates of the official council courses are:

  • March 11, 2011, London, England, 09:00-17:30, $995 USD plus local taxes
  • April 1, 2011, Sydney, Australia, 09:00-17:30, $1500 USD plus local taxes

Course Description

  • What is PCI and what does it mean to companies that must meet compliance with the DSS? An overview of the payment card industry, the terminology used within the industry, the flow of transaction data through the various components that make up the payment card industry, and the relationships between the various organizations in the process.
  • How the credit card brands differ in their validation and reporting requirements – Detailed coverage of the classifications and compliance requirements for merchants and service providers and details about the various card brands’ compliance programs.
  • Roles and Responsibilities – Descriptions of the key actors in the compliance process including high-level overviews of the Qualified Security Assessor (QSA), Internal Security Assessor (ISA), Payment Application Qualified Security Assessor (PA-QSA) and Approved Scanning Vendor (ASV) programs.
  • PCI Data Security Standard (DSS) – An overview of the current DSS (version 2.0), the testing procedures for validating compliance, and what constitutes compliance with the requirements.
  • PCI Hardware and Communications Infrastructure – Generalized overview of the types of devices used by organizations to accept payment cards and communicate with the verification and payment facilities.
  • PCI Reporting – An overview of the different types of reports that must be submitted to the card brands or their designated agents to demonstrate compliance (or non-compliance) of the organizations filing the reports.
  • Real world examples – An overview of compliance issues and mitigation strategies including defining compensating controls, creating policies and modifying the cardholder data environment.


PCI often fails because of an employee’s action, so it is good to see the PCI Council has launched these courses. However, there is only one course in Europe and it is on a first-come, first-served basis, which means only a few of the millions of European merchants will gain any advantage.

I have found “general” PCI Awareness courses fail to meet the needs of organisations because:

  • The course will be pitched at differing skill levels, from beginners (hopefully there are not too many left) to experts who may have been through external audits by a QSA.
  • It is not specific to an industry type; the needs of an e-commerce merchant are very different from those of a mail order/telephone order merchant.
  • The individual employee has the daunting task of taking the knowledge and rehashing it for the rest of their organisation. Even if they have the slideware, they never have the gravitas of an external trainer or QSA who can handle all the questions that will be fielded.


There are alternative sources of training that will deliver public or bespoke courses for an organisation.

In a recent client scenario, we provided 1-day classroom-based training for senior managers, a series of ½-day road-trip stops at local sites for branch workers and 1-hour web-based sessions for field-based staff.

This ensured the right people gained the right knowledge when and where the client required it.

Find the details of the PCI Council courses here or ping me an email for ideas on how you can make your employees more aware of PCI.

Downloadable: CyberSource’s report on UK Online Fraud 2011

The report is based on an industry wide survey, and addresses the detection, prevention and management of online fraud.

The Cost of Fraud

On average, the percentage of annual online revenue that businesses expect to lose to payment fraud in 2010 has dropped from 1.8% to 1.6%.

The survey revealed that this does vary dramatically by merchant size:

  • Very large businesses expected to lose £365,500 to online payment fraud, equating to an average of 1.5%
  • Large businesses expect to lose £173,500 (1.2%)
  • Medium businesses £66,000 (2.4%)
  • Small businesses £3,500 (1.5%)

The report delivers:

  • Key fraud metrics, including review and order reject rates
  • Most widely used fraud detection tools
  • Chargeback practices; re-presentment and win rates
  • Merchants’ fraud management priorities for 2011

Download the report here (registration required).

29% of credit card holders hit by fraud as global fraud rises

ACI Worldwide conducted fraud research in 14 countries and found that 29% of the 4,200 respondents had been victims of credit card fraud in the last 5 years.

The percentage in the UK was above the norm at 33%, a rise of 6% in the last 18 months. This puts the estimated number of UK consumers hit by credit card fraud at 14.6 million in the past five years.

Other countries fared better, such as the Netherlands with 11% experiencing fraud whilst others, like China with a 43% fraud rate, fared worse.

ACI Worldwide http://www.aciworldwide.com

Lush confirm their Australian Website has been hacked


In a statement on the Lush Australia website http://www.lush.com.au/, Lush have confirmed that hackers have gained access to the site and that customer data “may” have been obtained (hacked). Lush advise customers to contact their bank about their credit cards.

They point out that the Australian website is not directly connected to their recently hacked UK site. The hacked UK site has a similar announcement to the Australian site http://www.lush.co.uk

Eight must-fix flaws prior to an application penetration test

An excellent article by Neil O’Connor for SearchSecurity.

The full article is HERE, but Neil’s eight must-fix flaws are listed below:

  1. Trusting client-side validation
  2. Blacklisting for input validation
  3. Improper error handling
  4. Forgotten/change password functionality
  5. Unencrypted communications/authentication
  6. Lack of auditing and logging
  7. Not reusing good security API or already tested code
  8. Not following Microsoft best practice development guides

For PCI DSS the guidance for requirement 6.6 is:-

Attacks on web-facing applications are common and often successful, and are allowed by poor coding practices. This requirement for reviewing applications or installing web application firewalls is intended to greatly reduce the number of compromises on public facing web applications that result in breaches of cardholder data.

  • Manual or automated vulnerability security assessment tools or methods that review and/or scan for application vulnerabilities can be used to satisfy this requirement.
  • Web-application firewalls filter and block non-essential traffic at the application layer. Used in conjunction with a network-based firewall, a properly configured web-application firewall prevents application-layer attacks if applications are improperly coded or configured.
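To make four of the eight flaws concrete on the server side, here is an added example (not code from Neil O’Connor’s article, SearchSecurity or the PCI Council). It contrasts a blacklist check with an allowlist check for flaws 1 and 2, returns generic errors to the client while logging the detail for flaw 3, issues random, short-lived, single-use forgotten-password tokens for flaw 4, and routes every security event through a dedicated audit logger for flaw 6. The field names, rules, the in-memory token store and the `handle_request` shape are assumptions made for the example.

```python
import hmac
import logging
import re
import secrets
import time
from dataclasses import dataclass

# Flaw 6: a dedicated audit logger so security events are not lost in debug noise.
audit = logging.getLogger("audit")

# --- Flaws 1 and 2: validate on the server, with an allowlist rather than a blacklist ---

BLACKLIST = ("<script", "' or ", "--")   # a few "known bad" fragments (constructed)


def blacklist_ok(value: str) -> bool:
    """Blacklist check: passes anything the list does not mention,
    so a change of case or encoding walks straight past it."""
    return not any(bad in value for bad in BLACKLIST)


# Allowlist: one rule per field describing what a valid value looks like (assumed fields).
FIELD_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "quantity": re.compile(r"^[1-9][0-9]{0,2}$"),   # 1..999
}


def allowlist_ok(field_name: str, value: str) -> bool:
    """Allowlist check: unknown fields and anything off-pattern are rejected."""
    rule = FIELD_RULES.get(field_name)
    return rule is not None and rule.fullmatch(value) is not None


class ValidationError(Exception):
    """Raised when a submitted field fails its allowlist rule."""


def validate_order(form: dict) -> dict:
    """Rebuild the order from validated fields only; unexpected fields are dropped."""
    clean = {}
    for field_name in FIELD_RULES:
        value = str(form.get(field_name, ""))
        if not allowlist_ok(field_name, value):
            raise ValidationError(f"field {field_name!r} failed allowlist check")
        clean[field_name] = value
    clean["quantity"] = int(clean["quantity"])
    return clean


# --- Flaw 3: handle errors without leaking internals to the client ---

def handle_request(form: dict) -> tuple:
    """Return (status_code, response_body); specifics go to the audit log only."""
    try:
        return 200, {"status": "ok", "order": validate_order(form)}
    except ValidationError as exc:
        audit.warning("rejected input: %s", exc)            # reason in the log
        return 400, {"error": "invalid input"}                # generic text to the client
    except Exception:
        audit.exception("unhandled error processing order")  # stack trace in the log
        return 500, {"error": "internal error"}


# --- Flaw 4: forgotten-password tokens that are random, short-lived and single-use ---

@dataclass
class ResetToken:
    user: str
    token: str
    expires_at: float


_reset_tokens = {}   # user -> ResetToken; in-memory store for the example only


def issue_reset_token(user: str, ttl_seconds: int = 900, now=None) -> str:
    """Issue a 256-bit random token that expires after ttl_seconds."""
    issued_at = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[user] = ResetToken(user, token, issued_at + ttl_seconds)
    audit.info("password reset token issued user=%s", user)
    return token


def redeem_reset_token(user: str, presented: str, now=None) -> bool:
    """Accept the token once, before expiry, using a constant-time comparison."""
    current = time.time() if now is None else now
    record = _reset_tokens.get(user)
    if record is None:
        audit.warning("reset attempt with no outstanding token user=%s", user)
        return False
    if current > record.expires_at:
        del _reset_tokens[user]
        audit.warning("expired reset token presented user=%s", user)
        return False
    if not hmac.compare_digest(record.token, presented):
        audit.warning("invalid reset token presented user=%s", user)
        return False
    del _reset_tokens[user]   # single use: a replayed token is refused
    audit.info("password reset token redeemed user=%s", user)
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(blacklist_ok("<SCRIPT>alert(1)</SCRIPT>"))              # True: blacklist bypassed by case
    print(allowlist_ok("username", "<SCRIPT>alert(1)</SCRIPT>"))  # False
    print(handle_request({"username": "alice_01", "quantity": "2"}))
    print(handle_request({"username": "alice_01", "quantity": "0"}))
```

The allowlist rejects by construction rather than by recognition, which is why a case change defeats the blacklist but not the pattern; the client only ever sees “invalid input” or “internal error”, and the audit log carries the reason, the user and the outcome of each reset attempt, which is the record a reviewer or incident responder would later need.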

Wells Fargo Offers Online and Mobile Fraud Prevention Tips


Wells Fargo & Company announced it has published a list of tips to help people keep fraud prevention top-of-mind as encouraging findings are released in the new 2011 Identity Fraud Survey Report from Javelin Strategy & Research, an independent industry research firm.

Wells Fargo Offers Online and Mobile Fraud Prevention Tips | TradingMarkets.com.

Top 5 Riskiest Places To Use Your Credit Card | B2B News

From B2B News

You can still be a victim of credit card fraud even if you use it with utmost caution. Credit card companies and banks are more and more often putting the onus of catching phony or incorrect credit card charges on the consumer.
The most important thing is to check your billing statement. And there are organizations like Creditcards.com that offer tips on how to keep your cards safe as well. Here, we take a look at 5 of the riskiest places you might use your card, according to Creditcards.com, and what you can do to stay away from dangers.

Non-Bank Owned ATMs

Encryption at these ATMs is often not as good as at bank ATMs. These ATMs also are more likely to be hacked. And in some cases, people have put up devices that look like ATMs but don’t give out cash. Instead, they are just card-skimming devices aimed at stealing your credit card or debit card information.

Flea Markets

Flea market merchants are often transient and can be difficult to locate if there is a problem with charges. It’s especially true for vendors who don’t have online credit card terminals and instead make carbon copies of your credit card.

That doesn’t mean those vendors are necessarily fraudulent, but it makes the transaction less secure. The credit card company might have trouble doing a charge back. If you’re going to the flea market, take cash. It’s also easier to negotiate that way.

Small Shops/Cafes in Foreign Countries

These smaller merchants have a significantly higher percentage of credit card fraud as reported by large banks and credit card companies. Many of these transactions end up being written off by the banks because the merchants simply can’t be located. There’s just a higher chance of fraud when you get outside of the mainstream, so when in doubt, use cash.

Non-Secure Online Checkout

Any safe, reputable e-commerce site is going to have a secure checkout page, like the one shown at left. If that doesn’t appear, it should be a red flag. You can almost be sure it’s not legitimate, and even if it is, you’re opening yourself to that transaction being seen by others.

Purchases on Smart Phones

Purchases on smart phones can also be less than secure. If your smart phone connects to a public wi-fi signal, you’re going to be much less secure. Someone else can potentially see the transaction, or malware can be placed on your device that can potentially transmit your personal information.

Top 5 Riskiest Places To Use Your Credit Card | B2B News.

14 Arrested for Credit Card Fraud


Authorities arrested 14 members of a criminal ring that has netted $30 million in credit card and bank frauds.

Courthouse News Service.

Risk of identity theft in hotel declines – USATODAY.com

Hotels are no longer the No. 1 target of hackers in their quest to steal credit card information but your data still has a higher chance of being stolen inside a hotel, a veteran cybersleuth tells Hotel Check-In.

Last year, hotels became a top priority for online criminals seeking to steal travelers’ credit-card information and other data.

But this year, online thieves are now focusing on restaurants, Nicholas Percoco, senior vice president and head of SpiderLabs at data security firm Trustwave, told me. That means they might target a posh hotel restaurant with a sommelier, a fast-food joint or anything else in between.

Thieves started to ease up on hotel computer systems in mid-2010, about 18 months after attacking Wyndham hotel computers and computers of other chains.

I asked Percoco if hotels moved down a notch because the industry spent more money to protect their computer systems, if travelers got smarter or if thieves just decided to move on.

It’s a mix, he told me. Many of the big chains – like Marriott, Hilton and InterContinental Hotels Group, though he wouldn’t name names – have thrown resources to shore up their computer security, he told me.

Furthermore, all the media reports about hotels being at risk for cybercrimes made the thieves fearful that they could get caught.

As they did with hotels, these cybercriminals look for a weak link in a restaurant or fast-food chain and enter their computer system to steal credit-card information and other data.

Risk of identity theft in hotel declines – USATODAY.com.

http://travel.usatoday.com/hotels/post/2011/02/trustwave-spiderlabs-hotels-hackers-identity-security/142372/1

Low security awareness found across IT

Extract from the Computerworld article:

  • The survey polled 430 members of the Oracle Application Users Group (OAUG); it was conducted by Unisphere Research and sponsored by Application Security Inc.
  • About 22% of respondents claimed to be extensively involved in security functions.
  • 60% claimed a limited or supporting role, and the rest said they were not involved with security at all.
  • About 100 respondents belonged to companies with more than 10,000 employees.
  • Just 4% admitted to being fully informed about security breaches within their organizations.
  • About 80% of those who said their organizations had suffered a data breach in the past year were unable to tell which IT components might have been impacted by the breach.

Low security awareness found across IT – Computerworld.

McAfee CTO warns of new combined threat named ‘Night Dragon’ – SC Magazine UK

McAfee CTO warns of new combined threat named ‘Night Dragon’ – SC Magazine UK.

Information Commissioner’s Office issues third and fourth fines to Ealing and Hounslow Councils over loss of unencrypted laptops

Yesterday saw the second wave of fines from the Information Commissioner’s Office (ICO) over breaches to the Data Protection Act.

After the landmark first cases in November where monetary penalties were issued to Hertfordshire County Council for ‘two serious incidents’ regarding accidentally sent faxes, and to employment services company A4e for the loss of an unencrypted laptop, two more councils have also been fined for the loss of unencrypted laptops.

http://www.scmagazineuk.com/information-commissioners-office-issues-third-and-fourth-fines-to-ealing-and-hounslow-councils-over-loss-of-unencrypted-laptops/article/195948/?DCMP=EMC-SCUK_Newswire

When talking to customers I often find they deal with legislation and compliance in silos, e.g. PCI DSS on its own. The reality is that there are common security elements across almost all pieces of legislation and compliance.

A simple way of dealing with this is to ask “how important is the data?”. Because of PCI DSS, cardholder data is important, and under the Data Protection Act so is customer data, so why not apply the same levels of protection and controls to both?

PCI fines could put merchants out of business


An interesting interview between Bob Russo, general manager of the PCI Security Standards Council, and Practical e-Commerce, an online resource for merchants.

This part of the interview concerns the rarely discussed issue of fines.

Practical e-Commerce asked: “Although there is a lot of talk about having to comply with PCI standards, there don’t seem to have been any real ramifications for non-compliant merchants to date.”

Bob Russo replied “I totally disagree. You’re playing Russian roulette here with your business. While there might not be a validation requirement (which is to say that you may not have to prove to anyone that you are PCI compliant), if in fact you suffer a breach and you are found not to be compliant at the time of this breach, then there are tremendous ramifications.

“There are fines, and for a small business, a fine could literally put them out of business. There is the specter of customers walking away because they’ve either figured out, or, with our breach notification laws, someone has told them that the breach occurred at the merchant’s site. There’s the specter that they will not shop with the merchant anymore because they feel like you [the merchant] are not keeping their information safe, whether it be credit card information or personal information. It’s a really big issue. Are your readers willing to play Russian roulette? They’re the only ones who can answer that question.”

Read the full interview at http://www.practicalecommerce.com/articles/2565-PCI-Council-General-Manager-on-Non-Compliance-Russian-Roulette-

The majority of stolen Credit Cards stop being used after 24 hours

Ethoca in their report “Fraud Attacks Cross Industries” (Jan 2011) have established that in 86% of cases, fraudsters stopped using a credit card in less than 1 day (24 hours) either because the card was cancelled by the issuer or because the fraudster began using another card.

They also found that 10% of stolen cards were used at multiple merchants.

In only 29% of the cases did the fraudster stay within the same industry sector. In other words, fraudsters try to spread their fraud across as wide a field as possible, probably to avoid the card issuers’ anti-fraud procedures, which can spot buying patterns – how many mobile phones does one person need?

The report established that the number one target for cross-industry fraud was mobile phones, followed by pre-paid gift cards. This means that in almost all cases of organised fraud the fraudster will have a mobile phone and a gift card on their shopping list.

About the report

Ethoca’s data came from credit card issuers and online merchants. The 95 merchants studied in their program represent 61% of the top 500 Internet merchants as measured by revenue*.

Issuers had identified the fraud with their own risk management systems and then confirmed with the cardholder that the order was indeed fraudulent before providing the transaction details to Ethoca. As a result, Ethoca was able to study a total of 25,188 confirmed cases of fraudulent transactions from June 2010 through October 2010.

*Source: Internet Retailer Magazine for 2009 www.top500guide.com
