Brian Pennington

A blog about Cyber Security & Compliance


November 2011

Combating Cybercrime to Protect Organisations

PWC have released their annual Cybercrime report, “Cybercrime: protecting against the growing threat – Global Economic Crime Survey”, and as usual it makes very scary reading.

The report shows that crime is up and that organisations have been slow to react to threats that were highlighted in previous reports.

Organisations of all sizes need to improve their ability to protect their sensitive data. The report focuses on several areas that need addressing, for example awareness of the threats in senior management and training for employees in how to spot crime and how to take the appropriate steps to react to an incident (Incident Response Planning…).

There needs to be adequate protection in the form of technology, procedures and policies for the proposed awareness and training to be effective and efficient.

The report is based upon 3,877 respondents from organisations in 78 countries, a scale that provides a global picture of economic crime.

The key findings of the report are shown in full, with the remainder of the post focusing on the statistics shown in the report.

Key Findings from the PWC “Cybercrime: protecting against the growing threat” report

Our sixth report paints a dramatic picture of UK organisations still struggling in the face of severe austerity cuts.

Economic crime has risen by 8 percentage points since our 2009 survey, with over half of respondents reporting at least one instance of economic crime in the last 12 months. Even more concerning for Senior executives was the fact that 24% of respondents reported more than ten incidents in the last 12 months.

Our findings suggest that the combination of rising economic crime in the UK, and widespread austerity cuts that limit the resources available to focus on economic crime, has made today’s business environment altogether more difficult and risky.

Cybercrime has become the third most common type of economic crime, whilst levels of ‘conventional’ economic crime have fallen (asset misappropriation has fallen by 8 percentage points since 2009, and accounting fraud by 5 percentage points in the same period). So we think organisations need to take a fresh look at how they deal with fraud.

Cybercrime now regularly attracts the attention of politicians and the media, and should be a concern to business leaders as well. Our survey gave respondents their first direct opportunity to highlight cybercrime as one of the main economic crimes they had experienced, and over a quarter of those who had reported economic crime in the last 12 months did so. The largest number of these were from the financial services sector.

Our survey shows that organisations need to be clear about exactly what cybercrime is, and who is responsible for managing it.

Economic crime perpetrated externally has increased and fraud carried out by employees within the organisation is declining.

Statistics extracted from the report

  • 47% of respondents said the cybercrime threats have increased over the last 12 months
  • 84% of respondents who identified an economic crime had carried out at least one fraud risk assessment in the last 12 months
  • 19% of UK respondents didn’t perform a fraud risk assessment in the last 12 months. This is a much lower figure compared with the global 29% of respondents
  • Over half of UK respondents reported economic crime in the last 12 months, compared with 34% globally
  • 51% of respondents experienced fraud in the last 12 months (UK)
  • 26% of those who experienced an economic crime in the last 12 months reported a cybercrime
  • 48% of respondents felt that responsibility for detecting and preventing cybercrime falls to the Chief Information Officer, the Technology Director or the Chief Security Officer
  • 66% of respondents said they had reported a cybercrime incident to law enforcement, compared with 76% of those who experienced economic crime
  • 54% of respondents representing organisations with offices in more than 20 countries saw an increased risk from cybercrime in the last 12 months. 35% of respondents representing organisations based just in the UK perceived a similar rise

Cybercrime awareness

  • The most effective way to raise cyber security awareness is through face-to-face training. In spite of this, only 24% of UK respondents received this type of training
  • 33% see cyber security as the responsibility of the Chief Executive Officer and the Board; the global figure is 21%
  • One in five respondents said the CEO and the Board only review these risks on an ad hoc basis

Response to cyber crime

  • 16% of UK respondents said their organisation has in place all five of the measures specified in the survey, compared with 12% of global respondents – see the link to the full report below.
  • 83% were concerned about reputational damage
  • 57% of respondents representing UK organisations have a media and public relations plan in place. The global response was 44%
  • 28% of respondents said they didn’t have any access to forensic technology investigators

Profile of the internal fraudster

  • male
  • aged between 31 and 40
  • employed with the organisation for between three and five years
  • educated to high school and not degree level

Top 5 departments perceived to present the biggest cybercrime risk

Rank  Department                        UK   Global
1.    Information technology            52   53
2.    Operations                        42   39
3.    Sales and marketing               36   34
4.    Finance                           37   32
5.    Physical/Information security     22   25

Find the full report here.


Information Commissioner fines two councils for emailing personal information

The Information Commissioner’s Office (ICO) has served monetary penalties on two councils for breaching the Data Protection Act.

The penalties were served on North Somerset Council and Worcestershire County Council after staff at both authorities sent highly sensitive personal information to the wrong recipients. The news comes as the Information Commissioner is pressing for stronger powers to audit data protection compliance across local government and the NHS.

1. Worcestershire County Council was fined £80,000 for an incident in March 2011 where a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The error occurred when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it. Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data. Worcestershire County Council has explained to the ICO that as soon as the breach occurred the council employee immediately realised their error and attempted to contact all of the unintended recipients to ensure that the information was deleted.

2. North Somerset Council was fined £60,000 for breaching the Data Protection Act when a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.

The incidents, which took place during November and December 2010, occurred when a council employee selected the wrong email address when creating a personal distribution list. The council employee was told about the error by the unintended recipient shortly after the first incident took place. Despite this, information was emailed to the same NHS employee on a further three occasions. The issue was then raised at senior level. Two of the council’s Assistant Directors highlighted the issue with the employee on 9 December but a fifth and final incident took place later that same day. The NHS organisation verbally confirmed to North Somerset Council that it destroyed the emails after their own internal investigation was complete.

The ICO’s enquiries found that, although North Somerset Council had some policies and procedures in place, it had failed to ensure that relevant staff received appropriate data protection training. In response to these incidents, the ICO has recommended that the council adopts a more secure means to send information electronically, including encryption and ensuring that managers sign off email distribution lists.

Information Commissioner, Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies following a series of data protection breaches.


RSA’S October Online Fraud Report

Below is a summary of RSA’s October Online Fraud Report.

October was Cyber Security Awareness Month, a public relations effort by several US-based government bodies to increase security literacy across the tiers that make up our digital society. By encouraging each and every Internet user to “Stop, Think, Connect,” the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) hope to increase security within the home, the business environment, and ultimately the entire nation. While this effort was founded in the U.S., its aspiration of increasing security literacy among the general public could easily be embraced across the globe.

Ironically, October also marks a major milestone for RSA: the official shutdown of over 500,000 phishing attacks around the globe. Sometimes viewed as one of the oldest scams in the book, phishing is still a very popular method among cybercriminals.

RSA recently estimated that worldwide losses from phishing attacks alone during H1 2011 amounted to over $520 million, and losses incurred from phishing attacks during the 12-month period of H2 2010 through H1 2011 reached nearly $1 billion.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in September increased by 45%, setting a new all-time high of 38,970 attacks. As in the month prior, this increase was largely attributed to repeated attacks on a handful of large financial institutions which have been heavily targeted throughout the past few months.

Number of Brands Attacked

The total number of brands attacked decreased 15%, dropping from 351 targeted brands in August to 300 brands in September. Last month, no new brands endured their first phishing attack, compared with seven newly-targeted brands in August. Monthly counts of newly-targeted brands last year hovered around 20 to 25 entities per month, indicating a slowdown in the trend of attacks on new targets.

US Bank Types Attacked

In September, the portion of targeted brands among U.S. credit unions dropped from 19% to 6%. In contrast, the portion of targeted brands among regional U.S. banks increased 5%, while attacks against nationwide U.S. banks increased 8%. Nationwide banks continue to be the most lucrative target among phishers likely because their customer bases are large and geographically dispersed.

Top Hosting Countries

The U.S. hosted two out of three worldwide phishing attacks in September. Since September 2010, the only countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attack Volume

The U.S. and UK continue to remain the top two countries targeted by the highest volume of phishing attacks. In September, they endured 79% of the world’s phishing attacks. Brazil, Canada, and South Africa remained among the top five countries in September in terms of phishing attack volume.

Top Countries by Attacked Brands

U.S. and UK brands accounted for 43% of all the brands targeted worldwide by phishing in September.

The full report can be found here.

The RSA September Online Fraud Report Summary is here.


RSA’s September Online Fraud Report

A bit of a catch-up on the excellent RSA Fraud Reports. The results from their September report are below.

At the bottom of the post is the August Report Summary link.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in August increased by 7%, setting a new all-time high of 26,907 attacks. This increase can be mostly attributed to repeated attacks on a number of large financial institutions which have been heavily targeted through the past few months.

Number of Brands Attacked

The total number of brands attacked increased 9% in August, climbing from 321 targeted brands in July to 351 brands in August. Last month, seven brands endured their first phishing attack. Last year, monthly counts of newly-targeted brands hovered around 20 to 25 per month, indicating a slowdown in the attack rate of new targets.

US Bank Types Attacked

The number of phishing attacks targeting U.S. credit unions in August nearly doubled, from 10% to 19%. The portion of attacked brands among the other two sectors decreased – regional U.S. banks decreased 3% and nationwide banks decreased 6%. August 2011 marked a two-year high for U.S. credit union brands being targeted since hitting the 24% mark in August 2009.

Top Countries by Attack Volume

The US and UK remained the top two countries most targeted by phishing in August, accounting for 73% of the world’s attacks. Brazil, Canada, and South Africa all remained in the top half.

Top Hosting Countries

The U.S. hosted 63% of all phishing attacks identified in August. The UK and Germany both accounted for hosting 4% of global phishing attacks followed by France, Canada, the Netherlands, Brazil, Russia, and Australia. In the last year, the countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attacked Brands

The top five countries whose brands were most targeted by phishing in August – the U.S., UK, Australia, India, and Canada – accounted for 60% of attacks. U.S.

The full report can be found here.

See the RSA August Report Summary here.


The Freedom of Information Act. Power to the people or a tool for busy bodies?


I understood the Freedom of Information Act was a mechanism for me to check what activities my government was doing under my name.

Then I came across a link containing the requests received by the government under the Freedom of Information Act (FOIA) during 2011 and I realised the FOIA has been hijacked by people who seem to be obsessed with the costs of wigs and whether there are any rats in the House of Commons – please insert joke here.

The entire list of 2011 requests is below and, whilst they are not all concerned with trivia, far too many are, so I decided to see if it was my reading of the FOIA that was wrong and tracked down the definition on the Parliament web site:

“Members of the public have a right to request access to information held by public authorities. The House of Commons and the House of Lords are separate public authorities. Requests for access to information should be directed to the relevant House which may hold the requested information.”

Freedom of Information Act 2000 (FOIA)

The House of Commons and the House of Lords are required under the Freedom of Information Act to make information that they hold available to the public.

1. Information must be made available proactively via publication schemes that have been approved by the Information Commissioners Office (ICO).

2. Anyone is entitled to make a request for access to information held by either House that is not already publicly available. The requested information must be disclosed unless an exemption applies.

  • General information on the Freedom of Information Act
  • Specific information regarding the House of Commons and the Freedom of Information Act
  • Specific information regarding the House of Lords and the Freedom of Information Act”

This means I am wrong: anyone can request information about anything, no matter how trivial and no matter how costly it is to gather and produce the information.

From the 2011 list there are potentially two dozen examples I would consider trivial or not worth the taxpayers’ money to find out, for example:

  • How much is spent on water and what brands are used. This disclosure is here.
  • Instances when pest control services have been requested. One of the several disclosures can be found here.
  • Details of expenditure on language courses. Surely avoiding the usual British thing of pointing and shouting is a good thing if we want our representatives to communicate with our European neighbours. This disclosure is here.

Some items were of interest:

  • On average 130 knives a year are confiscated from staff and visitors to Parliament. This disclosure is here.
  • MPs who have not paid in full the money that the Legg report said they had to repay. This disclosure is here.

It is almost 50/50, in my opinion, between questions of merit with real public benefit and questions that only affect those with nosy habits or vested interests.

But see for yourself by reading the full list of FOIA Requests for 2011 below, newest first.

FOIA Disclosures October – December 2011 up to 23rd November 2011

  • Banqueting 2010-2011. Details of event and function bookings made by Members on behalf of outside organisations.
  • Claims of Racial Discrimination against the House of Commons administration. Details of racial discrimination cases brought against the House of Commons.
  • Details of 14 Tothill Street. Accommodation details of the parliamentary property at 14 Tothill Street
  • Grievances filed against the House of Commons administration by its staff. Details of grievances filed against the House of Commons since 2009.
  • Information about MyUK. Details of the MyUK online learning resource.
  • Items confiscated from staff and the public visiting the House of Commons. A list of items confiscated from members of staff and the public visiting the House of Commons from January 2009 to September 2011.
  • Management Board Papers 2007-2011. All agendas, minutes and related papers of the House of Commons Management Board.
  • Proposed building works on Cromwell Green and Speaker’s Green. Details of proposed building works on Cromwell Green and Speaker’s Green.
  • Select Committee expenses 2010-2011. Details of Select Committee expenses for 2010-2011
  • The amount paid by the House of Commons in relation to employment disputes with MPs staff. Total amount paid by the House of Commons in relation to employment disputes with MPs staff for the last 5 years.

Below is the list of FOI disclosures published by the House of Commons between July and September 2011:

  • Bars in the House of Commons. Details of bars within the House of Commons and their operating costs.
  • Compensation for criminal activity or personal injury. The cost of compensation paid to any victims of a criminal act or personal injury on the Parliamentary estate.
  • Compensation for criminal activity or personal injury. Compensation paid to staff and members of the public due to criminal activity or personal injury on the parliamentary estate.
  • Details of language classes provided to MPs and Parliamentary officials. Language classes provided to MPs and Parliamentary officials.
  • Details Of Mr Speaker Bercow’s official events since taking office. All official events held by Mr Speaker Bercow.
  • Details of spending on procurement cards issued to House of Commons’ staff, 2010 – 2011. Details of all spending on the cards for the last calendar year to May 2011
  • Ethnic monitoring in the House of Commons. Ethnic monitoring in the House of Commons
  • Expenditure on ceremonial garments. Details about ceremonial garments and the costs involved.
  • Financial details of parliamentary catering and retail services. Revenue, profits, costs and subsidies for parliamentary catering and retail services.
  • House of Commons buildings used as office space. Details about House of Commons buildings primarily used as office space.
  • House of Commons post holders earning a basic salary of £65,000 or more to March 2011. House of Commons post holders earning a basic salary of £65,000 or more to March 2011
  • Inflation index used for MPs pensions. Which inflation index was used to determine the increase in MPs pensions.
  • Instances when pest control services have been requested. The number of times that pests have been found on the parliamentary estate.
  • IT equipment issued to Members 2011. Itemised breakdown of IT equipment issued to Members following the 2010 election to 1 February 2011
  • Items reported stolen in the House of Commons in 2011. A list of all the items reported stolen in the House of Commons in 2011
  • MPs who have not paid in full in line with the Legg report. MPs who have not paid in full the money that the Legg report said they had to repay.
  • Reports into the leaning of Big Ben clock tower 2011. The effects of the Jubilee line extension on Big Ben clock tower.
  • Rules for MPs use of stationery. The rules for the use of stationery and pre-paid envelopes.
  • Select Committee expenditure on water. Details about the brand used and cost of water used by Select Committees.
  • Taxable benefit of the Speaker’s accommodation. The taxable benefit of the Speaker’s official residence.
  • The cost of recalling Parliament on Thursday August 11 2011. Some of the costs involved in the recall of Parliament on Thursday August 11.
  • The structural soundness of Portcullis House. Reports carried out into the structural soundness of Portcullis House.
  • The use of social networking media. The use of social networking media by MPs.

Below is the list of FOI disclosures published by the House of Commons between April and June 2011:

  • Cost and vintage of wines 2011. The vintage dates and purchase price of wine stocked in the House of Commons
  • Crimes reported 2009-2011. Details of all the crimes reported within the House of Commons from 2009-2011
  • Details about the trees in Portcullis House. Costs and ownership details of the trees in Portcullis House.
  • Duchy of Cornwall. The procedure determining whether the consent of the Duchy of Cornwall needs to be signified to a bill
  • Expenditure of The Clerk of The House 2011. Expenditure which has been made by the House of Commons relating to the Clerk of the House’s travel, subsistence, entertainment in an official capacity, and other professional and miscellaneous costs.
  • Former Members in receipt of an award from the Resettlement Grant, 1 April 2011. Table showing Former Members who left the House of Commons at the 2010 election and who are in receipt of an award from the Resettlement Grant, and Former Members who have not been paid the Resettlement Grant.
  • Former Members in receipt of an award from the Resettlement Grant, 5 April 2011. Amounts awarded to each former MP from the Resettlement Grant
  • Funding of the W4MP website. Details of the last 5 years of funding for the W4MP website.
  • House of Commons consultancy costs 2010-2011. How much The House of Commons spent on external consultants during the financial year 2010-2011
  • House of Commons recruitment costs 2010-2011. Recruitment costs for The House of Commons during financial year 2010-2011.
  • House of Commons Wine Stocks 2011. The top highest valued wines in the House of Commons stock and the total value.
  • List of wines stocked in the House of Commons wine cellar 2011. A list of all the wines currently stocked by the House of Commons
  • Members’ comments about IPSA. Members Survey of Services Comments on IPSA made by MPs responding to the Members Survey of Services 2010
  • MPs Expenses repayments 2011. List of Members of Parliament’s outstanding expenses repayments
  • Non British Nationals Research Assistants & Interns 2011. Number and nationality of non-British national researchers who have worked at the House of Commons over the last 15 years.
  • Number of security passes lost or stolen 2008-2011. The number of House of Commons security passes that have been lost or stolen.
  • Palace of Westminster – Condition Survey Report 2008-2010. A report on the outcome of a condition survey carried out over the period 2008-10 during which each space in the Palace of Westminster was subject to a visual inspection.
  • Pest control costs 2008-2011. The costs of pest control across the parliamentary estates from 2008-2011
  • Speaker’s accommodation 2011. Updated list of costs incurred to furnish the Speaker’s accommodation in the Palace of Westminster between 2009 and 2011.

Below is the list of FOI disclosures published by the House of Commons between January and March 2011:

  • Catering and retail prices 2011. Copies of restaurant menus, bar tariffs and other catering tariffs, souvenir price list
  • Catering sales and lists containing drink prices 2011. List of drinks, prices and sales in House of Commons bars and cafeterias
  • Details of all crimes reported in the Palace of Westminster 2008-2011. Details of all crimes reported in the Palace of Westminster in the past three years
  • House of Commons Management Board official expenditure 2008-2010. An itemised breakdown of expenses claimed by each member of the Management Board for financial years 2008/09 and 2009/10
  • How much has been spent on 14 Tothill Street premises. The total amount spent on 14 Tothill Street until 28 February 2011.
  • Items reported as missing or stolen 2006-2010. All items and their assumed monetary value which have been reported as missing or stolen from the Parliamentary Estate
  • Items reported stolen or missing from the Parliamentary Estate 2005-2011. A description of each item reported stolen and/or missing to the Crime and Investigation Unit from the Parliamentary estate
  • Lists of former Members of Parliament and Industry and Parliament Trust pass holders 2011. Names of pass holders – Former Members of Parliament and Industry and Parliament Trust as at 24 January 2011
  • Management Board Papers 2007-2011. Minutes, agendas and associated papers of House of Commons Management Board meetings since its establishment in October 2007
  • MPs and Lords replaced IT equipment. IT equipment replaced since 2006
  • New Year’s Eve event 2010/11. Details of the New Year’s Eve event held at the House of Commons.
  • Overseas visits by Transport Committee members. Details of overseas visits by members of the Transport Committee from 01 January 2010 until 10 February 2011.
  • Parliamentary IT and Communication systems, office layouts and access.
  • Repayments made by Members 2010. The list of repayments of parliamentary allowances made by current and former Members of Parliament which were received between 19 December 2009 and 12th April 2010
  • Speaker’s Office Budget 2008-2011. Details of the Speaker’s Office Budget and Expenditure 2008-2011

The link to all the disclosures can be found here.


The U.S. Leads the World in Credit Card Fraud

The Nilson Report’s analysis of global card fraud losses reveals that the U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash.

Payment card fraud losses totaled $3.56 billion last year in the U.S. from all general purpose and private label, signature and PIN payment cards.

“The U.S. has a disproportionate percentage of the global total losses for two reasons, U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don’t want to alienate their cardholder,” said David Robertson, publisher of The Nilson Report.

“Competition among U.S. issuers, which has resulted in the average cardholder having four credit cards in their wallet, makes any issuer reluctant to decline an authorization. The consumer will just pull out a competitor’s card,” said Robertson.

Institutions across Europe, Latin America, the Middle East, Africa and Asia have introduced security processes and technologies to reduce fraud, for example Chip and PIN.

Global card fraud worldwide as a percentage of total volume has decreased. In 2010, total fraud losses equaled 4.46c per $100 in total volume of purchases and cash, down from 4.71c per $100 in 2009.

Total global fraud losses, at $7.60 billion, nevertheless increased by 10.2% in 2010 compared to the prior year; the rate per $100 fell only because spending grew faster than losses did.

The payment card industry is expected to continue to grow sales volume at a faster pace than thieves can compromise the system.

The Nilson Report is a highly respected source of global news and analysis of the credit, debit and prepaid card industry. The subscription newsletter provides in-depth rankings and statistics on the current status of the industry, as well as company, personnel and product updates. Nilson Report Publisher, David Robertson, is a recognized expert in the field, and is a frequent speaker at industry conferences.


7,200 people’s personal information discovered in a skip


Southwark Council breached the Data Protection Act by misplacing a computer and some papers containing 7,200 people’s personal information, which were discovered in a skip earlier this year, the Information Commissioner’s Office (ICO) said today.

The computer and papers were mistakenly left at one of the council’s buildings at the Spa Road Complex in Southwark when it was vacated in December 2009. They were then discovered in June of this year and disposed of by the building’s new tenant. The information stored on the computer and featured in the papers included people’s names and addresses, along with other information relating to their ethnic background, medical history and any past criminal convictions.

The breach was reported to the ICO on 3 June 2011 shortly after the information was discovered in the skip. The ICO’s enquiries found that, while the council did have information handling and decommissioning policies in place, the policies were not followed when the offices were vacated. The council also failed to make sure the information stored on the computer was encrypted.

The authority has now agreed to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected.

The council has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.

Sally Anne Poole, Acting Head of Enforcement said:

“The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.

“Southwark Council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”


QC has unencrypted laptop stolen and is sanctioned by the ICO

The Information Commissioner’s Office has reported on the case of a Scottish Advocate having an unencrypted laptop stolen.

The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. The device has not been recovered; however, most of the information compromised would already have been released as evidence in court papers.

The breach was only reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that, whilst Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again. This includes locking away any personal information stored at her home and following any future data protection guidance issued by the Faculty of Advocates or her stable.

Ken Macdonald, Assistant Commissioner for Scotland said:

“The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

“As this incident took place before 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.” 


Big increase in communications fraud

CIFAS, the UK’s Fraud Prevention Service, has reported on frauds recorded by its 260 member organisations during the first nine months of 2011.

The report reveals a 34% increase in fraud related to communications products, when compared with the same period in 2010.

CIFAS conclude that some “communications” products, for example smartphones such as the iPhone, are now viewed as essential items rather than luxuries, which leads some people to feel entitled to commit fraud to obtain them.

CIFAS have also seen:

  • 93% increase in impersonation of the victim at their current address, also known as current address fraud
  • 85% increase in the use of completely fictitious identities
  • 64% surge in identity fraud, where an identity is used to obtain products or services
  • 20% increase in misuse of facility cases

CIFAS Communications Manager, Richard Hurley, notes:

“The rise in current address fraud alarms because it signifies either that fraudsters are becoming increasingly sophisticated (as it is more difficult to impersonate someone at their address and then try to intercept goods or paperwork), or it demonstrates that friends, family and co-habitees are involved. Allied to the similarly enormous increase in the use of completely false identities, this surely indicates that communications products have become so essential that fraudsters not only obtain goods or handsets to sell on but will also attempt to use any identity in order to avoid becoming liable for bills.”

“nearly 100% of this increase can be accounted for by regular payment fraud, where fraudulent direct debit instructions are given in an attempt to evade the payment of bills. The reality of the situation is that the communications product, device or service has become so embedded in our lives that many of us seem unable to do without them. With sacrifices having to be made by most individuals and households, these figures depressingly indicate that many people feel that, economically, they have no choice but to attempt fraud in order to continue receiving such services.”


  1. CIFAS is the UK’s Fraud Prevention Service, a not for profit Membership organisation with over 260 cross sector Members including banking, credit cards, asset finance, retail credit, mail order, insurance, telecommunications and the public sector. Members lawfully share information on frauds in the fight to prevent further fraud.
  2. The following tables show a summary of communications fraud cases recorded by CIFAS Members, broken down by the type of fraud identified. Definitions are given below the table.
  Fraud type                  Jan to Sept 2010   Jan to Sept 2011   % Change
  Application Fraud                      3,679              4,347        18%
  Facility Takeover Fraud                5,292              4,330       -18%
  Identity Fraud                        12,673             20,842        64%
  Misuse of Facility Fraud               3,430              4,125        20%
  Total                                 25,074             33,644        34%

PCI Security Standards Council announces winners of Special Interest Group elections

The PCI SSC today announced the results of the Council election for Special Interest Groups (SIGs).

Special Interest Groups (SIG) leverage the expertise of more than 600 PCI SSC Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council.

Almost 500 votes were cast by merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012.

The three elected groups will focus on:

  • Cloud
  • eCommerce Security
  • Risk Assessment

Participating Organizations were allowed three votes on a shortlist of seven topics that were the result of 13 proposals by the community.

Successful project proposals represent a cross section of the PCI SSC community from around the globe and include active participants from CyberSource, HyTrust, Sense of Security Pty Ltd., SISA Information Security, The UK Cards Association, Trend Micro and TSYS.

“This is our first SIG election and I’m really pleased with the turnout, with a quarter of all of our Participating Organizations voting. Most impressively, a third of our votes came from outside North America showing that involvement in the Council’s activity and development of PCI Standards and resources to help secure the payment chain is truly a global endeavor,” said Jeremy King, European director, PCI Security Standards Council.

“I’m looking forward to close collaboration between the Council and SIG membership.”

Special Interest Groups are a critical forum for industry participation in Council initiatives to increase payment card security. SIGs focus on providing recommendations to the Council which often results in guidance for interpreting and implementing the PCI Standards. To date SIG participants have made significant contributions to Council resources on topics such as wireless security, EMV chip, point-to-point encryption and virtualized environments.

The Council invites any members of the PCI SSC community interested in participating in one of these SIG projects to indicate their interest by emailing before November 30th. Following this, Council SIG leads will convene each group to formalize the group charter and the precise scope of the work project. This will be shared with the Community by the end of the year, with SIGs anticipated to start work in the beginning of 2012.

“We’re delighted that risk assessment has been selected by our peers to move forward as a 2012 SIG project. I’d like to encourage anyone with expertise or interest in this topic area or the other final selections to get involved,” said Dharshan Shanthamurthy, chief consultant at SISA Information Security.

“Council SIGs are a great opportunity for professional development, networking, and contributing to something that will benefit the entire industry.”


Reputation damage could cost more than PCI Compliance or Data Protection Act fines


A Ponemon Institute and Experian survey of almost 850 executives reveals that on average it can take up to a year for an organisation to restore its reputation.

Reputations have always been difficult to value as they change with market demands, styles and presentation. This research is interesting as it does place a value on reputation and on the possible impacts of damage.

There is advice on what to do and, whilst it is at a high level, it is useful for those who only have a few seconds to think about the possible impact before they move on to their next meeting.

The survey reveals that the average loss in brand value ranges from $184 million to more than $330 million.

The minimum brand damage was 12%, rising to nearly a quarter of brand value in some instances.

“A solid reputation is a company’s greatest asset, and it is therefore imperative that business leaders take precautionary steps to protect themselves, their customers, their employees and their intellectual property against data breaches,” said Ozzie Fonseca, director at Experian Data Breach Resolution.

“The way business protocols worked five years ago, even two years ago, has drastically changed, and we must prepare ourselves for the new threats to data and privacy. Data breaches are happening to all businesses, small, medium and large, and no industry is immune.”

43% of the companies surveyed had not instituted a data breach incident response plan prior to having a breach.

“The loss or theft of sensitive customer data, as our study quantifies, can have a serious impact on the economic value of a company’s reputation,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

“We believe this study makes a powerful point about the importance of taking steps to reduce the likelihood of a data breach.”

Experian offers the following advice:

Create an incident plan so your organization is prepared to readily respond to a breach should it happen. Outline exactly what steps you will take if or when a breach occurs. Build your company’s response team in advance, including members with expertise in legal, public relations, compliance and risk management. Communication to consumers and government officials should be done simultaneously, so make sure to dedicate adequate resources in your company plan. Conduct data breach simulations and hold regular security training sessions with employees to review the company’s policies about data protection.

Be proactive instead of reactive. Start with prevention and assume that at some point you will experience a breach and not one that you are likely to discover until the damage has been done.

Here is what can be done now to help secure and protect the information your company is responsible for:

  • Segment sensitive data and restrict access
  • Wipe physical media and shred paper documents
  • Demagnetize external media and overwrite hard-drive data

If you do not have the internal resources or know-how to cover the likely aspects of fallout from a potential breach, call in a third-party specialist to partner with your company through the breach resolution process. Having an expert on hand can help expedite the resolution, limit legal liabilities and increase customer satisfaction. Being prepared before a security breach occurs can mean a big difference to both your company’s bottom line and its reputation.

For more information on Experian and their survey, click here. Survey conducted in October 2011 by the Ponemon Institute.

Businesses should always think about IT Security as an integral part of their business risk management processes, because the odds are that a “cyber” incident will happen, and such incidents are statistically more likely than most other incidents.


Only 21% of merchants were compliant and other startling PCI DSS facts from the coal face


Verizon have recently launched their 2011 Payment Industry Compliance Report, which draws on their experiences as a Qualified Security Assessor (QSA) company, and their previous annual reports.

Below are excerpts from their report:-

Unchanged from last year:-

  • 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
  • 78% of organisations met all test procedures at the IROC stages
  • 20% of organizations passed less than half of the PCI DSS requirements
  • 60% scored above the 80% mark

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The PCI Requirements that showed the highest implementation levels were:

  • 4 (encrypt transmissions over public networks)
  • 5 (use and update anti-virus)
  • 7 (restrict access to need to know)
  • 9 (restrict physical access)

Verizon concluded that organizations do not appear to be prioritising their compliance efforts against the PCI DSS Prioritized Approach (the Prioritized Approach is a free spreadsheet that can be downloaded from the PCI Security Standards Council site, find it here).

Organizations that suffered data breaches were less likely to be compliant than a normal population of Verizon PCI clients.

In the pool of assessments performed by Verizon QSAs included in this report:

  • 21% were fully compliant at the completion of their IROC
  • This is just 1% less than in their last report, and effectively the same number

The lack of change disappoints Verizon, as many in the industry were hoping to see an increase in overall compliance as PCI DSS became more familiar to an increasing number of organizations.

79% of organizations were not sufficiently prepared for their initial assessment

Having established that only 21% “passed the test” the next question becomes “what was their score?”

  • 78% of all test procedures defined in the DSS were met at the time of their IROC
  • This is down 3% from Verizon’s last report

Verizon deduce that another common Achilles heel of merchants and service providers in the PCI assessment process is overconfidence. “It was painful, but we made it through last year, so this year should be a breeze,” is a typical sentiment with which many organizations approach the yearly assessment. That can be a costly mistake.

When the QSA arrives on-site, a mere fifth of businesses are found to be compliant, even when given the extra time between the on-site visit and completion of the IROC.

Verizon believe that complacency and fatigue are two additional drags that make maintaining compliance year over year difficult.

Too many businesses approach PCI from the point of view that “what was good enough last year will be good enough this year.”

When examining the percentage of organizations passing each requirement at the IROC phase:

  • Some requirements show percentages dipping below 40%, while others exceed the 70% range
  • Six of the twelve show an increase over last year, and the average is up two points
  • However, the average number of test procedures met within each requirement is down 4%
  • None of these numbers is indicative of a clear change given the size and makeup of the dataset, but it certainly reinforces the notion that organizations continue to struggle (at varying degrees) in all areas of the DSS

How do organisations perform against the 12 Requirements? The four highest rated Requirements are:

  • 4 (encrypt transmissions)
  • 5 (AV software)
  • 7 (logical access)
  • 9 (physical access)

Requirement 10 (tracking and monitoring) boasted the highest gain, +13%

Requirement 5 (AV software) may lose its place in the top three, which is an odd development, since AV software has for so long been among the most basic and widespread of security controls.

The improvement in compliance to Requirement 4 (encrypt transmissions) may indicate that administrators are deciding it is easier to direct all Internet traffic containing credit card data over SSL.

The small improvement in Requirement 7 (logical access), if significant at all, could mean that stricter attention is being paid to who is given access to cardholder data.

Requirements 3 (stored data) and 11 (regular testing) are once again in the bottom tier, while Requirement 12 (security policies) ousted 10 (tracking and monitoring) from the bottom. This suggests that the encryption of data at rest continues to be a major headache for organizations, especially the more detailed portions, such as annual key rotations.

Requirement 1 remains virtually unchanged since last year:

  • 44% were compliant
  • 46% in the last report
  • Only 63% of companies met Requirement 1.1.5 regularly

The entire report can be found on the Verizon web site here.


Gambling takes on a new meaning when someone steals your personal information

A former gambling industry worker who unlawfully obtained and sold personal data relating to over 65,000 online bingo players has been found guilty of committing three offences under section 55 of the Data Protection Act.

Marc Ben-Ezra, of Finchley, was given a three year conditional discharge and ordered to pay £1,700 to Cashcade Limited as well as £830.80 costs at Hendon Magistrates Court today.

Information Commissioner, Christopher Graham, said:

“This case shows that the unlawful trade in personal information is unfortunately still a thriving and lucrative activity. Mr Ben-Ezra sold people’s personal details on an industrial scale, making in the region of £25,000 at the expense of the tens of thousands of bingo players whose privacy he compromised, and who he exposed to the nuisance of being approached by rival betting websites and, at worst, the risk of identity theft.

“I am grateful to Cashcade Limited and Gala Coral for their work in exposing this unlawful practice. However, we still don’t have a punishment that fits the crime. The ICO continues to push for the government to activate the 2008 legislation that would allow courts to consider other penalties like community service orders or the threat of prison.”

The offences were first uncovered in May 2011 when Mr Ben-Ezra sent a series of emails to a number of contacts within the UK gaming industry offering customer data for sale. The emails were sent under the pseudonym Malcolm Edwards and contained a sample data set relating to 400 Foxy Bingo customers.

Cashcade Limited, which provides marketing services for the Foxy Bingo brand and is the data controller for its customer information, was concerned and wanted to know how its customer data had been obtained. The company instructed an investigative services company to conduct a test purchase of the data – which contained over 65,000 Foxy Bingo customers’ personal details – and paid Mr Ben-Ezra £1,700 cash for it. Cashcade Limited then handed this information to the ICO and co-operated fully with investigators to find out who was responsible.

Cashcade Limited believe that the acquired test data, which did not contain customers’ bank account details, was unlawfully obtained in 2008 and sold to Mr Ben-Ezra, who was working for a poker company in Israel at the time. Attempts by Cashcade to identify the perpetrators of the 2008 breach have so far been unsuccessful but remedial action to prevent a recurrence has been taken. The company is continuing to pursue the other perpetrators.

The data that was acquired contained customers’ names, addresses, email addresses, telephone numbers and usernames. Cashcade Limited has assured the ICO that no customer accounts were compromised.

The email sent to the investigative services company by Mr Ben-Ezra also included customer information relating to 404 Gala Coral customers from 2008. The data controller – Gala Coral Group – has confirmed that they believe that the information was unlawfully obtained from their management information system.

Mr Ben-Ezra was exposed as the individual behind the offences in August 2011 when the ICO’s investigators traced the email address which was found to be registered to the business address of Mr Ben-Ezra’s father-in-law. After enquiries were made at that address, Mr Ben-Ezra contacted the ICO and during his meetings with officers co-operated fully and handed over the laptops containing the data. During an interview under caution he admitted the offences and stated that the practice of buying and selling customer data was widespread during his time working in the gaming industry in Israel. He told officers that he kept the data which he had obtained whilst in Israel and, on moving to London, he sold it as a way of paying off his gambling debts.

The ICO has not received any complaints from the customers on the lists. Foxy Bingo and Gala Bingo have proactively contacted affected customers to assure them that their account information is secure.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.


midata kicks off with the support of government and businesses

The UK Government has announced a ground-breaking joint venture with 26 organisations to empower consumers to have more control over their personal data.

midata, launched on the 3rd November 2011, is a voluntary scheme that will allow consumers to access their data in a safe and secure way and make better decisions reflecting their personal wants and needs. New services made possible by midata will further assist consumers, whether it be in getting the best deal on their mobile phone contract or energy tariff, or managing their lives more efficiently.

Launching the midata vision, Consumer Affairs Minister, Edward Davey said:

“Currently, most consumer data is held by service providers, meaning only one side of the customer-business relationship is empowered with the tools of information management. midata seeks to redress that balance.

“This is the way the world is going and the UK is currently leading the charge. We see a real opportunity here, but others, including the US and EU, are also showing real interest in the programme and the economic benefits it can deliver. So if we want to continue leading the way, we need to develop a platform upon which the innovation and services that drive growth can be built. midata aims to do just that.

“I’m delighted that so many organisations are supporting our vision and I look forward to working with them closely as the programme progresses.”

The midata programme marks a non-regulatory approach to consumer empowerment and is in keeping with the Government’s broader focus on transparency and openness.

The next step will include setting timelines and developing online ‘personal data inventories’ (PDIs) in each sector, which will describe the types of data an organisation holds about each customer.

Protocols will also be established to handle any issues relating to privacy, data security and consumer protection. midata is also working with companies to develop common approaches that will allow customers to access their data, including their contact details, current tariffs and contracts, etc., and update basic information about themselves.

The PDI and access work will precede the release of data back to customers in an electronic format. The goal is to enable the first releases in the first half of 2012.

Businesses and organisations that have so far committed to working in partnership with Government to achieve the midata vision are:

  • Avoco Secure
  • billmonitor
  • British Gas
  • Callcredit
  • EDF Energy
  • E.ON
  • Garlik
  • Google
  • Lloyds Banking Group
  • MasterCard
  • Mydex
  • npower
  • RBS
  • Scottish Power
  • Scottish Southern Energy
  • The UK Cards Association
  • Three
  • Visa

The other organisations involved are made up of government agencies and consumer groups.

The Government’s vision for midata
Consumer Data Empowerment

midata is a voluntary partnership between the UK Government, businesses, consumer groups, regulators and trade bodies to create an agreed, common approach to empowering individuals with their personal data.

midata recognises and supports the principle of individuals using their own customer information to gain an insight into their own behaviour, make more informed choices and better decisions, to manage their affairs more efficiently, and to obtain the products and services that best meet their needs.

midata is part of the Government’s growth agenda. It will help achieve economic growth by improving information sharing between organisations and their customers, sharpening incentives for businesses to compete keenly on price, service and quality, building trust and facilitating the creation of a new market for personal information services that empower individuals to use their own data for their own purposes.

Organisations can help realise the goals of midata by providing customers with the ability to access and re-use their ‘customer data’ – including data about customer transactions, interactions and usage behaviours that organisations collect.

The aim of the midata project is for organisations that collect, store and use customer data to endorse and work towards the following goals and principles.

Organisations collecting, using and holding customer data should:

  • Maintain and make available to customers accurate and up-to-date descriptions of the types of personal data they hold about these customers. (Consumer Data Transparency)
  • Develop, support and promote ways to release customers’ data back to them in a safe, privacy-friendly, portable and re-usable manner. This data should be made available to them online for free and to use as they see fit. (Consumer Data Access)
  • Minimise risks of data breaches and invasions of privacy. This includes:
    a) working to ensure that all personal information is accessed and released safely and securely
    b) helping to create a personal data environment that enables individuals to hold, use and share their data in ways they understand and can trust, which protects their interests and empowers them to use their data for their own purposes. (Consumer Data Security)
  • Work with other organisations via the midata project to encourage the innovation of new consumer information services that deliver midata goals. (Consumer Data Innovation)

Consumer Data principles

The following principles will guide the project:

  1. Data that is released to customers will be in reusable, machine-readable form in an open standard format.
  2. Consumers should be able to access, retrieve and store their data securely.
  3. Consumers should be able to analyse, manipulate, integrate and share their data as they see fit – including participating in collaborative or group purchasing.
  4. Standardisation of terminology, format and data sharing processes will be pursued as far as possible across sectors.
  5. Once requested, data will be made available to customers as quickly as possible.
  6. The focus will be to provide information or data that may be actionable and useful in making a decision or in the course of a specific activity.
  7. Organisations should not place any restrictions on or otherwise hinder the retention or reuse of data.
  8. Organisations will work to increase awareness amongst consumers of the opportunities and responsibilities that arise from consumer data empowerment.
  9. Organisations will provide customers with clear explanations of how the data was collected and what it represents, and who to consult if problems arise.


PCI Security Standards Council adds PCI PIN Security requirements to PTS standard

The PCI Security Standards Council (PCI SSC) has announced that the Council is expanding the PTS standards to encompass the PCI PIN Security Requirements, formerly administered by Visa and MasterCard, to provide organizations with one set of criteria for the protection of PIN data.

After officially taking over management of the requirements earlier this year, the PCI SSC solicited feedback from the PCI community to make updates to the standard. Today’s release contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data at ATMs, and attended and unattended point-of-sale (POS) terminals. The PIN Security Requirements will be included in current PTS security requirements.

The updated PTS program requirements and detailed listing of approved devices are available on the Council’s website here.

“Point of sale continues to be a security hotspot as criminals are using more advanced techniques to steal PIN and cardholder data,” said Bob Russo, general manager of the PCI Security Standards Council. “The requirements are specifically geared toward protecting not just the devices that accept PINs but also the people and processes surrounding them.”

The PCI PIN Security Requirements provide one set of criteria for the protection of personal identification number (PIN) data. For merchants, examples of common vulnerabilities for PIN theft that the requirements address include:

  • PINs that are not protected by a secure PIN block
  • Failure to use approved cryptographic devices for PIN processing
  • Cryptographic keys that are non-random, not unique, and never change
  • Few, if any documented PIN-protection procedures
  • Audit trails or logs that are not maintained

“With this addition to the PTS requirements, we hope to strengthen POS security at merchants around the globe,” noted Russo.

The Council will also host a Webinar for Participating Organizations and the public outlining the newest updates to the PIN Transaction Security program, including the PIN Security Requirements, followed by a live Q&A session.

Register for the November 8 session here.

Register for the November 10 session here.


Council breaches the Data Protection Act by losing a memory stick


Rochdale Metropolitan Borough Council has breached the Data Protection Act after losing an unencrypted memory stick containing the details of over 18,000 residents.

The memory stick, lost in May, included, in some cases, residents’ names and addresses, along with details of payments to and by the council.

The device did not include any bank account details. The information had been put on a memory stick to compile the council’s financial accounts.

The memory stick has not been recovered.

The ICO’s investigation found that the council’s data protection practices were insufficient. The Council specifically failed to make sure that memory sticks provided to its staff were encrypted.

The council also failed to provide employees with adequate data protection training. As well as requiring the council to put all of the changes in place by 31 March 2012, the ICO will follow up with the council to ensure that the agreed actions have been implemented.

Acting Head of Enforcement, Sally Anne Poole said:

“Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people.

“Our investigation uncovered a number of failings at Rochdale Metropolitan Borough Council – that’s why we will follow up with the council, to ensure they’re doing everything they can to prevent this type of incident happening again.”


UK Cards Association warns of growing Credit Card fraud phone scam targeting the over-60s


The UK Cards Association has warned about an old-style phone scam that is increasingly being used by fraudsters across the UK.

The scam involves unsuspecting cardholders being called and duped into handing over their debit or credit card, and revealing their PIN, by a fraudster pretending to be from their bank, card company or the police. Just this year more than £750,000 has been lost to this type of fraud, with the criminals responsible stealing an average of £10,000 per incident.

The scam begins with the fraudster phoning up, typically claiming to be from the prospective victim’s bank, and saying either that their systems have flagged up a fraudulent transaction on their card or that their card is due to expire and needs replacing. By seeming to offer assistance, the fraudster tries to gain the victim’s trust. In most cases the victim is then asked to ‘activate’ or ‘authorise’ the replacement card in advance by keying their PIN into their phone’s handset.

The fraudster or an accomplice then poses as a bank representative or a courier to pick up the customer’s card from them at their home, sometimes also giving the victim a replacement card (which is a fake). In some cases a genuine courier company is hired to pick up the card, which the victim has been asked to place in an envelope. Once they have the victim’s card and the PIN the fraudster uses them to withdraw cash and go on a spending spree.

Top tips to avoid this scam:

  • Your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’.
  • Your bank will never ask you to ‘authorise’ anything by entering your PIN into the telephone.
  • Never share your PIN with anyone – the only times you should use your PIN is at a cash machine or when you use a shop’s chip and PIN machine.

If you think you may have been the victim of a fraud or a scam of this nature you should call your bank or card company immediately.

DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU), the special police unit established by the banking industry to fight fraud, said:

“You should never hand over your bank card to someone who turns up on your doorstep, however convinced you are that they are genuine. Likewise, you should never give anyone your PIN or punch the number into your phone as a result of someone contacting you out-of-the-blue – wherever they claim to be from. If you have any doubts when approached in this way you should hang up the phone and call the organisation back on a number that you know is correct. If you think you have already been a victim of this scam, contact your bank or card company immediately. If you are the innocent victim of card fraud you will not suffer any financial loss.”


PCI Security Standards Council invites industry input during next phase of standards development

The PCI Security Standards Council has launched its formal feedback period on version 2.0 of the PCI DSS and PA-DSS, inviting Participating Organizations and assessors (QSAs) to provide suggestions and commentary on the development of the next PCI Standards.

The PCI Council works on a three-year lifecycle to update the PCI Standards. Feedback from Participating Organizations representing merchants, banks, processors, vendors, security assessors and others across the payment chain is the foundational element of this process. The feedback period takes place a full year after the new versions of the DSS and PA-DSS were released, giving organizations the opportunity to provide input based on their experience of implementing the standards. As of December 31, 2011, version 1.2.1 of the PCI DSS and PA-DSS is retired and all validation efforts for compliance must follow version 2.0.

Beginning today, PCI stakeholders can submit input through a new online tool that automates and makes feedback easier to supply. All feedback will be reviewed by the Council and included in discussion for the next iteration of the PCI Standards.

In the Council’s last feedback cycle, hundreds of comments were received, with more than 50 percent coming from outside the U.S.

“With the Council’s Participating Organization base having grown substantially in Europe over the last year, and particularly with increased global representation on our Board of Advisors, we’re really looking forward to receiving input from our stakeholders around the world,” said Jeremy King, European Director, PCI Security Standards Council. “In a changing payments environment, it’s this input that will help us maintain a global standard that ensures the protection of cardholder data remains paramount.”

Feedback submissions will be grouped into three categories – Clarifications, Additional Guidance and Evolving Requirements – and shared for discussion with Participating Organizations and the assessment community at the 2012 PCI Community Meetings.

“Our community is made up of experts from across the payments chain, around the world and from organizations of every size, each dealing with different aspects of the PCI process,” said Bob Russo, general manager, PCI Security Standards Council. “We rely on their feedback and unique experiences to help us continually improve these standards for the protection of cardholder data.”

The online feedback tool can be accessed online here.

