Brian Pennington

A blog about Cyber Security & Compliance


February 2012

Personal Information is under threat from “social engineering”

This week has uncovered two more breaches of the Data Protection Act, after action was taken by the Information Commissioner and the Serious Organised Crime Agency (SOCA) against individuals who used social engineering for profit.

The more criminal of the two cases involved “private detectives” blagging confidential information for their clients to use.

SOCA defines blagging as: “Blagging is the art of bypassing security measures through skilled persuasion and impersonating someone else.”

SOCA said of the case:

SOCA’s focus during the investigation was criminal conspiracy. However, in recognition of the fact that the operation might also uncover information relevant to other authorities, SOCA worked in partnership with a number of bodies including the Information Commissioner’s Office. SOCA will now hand over any such information to its partners to determine whether further action is appropriate.

The Information Commissioner said:

“The scourge of data theft continues to threaten the privacy rights of the UK population. Whilst we welcome today’s sentencing of the private investigator, Graham Freeman, and his three accomplices, the outcome of the case underlines the need for a comprehensive approach to deterring information theft. If SOCA had been restricted to pursuing this case solely using their powers under the Data Protection Act then these individuals would have been faced with a small fine and would have been able to continue their activities the very next day. This is not good enough.

“Unscrupulous individuals will continue to try and obtain peoples’ information through deception until there are strong punishments to fit the crime. We must not delay in getting a custodial sentence in place for section 55 offences under the Data Protection Act.”

In the second example, a letting agent who tried to obtain details about a tenant’s finances from the Department for Work and Pensions (DWP) was found guilty of an attempt to commit an offence under section 55 of the Data Protection Act and the Criminal Attempts Act.

Pinchas Braun, of Tottenham, was fined £200 and ordered to pay a £15 victim surcharge and £728.60 prosecution costs by Highbury Magistrates.

The ICO’s investigating officers identified the caller as Pinchas Braun. Further enquiries found that Braun worked for a property management and rental business called Manor West Estates and that he was responsible for rent collection. The DWP account that Mr Braun had targeted belonged to one of his employer’s tenants.

Information Commissioner, Christopher Graham, said:

“The Department for Work and Pensions hold important information about each and every one of us. We are very pleased that a DWP staff member was alert to this attempt to blag information and that the call was halted before it was too late.

“The motive behind Mr Braun’s action was financial. He knew that such an underhand method of obtaining the tenant’s personal information was illegal but carried on regardless.

“This case shows that unscrupulous individuals will continue to try and blag peoples’ details until a more appropriate range of deterrent punishments is available to the courts. There must be no further delay in introducing tougher powers to enforce the Data Protection Act beyond the current ‘fine only’ regime,” Mr Graham said.

“The contrast is striking in the penalties available for blagging under the Fraud Act on the one hand and under the Data Protection Act on the other. On the same day, prison sentences were handed down in one court with chicken feed fines being imposed in another – all for the same activity.”

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a financial penalty of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court. This also applies to attempts under the Criminal Attempts Act. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.

Both examples show how important it is for all organisations to be aware of the threat to their customers from “blagging” or “social engineering”. In the Braun case above, for example, he was unsuccessful because he didn’t know the middle name of the victim.


PCI SSC announces formal training in Europe (London)

The Payment Card Industry Security Standards Council (PCI SSC) has announced three formal courses in London.

The three courses are:

Qualified Security Assessor (QSA) Training

The PCI Security Standards Council operates an in-depth program for security companies seeking to become Qualified Security Assessors (QSAs), and to be re-certified each year. The five founding members of the Council recognize the QSAs certified by the PCI Security Standards Council as being qualified to assess compliance to the PCI DSS standard.

  • PCI SSC QSA Date(s): April 28 2012 – April 29 2012
  • Location: London, United Kingdom
  • Fee: 3,000.00 USD

Payment Application Qualified Security Assessor (PA-QSA) Training

The PCI Security Standards Council operates an in-depth program for security companies seeking to become Payment Application Qualified Security Assessors (PA-QSAs), and to be re-certified each year. The five founding members of the Council recognize the PA-QSAs certified by the PCI Security Standards Council as being qualified to assess compliance to the PCI PA-DSS standard.

  • PCI SSC PA-QSA Date(s): April 22 2012 – April 23 2012
  • Location: London, United Kingdom
  • Fee: 2,000.00 USD

Internal Security Assessor (ISA) Training

The PCI SSC Internal Security Assessor Program (“ISA Program”) provides an opportunity for eligible internal security audit professionals of qualifying organizations to receive PCI DSS training and certification to improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls.

  • PCI SSC ISA Date(s): April 26 2012 – April 27 2012
  • Location: London, United Kingdom
  • Fee: 3,595.00 USD

Find the details here.


Is the Information Commissioner having a purge on breaches?

It seems that the Information Commissioner’s Office is releasing, on a daily basis, details of organisations that have breached the Data Protection Act.

Every day some employee has done something they should not have done: posted to the wrong place, not used the correct system, etc., which means the common cause is human…

The latest involves Cheshire East Council, which in May 2011 breached the Data Protection Act when a council employee contacted the local voluntary sector co-ordinator to alert voluntary workers that the Police had concerns about an individual who was working in the area.

Instead of sending an email via the council’s secure system, the employee sent an email to the local voluntary sector co-ordinator via her personal email account. This simple error cost the council £80,000.

Stephen Eckersley, Head of Enforcement, said about the Cheshire East breach:

“While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed. Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.

“I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data.”

Two other recent incidents involving the Information Commissioner: 


Another bad day for councils but this time there were costs attached – £180,000!

Today the Information Commissioner’s Office has notified two councils of monetary fines for breaching the Data Protection Act.

  1. Croydon Council has been handed a penalty of £100,000
  2. Norfolk County Council has been served with an £80,000 penalty

Croydon Council

The Croydon Council breach was the result of an unlocked bag belonging to a social worker being stolen from a London pub. The worker was taking papers, including information about the sexual abuse of a child and six other people connected to a court hearing, home for use at a meeting the following day. The bag and its contents have never been recovered.

The ICO’s investigation found that while Croydon Council did have data protection guidance available at the time of the theft, it was not actively communicated to staff and the council had failed to monitor whether it had been read and understood. The council’s policy on data security was also inadequate and did not stipulate how sensitive information should be kept secure when taken outside of the office.

Norfolk County Council

The Norfolk County Council breach was the result of another social worker sending a report to the wrong address. The report contained confidential and highly sensitive personal data about a child.

The ICO’s investigation found that the social worker had not completed mandatory data protection training and that the council did not have a system in place for checking whether training had been completed.

Stephen Eckersley, Head of Enforcement, said:

“We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place.

“One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training.

“While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation.”


Bad day at the office for UK Councils as several breach the Data Protection Act

Today the Information Commissioner has notified five councils after they breached the Data Protection Act.

Information Commissioner, Christopher Graham said:

“At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act. Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty.

“We must also consider the detrimental impact these breaches continue to have on the individuals affected. Disclosing details about someone’s social housing status can be upsetting and damaging for those affected. To help tackle this issue I’ve submitted a business case to the government to ask for them to extend my compulsory audit powers.”

The five data breaches at local authorities all relate to incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.

  • Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing.
  • In July 2011, an employee of Brighton and Hove Council emailed the details of another member of staff’s personal data to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee. The Council has now committed to ensuring that the personal information they process is secure, including making sure that all portable devices used to store personal data are encrypted.

The other councils affected are:

  • Dacorum Borough Council
  • Bolton Council
  • Craven District Council

Additionally an enforcement notice has been issued to Staffordshire County Council over its mishandling of a subject access request.

Two other organisations also had actions taken against them:

  • Youth charity Fairbridge
  • Healthcare provider Turning Point


Report on Malware Activity for the last 6 months 2011 – M86

M86, a web and email security company, has released its review of the last 6 months of 2011.

The report has some excellent screen shots of malicious attacks, particularly phishing and spam attacks.

The screenshots should be shown to all school pupils and college students so that they do not make the same mistakes. Equally, all organisations should distribute the images as part of their internet usage training, because a lot of social media activity takes place during the working day.

M86 said of their report:

“We already know that cybercriminals have become adept at circumventing mainstream security solutions, and as we find more fraud perpetrated through social networking sites and mobile devices, it is imperative for organizations to educate their users and complement their reactive protection with proactive, real-time technologies to enhance their security posture,” said Bradley Anstis, Vice President of Technical Strategy, M86 Security. “Many of the trends we forecast in our 2011 predictions report, such as the increased use of stolen digital certificates in targeted attacks, have occurred. Our goal is to help organizations preempt these complex attacks before malware has a chance to infiltrate networks and cause very real damage.”

Key Findings of the Report:

  1. Targeted attacks became sophisticated and pursued a wider range of organizations, including commercial, national critical infrastructure and military targets.
  2. Use of stolen or fraudulent digital certificates has become more common, especially as part of targeted attacks.
  3. In several targeted attacks, malware was hidden by embedding itself in various file formats—with a few cases of multiple embedding layers. This method can evade security software that fails to scan deep enough.
  4. Blackhole has become the most prevalent exploit kit in the second half of 2011 with a huge margin over other exploit kits. Some of the exploit kits which were active in the past are rarely used now or were practically abandoned.
  5. Newer versions of Blackhole are being deployed first in Eastern Europe. Its authors increased its update frequency and added new exploits and tricks to evade detection, such as checking the software version on the client machine before attempting to exploit it.
  6. Fake social media notifications are now a mainstream way for spammers to dupe users into clicking links.
  7. Facebook continues to be a conduit for spam and malware, as many campaigns are spreading virally by enticing users to share posts that promise gift cards or other rewards.
  8. Hacked, but otherwise legitimate, websites played a major role in distributing spam and malware by redirecting browsers to the ultimate destination.
  9. Malicious Web content currently exploits more than 50 vulnerabilities in various software products. The most commonly exploited products are Microsoft Internet Explorer, Oracle Java, Adobe Acrobat Reader, Adobe Flash and Microsoft Office products.
  10. The overall volume of spam continued to decline in 2011, reaching a four-year low in December 2011.
  11. Eight spamming botnets were responsible for 90% of the spam monitored by M86 Security Labs. All of these botnets are familiar and have been established for some time.
  12. The proportion of malicious spam rose in the second half of the year from less than 1% to 5%, including a massive spike in malicious attachments in August and September. Later in the year, the focus shifted from malicious attachments to malicious links that led to exploit kits, in particular, the Blackhole exploit kit.
  13. Some noticeable wins by law enforcement authorities and researchers against cybercriminals, botnets and affiliate programs like fake AV and rogue online pharmacies, took place this year.
  14. Malicious Web content hosted in China targets mostly older versions of Internet Explorer, which is popular in that country.
  15. Almost half of the global malicious Web content is hosted in the U.S. The states hosting most malware are Florida, California, Texas and Washington.

Expanded details on some of the key findings

Critical national infrastructure is targeted

As targeted attacks become more sophisticated, cybercriminals are pursuing a wider range of organizations, including commercial, national critical infrastructure and military targets. Confirmed attacks in 2011 include RSA, Lockheed Martin and the Asia-Pacific Economic Cooperation (APEC). Dutch company DigiNotar, for example, detected an intrusion that resulted in the fraudulent issuance of hundreds of digital certificates for a number of domains, including Google, Yahoo, Facebook, the CIA, the British MI6 and the Israeli Mossad.

Stolen digital certificates are increasingly used in successful targeted attacks

Stealing or faking digital certificates has become an important component of a targeted attack. Digital certificates are used to confirm and assure a user that the downloaded application truly is from the trusted vendor. With the stolen certificates cybercriminals can distribute malware and sign it with a legitimate company certification, thus tricking users to confidently download the application.

The Blackhole exploit kit dominates the exploit kits market

In late 2011, Blackhole established itself as the most successful exploit kit. Its authors increased its update frequency and added new ways to evade detection, such as checking the software version on the client machine before attempting to exploit it.

The volume of malicious spam escalated in 2011

Though overall spam volume decreased as of December 2011, the proportion of malicious spam rose in the second half of the year from less than 1% to 5%, with a spike in malicious attachments occurring in August and September. As noted previously, there was a shift from malicious attachments to the use of embedded links to infected content later in the year.

Social media is a haven for fraudulent posts and scams

It is now mainstream practice for spammers to use bogus social media notifications to dupe users into clicking on infected links. Perhaps even more troubling is the success with which cybercriminals capitalize on user trust and familiarity to make Facebook, for example, a conduit for spam and malware propagation. Many of these campaigns are spread virally by enticing users to share posts for “rewards” or “gift cards” with their friends.

The full report and those screen shots can be found here.


PCI Security Standards Council invites payments community to input on PIN Transaction Security

The PCI Security Standards Council (PCI SSC) has announced the launch of a 30-day period to solicit feedback from PCI Participating Organizations on the next version of the PCI Hardware Security Module (HSM) security requirements.

Hardware security modules (HSM) are non-cardholder facing devices used in connection with the protection of sensitive data, such as cardholder data (e.g. PINs), and the cryptographic keys that protect or authenticate that information.  For example, HSMs are used with PIN translation, payment card personalization, data protection and e-commerce. Requirements for testing and approving these devices fall under the PCI PIN Transaction Security (PTS) program that also tests and validates Point of Interaction (POI) devices to ensure they comply with industry standards for securing sensitive data.

The PCI SSC has made a number of modifications to version 1.0 aimed at providing greater alignment between the PCI Hardware Security Module (HSM) security requirements  and those introduced with version 3 of the PTS Point of Interaction (POI) security requirements.

The Council requests input from Participating Organizations on these changes. All feedback will be reviewed and considered in finalizing the revised requirements for publication in the spring. Organizations should submit feedback using the online tool here by March 09, 2012.

“Because the Council is comprised of organizations ranging from merchants to acquirers to processors we have a unique opportunity to create standards based on feedback from across the payments spectrum. We rely heavily on active participation by our members. This industry feedback and expertise is critical to our mission and our business,” said Bob Russo, general manager, PCI Security Standards Council. “I would like to encourage each organization to take the time to provide us with input during this period.”


PayPal, Payments and PCI


Ingenico has announced a partnership with PayPal which will enable merchants with Ingenico POS devices to accept PayPal payment options, read the press release here.

Ingenico and PayPal have each made statements on the relationship:

“Today’s savvy shoppers want the option to choose how they pay for goods and are agile enough to easily switch between multi-shopping platforms. Our goal, as one of the key POS device and solutions providers, is to equip merchants with a versatile secure platform capable of accepting and handling diverse forms of payment,” said Thierry Denis, president of Ingenico North America. “By working with PayPal to bring their payment solutions to offline retail, we will naturally empower both the merchant, by providing a better way to connect with its shoppers to generate incremental sales, and the shoppers by adding speed and convenience at the checkout combined with expanded payment options. This relationship enables us to offer the most advanced solution for today’s practical shopper.”

“PayPal’s vision for the future of shopping includes people making purchases anytime, anywhere and over any device. Ingenico is helping PayPal realize this vision by putting PayPal in stores and at the point of sale,” said Don Kingsborough, vice president of retail and pre-paid products. “Millions of PayPal users will soon have several innovative ways to make purchases at many of their favorite retailers, including using Ingenico terminals to swipe their PayPal payment cards or to enter the mobile phone number and pin associated with their PayPal accounts.”

Walt Conway, a prominent QSA and manager at 403Labs, commented:

The first question is, if a PayPal card triggers a transaction on an underlying Visa or MasterCard, might that PayPal account be considered a “high-value token” and, therefore, be in scope for PCI? The follow-up question is, if the PayPal account is in scope, is it necessarily a big deal?

I read the piece about Home Depot letting shoppers pay in-store using PayPal:

“On the payment front, this is also a test of Home Depot accepting a rectangular magstripe card that doesn’t say MasterCard, Visa, American Express, Discover or Home Depot on it.”

Separately, I saw where Ingenico launched a new PayPal offering. It enables PayPal users to make retail purchases (using Ingenico terminals, of course) by swiping their PayPal payment cards or entering the mobile phone number and PayPal PIN. Because many (although not all) PayPal accounts are tied to an underlying payment card, which is in scope for PCI, and because using such a PayPal account ultimately triggers a payment-card transaction, would PayPal in this case fit the PCI Council’s definition of a high-value token?

A high-value token is a new concept the PCI Council introduced and defined in its PCI DSS Tokenization Guidelines. Specifically, the Council defines a high-value token as one that “could potentially be ‘monetized’ or used to generate fraudulent transactions.” The guidance goes on to say: “Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data.”

PayPal accounts were not designed to be tokens. However, because a stolen or compromised PayPal account could be used to generate fraudulent transactions, that PayPal account appears to act like not just any old token but a high-value token. The PCI Council states that high-value tokens may be in scope for PCI and, at the least, they require “additional controls in place to detect and prevent attempted fraudulent activities.”

Let’s move on to the second question. If a retailer (or its acquirer or QSA) considers PayPal accounts to be high-value tokens, does it matter? For many merchants, the PayPal transactions will use the same devices, networks and procedures that are already in scope for PCI.

Therefore, there might be no significant impact of PayPal acceptance for a retailer with a PCI-compliant POS system. Things might get complicated when the merchant stores the cardholder data, in which case the PayPal account information may expand the scope of data to be protected.

Thank you Walt for permission to use your excellent work.

Can Tokenization help to reduce the risk of fraud involving Credit Cards?

When it comes to protecting sensitive data, especially credit card data, an organisation needs protection in place because it is a constant battle against a variety of attacks with the two greatest foes being:

  • Social Engineering (e.g. preying on employees or customers)
  • Technology (hackers, viruses, etc.)

Social Engineering can be addressed by implementing regular training, professional management and monitoring, but Technology is a different story.

Technology is an on-going battle with thousands of new attacks being developed every week, e.g. viruses, Trojans, code breaches (e.g. SQL injections), etc.

New attack vectors require new defences, just like in fencing: as one fencer makes a move, the other needs to counter.

Security moves and counter moves cost time and money, especially when you consider that potential weakness could be in any device on the network e.g. phone systems, servers, BYOD, printers, etc. In a flat or non-segmented network one breached device could potentially lead to the breaching of all devices.

If multiple devices and applications require access to credit card data, e.g. CRM and Customer billing, the scope of risk is far greater which is why reducing the scope of the risk is so important.

Tokenization can dramatically reduce the scope by changing credit card data, and other sensitive information, into usable data that contains no Personally Identifiable Information (PII) or Credit Card data. The original data is then stored in a “data vault” which has strong encryption wrapped around it.

For some companies Tokenization has reduced the risk-points from several dozen to one, and if placed in the “cloud” it could place the organisation’s technology and infrastructure out of PCI DSS scope.

For details on reducing the scope of PCI DSS see my other post Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data

For a copy of the guide “Tokenization for Dummies” click here.


E*Trade Securities Ltd falls foul of the ICO after losing customer records

In April 2010 E*Trade Securities Ltd discovered that 608 customer records had been lost at a UK-based storage facility and, despite an investigation, was unable to recover the records.

E*Trade Securities Ltd did not have a formal agreement in place to store the customer information securely, and subsequently informed the Information Commissioner’s Office in December 2010.

E*Trade Securities Ltd has now agreed to take action to keep the personal information it holds secure. This includes implementing written agreements with UK contractors storing client personal data on its behalf and making sure that appropriate audit trails are in place to record where client files are being sent and stored at all times.

Head of Enforcement, Steve Eckersley, said:

“This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure. 

“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses license to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”


Fortnum and Mason fail PCI DSS requirements after a phone call…

It was reported that Fortnum and Mason had a Payment Card Industry Data Security Standard (PCI DSS) issue resulting from an employee asking a customer to email their credit card details so that a dispute could be resolved.

Fortnum & Mason said in a statement:

“We have now fully investigated the claim that a customer was asked for their credit card details via email and we can confirm that

“We apologise for causing concern for this genuine, human error, done with best intentions to aid the customer. It is against our procedures and we have taken action to ensure that this will not occur again.”

Human error whether it is trying to help a customer or trying to finish on time is often the weakest link in the security chain.

If the credit card details had been emailed or the phone call recorded it could have a huge impact on an organisation’s compliance posture because all those systems involved and the connected systems will fall into the scope of PCI DSS.

For example, the email could potentially put many systems into the scope of PCI DSS that were previously out of scope:

  • the customer service person’s desktop, which may be storing emails locally
  • the email server
  • the email back-ups and other back-up systems, if the data is shared across tapes/drives/SANs/etc.
  • the CRM solution, if the email system is integrated with it
  • etc.

Education and technology can reduce the chances of this happening but it requires constant management and monitoring.
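As an added example (not code from this blog or from any tokenization vendor), here is the mechanism described in the tokenization post above applied to the scenario in this post: a small Go data vault that replaces a card number (PAN) with a token carrying only its last four digits, keeps the PAN AES-GCM encrypted, and redacts any Luhn-valid card number found in free text such as an email body before it can settle on mailboxes, backups or a CRM. Type and function names are this example’s own assumptions; the AES key and any text a caller passes in are the caller’s, and the only card numbers used anywhere here are the public test numbers, not real cards.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
)

// luhn reports whether a 13-19 digit string passes the Luhn check that every real PAN satisfies.
func luhn(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			d = int("0246813579"[d] - '0') // digit doubled, with its digits summed
		}
		sum += d
		double = !double
	}
	return len(s) >= 13 && len(s) <= 19 && sum%10 == 0
}

// Vault is the data vault: the only place a PAN exists, AES-GCM encrypted (single-threaded demo).
type Vault struct {
	aead  cipher.AEAD
	byTok map[string][]byte // token -> nonce || ciphertext
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key; in production it lives in an HSM
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead, byTok: map[string][]byte{}}, err
}

// Tokenize returns a 16-digit token that keeps only the PAN's last four digits (for receipts).
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhn(pan) {
		return "", fmt.Errorf("not a valid PAN")
	}
	for {
		n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000_000)) // 12 unbiased random digits
		if err != nil {
			return "", err
		}
		t := fmt.Sprintf("%012d", n.Int64()) + pan[len(pan)-4:]
		// Retry if the token is already in use or passes Luhn: a token must never look like a card number.
		if _, taken := v.byTok[t]; taken || luhn(t) {
			continue
		}
		nonce := make([]byte, v.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return "", err
		}
		// The token is bound as additional data, so records cannot be swapped between tokens in the store.
		v.byTok[t] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(t))
		return t, nil
	}
}

// Detokenize recovers the PAN; every system allowed to call it is inside PCI DSS scope.
func (v *Vault) Detokenize(tok string) (string, error) {
	rec, ok := v.byTok[tok]
	if !ok {
		return "", fmt.Errorf("unknown token")
	}
	pan, err := v.aead.Open(nil, rec[:v.aead.NonceSize()], rec[v.aead.NonceSize():], []byte(tok))
	return string(pan), err
}

// panPattern finds 13-19 digit runs, optionally split by spaces or dashes, as a customer types them.
var panPattern = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
var separators = regexp.MustCompile(`[ -]`)
// Redact swaps each Luhn-valid card number in free text for its token and reports how many it found.
func (v *Vault) Redact(text string) (string, int) {
	found := 0
	out := panPattern.ReplaceAllStringFunc(text, func(m string) string {
		tok, err := v.Tokenize(separators.ReplaceAllString(m, ""))
		if err != nil {
			return m // a phone or order number that fails Luhn is left untouched
		}
		found++
		return tok
	})
	return out, found
}
```

Systems that only ever hold tokens and call Redact stay outside the scope the tokenization post describes; anything permitted to call Detokenize is inside it, and a non-zero count from Redact on inbound mail is worth alerting on.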

An older post of mine contains a lot of advice for organisations that wish to address the non-IT issues facing organisations that operate a call centre or deal with customer orders or disputes over the phone.

The post “Call Centre Security and PCI Compliance” is here.

