Brian Pennington

A blog about Cyber Security & Compliance


October 2013

A summary of the 2013 PCI SSC North America Community Meeting by Matt Getzelman

The most valuable technical information was presented during the ‘Assessors Only’ session on Tuesday afternoon.  The SSC covered the upcoming changes to the PCI DSS and PA-DSS standards.  There was an open Q&A session with excellent insight on the industry’s concerns and the SSC’s intent with many of the proposed changes.  Some of the key announcements and observations were:

  • ASV Changes – A lot of information was presented about upcoming changes to the Approved Scanning Vendor (ASV) baseline (which is currently in progress).  The SSC has created a task group to deal with the issue around “Scan Interference”.  The task force will deal with this issue and communicate clear expectations to the rest of the industry.  A number of “hints” were dropped with regard to web-based vulnerabilities and how they will play a bigger role in ASV scans (and the revised baseline) going forward.

  • PCI DSS 3.0 – Business as Usual – Clarifications on this new section within the 3.0 standard in the sense of no assessor validation or documentation will be required.  This is merely a section on implementation best practices for continuous PCI DSS compliance.

  • PCI DSS 3.0 – Template Changes – New to the 3.0 release, the SSC has created a reporting template that they would like all QSA organizations to use.  The reporting instructions had previously been outlined in a separate document.  They are now included within the standard itself.

  • PCI DSS 3.0 – Scope – The SSC made some significant improvements to its intent around PCI DSS scope of validation.  These clarifications were covered again during the assessor and general sessions.  Most importantly the following:  Systems that affect the security of the cardholder data environment should be considered as in-scope for the assessment.  During one of the Open Forum sessions, we asked if this would include A/V servers, patching servers, DNS systems, etc., and the SSC confirmed yes.  It’s important to note that they indicated that this will include originating web-servers for ecommerce outsourcing solutions.

  • PCI DSS 3.0 – Phase-in Requirements – There are several new requirements that will be considered best practice only until June 2015.  It’s important to review and analyze these new requirements now to prepare your organization for the upcoming impact to your compliance efforts.  Our favorite is the change to the penetration testing requirements:

    • Penetration testing must now validate segmentation technologies

  • Avoid the Silver Bullet – We heard this phrase a lot during the SSC presentations and informal discussions with the card brands.  The SSC wants to dispel the myth that so many merchants seem to be falling prey to.  There is no such thing as a “Silver Bullet” solution that eliminates all PCI DSS scope and responsibility.

  • PA-DSS Template Changes – There was very little content presented on the upcoming changes to the PA-DSS.  We met several key SSC representatives that will allow us to provide direct feedback about the draft standard.  Coalfire has concerns and questions on two major areas in the new draft that we will clarify in the near future:

    • Hashing requirements for passwords
    • SDLC guidelines

  • PCI SSC Tokenization Standards – It seems surreal, but the SSC plans on releasing four tokenization standards in 2014. These standards will cover hashing strength and other considerations for using tokenization technologies to reduce scope.  These are not to be confused with the “Tokenization” guidelines recently announced by some card brands.

The original post by Matt Getzelman, PCI Practice Director, can be found here.

The five cloud personas

NTT Integralis have produced a report highlighting the acceptance of Cloud Solutions.  The full report can be found here.

The report characterises organisations as fitting five cloud ‘personas’ defined by their level of enthusiasm for cloud computing and maturity of adoption.

The personas range from Embracers at one end of the scale (very active in new technologies for over three years) to ‘Controllers’ at the other (characterised by their lack of cloud deployments), with Accepters, Experimenters and Believers in between.

The five cloud personas

  1. The Embracer – using cloud for 3+ years, very active in seeking out new technologies, dedicates over half of its budget to cloud and is very likely to see an increase in revenues and profits from it
  2. The Believer – very likely to actively seek out new technologies and to move the majority of services into the cloud over the next year. Cloud is critical to the deployment of services, with a third of the budget allocated to it
  3. The Experimenter – likely to experiment with new technologies and to move the majority of services into the cloud in the next year. Cloud is used in half or more of departments, with a quarter of the budget dedicated to it
  4. The Accepter – adopted cloud in the past two years and most likely to adopt technology when there is a clear business case. Cloud is not central to IT strategy
  5. The Controller – least likely to be using cloud and emerging technologies, more reliant on data centres. Cloud is not currently part of their IT strategy

To have completed the survey, respondents must at least have understood the concept of the “Cloud”, which is a step in the right direction.

The nightmare of securing your unstructured data in the era of the borderless enterprise

As Big Data and BYOD become the accepted norm, this infographic demonstrates some of the facts about potential data breaches.

Syntec Telecom and Davies Hickman Partners have produced a report on how contact centre leaders are meeting the challenges of PCI DSS and the concerns of consumers about credit card payments over the phone.

Extracts from the report are below.

Consumers demand better card payment security

  • 72% (68% in 2012) say “call centre managers should do more to prevent credit and debit card fraud”
  • 74% (70% in 2012) say “the banks, credit card and payment companies should do more to prevent fraud”

The report’s authors believe their research shows that, despite years of compliance pressure, call centres are adopting one of three methods to deal with the issues:

  1. ‘Head in the Sand’: These organisations are adopting a trust-based approach relying on existing systems and staff, including elements of ‘clean-rooming’, but are unaware of the seriousness of PCI requirements
  2. ‘Segmenting the Problem’: Here, organisations are setting up discrete payment teams to reduce the numbers of agents taking payments
  3. ‘De-scoping payments’: Organisations engaged in PCI compliance are using technology to shield crucial payment card data from the call centre

Key findings from the research showed:

  • 1% (2013), 3% (2012) of consumers say payment over the phone to a call centre is the most secure method (compared to chip and pin, online and self-service/ATM payments)
  • 16% (2013), 14% (2012) of UK consumers say they are very confident that “Organisations I buy from over the phone will keep my personal and card payment details secure”
  • 80% (2013 & 2012) of consumers say that despite careful recruitment policies, some call centre agents may commit fraud, directly or indirectly, by stealing personal data and credit card payment details taken over the phone from customers
  • 72% (2013), 68% (2012) say call centre managers should do more to prevent credit and debit card fraud.
  • 68% (2013), 58% (2012) of UK consumers say “As a general rule, I don’t think companies should be allowed to keep my credit or debit card details on their databases”
  • 32% of UK consumers say they have seen news stories about credit & debit card fraud in call centres (39% of 18-34 year olds)
  • Twice as many consumers favour using their phone keypad* to enter their card details whilst the agent is still on the call, compared with the solution where the agent simply pauses the call recording. A higher majority of consumers say they would use, and be happy to use, their phone keypad – 58%, with only 27% favouring pausing the call recording.

Do you believe call centre agents may commit fraud directly or indirectly by stealing personal data and credit card details they take from customers over the phone?

  • Yes, often, 16%
  • Yes, sometimes 64%
  • No 6%
  • Don’t know 14%

When making card payments which is the most secure?

  • Chip and Pin 53%
  • Payments over a secure website 18%
  • Self-service Machines (e.g. train tickets) 11%
  • Telephone payments to call centre agents 1%
  • Don’t know 16%

Solving the compliance conundrum

  • Use technology to hide credit card details from call centre agent 45%
  • Only allow selected agents in ‘clean rooms’ 7%
  • Regular audits of calls to monitor fraud 14%

Has the risk of fraud when giving your credit/debit card details over the phone to a call centre made you reluctant to pay for a product or service?

  • Yes 59% (Yes, often 17%, Yes, sometimes 42%)
  • No 21%
  • Don’t make phone payments 19%

Tips for rebuilding trust through card payment delivery in call centres

  1. Build capability by educating your people about risk, fraud and the value of security to customers
  2. Develop processes and procedures so your people can report suspicions confidently
  3. Build relationships with internal and external fraud monitors
  4. Create a compliance strategy which suits your organisation
  5. Keep your eye on changing operational requirements to improve security programmes
  6. Delete basic operational failings such as storage of sensitive information
  7. Choose trusted secure partners
  8. Explore technologies which ‘shield’ the call centre from sensitive payment data.

Simon Beeching, director at Syntec Telecom, said: “There is no question that card payments over the phone to the call centre remain a weak link. Our research clearly shows that an increasing majority of consumers have serious concerns over card payments by phone. Consumers are now saying they will positively favour brands and call centres that can provide tangible reassurance over their card payment security.”

SafeNet and SafeMonk have recently published the results of a survey titled “Cloud App Usage vs. Data Privacy”.

The survey shows the attitudes of people, including C-level executives, to cloud storage and data privacy. A summary of the survey is below.

Do you frequently use cloud based applications (i.e. Banking, business applications, social media, etc.)?

  • 64% Yes
  • 25% No
  • 11% what is a cloud based application…

Do you store any personal or professional data in the cloud?

  • 55% Yes
  • 28% No
  • 14% I think so
  • 3% not sure

Are you worried at all about the security of the cloud-based applications or data stored in the cloud?

  • 55% Yes
  • 32% No
  • 15% Still trying to figure out what cloud is

Of the applications that you use, which are you most concerned about someone hacking into?

  • 52% Banking Application
  • 17% File Storing / Sharing Application
  • 14% Email
  • 9% None of the Above
  • 8% Social Media Account

What system do you use most frequently for file storage?

  • 39% Dropbox
  • 25% The drawers on my desk
  • 24% Google Drive
  • 6% Other
  • 5% Microsoft SharePoint
  • 1%

Reading the above is even more interesting when you see the next question and answers.

What system for file storage and sharing does your company ask you to use?

  • 52% Internal Network
  • 13% Google Drive
  • 12% Microsoft SharePoint
  • 12% Dropbox
  • 7% Other
  • 3% iCloud
  • 1%

When it comes to your data privacy, who are you most concerned with?

  • 46% Government
  • 22% Google
  • 22% I’m not concerned about the privacy of my data.
  • 6% Boss
  • 3% Spouse
  • 1% Mom

Does your company have a policy regarding usage of file sharing applications such as DropBox?

  • 39% No
  • 33% I don’t know
  • 28% Yes

If your company has a policy against usage of applications such as DropBox, do you use it anyway?

  • 79% Yes
  • 21% No

What types of files do you store online?

  • 50% Personal
  • 24% Professional
  • 18% Both
  • 8% None of your business

What keeps you up at night regarding your data and personal information?

  • 52% Nothing keeps me up at night. I sleep like a baby.
  • 29% It will be maliciously exploited
  • 17% The government will have visibility into my private information
  • 2% My peers will know my secrets

“What this survey suggests is that cloud app usage and document storage continue to proliferate, and that organizations should re-examine antiquated attitudes towards usage of these apps across the enterprise,” said Tsion Gonen, Chief Strategy Officer, SafeNet, Inc. “It’s clear that top-level executives understand the advantages of cloud app usage, and should enable their companies to leverage these advantages by adopting contemporary security tools and practices.”

RSA’s September 2013 Online Fraud Report featuring a review of “education in the cybercriminal world”

RSA’s September 2013 Online Fraud Report discusses the improvement in cybercriminal skills and how education offered online, with the support of tutors, course work and counselling, is increasing the threat to businesses and people alike.

RSA have seen an increase in ads by established criminals advertising courses they commonly carry out via Skype videoconferencing. To add value, “teachers” are offering interesting fraud courses, following those up with individual tutorials (Q&A sessions) after students join their so-called schools.

As Fraud-as-a-Service (FaaS) strives to resemble legitimate business models, fraudster trade schools further offer ‘job placement’ for graduates through their many underground connections with other experienced criminals. Interestingly, some of the “teachers” go the extra mile and vouch for students who show “talent” so that they can join the underground communities they would otherwise not be able to access.

Some cybercrime professors even enforce a rigid absentee policy:

  • Students must give a 2 hour advanced notice if they cannot attend.
  • Students who fail to notify ahead of time are fined 50% of the fee, and rescheduled for the next class.
  • Students who fail to pay absentee fees will forfeit the entire deposited fee.

The following section presents some examples of cybercrime schooling curriculums exposed by RSA fraud analysts.

Beginners’ cybercrime classes

The first level is designed for beginners, teaching the basics of online financial fraud. The Cybercrime Course Curriculum:

  • The Business of Fraud – Credit cards, debit cards, drop accounts, how it all works, who the clients are, prices, risks
  • Legal Aspects – How to avoid being caught by the authorities. What can be used against you in a court of law?
  • Building Your Business – Where to find clients? How to build a top-notch fraud service
  • Transaction Security – How to avoid getting scammed and shady escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)

Courses in card fraud

Criminals further offer the much-in-demand payment card fraud classes – one course per payment card type. Card Fraud Course Curriculum:

  • The Business – Drops, advertising, accomplices, chat rules and conventions
  • Legal Security – Dealing with law enforcement: who is accountable for the crime in organized groups, what can be collected as evidence
  • Building Your Business – Invaluable tips that will help develop your service to top level, and help acquire customers
  • Security of Transactions – Common patterns of rippers/ripping, how to identify scams, how to use escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)
  • Price per course 2,500 Rubles (about $75 USD); both courses 4,000 Rubles (about $120 USD)

Anonymity and security course

Stressing the importance of avoiding detection and maintaining anonymity, this course teaches a fraudster the art of avoiding detection, and how to erase digital “fingerprints”. The tutoring vendor offers practical lessons in configuring a computer for complex security and anonymity features. This course includes a theoretical and a practical section, with a duration estimated at four hours. Anonymity Course Curriculum:

  • Configuring and using Anonymity tools – Antivirus and firewall, Windows security (ports and ‘holes’), virtual keyboards, shutting off browser logging, eliminating history/traces on the PC, applications for permanent data removal, data encryption on the hard drive, Anonymizer applications, VPN – installation/configuration, using SOCKS – where to buy them, hiding one’s DNS server, dedicated servers, TOR browsers, safe email mailboxes, using disposable email, using a cryptic self-destruct flash drive, creating cryptic self-destruct notes, extra advanced topic – tools for remotely liquidating a hard drive
  • Botnets – Independent study (online document/site link provided)
  • Using Chat Channels – Using ICQ, Skype, Jabber, registering Jabber on a safe server, OTR/GPG encryption in a Jabber chat, passing a key and chatting on a secure channel via Jabber
  • Legal – Electronic evidence one might be leaving behind, and that can be used against fraudsters by law enforcement
  • Price per course – 3,300 Rubles (about $99 USD); $35 additional charge for installing VPN

Mule Herding Course Curriculum:

  • Theory section (2-3 hrs.) – Fundamentals – opening a mule-recruitment service, legal and practical security measures, finding accomplices and partners
  • Practical section (3-5 hrs.) – Receive a prepared transaction to handle, and earn 10% on this initial transaction (if one succeeds). If the student fails, a second transaction will be offered, at a cost of 1,500 Rubles ($45 USD) and no percentage earned.
  • Upon successful completion of the test, fraudsters receive official confirmation by public notice from the lecturer in the community. This part is only open to students who have completed the theory section, and have set up the anonymity and security tools and have the additional tools required for the transaction

One-on-one tutorials and consultations

With a money-back guarantee promised to students, one crime school offers personal one-on-one tutorials and problem solving sessions via Skype. Special tutorial topics:

  • Banking and Credit Cards – “Black and white” credit, fake documents, banking algorithms and security measures (Russian Federation only)
  • Debit Cards – The finer details of working with debit cards and setting up a service (Russian Federation only)
  • Registering and using Shell Corporations – Legal issues and practical problems in using Shell Corporations for fraud (Russian Federation only)
  • Legal Liability Issues – Your legal rights, practical advice on interaction with law enforcement agencies, counselling services even while under investigation (Russian Federation only)
  • Setting up Anonymity – Practical help in setting up anonymity, and answers to questions from the course (any country)
  • Price 2,000 Rubles (about $60) per hour

The school of carding

Approaching the subject that is highest in demand in the underground, vendors have opened schools for carding – teaching the different ways to use payment cards in fraud scenarios. One vendor offers classes on a daily basis, at two levels of expertise, and indicates that he gives his personal attention to each student. The vendor also assures his students that his resources (compromised data) are fresh, personally tested by him, and never before made available on any ‘public’ lists.

School of Carding – Basic Curriculum:

  • Current Working BINs – Credit card BIN numbers that have been verified as successful in carding scenarios.
  • Websites for Clothing, Electronics, etc. – Which merchants make the best targets for carding?
  • Tips and Tricks – Extra insights from personal experience.
  • Price $25 USD

School of Carding – Advanced Curriculum

  • BINs and Banks – Recommended BIN numbers that give best results in carding
  • Tested sites – A list of tested e-commerce sites recommended for carding clothing, electronic goods, and more.

Phishing Attacks per Month

RSA identified 33,861 phishing attacks launched worldwide in August, marking a 25% decrease in attack volume from July. Based on this figure, it is estimated that phishing resulted in $266 million in losses to global organizations in August.

US Bank Types Attacked

U.S. nationwide banks remained the most targeted with two out of three phishing attacks targeted at that sector in August while U.S. regional banks saw an 8% increase in phishing attacks.

Top Countries by Attack Volume

The U.S. remained the most targeted country in August with 50% of the total phishing volume, followed by the UK, Germany and India which collectively accounted for approximately 30% of phishing volume.

Top Countries by Attacked Brands

In August, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, Australia and India.

Top Hosting Countries

Four out of every ten phishing attacks were hosted in the U.S. in August. Canada, the Netherlands and the UK collectively hosted 25% of phishing attacks.



PCI DSS and VMware

common denial

As much as I try to keep Security and Compliance separate because, as you know, security and compliance are two totally different things, there are exceptions. You also know compliance can sometimes help with regard to security. The number one standard where this is true is the Payment Card Industry Data Security Standard, also known as PCI DSS. Not only does this requirement focus on security (it even says it in its name… Data Security Standard) but they have developed a supplemental document focused on PCI DSS Virtualization GUIDELINES. That is right, virtualization guidelines. Some of the items it covers (PCI DSS v2) are:

  • Separation of Duties
  • Dormant virtual machines
  • Immaturity of monitoring solutions
  • Defense in depth (when was the last time you saw a Compliant control that mentioned defense in depth?)
  • Recommendations for cloud computing environments

and of course my personal favorite

  • Guidance for assessing risks in virtual environments

PCI DSS Virtualization Guidelines 2.0


