jump to navigation

Beating an Old Drum October 27, 2012

Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

It’s the end of what has already been a tough year for data security.  And the news just got worse.  South Carolina has announced that its Department of Revenue suffered a major breach.  The breach is so massive, in fact that more than 75% of the state’s residents have been affected.  The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents.  Also included in the breach were about 390,000 payment cards.  Most of those were encrypted, though.

This is disturbing on a number of levels.  I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those).  Consumers have built in protections on payment cards.  As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions.  The far more sensitive data, the social security numbers, were not encrypted, though.  This defies logic.  Consumers have little to no protection against misuse of SSNs.  Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) in untangling the identity theft knot that comes with stolen SSNs.

Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.”  WHAT?  If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold.  After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become priority.

Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data.  It’s long past time states put forth the same level of protection.  On the plus side, the state did comply nicely with its own data breach notification law.

RoboCop on RoboCallers? October 22, 2012

Posted by Heather Mark in News.
add a comment

RoboCop (c) 1987 Orion Pictures Corporation

Taking a page from web and application companies, the Federal Trade Commission is offering a bounty on Robocallers.  Well, not exactly a bounty, but the FTC is offering a reward for the enterprising soul, or souls, that can figure out a way to combat the infamous robocaller.

The Federal Trade Commission banned automated commercial telemarketing calls in 2009.  However, as most of us can attest, this has not stopped the annoying calls.  To combat this,  the FTC is offer a grand prize of $50,000 for a solution that can successfully block the calls.  The contest opens on October 25, 2012 and has three primary criteria for a winning solution:

1) Does it work?

2) Is it easy to use

3) Can it be rolled out?

Seems fairly straightforward.  The FTC will begin accepting submissions this week, with judging to begin January 17, 2013.  For more information about the contest, visit the FTC’s challenge website.

Mobile Privacy October 12, 2012

Posted by Heather Mark in InfoSec & Privacy, Laws and Leglslation, privacy.
Tags: , , , , ,
add a comment

Smartphones have changed the way we interact with our world.   They’ve introduced a new level of convenience, but they’ve also introduced a new potential threat to our privacy.    As consumers, we should be informed about the choices that we make on our smartphones and how they might impact us.  For example, I upgraded my iPhone to iOS 6 this afternoon. (I know. I’m a little late on that one.)  Anyway, when I was done I got two prompts.   The first asked if I wanted to enable location services.  I said yes, knowing that meant that 1) I could use the “find my phone” app, as well as many other apps that come in handy for a frequent traveler, and; 2) that it meant that Apple would have access to my location data.  The next prompt suggested that Apple could improve its products and services if I just allowed my phone to send occasional reports to headquarters.  That one I declined.  I don’t necessarily want Apple to have access to all of my activities on my smartphone.

Now, I’m not naive enough to believe that my simple selection means that I have safely secured my data and mobile behavior entirely.  There are companies that are taking advantage of the fact that privacy laws have not kept pace with technology.  We know for example, that there are companies that offer device fingerprinting services for fraud prevention that also happen to sell mobile device behavior analytics to marketers.  Consumers don’t have any way of knowing that their behavior is being tracked and they have no way to opt out.

This week, Sen. Franken (D-Minn) and Sen. Blumenthal (D-Conn) introduced a bill designed to protect mobile privacy.  The Location Privacy Protection Act of 2011 is meant to protect consumer privacy by informing users of how and with whom their location data is shared.  There are four primary requirements of the bill.  Distilled to their basics, those requirements are:

1) Gain consumer consent before collecting location data

2) Get consumer consent before sharing that data

3) Assist in understanding and investigating crimes that involve the misuse of location data

and

4) create criminal penalties for those that abuse location services or use so-called “stalking apps.”

While I applaud the move to ensure that mobile users are protected from entities divulging their location without the knowledge or consent of the consumer, I wonder if the law goes far enough in protecting consumer privacy.  What about those device fingerprinting activities?  Do you think the proposed bill goes far enough? Too far?  What would you like to see in terms of mobile privacy protection?

Privacy, Social Media, and Legislation September 29, 2012

Posted by Heather Mark in InfoSec & Privacy, Laws and Leglslation.
Tags: , , , , , , , ,
add a comment

This week marks the opening of a new chapter in the rocky marriage of privacy and social media.  California has passed two laws related to the protection of privacy on social media platform.

In SB1349, the state prohibits public or private post-secondary educational institutions from requiring students to provide the organization with access to the student (or student groups) social media sites.  Nor can the student or group be forced to divulge information contained on those sites.

AB 1844 is similar in nature, but applies to employers.  Specifically, the bill “would prohibit an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media. This bill would also prohibit an employer from discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions.”

These bills are interesting in that they address a core concern around privacy and labor laws as they relate to social media.  Employers (and potential lenders) are prohibited from making decisions based upon race, gender, religion, politics, sexual orientation.  Most of this information, though, is available on individuals’ private social media profiles.  Amid increasing reports of employers requiring prospective employees to turn over credentials or access their sites in view of the employer, privacy advocates were becoming increasingly, and rightly, concerned that the rights of individuals to protect their personal lives from employers were being diluted.  These actions on the part of California serve to protect those rights.  Frankly, these actions can also protect employers and schools from being accused of discriminatory behavior by not providing them access to this information, which would otherwise be unavailable to them.

It will be interesting to see how quickly other states follow the lead that California has set.  Recall that California was the first state to pass a breach notification law and we now have 46 such laws nationwide.  So the question, to me, is when, not if, we are going to see the trend take shape.

 

 

 

EMV: Payment Security Endzone? September 29, 2012

Posted by Heather Mark in Industry News, PCI DSS.
Tags: , , , , , , ,
1 comment so far

As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen.  As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines.  Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post.  Mission accomplished.

On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach.  It was well-attended and had a number of interesting sessions.  Not surprisingly, much of the talk centered around EMV, of Chip & PIN.  Some wondered whether EMV meant the end of PCI DSS.  Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies.  (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here.  Simply adding additional layers of authentication doesn’t change the type of data that is collected.  In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.

Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought.  Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology.  Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data.  That’s not to say that EMV is useless, but it’s not the exactly the impenetrable defense that some have made it out to be.  Even the best defensive line sometimes gives up the big play.

So – to the question in the title – does EMV represent the winning score?  My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern.    After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line.  It was a long, brutal game and you really couldn’t tell who was going to win.  You just gotta keep putting your best players on the field and keep those trick plays coming.

What do you think of EMV?  Touchdown, fumble, or forward progress?

Follow

Get every new post delivered to your Inbox.

Join 238 other followers

%d bloggers like this: