“Communist Chinese Cyber-Attacks, CyberEspionage and Theft of American Technology” May 13, 2012
Posted by Chris Mark in cybersecurity, Data Breach.Tags: china, Chris Mark, cybercrime, cyberespionage, cybersecurity, InfoSec, IP Theft, malware, mark consulting group, security
1 comment so far
Since it is Mother’s day, I will not ramble on with inane commentary 😉 Instead, here is a link to the report of the same name as the blog title (too lazy to retype)…from the 112 Congress’ Congressional Hearing before the Subcommittee on Oversight and Investigations of the Committee of Foreign Affairs; House of Representatives.  It is very interesting and provides some valuable insight into IP theft. Don’t forget to thank Mom today!
“Doing Time Before Being Convicted?” – Analyist Accuses Merchant of PCI Non-Compliance May 11, 2012
Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.Tags: bankinfosecurity, Chris Mark, cybersecurity, data breach, Gartner, opening ceremony, PCI DSS, security
add a comment
I wrote this in May 2012. Â Given the current position in the industry if proclaiming victims of cybercrime to be wholly responsible, I thought it appropriate to publish again.
I was reading a an article on BankInfoSecurity.com titled: “Online Retailer Breached”. I am taken aback at the attitude of the quoted analyst. A Gartner analyst took a very bold step of accusing the merchant of “non compliance” then seemingly qualifying his statement by adding: “The attacker was probably able to attack unencrypted card numbers,” he says. “But given the lack of details, it’s hard to say for certain.” (more…)
“Oh the humanity!”- Financial Institution Breached 3 Times in 2 Weeks! April 4, 2012
Posted by Chris Mark in Data Breach, Industry News, Uncategorized.Tags: bank robberies, Chris Mark, data breach, Global Payments, InfoSec, mark consulting group, PCI DSS, risk management
add a comment
STOP THE PRESSES! According to the Patriot Ledger, a financial institution’s security was breached 3 times in 2 weeks and assets were stolen. The media, however, has been quiet on the story. I have not heard a single Gartner or other analyst publicly eviscerate the financial institution for their poor security practices nor has Information Week, CNN, or any other major media outlet opined on the breaches. Why?
The financial institution was a actually a bank branch and the breaches were not data thefts rather they were good old fashioned bank robberies. In 1968, in response to increasingly violent and frequent bank robberies, the US Government passed the Code of Federal Regulations Title 12 part 208.61- Bank Security Procedures. The purpose of the Act is as follows: (more…)
“Blaming the Victim and the PCI DSS is…Passe”- PCI DSS; GlobalPayments & Data Theft April 1, 2012
Posted by Chris Mark in Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.Tags: Chris Mark, cybersecurity, data breach, Global Payments, InfoSec, mastercard, PCI, PCI DSS, visa
add a comment
In an effort beat the “PCI Evangelists”; “wagon jumpers”, “naysayers”, and “PCI Haters” to the punch, I am publishing my post on a Sunday evening. By tomorrow morning the speculation on how the GlobalPayments compromise occurred will be in full swing and no doubt, many will have already condemned the company for “PCI DSS non compliance” or being “sick, lame, or lazy” when it comes to their PCI DSS compliance or information security. Others will have published articles condemning the PCI DSS as ‘ineffective’, ‘irrelevant’, or simply ‘stupid’.
Before they are condemned I want to go on record and say it NOT a PCI DSS compliance issue that caused the compromise. Like Heartland Payment Systems, Royal Bank of Scotland Worldpay and many more before them, GlobalPayments has been held out as the paragon of PCI DSS compliance for years. Now that they have been breached they will be expected to wear a scarlet letter for the foreseeable future. I have no doubt that by the end of next week their status as a “Level 1 PCI DSS Compliant Service Provider” will have either been revoked by the card brands or be under “review”.In the same vein, there will be many who shout from the rooftops that the PCI DSS is “irrelevant”, “outdated” and so on. Neither of these positions are accurate.
Here it goes…(drum roll please)…
The PCI DSS is a solid set of information security controls and represents minimum necessary controls to minimize the likelihood of data compromise through common, identified vulnerabilities. (more…)
What to do if your card was compromised and used… April 1, 2012
Posted by Chris Mark in Data Breach, Industry News, InfoSec & Privacy.Tags: Chris Mark, credit card theft, cybercrime, data breach, mastercard, visa, zero liability
add a comment
I have already read 5 different articles where experienced and well known security evangelists are discussing how their credit card data was exposed and how it exposed them to danger. Here are some things to understand about credit card theft and liability. First, credit card theft is NOT identity theft. Certainly, criminals can make fraudulent transactions but they cannot assume your identity to buy a boat, house, or get further credit.
Second, Under Federal law, consumers are limited to $50 for fraudulent credit card transactions. The major card brands (Visa, MC, Amex, JCB, Discover) all have “Zero” liability clauses. This means that if your card was used fraudulently…you have no liability for transaction that run over their networks. If it is a PIN based transaction (debit, for example) there are other considerations. You can read more on this post. “Signature or PIN? Credit or Debit?…the answers” If the Global Payments breach was limited to track 1 or track 2 data as reports indicate, then the PIN issue is not relevant.
Here is what you should do…
1) check your credit and debit card accounts. Debit cards can be processed as an ‘offline’ transaction which means they run over credit networks. The criminals can use them just like stolen credit cards. If you see unauthorized transactions take the next step.
2) call your issuing bank (bank listed on your card) and inform them of the fraudulent transactions. They will require you to complete an affidavit stating it was not your charge, etc. etc. If you have unauthorized charges on your bank account from the debit card being compromised, read the post here as it is a bit more complex from time to time. Understand that your bank will CANCEL the card and reissue a new card. Make sure you have taken steps to update your bills etc.
3) continue to monitor your accounts for fraudulent activity…that simple.
Hopefully this helps assuage some concerns
Global Security, Privacy, & Risk Management 