“Money Laundering May Support Drugs and Terror Funding?” – US Senate says of HSBC July 17, 2012
Posted by Chris Mark in Industry News, Risk & Risk Management, terrorism. Tags: AML, HSBC, mark consulting group, PATRIOT, risk, security, senate, terrorism
According to a US Senate report issued today, as covered by major news outlets including MSNBC: “A ‘pervasively polluted’ culture at HSBC allowed the bank to act as financier to clients moving shadowy funds from the world’s most dangerous and secretive corners, including Mexico, Iran, Saudi Arabia and Syria, according to a scathing U.S. Senate report issued on Monday.” HSBC is Europe’s largest bank. The report, titled US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History, “…examines the anti-money laundering (AML) and terrorist financing vulnerabilities created when a global bank uses its U.S. affiliate to provide U.S. dollars, U.S. dollar services, and access to the U.S. financial system to high risk affiliates, high risk correspondent banks, and high risk clients.” The US enacted stronger anti-money laundering laws as part of the PATRIOT Act passed in the wake of 9/11. These AML laws were designed to cut off the flow of money to terrorists. In the case of HSBC it appears many of the rules were ignored, potentially allowing drug cartels and terrorists to move and launder money.
In a statement emailed to NBCNews.com, the bank said:
We will apologize, acknowledge these mistakes, answer for our actions and give our absolute commitment to fixing what went wrong. We believe that this case history will provide important lessons for the whole industry in seeking to prevent illicit actors entering the global financial system.
Oil Giants Hacked by Anonymous in “Save the Arctic Phase2” July 16, 2012
Posted by Chris Mark in Data Breach, Industry News. Tags: anonymous, bp, cybercrime, cybersecurity, data breach, exxon, InfoSec & Privacy, mark consulting group, savethearctic, security
According to CyberWarNews.com, Anonymous has set its sights on the oil giants Shell, BP, Gazprom, and Rosneft in what has been dubbed “Save the Arctic Phase 2”. This comes on the heels of phase one, in which account details, including administrator accounts, passwords and other server information, were stolen from Exxon and released.
According to the messages posted on Pastebin, the stolen accounts were used to sign the petition on savethearctic.org and, more disturbingly, for phishing attacks. Hacktivism is a growing concern for all companies. Whether the grievance is the perceived unfair distribution of wealth under capitalism, a company’s support of the US defense industry, or environmental issues, hacktivists are increasingly active against corporations.
“NSA Says – Largest Transfer of Wealth…EVER”; CyberAttacks rose 44% in 2011 July 10, 2012
Posted by Chris Mark in cybersecurity, Industry News. Tags: cybersecurity, data breach, data security, deterrence theory, Keith Alexander, mark consulting group, NSA, PCI DSS, risk, security
Parroting what many in the payments industry have known for years, the NSA has issued a stark warning about the dire state of cybersecurity. According to the head of the National Security Agency, cyberattacks increased 44% in 2011 and now account for the largest “transfer of wealth in history”. According to FoxNews:
“NSA chief Keith Alexander was speaking Monday at an American Enterprise Institute event in Washington, D.C. He said that for every company that knows it has been hacked, another 100 do not know their systems have been breached. (emphasis added) The warning came on the same day that thousands of computer users were at risk of losing Internet access, due to malware that spread more than a year ago. Citing public and unclassified statistics, Alexander said Monday there are now 75 million unique pieces of malware on the loose.”
Those of us who have been in the industry for years have said that we are ‘losing the war’. I have personally been chastised for making such doom and gloom statements. The facts are the facts, however. Hiding our heads in the sand will not change the fact that “The criminals are absolutely ripping us to shreds,” and that “We’re losing the battle…That’s the reality of it.” (Chris Mark quoted in the Salt Lake Tribune). In yet another push at self promotion, you can read one reason we are losing the battle in the IDGA research brief: “A Failed State of Security”.
“Are You Eating a Rotten Apple?” – Personal Data May have Been Exposed in Global Payments Breach July 9, 2012
Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management. Tags: compliance, cybersecurity, data breach, Global Payments, mark consulting group, PCI DSS, PII, risk management, security
Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS. Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.
According to reports, it seems that the Global Payments data breach may have exposed more than payment card data. In a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.
“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”
Based upon this statement it seems fair to assume that Personally Identifiable Information (PII) such as Social Security numbers and bank account information, collected as part of merchant applications, may have been exposed as well.
This situation exposes the danger of using a narrowly focused, static standard as the baseline for security management rather than adopting a risk based approach to data security. I have personally conducted over 100 PCI DSS audits and have seen first hand the resources consumed by the standard. Companies often appear so laser focused on protecting payment card data that other systems and data take a back seat in the pursuit of “PCI DSS compliance.” Given the significant penalties associated with non-compliance, it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard, so companies are going to give precedence to the PCI DSS over any other standard that does not carry equivalent penalties for non-compliance.
As a reminder, the PCI DSS is focused ONLY on the protection of cardholder data. Surely some will say that the PCI DSS controls should be applied across all systems. That is great in theory but does not happen in practice: companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.
I am sure we will continue to see breaches at payment card companies in which PII is exposed, as companies focus on the PCI DSS to the exclusion of risk based security management.
COMTEC 2012 – Chris Mark Training on PCI & Payment Card Security July 6, 2012
Posted by Chris Mark in Industry News, Uncategorized. Tags: Chris Mark, COMTECH, mark consulting group, PCI, PCI DSS, security, TouchNet
2012 is the year for COMTEC once again, and the fine folks at TouchNet have invited me to conduct a training session on Payment Card Security & PCI DSS at their October COMTEC event. COMTEC is a great event for TouchNet’s clients; the name comes from Commerce and Technology. The session will be titled:
PCI Training: Full Cycle Compliance – Crisis – Recovery
“During this unique pre-conference workshop, you’ll investigate the full spectrum of PCI compliance and readiness. Attendees will better understand everything PCI, from the basics of PCI compliance to planning for the real-world impact of a breach and what to do in its aftermath.”
It is always positive to see that in 2012 there are still organizations taking a leadership role in educating their own customers on the importance of information security.