EMV: Payment Security Endzone? September 29, 2012
Posted by Heather Mark in Industry News, PCI DSS. Tags: 2010 Outback Bowl, Chip & PIN, College Gameday, Dr. Heather Mark, EMV, mark consulting group, PCI DSS, Western States Acquiring Association
As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen. As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines. Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post. Mission accomplished.
On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach. It was well-attended and had a number of interesting sessions. Not surprisingly, much of the talk centered around EMV, or Chip & PIN. Some wondered whether EMV meant the end of PCI DSS. Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies. (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here. Simply adding additional layers of authentication doesn’t change the type of data that is collected. In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.
Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought. Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology. Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data. That’s not to say that EMV is useless, but it’s not exactly the impenetrable defense that some have made it out to be. Even the best defensive line sometimes gives up the big play.
So – to the question in the title – does EMV represent the winning score? My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern. After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line. It was a long, brutal game and you really couldn’t tell who was going to win. You just gotta keep putting your best players on the field and keep those trick plays coming.
What do you think of EMV? Touchdown, fumble, or forward progress?
Because I Said So September 23, 2012
Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Legislation, Politics. Tags: cybercrime, cybersecurity, data security, Dr. Heather Mark, Heather Mark, InfoSec
Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity. Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order. In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages. So what might we see in this forthcoming order?
According to reports, the order will attempt to regulate sixteen “critical” industries. The guidelines will be voluntary, after a fashion. Compliance with the standards may determine eligibility for federal contracts. The White House has not made any secret about its intentions on Cybersecurity. In fact, the White House website lists “Ten Near Term Actions to Support Our Cybersecurity Strategy.” Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.
The questions remain, however: 1) how stringent (read intrusive) will the requirements be? 2) Will they be relevant to the threats in the landscape? 3) How will compliance be policed? and 4) How much additional cost are we potentially adding to our already stretched budgets?
Another question that merits examination is whether or not the standards will be redundant. Many industries are already straining under the weight of a variety of infosec requirements, whether industry-regulated or government-mandated. Will another layer of regulation mean increased efficacy of data protection strategies and mandates, or will it be just another layer of red tape?
“August 2012 TransactionWorld Magazine” – Chris & Heather Mark’s Articles August 13, 2012
Posted by Chris Mark in cybersecurity, Data Breach, Industry News. Tags: compliance, cybersecurity, data breach, data security, mark consulting group, mastercard, PCI DSS, security, visa
Chris and Heather Mark both have articles in the August 2012 issue of TransactionWorld Magazine. Chris’ is titled “The Impact of the Fortress Mentality & Today’s Compliance Strategies,” while Heather’s is titled “After the Compromise: Security Incident Response and Mitigating the Damage.”
One note. I apparently forgot to update my bio with the Editor in Chief so the article erroneously references me as the Executive Vice President of Data Security and Compliance for a payment processor. You can visit Mark Consulting Group at the following: www.MarkConsultingGroup.com
“Money Laundering May Support Drugs and Terror Funding?” – US Senate says of HSBC July 17, 2012
Posted by Chris Mark in Industry News, Risk & Risk Management, terrorism. Tags: AML, HSBC, mark consulting group, PATRIOT, risk, security, senate, terrorism
According to a US Senate report issued today, as covered by major news outlets including MSNBC, Europe’s largest bank, HSBC, stands accused: “A ‘pervasively polluted’ culture at HSBC allowed the bank to act as financier to clients moving shadowy funds from the world’s most dangerous and secretive corners, including Mexico, Iran, Saudi Arabia and Syria, according to a scathing U.S. Senate report issued on Monday.” The report, titled US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History, “…examines the anti-money laundering (AML) and terrorist financing vulnerabilities created when a global bank uses its U.S. affiliate to provide U.S. dollars, U.S dollar services, and access to the U.S. financial system to high risk affiliates, high risk correspondent banks, and high risk clients.” The US enacted stronger anti-money laundering laws as part of the PATRIOT Act passed in the wake of 9/11. These AML laws were designed to cut off the flow of money to terrorists. In the case of HSBC it appears many of the rules were ignored, potentially allowing drug cartels and terrorists to move and launder money.
In a statement emailed to NBCNews.com, the bank said:
We will apologize, acknowledge these mistakes, answer for our actions and give our absolute commitment to fixing what went wrong. We believe that this case history will provide important lessons for the whole industry in seeking to prevent illicit actors entering the global financial system.
Oil Giants Hacked by Anonymous in “Save the Arctic Phase2” July 16, 2012
Posted by Chris Mark in Data Breach, Industry News. Tags: anonymous, bp, cybercrime, cybersecurity, data breach, exxon, InfoSec & Privacy, mark consulting group, savethearctic, security
According to CyberWarNews.com, Anonymous set its sights on oil giants Shell, BP, Gazprom, and Rosneft in what has been dubbed “Save the Arctic Phase 2”. This comes on the heels of phase one, in which account details including administrator accounts, passwords, and other server info were stolen from Exxon and released.
According to the messages posted on pastebin, the accounts were used to sign the petition on savethearctic.org and, more disturbingly, for phishing attacks. Hacktivism is a growing concern for all companies. Whether it be to combat the perceived unfair distribution of wealth under capitalism, support for the US defense industry, or environmental issues, hacktivists are increasingly active against corporations.