Wall Street Journal Reporting- Global Payments is Breached March 30, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy.Tags: credit card theft, cybersecurity, data breach, data compromise, Global Payments, InfoSec, mark consulting group, mastercard, PCI DSS, visa
1 comment so far
Updating my last story, the Wall Street Journal is now reporting that the “massive” data breach referenced earlier was Global Payments, Inc. USA Today is also reporting on the issue. According to sources, Dominican street gangs may be involved. Gartner’s Avivah Litan stated: “are seeing signs of this breach mushrooming. From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud.”
Visa Issued a statement: “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet. Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards. … Every business that handles payment card information is expected to protect the security and privacy of their customers’ financial information by adhering to the highest data protection standards. “
MasterCard is: “concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information. If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.”
BitDefender: “Anonymous is ‘good’ for security” – REALLY?! March 28, 2012
Posted by Chris Mark in InfoSec & Privacy, Laws and Leglslation, Risk & Risk Management.Tags: bitdefender, Chris Mark, cybersecurity, mark consulting group, PCI DSS, security, slutwalk
add a comment
A March 14th, 2012 article on ZDNetAsia sums up one of the major problems with security. Specifically, it is the victims that are consistently blamed for the crime and the belief (very arrogant, I might add) that companies simply don’t care about security and this is why they are victimized. According to the article:
“Alexandu Catalin Cosoi, chief security researcher at BitDefender, for one, said that hacktivist group Anonymous has been “good” for security. This is because even though it had disclosed people’s personal information publicly online, the security breaches it organized had a positive impact, he added. Now, more companies are willing to secure their networks and private data, which is good news, he stated.” (more…)
“We Can’t Live in Castles” – FBI Official Concedes; CyberSecurity Policy is a Failure March 28, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Laws and Leglslation.Tags: Chris Mark, cybersecurity, deterrence theory, fbi, InfoSec, risk management, US CyberSecurity Policy
add a comment
In my Google alerts today was an article from Foxnews titled: “Retiring FBI Official Says Current US CyberSecurity Strategy ‘Unsustainable'” Shawn Henry, the FBI’s Assistant Director for CyberSecurity refers to the increasing cyber attacks on government and corporate targets and says: “We are not winning”. All I can say at this point is…WOW..again we are beating a dead horse! In 2010, I said the same thing at an InfraGard event in Salt Lake City, and RSA has said the same thing. We sound like broken records at this point. This post will likely be a bit more pointed and blunt than most but my frustration is mounting on the subject. For a shameless plug on my own research brief, please read: “A Failed State of Security” now published by IDGA.
CyberAttacks against corporates, committed by individuals are crimes. Crimes are human acts undertaking by living, breathing, thinking human beings. CyberSecurity, at its core, is about more than building castles to keep the princess protected. It is also about changing human behavior to deter the criminal behavior.
“deterrence is ultimately about decisively influencing decision making. Achieving such decisive influence requires altering or reinforcing decision makers’ perceptions of key factors they must weigh in deciding whether to act counter to (our interests) or to exercise restraint.”[1] (more…)
Now Data Thieves Steal…Credit Reports? March 27, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.Tags: Chris Mark, credit report, cybercrime, cybersecurity, identity theft, InfoSec, MSNBC, PCI DSS, privacy
2 comments
A great story on MSNBC outlines yet another method being used by data thieves to monetize private information. According to the story, data thieves are stealing credit reports and then reselling to identity thieves. The process works like this. A data thief steals credit reports from the credit reporting agencies. Depending upon the score (higher the better) the data thief then resells the report to an identity thief who uses the report to get credit in the user’s name. Because the credit report has so much information, it makes the process of assuming someone else identity very easy. Remember, full credit reports have social security number, banks, loans, mortgages and other information. Much of authentication being used today relies upon the additional personal questions such as: “which is a bank at which you have had an account?” Most of the sites hosting the stolen reports have an .su domain which was used for the Soviet Union. According to the report, the hackers brag about how easy it is to hack into certain sites such as: AnnualCreditReport.com or CreditReport.com. Depending upon the score on the report, each report can command as much as $80 (for higher scores) or have that amount for lower scores.
This adds yet another wrinkle for people to fear.
Risk 102: “Security Ain’t Safefy”; Putting Risk In Context March 26, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management, terrorism.Tags: airline safety, Chris Mark, cybersecurity, mark consulting group, risk, risk management, safety, security
add a comment
In reading through the volumes of blogs, and Linkedin comments on security and risk management a common theme appeared. When talking about risk management at it applies to security there appears to be a temptation to use the same models and methodologies as those used in safety risk management. Make no mistake, safety risk management is critical and both aspects may overlap from time to time. Whether analyzing auto accident risks, designing industrial equipment or other aspect, it is important to understand and analyze the risk of the activity. The difference lies in the catalyst for the events in question. (more…)
Global Security, Privacy, & Risk Management 