
PCI DSS and Piracy January 12, 2012

Posted by Heather Mark in PCI DSS, Piracy & Maritime Security.

I’ve been reading quite a bit on piracy lately. Not the adventurous, swashbuckling tales of pirates flying down the Spanish Main, but piracy in its present form. From a purely detached perspective, it’s an interesting exercise in cause and effect. Natural disasters, for example, have an impact on the surge in piratical acts. The Christmas Tsunami left many Somali fishing villages devastated and took the last legal means of sustenance from many families that depended on fishing for their survival. As a result, they turned to piracy. Of course, that is not to say that Somali pirates are the Jean Valjeans of their day, the thief with the heart of gold doing only what is necessary to survive. These pirates are violent and aggressive and should not be coddled. The interesting comparison to the PCI DSS, in my mind, derives from the impact of the crime on the industry and the global reaction to the phenomenon.

Impact of the Crime

Piracy is a crime that has an impact on all consumers. Higher insurance rates, security contingents, longer routes and therefore higher fuel costs, and similar circumstances that result from piracy mean higher prices for consumers.  Any costs that cannot (or will not) be absorbed by the manufacturer or the shipping company are passed on to the consumer. Similarly, data thieves have very definitely left their mark on the consumer. Those of us involved in the electronic payment industry recognize better than most the increased cost structure that has resulted from trying to achieve and maintain compliance with the PCI DSS and the countless data security, data breach notification and consumer privacy laws at play in the United States. Ongoing compliance and security monitoring, evaluating the threat landscape and the cost of validating compliance can quickly add up for companies.  Organizations that are already seeing their margins get squeezed are required to spend additional resources on security and compliance to ensure the safety of consumers’ data. Those costs can sometimes be passed along to the consumer.

Global Reaction

Data security and piracy were both issues that “flew under the radar” until high-profile instances brought them to public awareness. In the world of transoceanic shipping, the incidents that brought awareness were a couple of kidnappings for ransom and the hijacking of the Maersk Alabama. It’s important to note, however, that even before these incidents, the shipping industry and governments worldwide were working on standards and regulations that would mitigate the problem. The reaction from the industry should sound very familiar to veterans of the PCI DSS compliance world: “The standards are too prescriptive.” “The standards were written by people that don’t really understand the issues.” “How are you going to ensure that everyone is complying with these standards?” “The cost of complying with the standards is too burdensome for small companies.” These concerns should resonate with payment security professionals. The same questions and concerns are often raised about the PCI DSS.

For the payment industry, the events that really brought public awareness were a couple of high-profile data breaches at well-known retailers. The question really is, though, “What is the alternative?” If neither industry had done anything to address these growing issues, the constituents in the industry would have raised the alarm about the apparent lack of concern from the powers that be. The catch-22 of the creation and enforcement of the standards is that even though these standards achieve their objective of raising industry awareness and attempting to mitigate the risk of adverse events, the companies that suffer piracy attacks or data breaches are still often cast as the villain (as opposed to the victim) in the scenario.

What’s the Answer?

That is the crux of the matter – are the issues of data security and high seas piracy “solvable?” There are a variety of issues that drive the increase in both crimes.  Economic stability, the ability of governments to project their authority into these areas, jurisdictional cooperation and other factors drive the growth of both types of crimes.

While I cannot confidently address permanent solutions to either problem, I can suggest a shift in perspective. In the realm of data security and payment security, practitioners often attempt to solve the problem by layering more and more technology in front of the sensitive data. Tokenization is one example of how a shift in perspective can provide alternative solutions. Extracting the value from the data makes it significantly less attractive to thieves: a merchant database full of tokens is worthless without the vault that maps them back to card numbers. So instead of asking, “How can we keep thieves from accessing the data?” one might ask “What can be done in the transaction processing chain to render the data unusable to thieves?” We are currently retro-fitting security onto a system that has been in place for fifty years. If we were to remove any preconceived notions of what a payment infrastructure should look like, what would we design?
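As an added illustration of that shift in perspective (example code written for this post, not part of the original; the vault class, its index key, the order record and the demo card number are assumptions for illustration), the following Python sketch tokenizes a PAN inside a vault and shows what the merchant’s order record holds afterward: a random token that preserves only the last four digits and deliberately fails the Luhn check, so a stolen order database contains nothing a thief can use without also compromising the vault.

```python
import hashlib
import hmac
import secrets


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative tokenization vault (an assumption for this example, not a real product).

    Only the vault ever sees a PAN. It lives inside the PCI-scoped environment;
    the merchant systems that call tokenize() store and pass around tokens only.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keyed lookup index, so the index itself is not a list of PANs
        self._token_by_fp = {}        # HMAC(PAN) -> token
        self._pan_by_token = {}       # token -> PAN (a real vault encrypts this column under an HSM-held key)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:           # same card -> same token, so recurring billing still works
            return self._token_by_fp[fp]
        while True:
            # Random digits plus the real last four for receipts and customer service.
            # The token must FAIL Luhn so it can never be mistaken for (or used as) a live PAN.
            # Preserving the first six digits (the BIN) as well would leave only six unknown
            # digits, which is why this example keeps only the last four.
            token = f"{secrets.randbelow(10 ** (len(pan) - 4)):0{len(pan) - 4}d}" + pan[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._token_by_fp[fp] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the authorization/settlement path inside the vault boundary may call this."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, order_id: str, pan: str) -> dict:
    """Merchant-side flow: the PAN is handed to the vault once and never written to the order record."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token, "display": "**** " + token[-4:]}


if __name__ == "__main__":
    vault = TokenVault(index_key=b"constructed-demo-key")          # constructed; a real key comes from an HSM/KMS
    order = merchant_checkout(vault, "ORD-1", "4111111111111111")   # well-known Visa test PAN, constructed input
    print(order)                                  # token only; the PAN appears nowhere in the record
    print(vault.detokenize(order["card_token"]))  # recoverable only with access to the vault
```

The design choice worth noticing is where the trust boundary sits: everything outside `TokenVault` can be breached without exposing a card number, which is what takes those systems out of the thief’s target list (and, in practice, narrows PCI DSS scope).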

UK House of Commons Report: “Piracy off the coast of Somalia” January 7, 2012

Posted by Chris Mark in Laws and Leglslation, Piracy & Maritime Security.

The UK’s House of Commons Foreign Affairs Committee (FAC) published a report this week titled “Piracy off the coast of Somalia”.  You can read the report here. The 72-page report set out the findings of the FAC enquiry into the efforts of the Foreign and Commonwealth Office (FCO) and the UK Government to combat the increasing levels of piracy off Somalia.

Tackling the use of PASGs, the report concluded that “the evidence in support of the use of armed guards is compelling” (emphasis added) but that the “Government must provide clearer direction on what is permissible and what is not”.

The report also said that the risk to pirates of encountering serious consequences is still too low to outweigh the lucrative rewards, and simply returning suspected pirates to their boats or their land provides little long-term deterrence.

US Navy Rescues 13 Iranians from Somali Pirates January 6, 2012

Posted by Chris Mark in Industry News, Piracy & Maritime Security.

In a move that illustrates the brotherhood of the sea and the disdain for piracy wherever it may be, the US rescued 13 Iranian sailors who had been kidnapped by Somali pirates. According to MSNBC, a helicopter from the USS John C. Stennis, responding to a distress call from a merchant ship under attack, chased the pirates to their “mother ship”. The mother ship was an Iranian-flagged dhow that had been hijacked earlier. A counter-piracy team from the USS Kidd then boarded the mother ship, where they found 15 armed pirates and the 13 Iranian crewmen. The pirates were taken into custody and the Iranians were released in their dhow. Interestingly, the USS John C. Stennis is the same carrier that Iran had threatened to never allow back into the Persian Gulf. It is a good day that the Iranian sailors are headed back to their families.

Italian Tanker Hijacked off Oman December 28, 2011

Posted by Chris Mark in Industry News, Piracy & Maritime Security.

An Italian tanker carrying caustic soda was hijacked early Tuesday near Oman.  The ship was carrying 18 people including 6 Italians, 5 Ukrainians, and 7 Indians.   The ship, which wasn’t named, is owned by Manarvi.

Security 101: Authentication December 27, 2011

Posted by Chris Mark in InfoSec & Privacy.

Recently I found myself in a discussion with a person about a particular feature of payment cards. When I started discussing the concept of authentication, the look on the other person’s face told me that I was discussing a completely foreign subject.

While this is not a dissertation on security, authentication is a vital component of information security and of fraud prevention, both within the payment card industry and in security in general. For this reason, it is important to have an understanding of the concept and how it applies to our daily lives.

Authentication is described on Wikipedia as “the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true”.

There are three generally accepted factors of authentication: 1) something you know (like a password), 2) something you are (biometrics like fingerprints or iris scans), and 3) something you have (like a token). Each of these factors alone has some value and may be sufficient to demonstrate, with an appropriate degree of confidence, that you are the person authorized to access the resource. The degree of assurance necessary, and thus the rigor of the required authentication, is predicated upon the sensitivity of the object to which you require access. More sensitive resources require greater assurance and therefore more rigorous authentication.

Access control is defined here as the combination of authorization and authentication. Authorization is simply the approval to access a particular resource. Consider a work environment where you are required to use a badge reader to enter the building. As an employee you are authorized to enter the building. To ensure that it is truly you (the authorized party) entering the building, you need to provide some evidence that you are who you say you are. In many cases the authentication mechanism is a proximity card that is waved at the reader, and the door opens. The proximity card is a token and would be considered a single factor of authentication: “something you have.”

When you get to your desk you need to access your work computer.  As an employee, you are authorized to access your email, and certain applications.  To log into the system you enter a user name (the system knows the person who owns this username is authorized to access certain resources) and then you enter your password.  This password (something you know) is a single factor of authentication that tells the system with some degree of confidence that you are the person that matches the username.

In both of these examples the astute reader has likely identified the vulnerability of single-factor authentication. In the first example a thief may have stolen the badge and may be masquerading as the legitimate user. In the second example a person may have shared their password with another, or the password may have been stolen, in which case an unauthorized person could also masquerade as a legitimate, authorized user. When it is necessary to have an increased level of assurance that the authorized person is indeed the one accessing the resource, two factors of authentication can be used. For a solution to truly be considered two-factor authentication it requires two of the three types of factors to be used together; a password plus a security question is still only “something you know” and therefore a single factor. In high-security areas it is common to see two-factor authentication used.

Consider an example where you bank online. Due to the sensitive nature of your account (and FFIEC guidance on authentication in internet banking), the bank wants assurance that only the authorized account holder is accessing the account. Since the bank website is accessed over the internet, the bank is limited in its ability to confirm the identity of the user. A password alone is not sufficient, as a password can be stolen or shared. In this scenario a bank would use a second factor of authentication. While it does not guarantee that the person using the authentication mechanism is the authorized user, it provides a much greater level of assurance than a password alone.
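As an added example (not from the original post), the following Python code ties the two factors discussed above together in a login check: a password verified against a salted PBKDF2 hash (something you know) and a one-time code from a device or app the user holds, computed with TOTP per RFC 6238 from a secret shared with the server (something you have). The user record, the enrollment helper and the demo secret are constructed for illustration; the secret is the RFC 6238 test-vector seed so the generated codes can be checked against the published values. The point to observe is that a correct password with no code, or a stolen password with a guessed code, is rejected.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 200_000   # kept modest for the demo; follow current guidance for production


# --- Factor 1: something you know. Store only a salted, slow hash, never the password. ---

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # compare_digest does not leak where the comparison stopped through timing
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


# --- Factor 2: something you have. A TOTP device (RFC 6238) sharing a secret with the server. ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = unix_time // step                                # time steps since the epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


# --- Putting the factors together ---

def enroll(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed user record; a real system keeps the TOTP secret encrypted at rest."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. Evaluate both so a failure does not reveal which one was wrong."""
    pw_ok = verify_password(password, user["salt"], user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    import time
    secret = b"12345678901234567890"       # RFC 6238 test-vector seed, constructed for the demo
    alice = enroll("alice", "correct horse battery staple", secret)
    now = int(time.time())
    print("password only  :", login(alice, "correct horse battery staple", "", now))                 # False
    print("both factors   :", login(alice, "correct horse battery staple", totp(secret, now), now))  # True
    print("stolen password:", login(alice, "correct horse battery staple", "123456", now))           # False unless the guess hits 1 in 10^6
```

Two details carry over to real deployments: the one-time code is only a second factor if its secret lives somewhere other than where the password does (a phone, a hardware token), and the server should also remember the last accepted counter so the same code cannot be replayed within its window.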

Payment cards possess a number of authentication mechanisms. The objective is to authenticate the card, the cardholder or the transaction and so reduce the incidence of fraud. In card-not-present transactions such as e-commerce purchases the CVV2 number is often used to authenticate the card. Since the number is only printed on the card (it is not encoded on the magnetic stripe) and it is against card brand rules (PCI DSS prohibits storing sensitive authentication data such as CVV2 after authorization) to retain it, the assumption is that if someone can input the CVV2 they are in possession of a valid card. Unfortunately, it is this fact that makes CVV2 such a valuable target for data thieves, and the assumption is only as good as every merchant’s compliance: a breached merchant that was storing CVV2 hands thieves exactly what card-not-present authentication relies on. More robust authentication mechanisms include 3-D Secure (Verified by Visa, MasterCard SecureCode), EMV (Europay, MasterCard, Visa) and the PIN used in debit transactions. While each of these technologies increases the level of assurance that the authorized user is making a legitimate transaction, none of them guarantees it.

Authentication is a critical component of any information security or fraud prevention system. Understanding the basics of authentication can help users better manage the security of their payment cards.