Holiday Shopping Safety! Debit or Credit? PIN or Pen? Check or Cash? November 18, 2020
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Chris Mark, credit or debit, durban amendment, mark consulting group, PCI DSS, PIN
With the holidays around the corner, it is a hot time for criminals to steal from us all! Cybercriminals are specifically after your money and cards. There is ongoing confusion about whether cards are safer than checks, and whether checks are safer than cash. While we all have our own opinions, I think the argument is pretty clear that payment cards are the most secure option for consumers. Read below!
For some background, I am a payment card security professional. I have worked at MasterCard and with Visa, as well as the other card brands. I now work at a major telco overseeing the payment security program. 2020 marks the 15th consecutive year someone has stolen my card at least once (17 times in 15 years) BUT…I wasn’t worried…read below to find out why!
Chris Mark published in Computing Security Magazine May 21, 2020
Posted by Chris Mark in Uncategorized. Tags: computer security, coronavirus, covid19, cybersecurity, data breach, Exploits, PCI DSS, threats, vulnerabilities
Computing Security magazine recently published an article I wrote on COVID19 and Threats, Vulnerabilities and Exploits.
“The suitability of security strategies is relative to the controls implemented to address risks; therefore, security should be viewed as a function of time and resources. Naturally, there can be no guarantee of security when threats are constantly adapting. Adaptive Threats are caused by something that can change its behaviour in reaction to prevention. As defences improve, threat actors adapt and so this cycle continues.
Adaptive Threats react to take advantage of vulnerabilities, which are characteristics of design, location, security posture, or operation, and they render an asset, system, network, or entity susceptible to disruption, existing even if yet unidentified. An exploit is something that takes advantage of a bug or vulnerability and can be used to gain advantage of a susceptibility in a control. However, not all vulnerabilities are of equal risk or severity.
Furthermore, exploits and vulnerabilities are not mutually independent, and one can only exist without knowledge of the other…” READ MORE!
Equifax’s History of Hacks and Music Majors September 19, 2017
Posted by Chris Mark in Data Breach, Uncategorized. Tags: credit freeze, data breach, Equifax, hack, krebs, PCI DSS, susan maulden, W-2
Let me get this out there first. People are making a lot of noise about Equifax’s (now former) CISO (Susan Maulden) being a Music Major in college. So what? Information Security has really only been a ‘profession’ since about 1998 or so. I know MANY CSOs and CISOs that do not have technical degrees. While I am currently working on a Doctorate in CyberSecurity, my undergrad was political science and I have an MBA. I think I am a fairly capable security professional. I think Equifax threw Ms. Maulden under the bus by trying to scrub her information from the Internet. Given her prior employment (First Data, SunTrust, etc.) I cannot imagine she would have been given such a role without the requisite experience or knowledge. Until we know more…harping on her college major is simply fishing and projecting blame in the wrong area. What we do know is that Equifax has a history of being breached and has apparently done little to stem the flow of information being stolen.
Next…in keeping with Equifax’s proclivity for telling half-truths while selling their own stock, it looks like there was a breach the March prior to the one in July (announced in September 2017). That particular hack included employee tax records. No doubt those execs who dumped their stock were also unaware of that breach (cough, cough).
Interestingly, Equifax provided a cryptic statement that reads: “The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event.” Using my powers of reading comprehension, it appears that they are saying that the July 29th “hacking” did not affect the SAME “customer databases” (plural) that were hacked in March. So are we to assume that in both cases customer data was compromised? According to Brian Krebs, well known security expert and researcher, the answer appears to be ‘yes’.
Adding to the fun, according to Forbes: “In one case, it had to change its ways following a class action lawsuit over an alleged lapse in security. That suit related to a May 2016 incident in which Equifax’s W-2 Express website had suffered an attack that resulted in the leak of 430,000 names, addresses, social security numbers and other personal information of retail firm Kroger. Lawyers for the class action plaintiffs argued Equifax had ‘wilfully ignored known weaknesses in its data security, including prior hacks into its information systems.’”
I am sure we will continue to learn more about this breach and others. Stay tuned!
“You Are the Weakest Link! Or Are You”- Guest Post by Dr. Heather Mark June 7, 2017
Posted by Chris Mark in Uncategorized. Tags: Breach, compliance, Data, Ethics, Heather, Mark, PCI DSS, security, technology
The incomparable Dr. Heather Mark (my wife…and compliance expert) has a new blog post…
“If you’ve been in security or compliance long enough (and by that I mean approximately a week), you’ve heard the old adage that our largest vulnerability is our people. Firewalls don’t just randomly open ports. Email clients don’t just decide to send proprietary and sensitive information to third parties. These are actions, sometimes deliberate and sometimes accidental, taken by the human assets within our companies, not the technological ones. Technology is not imbued with the ability to autonomously break laws or divulge sensitive information. Technology largely does what it’s programmed to do. People – these are the elements that cannot really be controlled or predicted. Of course, we can implement technology to mitigate the risk presented by human nature. But at the end of the day, a determined individual can still wreak a lot of havoc. This argument is often made just to make the point that we can’t be complacent. And to a very large extent, it’s correct. But I would posit that people can also be one of our biggest assets with respect to maintaining compliance and ethics programs.
I watch a lot of what my husband refers to as “murder shows” – Forensic Files, 20/20, and the like. My favorite, though, is Dateline when the story is presented by Keith Morrison. He has a way of telling a story. Don’t believe me? I give you proof.” …Click here for more from Dr. Heather Mark’s Blog!
SwimOutlet.com Breached in 2016 – 51 days later..and after the holidays…we were notified. January 19, 2017
Posted by Chris Mark in Data Breach, Uncategorized. Tags: Breach, compromise, credit card, CVV2, debit card, dta, fraud, hack, payment card, PCI DSS, swimoutlet.com, yogaoutlet.com
This is a post to notify those who may be affected. Yesterday I received the following letter in the mail. It was sent in a nondescript envelope and nearly discarded as ‘junk mail’. Upon opening the letter I was shocked to read that my wife’s credit card data appears to have been compromised at SwimOutlet.com. It should be noted that the same infrastructure is used by YogaOutlet.com. In reading the letter provided to the State of Oregon’s Attorney General, it appears that over 6,200 Oregon residents likely had their data stolen.
Within the letter there is a curious statement that says: “The information at risk as a result of this event includes the cardholder name, address, phone number, email address, card number, expiration date, and CVV.” For those in the credit card industry the inclusion of CVV is very troubling. Under the card brand operating regulations and the PCI DSS standard, a merchant is prohibited from retaining the CVV after authorization of the charge. This particular type of data (actually the CVV2 or equivalent data) is what is needed to authenticate a card-not-present transaction. In short, the likelihood of fraud increases dramatically when a criminal captures CVV2-type data. It is certainly curious that this ‘prohibited data’ is listed as an element that may have been stolen.
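To make that retention rule concrete, here is an added example (not from the original post, SwimOutlet.com, or the PCI Council) that scans a merchant's stored, post-authorization order record for sensitive authentication data and strips it before the record is persisted. The field names and the sample records are constructed assumptions about a merchant's schema.

```python
import re

# PCI DSS forbids storing Sensitive Authentication Data (SAD) after authorization:
# the card verification value (CVV2/CVC2/CID), full magnetic-stripe track data,
# and PINs or PIN blocks. These column names are assumptions, not a real schema.
SAD_FIELD_NAMES = {"cvv", "cvv2", "cvc2", "cid", "security_code",
                   "track1", "track2", "pin", "pin_block"}

# Heuristics for SAD that was tucked into an innocuously named free-text field.
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4}")   # <PAN>=<YYMM>... track-2 layout
TRACK1_RE = re.compile(r"^%?B\d{13,19}\^")      # %B<PAN>^<NAME>^ track-1 layout


def sad_violations(record: dict) -> list:
    """Return the keys of a stored record that still hold SAD (empty if compliant)."""
    hits = []
    for key, value in record.items():
        name = key.lower().replace("-", "_")
        # A SAD column that exists but has been nulled is acceptable.
        if name in SAD_FIELD_NAMES and value not in (None, ""):
            hits.append(key)
            continue
        if isinstance(value, str) and (TRACK1_RE.match(value) or TRACK2_RE.match(value)):
            hits.append(key)
    return sorted(hits)


def redact_after_authorization(record: dict) -> dict:
    """What a merchant may persist: the order record minus every SAD field."""
    banned = set(sad_violations(record))
    return {k: v for k, v in record.items() if k not in banned}


# Constructed sample: the set of fields the breach letter lists as "at risk".
STORED_ORDER = {
    "cardholder_name": "J. Doe", "address": "1 Example St", "phone": "555-0100",
    "email": "jdoe@example.invalid", "card_number": "4111111111111111",
    "expiration": "12/25", "cvv": "123",
}

if __name__ == "__main__":
    print("violations:", sad_violations(STORED_ORDER))        # ['cvv']
    print("persist:", redact_after_authorization(STORED_ORDER))
```

A record that trips `sad_violations` after authorization is exactly the condition the letter describes: breach of such storage exposes data that should never have been there to steal.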
In reviewing the SwimOutlet.com website I notice a conspicuous absence of any form of notification. Their blog is filled with helpful tips on swimming better and eating better, but there is no mention of the fact that their users’ credit and/or debit card data was stolen. A review of their Facebook page shows the same conspicuous absence of any notification or information. Their Twitter feed is also devoid of any information.
If one looks at the timeline of events, there are some disturbing (to me, at least) items. On October 31st, 2016 SwimOutlet.com “…began investigating unusual activity reported by (our) credit card processor.” On November 28th, 2016 SwimOutlet.com received ‘confirmation’ that their systems were ‘hacked’, yet the notice states that data may have been compromised as late as November 22nd, 2016. I have been involved in numerous data breach investigations and incidents. ‘Unusual activity’ notifications by credit card processors are ‘notifications of fraud’: the processor has traced fraudulent transactions back to cards that share this merchant as a common point of purchase. This is a major red flag that the merchant HAS been breached. The notice then provides a qualified statement in saying that the breach: “…may have compromised some customers’ debit and credit card data…” Again, if the merchant was notified by the credit card processor, then the data did not merely ‘may have been’ compromised; it almost certainly was compromised.
What is most disturbing to me is that SwimOutlet.com had confirmation on November 28th, 2016 that they were breached. They had notice as early as October 31st, 2016 of ‘unusual activity’, yet chose to wait until AFTER the holiday season to notify affected consumers. Criminals are not stupid. They steal credit card data before the holidays to be used over the holidays, when the fraud systems are often ‘detuned’ by retailers and the volume of transactions creates noise in which fraud is harder to identify. By waiting until January 12th (we received the letter on January 17th, 2017) they created a situation in which we were blissfully unaware that our data had been breached. If we had been notified before the holiday season, we could have cancelled the card immediately and been spared the inconvenience and possible cost associated with this situation.
In the notice SwimOutlet.com does: “…encourage (me) to remain vigilant against incidents of identity theft and fraud.” This would have been sage advice BEFORE the holiday season. It raises the question of why a major online retailer would wait until after CyberMonday and after the holiday season to notify of a breach.
Finally, SwimOutlet.com reassures the recipient that “We take the security of our customers’ information extremely seriously…” and that: “…you can safely use your payment card at http://www.swimoutlet.com”. In light of the method and delay of notification I am going to personally take my business elsewhere.