
“You Are the Weakest Link! Or Are You?” – Guest Post by Dr. Heather Mark  June 7, 2017

Posted by Chris Mark in Uncategorized.

The incomparable Dr. Heather Mark (my wife…and compliance expert) has a new blog post…

“If you’ve been in security or compliance long enough (and by that I mean approximately a week), you’ve heard the old adage that our largest vulnerability is our people.  Firewalls don’t just randomly open ports.  Email clients don’t just decide to send proprietary and sensitive information to third parties.  These are actions, sometimes deliberate and sometimes accidental, taken by the human assets within our companies, not the technological ones.  Technology is not imbued with the ability to autonomously break laws or divulge sensitive information.  Technology largely does what it’s programmed to do.  People – these are the elements that cannot really be controlled or predicted.  Of course, we can implement technology to mitigate the risk presented by human nature.  But at the end of the day, a determined individual can still wreak a lot of havoc.  This argument is often made just to make the point that we can’t be complacent.  And to a very large extent, it’s correct.  But I would posit that people can also be one of our biggest assets with respect to maintaining compliance and ethics programs.

I watch a lot of what my husband refers to as “murder shows” – Forensic Files, 20/20, and the like.  My favorite, though, is Dateline when the story is presented by Keith Morrison.  He has a way of telling a story.  Don’t believe me?  I give you proof.”…Click here for more from Dr. Heather Mark’s Blog!

SwimOutlet.com Breached in 2016 – 51 days later…and after the holidays…we were notified.  January 19, 2017

Posted by Chris Mark in Data Breach, Uncategorized.

This is a post to notify those who may be affected.  Yesterday I received the following letter in the mail.  It was sent in a nondescript envelope and nearly discarded as ‘junk mail’.  Upon opening the letter I was shocked to read that my wife’s credit card data appears to have been compromised at SwimOutlet.com.  It should be noted that the same infrastructure is used by YogaOutlet.com.  In reading the letter provided to the State of Oregon’s Attorney General, it appears that over 6,200 Oregon residents likely had their data stolen.

Within the letter there is a curious statement that says: “The information at risk as a result of this event includes the cardholder name, address, phone number, email address, card number, expiration date, and CVV.”  For those in the credit card industry the inclusion of CVV is very troubling.  Under the card brand operating regulations and the PCI DSS, a merchant is prohibited from retaining the card verification code (CVV2, CVC2 or CID, the three- or four-digit value printed on the card) once a transaction has been authorized; it is classed as sensitive authentication data, along with full magnetic-stripe track data and PINs.  That code is exactly what a card-not-present merchant uses to verify that the purchaser holds the physical card, so a criminal who captures it along with the card number can use the stolen data for fraud far more easily than with the card number alone.  It is certainly curious that this ‘prohibited data’ is listed as an element that may have been stolen.  The notice does not say whether the CVV was taken from stored records or intercepted during checkout, but a merchant that never retains it has far less to lose from either.
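The retention rule above is something a merchant can check for in its own data. The following audit is an added illustration for this post (not SwimOutlet’s code, and not a tool referenced by the notice): it scans stored order records for the two classes of sensitive authentication data that may not be kept after authorization (the verification code and full track data) and, separately, for unmasked card numbers, then shows the sanitization that leaves only what a merchant may keep. The record layout, the field names, and the sample rows are assumptions constructed for the example; the card numbers are the public Visa and Mastercard test numbers.

```python
"""Audit stored order records for data PCI DSS forbids keeping after
authorization.  Added illustrative code for this post, not SwimOutlet's
system; the record layout, field names and sample rows are constructed."""
import json
import re
from typing import Any, Dict, List

# Field names an order table might use; assumed for the example.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_code", "security_code"}
TRACK_KEYS = {"track1", "track2", "track_data"}

# Magnetic-stripe layouts: track 1 starts "%B<PAN>^", track 2 ";<PAN>=<YYMM>".
TRACK1_RE = re.compile(r"^%B\d{12,19}\^")
TRACK2_RE = re.compile(r"^;?\d{12,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: Any) -> bool:
    """13-19 digits (spaces/dashes allowed) that pass Luhn; a masked
    value such as ************4444 does not qualify."""
    s = re.sub(r"[ -]", "", str(value))
    return s.isdigit() and 13 <= len(s) <= 19 and luhn_ok(s)


def find_prohibited(record: Dict[str, Any]) -> List[str]:
    """Findings for one stored record: sensitive authentication data
    (verification code, full track data) and unmasked PANs."""
    findings = []
    for key, value in record.items():
        if value in (None, ""):
            continue
        k, v = key.lower(), str(value)
        if k in CVV_KEYS and re.fullmatch(r"\d{3,4}", v):
            findings.append(f"{key}: verification code stored post-authorization")
        elif k in TRACK_KEYS or TRACK1_RE.match(v) or TRACK2_RE.match(v):
            findings.append(f"{key}: full track data stored")
        elif looks_like_pan(v):
            findings.append(f"{key}: unmasked PAN stored")
    return findings


def sanitize_post_auth(record: Dict[str, Any]) -> Dict[str, Any]:
    """What may remain once the authorization response is back: drop the
    verification code and track data and keep only the last four PAN
    digits (name and expiry may be stored alongside a protected PAN)."""
    clean = {}
    for key, value in record.items():
        k = key.lower()
        if k in CVV_KEYS or k in TRACK_KEYS:
            continue
        if looks_like_pan(value):
            digits = re.sub(r"[ -]", "", str(value))
            clean[key] = "*" * (len(digits) - 4) + digits[-4:]
        else:
            clean[key] = value
    return clean


def audit(records: List[Dict[str, Any]]) -> Dict[Any, List[str]]:
    """Map order_id -> findings, for records that hold prohibited data."""
    report = {}
    for rec in records:
        findings = find_prohibited(rec)
        if findings:
            report[rec["order_id"]] = findings
    return report


# Constructed sample rows; the PANs are the public Visa/Mastercard test numbers.
SAMPLE_ORDERS = [
    {"order_id": 1001, "name": "A. Customer", "card_number": "4111 1111 1111 1111",
     "exp": "12/19", "cvv2": "123", "amount": 59.95},
    {"order_id": 1002, "name": "B. Customer", "card_number": "5555555555554444",
     "exp": "05/18", "cvv2": "", "track2": ";5555555555554444=1805101?", "amount": 120.00},
    {"order_id": 1003, "name": "C. Customer", "card_number": "************4444",
     "exp": "05/18", "amount": 15.00},
]

if __name__ == "__main__":
    for order_id, findings in audit(SAMPLE_ORDERS).items():
        print(order_id, findings)
    print(json.dumps(sanitize_post_auth(SAMPLE_ORDERS[0])))
```

Run against the constructed rows, orders 1001 and 1002 are flagged (a stored CVV2 and a stored track 2 string respectively, both alongside an unmasked PAN) while 1003, which holds only the last four digits, is clean. The same sanitized shape is what the third row already has; applying `sanitize_post_auth` to the first row yields a record the audit no longer flags.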

In reviewing the SwimOutlet.com website I notice a conspicuous absence of any form of notification.  Their blog is filled with helpful tips on swimming better and eating better, but there is no mention of the fact that their users’ credit and/or debit card data was stolen.  A review of their Facebook page shows the same conspicuous absence of any notification or information.  Their Twitter feed carries nothing either.

If one looks at the timeline of events, there are some disturbing (to me, at least) items.  On October 31st, 2016 SwimOutlet.com “…began investigating unusual activity reported by (our) credit card processor.”  On November 28th, 2016 SwimOutlet.com received ‘confirmation’ that their systems were ‘hacked’, yet the notice states that data may have been compromised as late as November 22nd, 2016.  I have been involved in numerous data breach investigations and incidents.  ‘Unusual activity’ notifications from credit card processors are notifications of fraud: they typically mean the card brands or issuers have traced fraudulent transactions back to cards that share this merchant as a common point of purchase.  This is a major red flag that the merchant HAS been breached.  The notice then offers a qualified statement, saying that the breach “…may have compromised some customers’ debit and credit card data…”  Again, once the credit card processor has reported unusual activity, the data did not merely ‘may have’ been compromised; it almost certainly was.

What is most disturbing to me is that SwimOutlet.com had confirmation on November 28th, 2016 that they were breached.  They had notice as early as October 31st, 2016 of ‘unusual activity’, yet chose to wait until AFTER the holiday season to notify affected consumers.  Criminals are not stupid.  They steal credit card data before the holidays to be used over the holidays, when retailers often ‘detune’ their fraud systems and the volume of transactions creates noise in which fraud is harder to identify.  By waiting until January 12th (we received the letter on January 17th, 2017), SwimOutlet.com left us blissfully unaware that our data had been breached.  If we had been notified before the holiday season, we could have cancelled the card immediately and been spared the inconvenience and possible cost associated with this situation.

In the notice SwimOutlet.com does: “…encourage (me) to remain vigilant against incidents of identity theft and fraud.”  This would have been sage advice BEFORE the holiday season.  It raises the question of why a major online retailer would wait until after Cyber Monday and after the holiday season to notify its customers of a breach.

Finally, SwimOutlet.com reassures the recipient that “We take the security of our customers’ information extremely seriously…” and that: “…you can safely use your payment card at http://www.swimoutlet.com”.  In light of the method and delay of notification I am going to personally take my business elsewhere.

Thank You for 1,000,000 Views! January 26, 2016

Posted by Chris Mark in Uncategorized.


I was just notified that the GlobalRiskInfo blog just had its 1 millionth view, with over 850,000 visitors!  I want to give a big “Thank You!” to everyone who has taken the time to read my inane drivel and to those who take the time to comment!  This is simply a labor of love and I am grateful for the support.  This started 4 years ago and I have published 404 blog posts.  While some have been big hits, others have not.  Regardless…thank you!

“Active Responses” to CyberAttacks are Losing Propositions  May 22, 2014

Posted by Chris Mark in cybersecurity, Data Breach.

“Everyone has a plan until they’ve been hit” – Joe Louis

Spending numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for the force continuum and for the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.

As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers.  This is frequently referred to as ‘hacking back’ or ‘offensive hacking’.  Several prominent security experts, as well as some companies who have fallen victim to cyber-attacks, have begun advocating that ‘a good offense is the best defense’.  On May 28th, 2013 there was an online discussion in which an author of the upcoming book The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:

“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added)

“Failed State of Security” Part II; Cybercrime Victim Blaming May 18, 2014

Posted by Chris Mark in Uncategorized.

I am proud to release another research brief, Part II of my “Failed State of Security” series, in which I discuss and analyze victim blaming in the context of data security.  In 2012 I published a research brief titled “A Failed State of Security: A Rational Analysis of Deterrence Theory and The Effect on CyberCrime,” in which I discussed the failure of law enforcement and of cybersecurity to deter cyber events, and discussed the theory of deterrence and the need for deterrence within cybersecurity.  You can download the article on IDGA’s website or on my own website here.  This paper is Part II of the “Failed State of Security” series.  I started it after the Target data breach, but the topic is one that has always been close to me.  In April 2009 I wrote an article titled “Lessons from the Heartland Breach” which was published as the cover story by TransactionWorld magazine.

Victim blaming is common in sexual assault, as well as in other types of crime.  A quick Internet search will turn up scores of instances in which the victim of a violent crime is blamed for being victimized.  When the victim is a large corporate entity it becomes even easier to point the accusatory finger at the organization.  Whether due to Schadenfreude or some other reason, people want to blame companies that are victimized by hackers.  Did the company “cause” the breach?  Were they somehow complicit in the attack?  What do we mean when we say “cause”?  What is a causal fallacy?  These, and many more topics, are discussed in Part II of the “Failed State of Security” series.  I invite you to download “Failed State of Security Part II: Victim Blaming in Cybercrime.”  As always, I welcome any comments or debate on the topic…
