Archive for April, 2011

Today at work I was conducting some research on a security product and typed the phrase into Google. The search results were shown and I clicked on a very relevant link that was a compilation of security blogs. As I was reading a particular post, I received an error message from my laptop. In my taskbar I noticed the very familiar Windows notification icon and when I clicked on it, I was given a warning that my laptop's hard drive was failing and I was at risk of losing my data. All looked very legitimate but I was cautious as it seemed too convenient. When I tried to open Task Manager I could not. This, I knew, was not a legitimate issue but rather malicious software. My system was then shut down and upon restarting, a “Windows Recovery Console” appeared. It looked like the real console but I knew better. Before it had a chance to do any real damage, I contacted our very capable Operations Manager Dave and asked him to take a look. Sure enough, it was a virus that was downloaded onto my system when I visited the SECURITY SITE. That is right. I visited a site on data security and was infected with a virus. Luckily, I was smart enough to disconnect my system and contact support and they were insightful enough to take action. My system was fixed, no harm, no foul.

The moral of the story is that 1) you have to be very careful on the Internet as even seemingly innocuous websites can be harmful; 2) in spite of our anti-virus and other controls, the malicious code managed to get onto my system; and finally, and most importantly, 3) data security relies upon people recognizing anomalous behavior and acting to mitigate the risk. If you see something that doesn’t quite feel right, have it checked out. I consider myself a pretty savvy technical and security professional. Yes, it should have hurt my pride to go to Operations and ask them to check my system. If I had let my pride take precedence over common sense, I could have infected numerous other systems. Who knows what could have resulted.

Let this be a lesson for us all. Nobody is immune to security threats. RSA was recently breached, Sony was recently breached, and numerous other respectable companies have been victims. Often it is an oversight by people that results in data security issues. Be aware and be safe. Don’t be afraid to ask for help, and if something looks strange, check it out.

Chris Mark

ProPay has published a whitepaper titled Zumogo - The Rise of Social M-Payments. The whitepaper discusses the aspects of secure, social mobile payments and provides an overview of the Social M-Payments concept and the Zumogo Platform. To read the whitepaper please use this link.

I was watching the classic Robert Redford movie Brubaker this evening and it highlighted some good information security concepts, namely social engineering, pretexting, and authentication. So you are likely asking, “What is pretexting and what does Brubaker have to do with any of these concepts?” Good questions! I will explain. In the movie Henry Brubaker (played by Robert Redford) is assigned to take over a prison farm as the new warden. To get a feel for how poorly the prison is being run he enters in disguise as a prisoner. Once inside, he then makes the announcement that he is the new warden.

Pretexting is defined as: “… a reason for an action which is false, and offered to cover up true motives or intentions.” In the movie, Brubaker uses the pretext of being a prisoner to cover up his true motive of trying to get some inside (pun intended) knowledge of the prison before he takes over. In information security we see pretexting frequently from phishers that try to gain the confidence of people through email in an attempt to defraud them. In a more traditional sense, we see pretexting every day. If you have ever seen someone who was caught doing something that they should not have been doing justify it after the fact with a fabricated reason, this is a good example of pretexting. “Well, I may have done XYZ but the reason I did this was because you did ABC…” ABC, of course, being fabricated simply to justify the XYZ. That is a good example of pretexting.

Social Engineering - While this is by now common knowledge, the movie provides a good example of social engineering, though many would struggle to see the relevance. While Brubaker is conning prisoners into believing he is a prisoner, it still is a form of social engineering. His life depends upon his being able to convince the prisoners that he is one of them. Social engineering takes a huge toll on business because people are naturally trusting.

Authentication - There is a good (and bad) example of authentication in the movie. When Brubaker is ready to disclose his true identity, he has a guard simply escort him to the warden’s office. When the various people (warden included) begin to question Brubaker, he has no identification. Instead he begins to recite the personnel records of the employees. At this point they believe he is legitimate (authenticated) and they concede he is the new warden. While this is a good example of authentication, it is also a very poor example. As we know today from people having their identity stolen, it is easy to find personal information. Using such information in this way is a form of social engineering to circumvent the authentication required.

At the end of the day, it is a good movie with some good lessons for you security geeks who want to analyze the movie ;)

Visa announced today that it has released its newly developed Mobile Payment Acceptance Best Practices. You can read more here. As stated by Eduardo Perez, head of global payment system risk, Visa Inc.: “Mobile devices that can facilitate acceptance of payments are an important advancement in payments that must balance the promise of an enhanced consumer and retailer shopping experience with enhanced security measures to protect sensitive cardholder information. As a payment technology leader, Visa is well positioned to provide the industry security guidance for emerging acceptance solutions.” While the best practices do not include any earth-shattering new ideas, they do include requirements (well, they are actually best practices) that data be encrypted at the card reader level. This means (or should mean) an end to all of the unencrypted readers floating around the industry. Bravo to Visa for once again taking a stand on a difficult subject and jumping into the deep end!

Heather Mark and Travis Allen are attending the Visa Global Security Summit this week while our EVP of Risk, Lance Rich, is at the MasterCard Risk Symposium. Based on initial feedback both events are outstanding and packed with valuable information. ProPay applauds the card brands for hosting such valuable events. Below is a picture of the ProPay booth at Visa’s summit.