Industry News

For those of us in the security space, it’s common to hear about crime rings based out of Eastern Europe that are targeting US companies and consumers.  We prefer to think of stealing data and selling it to make a fast buck as something that happens from abroad.  A recent report from ID Analytics, though, tells us that we have plenty of trouble with that particular crime here at home.

ID Analytics, a leader in consumer risk management, has undertaken a study to identify crime rings in the US that specialize in identity theft.  According to the report, there are more than 10,000 separate crime rings operating in the United States.  Those rings appear to be most highly concentrated in Washington, D.C.; Detroit; Tampa, Fla.; Greenville, Miss.; Macon, Ga.; and Montgomery, Ala.  Another unusual finding of the report was that a large number of these rings were composed of friends and family working together.  You know what they say.  “The family that defrauds together…”

This report is interesting on a couple of levels.  First, there has been an assumption that identity theft is often the work of career criminals.  The report seems to contradict this, pointing out the almost communal nature of identity theft rings.  The individuals work together and even share identity information, like Social Security numbers, in an effort to open new lines of credit.  Secondly, while we do know that many breaches originate from abroad, it is important that we not overlook the threat that we face here at home.  Another surprising revelation in the report is the origin of the crimes.  Again, we tend to think of identity theft as an urban crime.  While most of the victims were city dwellers, the report shows that the crime rings originate largely in rural areas.

It would be interesting to see if longitudinal studies would uncover a relationship between the economic downturn, particularly as it hit these rural areas, and the increase in the formation and activity of identity theft rings.  It is sometimes easy to think of identity theft in the abstract, and that may entice people who wouldn’t be attracted to violent crime as a means of supporting themselves.

It is questionable if all the mechanical inventions yet made have lightened the day’s toil of any human being.  - John Stuart Mill

Last year, California was in the news as a result of an interpretation of a long-standing law, written and passed before the advent of the internet or ecommerce, that limited the amount of data that could be collected by retailers in order to complete a purchase.  The law, Civil Code § 1747.08 (a), expressly forbids retailers from doing the following:

(1) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
(2) Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
(3) Utilize, in any credit card transaction, a credit card form which contains pre-printed spaces specifically designated for filling in any personal identification information of the cardholder.

Essentially, if the information isn’t required for the fulfillment of the order itself, the retailer is prohibited from collecting the data.  This came to the forefront last year when the California Supreme Court ruled that collecting zip codes for Address Verification Service (AVS) was a violation of the 1971 law.  This year, the California Supreme Court is tackling the law again, this time to determine if the law does, in fact, apply to online retailers.  Retailers are concerned, understandably, that limiting the amount of information that can be collected may increase their exposure to credit card fraud.  This sets up a battle between privacy advocates and retailers that will likely set the stage for many more challenges to come.  Stay tuned to the ProPay Blog for updates on the case…

Barnes and Noble has reported that PIN entry devices in dozens of its stores have been hacked.  According to the company, one device in each of 63 different stores had been compromised.  The company said that its website and purchases made on the Nook were not impacted by the breach.  Reports indicate that the stores involved in the compromise were located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island.  B&N is working with banks to notify affected customers.  The company acted swiftly in disconnecting the devices in all of its more than 700 stores once the breach was discovered.  Further, the company altered the process for using a card to a more secure method.  Rather than swiping the card themselves, consumers will now hand the cashier the card to be swiped, a process the company believes to be more secure.

There are two security issues at play here. The first is the question of physical security.  How many times have you walked into a grocery store, or any store for that matter, and used the PIN pad device without the assistance of the clerk?  While that certainly adds convenience, it can also introduce risk.  The following video demonstrates just how easy it can be to compromise a PIN pad machine.

As you can see, without the proper physical security, attaching a skimming device or tampering with the machine can take just a matter of seconds.  If you are accepting cards, it is vitally important to think about the physical security of the data as well as the technical security.  If you use a mobile device, ensure that it is with you at all times.  If it is not with you, it should be locked in a secured location.  If you are using a Point of Sale solution or a PIN pad device, make sure that it is secured to the counter and that you can tell whether or not the device has been altered.  In the video above, the clerk noticed that the machine had been tampered with and was able to prevent the theft of data.

The second issue at play here is the technical aspect of security.  This is of particular consequence, because thieves that are able to access full card data can make counterfeit cards and the volume of fraudulent transactions increases significantly.  To counter this, the PCI SSC has drafted a number of documents specifically aimed at protecting PIN pad devices.  You can find all of the PCI SSC security documents on the Library section of their website.

Security of transaction data is not an “online only” problem.  Thieves are able to turn physical theft into credit card fraud.  That means the physical instruments that we use to accept credit card transactions must be afforded the same level of protection as the systems in which we store that data (e.g. databases or POS applications).

October is National CyberSecurity Awareness Month (NCSAM).  This year marks the 9th year that the Department of Homeland Security, the National CyberSecurity Alliance, and the Multi-State Information Sharing and Analysis Center have sponsored a series of events designed to raise public awareness of cybersecurity issues.  This year, the overall theme of the month is “Our Shared Responsibility.”  The intent is to get everyone thinking about how he or she can protect data, not simply relying on businesses to do so.  According to the DHS, “Emerging cyber threats require engagement from the entire American community—from government and law enforcement to the private sector and most importantly, members of the public – to create a safer cyber environment.”

Each week, the DHS will focus on a different aspect of cybersecurity.  The first week focused on general awareness.  To do so, DHS has created a “Stop. Think. Connect™.” campaign.  The idea behind the campaign is to urge consumers to think about how their online actions could impact their privacy and the security of their own personal information.  The DHS website provides consumers with some tools and resources that can be used to increase the security of the online experience.

Week two, this week, focuses on law enforcement efforts to halt cybercrime.  This includes efforts on both the state and federal level to increase resources devoted to catching and prosecuting data thieves that target corporate networks. Importantly, though, it also includes efforts to stop criminals that are targeting consumers through “spearphishing” and social media fraud.

The third week will focus on industry efforts, such as the PCI DSS, to fight cybercrime and to ensure that consumer data is adequately protected.  Cybersecurity is also a major concern of small business owners, who struggle to balance the risk associated with a data compromise against limited resources.  The DHS has provided a list of resources for small businesses that are looking for help in managing their data protection and cybersecurity efforts.

The last week of NCSAM focuses again on education and awareness.  The twist here, though, is that the focus is on training the “next generation” of cybersecurity professionals.  It includes lesson plans for students in K-12 to help create a cultural and generational knowledge of cybersecurity.  In an era in which states are sponsoring and hiring cyber warfare agents, one can see how becoming a country with bountiful cybersecurity resources can help secure the future.

There is a lot of discussion about security for small businesses, and for the most part that discussion revolves around data security.  There is good reason for that focus.  Certainly, the number and magnitude of data thefts is on the rise, even as businesses take greater pains to secure their data.  Additional attention is given to the issue as a result of the growing number of regulatory mandates for the protection of all types of personal information.  Businesses are well served to pay attention to their data security strategies.  A recent article in Business News Daily, though, asks just how broad your business’ security plan should be.

If you’re a small business owner with a storefront or office location, it may be well worth the effort to create a physical security plan to deal with the eventuality of burglary or theft.  Additionally, the physical security plan should work to create a safe working environment for employees and a hazard-free experience for customers.  While we often worry about the relatively esoteric notion of someone hacking a network and stealing data, it is possible to overlook precautions for the far more likely event that someone will simply steal the equipment on which the data is stored.  Protecting that equipment is just as important as ensuring that the network is secured.

It is easy to fall into the habit of using a one-dimensional definition of security.  That is particularly true when the media and our industry are so focused on that one aspect.  But physically securing your business, making sure that your assets, your building, your employees and your customers are all protected, is just as important.  In fact, one could even argue that the physical security of your employees and customers outstrips the other elements entirely.  The point here is to remind ourselves that our businesses are not made up of just one element, and our security plans should reflect that.
