Entries tagged with “Security”.
Nov 27 2012
When we talk about the protection of data, particularly sensitive personal information like credit card or social security numbers, we often focus on “digital data.” By digital data, I mean the data stored in our networks and computers, our POS systems and other “networked” appliances. It’s easy to lose sight of the fact that copiers, printers, and fax machines are often networked appliances too, complete with memory. That means that when you send a fax or make a copy, the appliance may retain that data in its memory, which makes the appliance itself a point of vulnerability for the network.
The ability of these devices to store data should also be a consideration when looking to lease or buy previously used equipment, particularly used POS equipment. You may be introducing someone else’s liability into your secure environment. This is where having proper policies and procedures becomes vitally important. Merchants should have a process for evaluating the security options on a device before it is put into service (does it allow the data held in memory to be overwritten or encrypted?), and security procedures should be in place to ensure that device memory is regularly overwritten, and wiped before the device is sold, returned or disposed of, to avoid data leakage.
The PCI DSS specifically requires that companies “Protect Stored Cardholder Data Wherever it is Stored.” Unfortunately, as our businesses grow, that often means that our cardholder data environment grows along with it. Information security policies and processes become more and more important. It can also be helpful to find strategies for limiting the size of the cardholder data environment.
Nov 14 2012
Posted by hmark
Industry News, identity theft
For those of us in the security space, it’s common to hear about crime rings based out of Eastern Europe that target US companies and consumers. We tend to think of stealing data and selling it for a fast buck as something that happens from abroad. A recent report from ID Analytics, though, tells us that we have plenty of trouble with that particular crime here at home.
ID Analytics, a leader in consumer risk management, has undertaken a study to identify crime rings in the US that specialize in identity theft. According to the report, there are more than 10,000 separate crime rings operating in the United States. Those rings appear to be most highly concentrated in Washington, D.C.; Detroit; Tampa, Fla.; Greenville, Miss.; Macon, Ga.; and Montgomery, Ala. Another unusual finding of the report was that a large number of these rings were made up of friends and family working together. You know what they say. “The family that defrauds together…”
This report is interesting on a couple of levels. First, there has been an assumption that identity theft is usually the work of career criminals. The report seems to contradict this, pointing out the almost communal nature of identity theft rings. The individuals work together and even share identity information, like social security numbers, in an effort to open new lines of credit. Secondly, while we do know that many breaches originate from abroad, it is important that we not overlook the threat we face here at home. Another surprising revelation in the report is the geographic origin of the crimes. We tend to think of identity theft as an urban crime. While most of the victims were city dwellers, the report shows that the crime rings originate largely in rural areas.
It would be interesting to see whether longitudinal studies would uncover a relationship between the economic downturn, particularly as it hit these rural areas, and the increase in the formation and activity of identity theft rings. It is easy to think of identity theft in the abstract, and that may entice people who would never be attracted to violent crime as a means of supporting themselves.
Oct 24 2012
Barnes and Noble has reported that PIN entry devices in dozens of its stores have been hacked. According to the company, one device in each of 63 different stores had been compromised. The company said that its website and purchases made on the Nook were not impacted by the breach. Reports indicate that the stores involved in the compromise were located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. B&N is working with banks to notify affected customers. The company acted swiftly in disconnecting the devices in all of its more than 700 stores once the breach was discovered. Further, the company altered the card acceptance process: rather than swiping the card on a customer-facing PIN pad, the consumer now hands the card to the cashier to be swiped, a process the company believes to be more secure.
There are two security issues at play here. The first is the question of physical security. How many times have you walked into a grocery store, or any store for that matter, and used the PIN pad device without the assistance of the clerk? While that certainly adds convenience, it can also introduce risk. The following video demonstrates just how easy it can be to compromise a PIN pad machine.
As you can see, without proper physical security, attaching a skimming device or tampering with the machine can take just a matter of seconds. If you are accepting cards it is vitally important to think about the physical security of the data, as well as the technical security. If you use a mobile device, ensure that it is with you at all times; if it is not with you, it should be locked in a secured location. If you are using a Point of Sale solution or a PIN pad device, make sure that it is secured to the counter and that you can tell whether or not the device has been altered: know what the device and its cabling look like, check the serial number against your inventory, and inspect it regularly for added overlays or hardware. In the video above, the clerk noticed that the machine had been tampered with and was able to prevent the theft of data.
The second issue at play here is the technical aspect of security. This is of particular consequence because thieves who are able to capture full track data and PINs can make counterfeit cards, and the volume of fraudulent transactions then increases significantly. To counter this, the PCI SSC has published a number of documents (the PIN Transaction Security requirements and related guidance) specifically aimed at protecting PIN pad devices. You can find all of the PCI SSC security documents in the Library section of their website.
Security of transaction data is not an “online only” problem. Thieves are able to turn physical tampering into credit card fraud. That means the physical instruments we use to accept credit card transactions must be afforded the same level of protection as the systems in which we store that data (e.g. databases or POS applications).
Oct 10 2012
Posted by hmark
Data Security, Industry News
October is National Cyber Security Awareness Month (NCSAM). This year marks the 9th year that the Department of Homeland Security, the National Cyber Security Alliance, and the Multi-State Information Sharing and Analysis Center have sponsored a series of events designed to raise public awareness of cybersecurity issues. This year, the overall theme of the month is “Our Shared Responsibility.” The intent is to get everyone thinking about how he or she can protect data, rather than simply relying on businesses to do so. According to the DHS, “Emerging cyber threats require engagement from the entire American community—from government and law enforcement to the private sector and most importantly, members of the public – to create a safer cyber environment.”
Each week, the DHS will focus on a different aspect of cybersecurity. The first week focused on general awareness. To do so, DHS has created a “Stop. Think. Connect™.” campaign. The idea behind the campaign is to urge consumers to think about how their online actions could impact their privacy and the security of their own personal information. The DHS website provides consumers with some tools and resources that can be used to increase the security of the online experience.
Week two, this week, focuses on law enforcement efforts to halt cybercrime. This includes efforts on both the state and federal level to increase resources devoted to catching and prosecuting data thieves that target corporate networks. Importantly, though, it also includes efforts to stop criminals that are targeting consumers through “spearphishing” and social media fraud.
The third week will focus on industry efforts, such as the PCI DSS, to fight cybercrime and to ensure that consumer data is adequately protected. Cybersecurity is also a major concern of small business owners, who struggle to balance the risk associated with a data compromise against limited resources. The DHS has provided a list of resources for small businesses that are looking for help in managing their data protection and cybersecurity efforts.
The last week of NCSAM focuses again on education and awareness. The twist here, though, is that the focus is on training the “next generation” of cybersecurity professionals. It includes lesson plans for students in K-12 to help create a cultural and generational knowledge of cybersecurity. In an era in which states are sponsoring and hiring cyber warfare agents, one can see how becoming a country with bountiful cybersecurity resources can help secure the future.
Oct 9 2012
Posted by hmark
Industry News, Small Businesses
There is a lot of discussion about security for small businesses, and for the most part that discussion revolves around data security. There is good reason for that focus. Certainly, the number and magnitude of data thefts is on the rise, even as businesses take greater pains to secure their data. Additional attention is given to the issue as a result of the growing number of regulatory mandates for the protection of all types of personal information. Businesses are well served to pay attention to their data security strategies. A recent article in Business News Daily, though, asks just how broad your business’ security plan should be.
If you’re a small business owner with a storefront or office location, it may be well worth the effort to create a physical security plan to deal with the eventuality of burglary or theft. Additionally, the physical security plan should work to create a safe working environment for employees and a hazard-free experience for customers. While we often worry about the relatively esoteric notion of someone hacking a network and stealing data, it is easy to overlook precautions for the far more likely event that someone will simply steal the equipment on which the data is stored. Protecting that equipment (and encrypting the data on it, so that a stolen laptop or server is a hardware loss rather than a breach) is just as important as ensuring that the network is secured.
It is easy to fall into the habit of using a one-dimensional definition of security. That is particularly true when the media and our industry are so focused on that one aspect. But physically securing your business, making sure that your assets, your building, your employees and your customers are secure, is every bit as important. In fact, one could even argue that the physical security of your employees and customers outstrips the other elements entirely. The point here is to remind ourselves that our businesses are not made up of just one element, and so our security plans should reflect that.