DISC InfoSec blogCredit card Archives

Nov 15 2012

Tips for staying safe this Cyber Monday

Category: cyber security,Cybercrime — DISC @ 12:52 pm

Cyber Monday, one of the largest online shopping days of the entire year, is coming November 26. The National Retail Federation estimates that shoppers spent more than $1.2 billion last year, doing more than a third of their holiday shopping online.

The issue? This influx of activity online, often times during business hours on a corporate network, is a holiday in itself for scammers and seasoned hackers.

As much as the bosses may not like it, the shopping on Monday is inevitable. So what should end users be mindful of to protect themselves AND the sensitive data on their personal or corporate networks?

FortiGuard Labs threat researchers, Guillaume Lovet and Derek Manky offer a few security tips to help you stay safe online.

1. Unsolicited e-mails: While it may be tempting to click on an email link that says, “Great Deal on iPads… 50% off!” Be careful! By clicking on that link, you could be taken to a compromised Website that downloads malware onto your computer. That malware can then be used to capture your computer key strokes, download additional malware, such as fake antivirus applications, or simply turn your computer into a spam generator.

What to do: If a deal looks too good to be true? It probably is. If you’re still tempted, simply place your cursor over the link (without clicking on it) and check to make sure the URL listed is where you were intending to go.

2. Nefarious search engine results: Search Engine Optimization (SEO) attacks (also known as search engine poisoning) typically occur during major events and holidays. This time of year, hackers may use search terms such as “Holiday Sale,” “Christmas bargains,” or “Year End Specials.” When a user clicks on the malicious link, they could be taken to a Website where their computer can be immediately compromised.

What to do: Same with the tip above, check the link before you click. Also, make sure if you do go to the site that the content looks relevant to what you searched for, versus lots of keywords globbed together on a page in random sentences

3. Unknown online retailers: If you discover an online store that’s offering unbelievable specials on holiday merchandise, do some digging to make sure it’s a legitimate store and not a false front that will disappear later that day along with your credit card information. And even if they are legitimate, you’ll want to make sure their site hasn’t been unknowingly compromised by SQL injection or other server attacks.

Compromised websites won’t always redirect you to a malicious site, but often will phish or try to surreptitiously install other forms of malware on your computer, such as Trojans, bots, keyloggers and rootkits, which are designed to harm systems and steal personal information.

What to do: Make sure your antivirus system is up-to-date, as well as intrusion prevention to help guard against these exploits. Without them, you may not even know that you’re infected.

4. Beware of friends sharing unsolicited links: Malicious links don’t always come from spam emails. They could come from your closest friend on Facebook or via e-mail whose machine has been unknowingly compromised. The infected machine may have a botnet that’s been programmed to comb through email or Facebook address books and send malicious links to everyone in them. The message might say, “Hey, check out the holiday sale going on here!” or “This place is have a 50% off Christmas sale!” By clicking on the link you could be taken to a malicious Website that installs malware on your system or phishes for your credit card credentials.

What to do: Use common sense. Does your friend normally update you on when sales come up? If you’re not sure, a quick private message or phone call to ask, “Did you mean to send me this?” could save you from compromising your personal (and corporate) sensitive information.

12 Cyber shopping scams of Christmas: Just in time for Black Friday, Cyber Monday shoppers (blogs.vancouversun.com)
Tips to avoid Cyber Monday scams (wxyz.com)

Tags: Credit card, Cyber Monday, National Retail Federation, Online shopping, SQL injection, Website

Comments (0)

Jul 08 2011

How to protect ourselves from Payment Fraud

Category: Cyber Threats,Cybercrime,pci dss — DISC @ 11:26 pm

Some basic advice has been issued by Apacs, and includes:

* Don’t let your cards or your card details out of your sight when making a transaction

* Do not keep your passwords, login details or Pins written down

* Do not disclose Pins, login details or passwords in response to unsolicited emails

* Only divulge card details over the phone when you have made the call or when you are familiar with the company

* Access internet banking or shopping sites by typing the address into your browser. Never enter your personal details on a website you have accessed via a link from an e-mail

* Shop at secure websites by checking that the security icon is showing in your browser window (a locked padlock or an unbroken key)

* Always log out after shopping and save the confirmation e-mail as a record of your purchase

For more advice you can visit:

Spotting and avoid common scams, fraud and schemes online and offline

How the scam works and what you need to do about it.

and

Online payment Security and Fraud Prevention

Tags: Australia, Business, Credit card, Financial services, fraud, Internet fraud, Online banking

Comments (1)

Jun 09 2011

Citi credit card security breach discovered

Category: Security Breach — DISC @ 10:42 am

Image via Wikipedia

“Citigroup says it has discovered a security breach in which a hacker accessed personal information from hundreds of thousands of accounts.

Citigroup said the breach occurred last month and affected about 200,000 customers.”

“During routine monitoring, we recently discovered unauthorized access to Citi’s account online,” said Citigroup, in a prepared statement. “A limited number — roughly 1 percent – of Citi bankcard customers’ accounting information (such as name, account number and contact information including email address) was viewed.”

According to its annual report, Citigroup has about 21 million credit card accounts in North America, where the breach occurred.

The statement went on to say that the customers’ Social Security numbers, dates of birth, card expiration dates and card security codes “were not compromised.”

Well the routine monitoring discovered the Citi Group incident which clearly shows that intrusion was not discovered during the incident but after the incident had happened.
Cyber intrusion cost will increase and depend upon how late the incident was detected. The organizations should change their corporate strategy to more proactive approach where they can maintain, monitor and improve security controls based on the current value of the information asset.

If you’re a Citibank customer, we suggest you take a look at your account and immediately report any irregularities.

Stopping Identity Theft: 10 Easy Steps to Security

http://www.youtube.com/watch?v=KH0zno_6d9M

Tags: Citigroup, Credit card, Customer, Financial Times, Online service provider, PlayStation Network, Security, Social Security number

Comments (1)

Dec 19 2010

Protect your credit card information and avoid Fraud

Category: cyber security — DISC @ 10:51 pm

: Image by Getty Images via @daylife

Essentials of Online payment Security and Fraud Prevention

As we all know that credit card frauds are on the rise and crooks are utilizing more advanced techniques to acquire credit card information. In these circumstances anyone can lose their private and credit card information to crooks. Individual due diligence is necessary to protect credit card information and below are few measures which can help to protect it.

– At least once a year (or preferably every 6 months) report each one of your cards missing, so that your credit card company would issue you a new card. This is because often crooks steal credit card info but they wait to collect many (at least a million) before they sell them and this process typically takes a year (according to FBI) so most of the times your credit card info may be compromised but you don’t know about it until the crook sells it to a buyer and then in a matter of 1-2 weeks you get hit by tons of purchases and before you know it you credit card is maxed and you are stuck with proving it wasn’t you.

– Sign up with www.LifeLock.com, instead of the many identity theft programs that your bank offers. This program costs about $80-$100 a year (similar in cost to what banks like Chase and WFB offer) but this program TRULY covers all the costs of when your identity is stolen and cards are maxed. They do by far MORE than the other programs that banks offer and they cover all the costs that you may incur (including replacing your PC that maybe infected with a virus).

– If anyone calls you (from Visa, MC, AmEx or any credit card company) and told you anything like your credit card has been used, stolen, etc, get their telephone number and tell them you will call them back before you say ANYTHING to them. And then call the 800 number on the back of your card and verify that the phone number they gave you is indeed a valid number. Do NOT give anything, specially the 3 digit off the back of your card to anyone who calls you.

– As always, do NOT enter your ATM card PIN into any email.

– Do NOT open any emails from anyone that you do NOT know. If you do, and there is a .pdf file is attached, make sure it makes sense that the sender has sent you this file otherwise do NOT open the .pdf file. Many viruses are embedded in .pdf files (Not pictures or txt files, just .pdf)

– If you do on-line banking (as we all do) do NOT do bill payment or if you do then once a day check the balance in your account. Also, if possible contact your bank and BAN any WIRE TRANSFERs from your account. Tons, tons of wire transfer fraud has happened during the past year or two and people have LOST THEIR MONEY, the banks have NO obligation to repay even if you can prove you didn’t do the transfer. They say that your computer was hacked and that is YOUR fault not theirs. Check your bank account balances DAILY as with wire transfer you have 24 hours (in most cases) to reverse it but if it is gone then your money is GONE and you may never be able to collect it back.

– NEVER give your laptop for repair or upgrades to anyone that you do NOT know really well. Once your laptop or computer is in the hands of a crook he can install spyware and other programs that will go into the core of your PC and nothing, as in NOT EVEN FORMATTING YOUR HARD DISK, can get rid of the virus or spyware. Your only option is to throw away your PC and buy a new one.

– When online, if you happen to go to a website that had many different items on it; such as “Sarah Palin’s info”, “Earthquake victims”, “Las Vegas Deals”, etc. DO NOT open any files or documents (don’t click on them). These websites are put together by very smart crooks who want to attract people so they have a variety of info posted but each article has a virus/spyware loaded in it and if you click on it the virus will be loaded into your PC and from that point on they can monitor your keyboard entries, even the screens you look at. Avoid any website that has an unusual or strange collection of info on them.

– Have one credit card with a low limit ($1000-$2000) only for use on internet purchases.

– Have another card with even a lower limit ($500) only for use in Gas stations. Gas stations have the highest rate of fraud because the pumps have Readers/Pin pads in them that are really old and do NOT have any security feature in them. So have a very low limit card only for use in Gas stations.

– Have one/more high limit cards that you only use when you purchase something that you SIGN for, and always check your statements at the end of the month.

Prevent Credit Card Fraud With Virtual Credit Cards (applyforacreditcard.com)
Credit Card Processing Companies and Deceptive Business Practices (creditcardprocessing.net)
Tis the Season: How to Protect Yourself from Identity Theft during the Holidays (quizzle.com)
The 12 Scams of Christmas: #6 – Credit Card Refund Fraud (chicagonow.com)

Tags: Business, Consumer, Credit card, Financial services, Identity Theft, Merchant Services, Sarah Palin, Wire transfer

Comments (1)

Aug 23 2010

13 Things an Identity Thief Won’t Tell You

Category: Identity Theft — DISC @ 11:10 am

: Image by CarbonNYC via Flickr

Stopping Identity Theft: 10 Easy Steps to Security

by Reader’s Digest Magazine, on Thu Aug 12, 2010 Interviews by Michelle Crouch

Former identity thieves confess the tactics they use to scam you.

1. Watch your back. In line at the grocery store, I’ll hold my phone
like I’m looking at the screen and snap your card as you’re using it.
Next thing you know, I’m ordering things online-on your dime.

2. That red flag tells the mail carrier-and me-that you have outgoing
mail. And that can mean credit card numbers and checks I can reproduce.

3. Check your bank and credit card balances at least once a week. I can
do a lot of damage in the 30 days between statements.

4. In Europe, credit cards have an embedded chip and require a PIN,
which makes them a lot harder to hack. Here, I can duplicate the
magnetic stripe technology with a $50 machine.

5. If a bill doesn’t show up when it’s supposed to, don’t breathe a sigh
of relief. Start to wonder if your mail has been stolen.

6. That’s me driving through your neighborhood at 3 a.m. on trash day. I
fill my trunk with bags of garbage from different houses, then sort
later.

7. You throw away the darnedest things-preapproved credit card
applications, old bills, expired credit cards, checking account deposit
slips, and crumpled-up job or loan applications with all your personal
information.

8. If you see something that looks like it doesn’t belong on the ATM or
sticks out from the card slot, walk away. That’s the skimmer I attached
to capture your card information and PIN.

9. Why don’t more of you call 888-5-OPTOUT to stop banks from sending
you preapproved credit offers? You’re making it way too easy for me.

10. I use your credit cards all the time, and I never get asked for ID.
A helpful hint: I’d never use a credit card with a picture on it.

11. I can call the electric company, pose as you, and say, “Hey, I
thought I paid this bill. I can’t remember-did I use my Visa or
MasterCard? Can you read me back that number?” I have to be in
character, but it’s unbelievable what they’ll tell me.

12. Thanks for using your debit card instead of your credit card.
Hackers are constantly breaking into retail databases, and debit cards
give me direct access to your banking account.

13. Love that new credit card that showed up in your mailbox. If I can’t
talk someone at your bank into activating it (and I usually can), I
write down the number and put it back. After you’ve activated the card,
I start using it.

Identity Theft Protection (personalbudgeting.suite101.com)
Early Warning Signs of Identity Theft (consumereducation.suite101.com)
You: To protect yourself, think like an ID thief (washingtonpost.com)
Identity Theft: How To Avoid It (forbes.com)

Tags: Automated teller machine, Business, Credit card, debit card, Financial services, Identity Theft, MasterCard, Visa

Comments (1)

Aug 09 2010

Identity theft: How to protect your kids

Category: Identity Theft — DISC @ 10:34 am

: Image by TheTruthAbout… via Flickr

Stopping Identity Theft: 10 Easy Steps to Security

Identity theft that targets children is rising. Here are five steps to protect your family

By Alissa Figueroa

Identity theft has grown into a multibillion-dollar problem. And it’s not only adults who are targeted.

At least 7 percent of the reported cases of identity theft target children. The number could actually be much higher, since many families don’t discover theft until a child applies for credit.

And the problem is likely to get worse before it gets better, the Associated Press reports, as identity thieves steal children’s dormant Social Security numbers and use them to create phony lines of credit and rack up debt, sometimes for years.

The scam, which has popped up only in the last year, is difficult to guard against, says Linda Foley, cofounder of the Identity Theft Resource Center (ITRC), an organization that offers counseling and resources to identity theft victims. The ITRC has seen a notable jump in the number of children identity-theft cases in the last year, reaching about 9 percent of its caseload this month.

“There’s no way to protect your child completely,” says Ms. Foley. That’s partly because these thieves are likely using sophisticated programs that mine for dormant numbers through school or doctor’s offices databases, which often require that children’s Social Security numbers be provided. And partly because tactics for selling the numbers are constantly evolving, making this kind of theft difficult to track.

Since credit issuers do not keep track of the age of Social Security number holders, they cannot alert families when a child’s number is being used. That’s something Foley’s organization has been trying to change since 2005, and a protection she considers vital for preventing child identity theft on a large scale.

There is some advice that parents can follow, though, to reduce the risk of identity theft:

1. Be cautious with your child’s Social Security number. Always ask why an organization needs the number and when possible, do not give it out. Be careful about which individuals, even friends and family, have access to your child’s number. Many identity thieves know their victims. Destroy extra documents that list your child’s number.

2. Talk to your kids about identity theft. Teach children not to divulge their personal information on the telephone and online.

3. Do not check your child’s credit report unless you have reason to believe there’s a problem. A minor should not have a report unless someone has applied for credit using that child’s Social Security number. To order reports unnecessarily can establish a credit report, opening a door to thieves, according to the ITRC.

4. Watch for red flags. If you receive pre-approved credit card offers or calls from collection agencies, run a credit report on your child immediately to see if there has been fraud.

5. Contact an identity theft specialist if you suspect a problem. There are several resources for families concerned with issues of identity theft. Visit the ITRC’s website for facts and information, or call its hotline at (888) 400-5530. You can also find information on the Federal Trade Commission’s identity-theft-prevention website.

Advocates Propose Child ID Theft Prevention Database (informationweek.com)

Tags: Credit card, crime, Federal Trade Commission, Identity Theft, ITRC, Linda Foley, Social Security number, Theft

Comments (2)

Jul 10 2010

FTC Says Scammers Stole Millions, Using Virtual Companies

Category: Cybercrime — DISC @ 11:23 pm

: Image via Wikipedia

100% Internet Credit Card Fraud Protected

by Robert McMillan
The U.S. Federal Trade Commission has disrupted a long-running online scam that allowed offshore fraudsters to steal millions of dollars from U.S. consumers — often by taking just pennies at a time.

The scam, which had been run for about four years, according to the FTC, provides a case lesson in how many of the online services used to lubricate business in the 21st century can equally be misused for fraud.

“It was a very patient scam,” said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. “The people who are behind this are very meticulous.”

The FTC has not identified those responsible for the fraud, but in March, it quietly filed a civil lawsuit in U.S. District Court in Illinois. This has frozen the gang’s U.S. assets and also allowed the FTC to shut down merchant accounts and 14 “money mules” — U.S. residents recruited by the criminals to move money offshore to countries such as Bulgaria, Cyprus, and Estonia.

“We’re going to aggressively seek to identify the ultimate masterminds behind this scheme,” Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn’t know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminal buy and sell stolen information.

Small Thefts Overlooked

The scammers stayed under the radar by charging very small amounts — typically between $0.25 and $9 per card — and by setting up more than 100 bogus companies to process the transactions.

U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed. Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC.

As credit cards are increasingly being used for inexpensive purchases — they’re now accepted by soda machines and parking meters — criminals have cashed in on the trend by running this type of unauthorized charging scam.

“They know that most of the fraud detection systems won’t detect anything under $10 and they know that consumers won’t complain about a 20 cent fee,” said Avivah Litan, an analyst with the Gartner research firm who follows bank fraud. “What’s different here is the scale, and that they got away with it for so many years,” she said.

Similar Cases Show Trend

In March Alexsandr Bernik of Roseville, California, was sentenced to 70 months in prison for running a similar scam. He put tens of thousands of charges on Amex accounts, each ranging from $9 to $15. Neither federal authorities nor American Express would explain how Bernik obtained his card numbers.

Bernik made his charges on behalf of a fictional corporation called Lexbay Ltd., but in the FTC case, the scammers would mimic legitimate companies — taking real federal tax I.D. numbers and then setting up fake businesses with nearly identical names that appeared to be located nearby. In a move that apparently tricked credit card processors into granting it a merchant account, Adele Services, for example, was set up to mimic a legitimate Bronx, New York group called Adele Organization.

When the scammers tried to register merchant accounts with credit card processors, the processors would do some investigating, but using tricks like these, the scammers were always one step ahead.

In fact, the FTC’s description of their operation reads like a textbook on how to set up a fake virtual corporation in the Internet age.

The criminals used a range of legitimate business services to make it appear to credit card processors as though they were legitimate U.S. companies, even though the scammers may have never set foot in the U.S.

For example, using a company called Regus, they were able to give their fictional companies addresses that were very close to the companies whose tax IDs they were stealing. Regus lets companies operate “virtual offices” out of a number of prestigious addresses throughout the U.S. — the Chrysler Building in New York for example — forwarding mail for as little as US$59 per month.

Mail sent to Regus locations was then forwarded to another company, called Earth Class Mail, which scans correspondence and uses the Internet to deliver it to customers in pdf format.

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data. The scammers also set up bogus accounts with Elavon and BBVA Compass.

First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation.

Aided by ‘Mules’

To get the money out of the U.S., the scammers had to recruit money mules. These were U.S. residents who were recruited online, often with spam e-mail messages. Under the impression that they were helping offshore businesses, the money mules set up bank accounts and helped the fraudsters move money offshore.

In a letter to the judge presiding over the case, one of the mules, James P. Smith of Brownwood, Texas, says he worked for one of the scammers for four years without realizing that anything illegal was going on. Smith now says he is “ashamed” to be named in the FTC action, and offers to help catch his former boss, who used the name Alex Moore.

The FTC’s Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

“Does it prevent the people from ultimately responsible from building up again from scratch?” he asked. “No. But we do hope that this serously disrupts them.”.

Tags: American Express, Business, Credit card, Federal Trade Commission, First Data, fraud, FTC, United States

Comments (0)

Jun 22 2010

Symantec: SMBs Change Security Approach with Growing Threats

Category: BCP,Malware — DISC @ 1:50 am

: Image via CrunchBase

By: Brian Prince

A survey of small to midsize businesses from 28 different countries by Symantec found that companies are focusing more on information protection and backup and recovery. Driving these changes is a fear of losing data.

Today’s small to midsize businesses (SMBs) are facing a growing threat from cyber-attacks, and are changing their behavior to keep up.

In a May poll of 2,152 executives and IT decision makers at companies with between 10 and 499 employees, Symantec found SMBs are now spending two-thirds of their time dealing with things related to information protection, such as computer security, backup and archival tasks, and disaster preparedness. Eighty-seven percent said they have a disaster preparedness plan, but just 23 percent rate it as “pretty good” or “excellent.”

Driving the push for these plans, as well as the interest in backup and recovery, is the fear of losing data. Some 42 percent reported having lost confidential or proprietary information in the past, and all of those reported experiencing revenue loss or increased costs as a result. Almost two-thirds of the respondents said they lost devices such as smartphones, laptops or iPads in the past 12 months, and all the participants reported having devices that lacked password protection and could not be remotely wiped if lost or stolen.

In the past, SMBs would settle for having antivirus technology, said Bernard Laroche, senior director of product marketing at Symantec. Now, however, they are starting to realize the threat landscape is changing, he said.

“If you look at endpoint usage … in most SMBs that’s the only place where the information resides because people were not backing up … so if somebody would lose a laptop at the airport or somebody steals the laptop in the back of car or something, then your information is obviously at risk and that can bring a lot of financial impact to small business,” he said.

The survey also found SMBs are spending an average of about $51,000 on information protection. The financial damage for those who suffer cyber-attacks can be significant. Cyber-attacks cost an average of $188,242 annually, according to the survey. Seventy-three percent said they were victims of cyber-attacks in the past year, and 30 percent of those attacks were deemed “somewhat/extremely successful.” All of the attack victims suffered losses, such as downtime, theft of customer or employee information, or credit card data, Symantec reported.

“The concept of, ‘I’ve got an antivirus solution, I’m fully protected,’ I think those days are gone,” Laroche said.

Detail information on Symantec SMBs Suites:

Symantec Endpoint Protection Small Business Edition 12.0

Symantec Protection Suite Small Business Edition 3.0

Tags: Backup, Business, Computer security, Credit card, Emergency Management, Small business, SMB, SMB suites, Symantec, Warfare and Conflict

Comments (0)

May 18 2010

Taking Credit Card Security Seriously

Category: pci dss — DISC @ 1:33 pm

: Image by Getty Images via Daylife

PCI DSS v1.2: A Practical Guide to Implementation

By David F. Carr @ Forbes

The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I’m talking about lying and praying.

In 2004 the major credit card companies got together to define a common Payment Card Industry Data Security Standard (PCI DSS, often referred to as just PCI). They are gradually ratcheting up the pressure on merchants of all sizes to comply. Large companies, and some smaller ones that process a large volume of transactions (particularly if they’re doing it on the Web), are required to have an independent review of their processes and systems by a security professional credentialed as a qualified security assessor (QSA). Most small businesses can instead complete a self-assessment questionnaire, where they essentially grade themselves. That’s where the lying comes in. It’s not so hard to check off all the right answers (“Sure, I review my e-commerce server logs on a daily basis.”) without actually making them true.

If you’re lying, you had better also be praying. If caught, you could be fined for non-compliance, to the tune of tens or hundreds of thousands of dollars–enough to put many a small organization out of business. Expect even harsher treatment if someone hacks your systems and downloads card data you claimed you weren’t even storing.

Most of the requirements are basic security, like making sure there is a firewall between your Internet connection and any system that stores credit card numbers. Factory default passwords on your network equipment must be changed, so that no one can log on as user “admin,” password “admin.” And so on. More specifically, you’re responsible for protecting card holder data, and there’s some data you’re never supposed to store–like the full contents of a card’s magnetic strip.

Many small businesses are still under the impression that the rules don’t apply to them because they’re too small, or because they don’t conduct e-commerce. Actually, the rules apply to any business–and even any nonprofit–that takes credit card payments. You can look for ways to lighten the compliance burden, but you can’t get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you’re still supposed to be locking down your systems.

Some businesses complain this all sounds too complicated and expensive. But they are missing the point, says Anton Chuvakin, author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. The PCI rules really represent the minimum security standards businesses must meet to be fair to their customers, who, after all, are trusting the merchant every time they hand over a credit card number. In the wake of a card security breach, a larger business might suffer from the fines, damages and adverse publicity resulting from a card security breach. By contrast, “a small business is more likely to be GONE,” Chuvakin said. “Businesses that endanger their customers really do deserve to die.”

If your organization is not equipped to handle credit card data securely, maybe you should not be handling it at all. Look for ways to shift as much of the burden as possible onto a service provider that specializes in secure payment processing. Services such as PayPal and Authorize.net let you forward customers to their websites for payment processing; credit card numbers never pass through your hands at all

Small businesses such as restaurants that use an older generation of countertop credit card terminals may be breaking the rules inadvertently because the device stores magnetic stripe data or otherwise violates the PCI requirements. So consider upgrading to a payment device that is certified PCI compliant. Basic terminals capable of encrypting Personal Identification Number (PIN) codes and protecting other sensitive information are available for as little as $100 and might even be offered free by merchant account services trying to win your business. The PCI Security Standards Council publishes a list of approved devices. Just remember that using a compliant device is only one element of making your business compliant.

Even if you’re not storing anything explicitly prohibited, you may be storing more credit card data than you need to. Small merchants typically store a day’s worth of credit card numbers on a card swipe terminal, then process all the transactions in a batch at the end of the day. Bigger retailers may record the card numbers in a centralized database so they can track all a customer’s purchases, and so they can retrieve the number if they need to issue a refund. But do you need to retain those numbers at all?

Possible Solutions
Perhaps not. Martin McKeay, a QSA and author of the Network Security Blog, recommends looking at new strategies for using end-to-end encryption and “tokenization.”

For example, payment processor First Data ( FDC – news – people ) and security software firm RSA Security have developed a product called TransArmor that allows merchants to get authorization for a credit card number and then immediately dispose of the card number, replacing it with a token. The token is another number that acts as a stand-in for the credit card number itself. First Data keeps track of which tokens correspond with which credit card numbers. So if you’re executing previously authorized transactions at the end of the day, you send First Data a batch of tokens, and it relays the card numbers on to the bank. But if the tokens are stolen, by themselves they are worthless to anyone else.

“With this, the only time you need the true credit card number is when you do the authorization,” says Craig Tieken, First Data vice president of merchant product management. “The merchant, in our opinion, no longer needs the card number.” TransArmor is still in beta testing, scheduled for release in the summer of 2010.

PCI DSS v1.2: A Practical Guide to Implementation

Tags: Business, Credit card, First Data, Payment Card Industry Data Security Standard, PayPal, Personal identification number, Qualified Security Assessor, Tokenization

Comments (11)

Apr 28 2010

U.S. businesses face skimming fraud increase

Category: Cybercrime,pci dss — DISC @ 2:29 pm

Image by TheTruthAbout… via Flickr

City woman victim of skimming; Credit card number used for purchases at store in Florida.(City): An article from: Winnipeg Free Press

By Angela Moscaritolo – SCMagazineUS.com

U.S. banks are grappling with a recent increase in skimming attacks, which are being carried out by Eastern European gangs aiming to steal consumer bank account numbers and PINs, according to a Gartner analyst.
These types of attacks are not new, but the scale and the organization behind them is, Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Tuesday. Over the past six months, fraudsters increasingly have been mounting well-organized and systematic attacks that involve placing skimming devices on not just ATM machines — the most commonly targeted device — but also point-of-sale systems and gas-pump card readers.

Litan said she heard about the increase in skimming at a recent fraud conference attended by numerous financial services companies. There, she learned that skimming is currently one of the top problems with which banks are dealing.

Last summer, Chris Paget, chief hacker for H4RDW4RE, a security consulting company that specializes in hardware and radio reverse engineering and assessment, unknowingly encountered a rigged ATM at the Rio All-Suites Hotel & Casino in Las Vegas. As a result, Paget, who was in town to attend the Black Hat hacker conference, lost $200.

In his case, the ATM contained no signs of tampering and apparently was internally compromised. But Paget, best known for his research around RFID technology, said externally placed skimming devices are becoming more advanced.

“Skimmers are reaching the stage now where it’s impossible to detect them reliably,” Paget said. “In most cases, the externally attached devices are made well enough that they blend in perfectly unless you know what to look for.”

According to a report issued early this month by Javelin Strategy & Research, nearly one in five debit or credit card fraud victims reported having their PIN information stolen in 2009 – which represents a “considerable increase” over 2008. The report also found that 10 percent of all fraud victims had cash withdrawn from their accounts via fraudulent ATM transactions.

And two weeks ago, the U.S. Secret Service in South Carolina issued a warning to consumers to be on the lookout for what authorities believe is an international operation to attach skimming devices to card readers, according to published reports. Authorities located roughly 10 skimmers at various ATMs, prompting the advisory.

In November, industry trade group the ATM Industry Association, which attributes $1 billion in annual global losses to skimming, called for tougher penalties for offenders.

The ATMs of major banks are being targeted with this type of fraud, and it is not only occurring in remote locations, Litan said. For example, skimmers have been placed on ATMs directly outside of bank branch locations in major U.S. cities. In addition, fraudsters have been systematically swapping out U.S. retailers’ point-of-sale systems with their own devices, which have been crafted to steal consumer information.

Banks are taking this issue seriously because they generally have to pay the fraud costs associated with skimming, Litan said. Banks incur skimming costs because they are liable for card-present transactions, or those in which the card and the cardholder are physically present at the time the payment is processed.

As a result, banks have been putting in place additional fraud detection measures and have begun reaching out to clients to educate them in ways they haven’t in the past, Litan said. However, it is often difficult to tune fraud detection systems so they don’t inconvenience customers by rejecting transactions.

“It’s a pretty sad sate all around that the average citizen is powerless to protect against,” Paget said. “You can only hope that your bank protects you when you do eventually get scammed.”

To increase the security of transactions, many countries have already begun or completed the transition to chip cards, which securely store a cardholder’s account number and PIN on an embedded micro-computer chip that is virtually impossible to skim, Litan said. The transition here because of the cost and the high number of banks and retailers that would have to support the initiative.

But the United States may move to chip cards sooner than expected if current levels of skimming fraud continue, Litan said.

2 arrested in ATM tampering scheme (cbc.ca)
ATM skimmers: man, these things are scary (boingboing.net)

ATM Security Breach News Video

Protect Yourself From Fraud In 2018

Tags: ATM, Automated teller machine, Avivah Litan, Bank account, Credit card, credit card fraud, debit card, debit card fraud, fraud, Las Vegas Nevada, Point of sale, United States

Comments (1)

Apr 23 2010

A home computer credit card scam and family loses 9k

Category: Malware,pci dss — DISC @ 3:06 pm

: Image via Wikipedia

DesMoinesRegister.com

Nearly $9,000 was stolen from a Des Moines family’s credit union account after their home computer was hacked. The theft occurred at the end of March.

“My husband was on the computer and he’d just paid a credit card bill,” Nickie Siracusano said. “A pop-up that said PC Shields came up on the screen. It said the computer had received a virus.”

The computer wouldn’t work for a day. Siracusano said her husband, Anthony, worked on it and finally got it running again.

About two weeks later, a representative of the fraud department of Affinity Credit Union called asking if the couple had been out of state. The Siracusanos said they hadn’t left Iowa.

Nickie Siracusano said that’s when they found out someone was spending their money, draining their account. The hackers apparently gained access to the couple’s personal information while their computer was locked up, Nickie Siracusano said.

Des Moines police have heard of a similar pop-up that asks for $39 to get rid of a virus. The owner of the computer is asked for a credit card number. After the victim provides the information, the computer begins working again.

To explore how the fake anti-virus scam works:
Google warns off fake Anti-Virus programs popping up online

“But they don’t really hack into the computer and get personal information,” Detective Terry Mitchell said.

“It just gets you to give them your credit card number and then they use it.”

Nickie Siracusano said that among the charges on their account was a bill for $39 to PC Shield or PC SecurityShield, a computer security company. She said her husband did not provide a card number.

An Affinity Credit Union spokesperson could not be reached for comment.

Siracusano said she was told that thieves paid bills, bought a Greyhound bus ticket and a variety of things in Illinois, Kentucky, Tennessee, Georgia, Arizona, Florida and North and South Carolina.

“For two and a half weeks this person had a lot of fun with our hard-earned money,” Nickie Siracusano said. “It was all gone, just like that.”

The credit union will reimburse the Siracusanos, but in the meantime they must extricate themselves from a financial mess. “This makes you feel like a criminal,” she said. “It’s horrible. You think you’re safe in your own house, but you’re not.”

The Siracusanos have not figured out how they were targeted.

Des Moines Police Detective Ray Carrington said the money came out of the couple’s checking account at the credit union.

A debit card is connected to the checking account, but the Siracusanos said they did not provide that number to the pop-up screen. Nickie Siracusano said the thieves got all the information they needed to get into their account from information stored in their computer.

Nickie Siracusano of Des Moines talks about how a computer hacker stole personal information from her family’s computer and then wiped out her and her husband’s bank account.
Video (D.M. family interview who loses $9,000 to hacker)

Chase Urges Customers To Use Less-Secure Type Of Debit Transaction (huffingtonpost.com)
Identity Theft – Do You Know What it Means to Your Financial Security? (lanechase.net)

Symantec Protection Suite SBE (End to end and multiple layers of protection for Small Business)

Tags: Banking Services, Business, Credit card, debit card, Financial services, South Carolina, Theft, Transactional account

Comments (15)

Apr 12 2010

Healthcare ID theft may rise with digital records

Category: hipaa,Information Security — DISC @ 12:25 pm

By Margaret Collins BLOOMBERG NEWS

Sierra Morgan was billed $12,000 on her health care credit card in November for liposuction, a procedure she never requested or received.

“It’s depressing to know that someone used my name and knows so much about me,” said Morgan, 31, a respiratory therapist from Modesto, Calif.

There were more than 275,000 cases in the U.S. last year of medical information theft, twice the number in 2008, according to Javelin Strategy & Research, a market research firm. The average fraud cost $12,100, Javelin said.

“A trend we’ve seen over the past few years is using stolen information to file false claims,” said Louis Saccoccio, executive director of the National Health Care Anti-Fraud Association, a nonprofit research group.

Criminals set up fake clinics to bill for phony treatments, said Pam Dixon, founder of the World Privacy Forum, a nonprofit consumer-research group based in San Diego, which has worked with more than 3,000 victims. Thieves also may impersonate a patient, as in Morgan’s case, and some medical workers download records to sell, she said.

The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The digital files will improve care and help lower costs, the government said, without projecting savings.

“Once files are in electronic form, the crime scales up quickly,” said Dixon, whose group analyzed a decade of consumer data from the Federal Trade Commission and medical identity theft cases from the Department of Justice.

“There are cases where someone has walked out with thousands and thousands of files on a thumb drive,” she said. “You can’t do that with paper files.”

Patients’ medical records are altered to reflect diseases or treatments they never had, which can be life-threatening if they receive the wrong treatment or find their health insurance exhausted, Dixon said. A thief may change the billing address for a victim’s insurance so they’re unaware of charges, she said.

“Once you aggregate and put data in one place, it’s easier for you to see it, but it’s also easier for a criminal to see and use it,” said Scott Mitic, chief executive of TrustedID, a consumer data-protection firm. “The digitization of medical records over the next years is certainly going to make this more of an issue.”

Fraud at a high cost

Brandon Sharp, 38, found more than $100,000 of unpaid medical bills on his credit report when he went to buy a home. The charges included $19,501 for a life-flight helicopter trip and emergency room visits he never used, said Sharp, a project manager for a Houston-based oil company.

“I’m as healthy as they come,” he said.

Sharp said he spent six to nine months correcting his medical files, outstanding charges and credit report.

Medical identity theft is about 2½ times more costly than other types of ID frauds, said James Van Dyke, president of Javelin, in part because criminals use stolen health data an average of four times longer than other identity crimes before the theft is caught.

The average fraud involving health information was $12,100, compared with $4,841 for all identity crimes last year, and consumers spent an average of $2,228 to resolve it, or six times more than other identity fraud, according to Javelin.

“It’s becoming the credit card with a $1 million limit,” said Jennifer Leuer, general manager of ProtectMyID.com, an identity-protection service provided by Experian PLC, a credit reporting firm. “If the health insurance is valid, they’ll treat you and not always check your ID.”

Insurers are improving technology to spot false claims, said Tom McGraw, a senior vice president at Ingenix, a subsidiary of UnitedHealth Group Inc. McGraw leads a group focusing on fraud involving Medicaid and Medicare, the two government-sponsored health programs for the poor and the elderly, he said. The company can now track distances between providers and beneficiaries to identify whether physicians are treating patients who don’t live nearby, he said.

Legislation passed last year requires doctors and hospitals to notify patients when their information has been exposed from a security breach, said Randy Sabett, co-chairman of the Internet and data protection practice at Sonnenschein Nath & Rosenthal, based in the law firm’s Washington office.

To read the remaining article

Stealing Your Identity for Liposuction (businessweek.com)
Guard Your Health Insurance Card (bucks.blogs.nytimes.com)
Credit Card Fraud Now Comprises 75% of ID Crime Cases (pindebit.blogspot.com)

Tags: Credit card, Health care, health insurance, identitytheft, medicaid, medicare, National Health Care Anti-Fraud Association, Scott Mitic, Sierra Morgan, Sonnenschein Nath & Rosenthal, UnitedHealth Group

Comments (1)

Mar 18 2010

Mary’s Pizza hit by hackers

Category: Identity Theft,pci dss — DISC @ 3:32 pm

: Image by purpleslog via Flickr

There is a big misconception out there that PCI DSS compliance does not apply to us, we are relatively small company

The fact is PCI DSS must be met by all organizations that transmit, process or store payment card data. Also business owner want to know what is ROI on PCI compliance. It is the total cost of ownership which ensures that you keep earning big money. DISC

By MIKE McCOY
THE PRESS DEMOCRAT

Patrons of Mary’s Pizza in downtown Sonoma will be alerted this week that their credit card numbers may have been stolen by an international computer hacker.

Vince Albano, chief executive officer for the 18-store chain, expects to receive a report by Friday detailing the breadth and timing of the breach.

Once that is known, Albano plans to take out newspaper ads to warn diners who ate at the Spain Street outlet during that period that they might want to cancel their credit cards and get new ones.

Albano said his company doesn’t have the ability to notify potential victims directly because the credit card companies won’t release their names.

The breach was first discovered by the restaurant’s in-house technology expert on Feb. 10 after friends and customers called to complain about errant charges on their credit cards, Albano said. He hired a Chicago-based high-tech forensics firm, Trustwave, to pinpoint the problem.

“Trustwave said they traced it to Russia but I also heard it may be Luxembourg,” Albano said of the suspected location of the hacker.

Albano said his company immediately notified banks and credit card companies of the breach to stop further illegal charges to his customers.

Mary’s may not be the only business hit by the hacker, Albano said. Customers at other businesses in the Sonoma Valley also reportedly have been hit, he said.

“We are addressing the issue but the issue is larger than Mary’s Pizza Shack,” he said.

The Sonoma County Sheriff’s Department is heading up the investigation.

Albano declined to speculate how many of his customers may have had their credit card numbers stolen. Pending Trustwave’s report, he declined to say over what period of time the thefts occurred or how many of the cards were fraudulently used.

But he said his company has invested $20,000 to make the computer systems at all 18 outlets “100 percent protected.”

“We want to do right by our customers. We have been locked down tight since Feb. 23,” he said.

Read more in the Press Democrat.

Here we have another unnecessary credit card data breach in a small organization which resulted in a loss of customers data demonstrating poor baseline security of small organization in this case a restaurant. Small organizations are not ready for PCI Compliance. Checkout why PCI Compliance is essential and why small merchants have to comply. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
Contact DISC for any question

PCI DSS Myths 2009: Myths and Reality (slideshare.net)
Who enforces PCI DSS compliance? (startups.com)

Tags: Chief executive officer, Credit card, Payment Card Industry Data Security Standard, Sonoma Valley, Total cost of ownership

Comments (3)

Dec 16 2009

Internet security breach found at UCSF

Category: hipaa,Security Breach — DISC @ 2:38 pm

: Image via Wikipedia

By Erin Allday, SF Chronicle

Hackers may have had access to personal information for about 600 UCSF patients as a result of an Internet “phishing” scam, campus officials said Tuesday.

The security breach occurred in September when a faculty physician in the UCSF School of Medicine provided a user name and password in response to a scam e-mail message. The e-mail had been sent by hackers and made to look as though it came from UCSF workers who are responsible for upgrading security on internal computer servers.

The university is not identifying the physician.

A UCSF audit in October found that e-mails in the physician’s account included personal information about patients, including demographic and clinical data, and the Social Security numbers of four patients. It is unknown whether hackers actually accessed the e-mails.

The patients have all been notified of the security breach.

Phishing scams are designed to get people to reveal private information – such as Social Security numbers, credit card information and passwords – when they reply to e-mails that pretend to come from legitimate organizations.

For years, financial institutions and other corporations have been educating people to be cautious of such scams and wary of revealing private information on the Internet.

In response to the latest scam, UCSF officials said the university has been re-educating employees about protecting their user names and passwords.

Here we have another unnecessary healthcare data breach in a university due to phishing which resulted in a loss of private data demonstrating poor baseline security and lack of security awareness training. Healthcare organizations are not ready for HIPAA (ARRA and HITECH provision) compliance. Checkout why Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.

Considering healthcare standard electronic transaction (compliance date, Jan 1, 2012) and HITECH provision (compliance date, Feb 17, 2010) are in the pipeline for healthcare organizations. Do you think it’s about time for them to get their house in order?

Verified by Visa Phishing Scam (pindebit.blogspot.com)
Sophisticated phishing attack and countermeasures (deurainfosec.com)

Tags: arra and hitech, arra hitech provisions, Computer security, Credit card, Health Insurance Portability and Accountability Act, hipaa, Identity Theft, phishing, social security, Social Security number

Comments (2)

Dec 04 2009

Five ways to lose your identity

Category: Identity Theft — DISC @ 2:42 pm

beconstructive12

By Jaikumar Vijayan
The rush by shoppers to the Web makes the season a great time for online retailers. It’s also a great time for hackers looking to steal data and money from the unwary millions expected to search for great deals online.

Checkout huge savings on Today’s Hot Deals on Information Security Solutions for the holidays

The growth of holiday hackers has annually prompted security analysts, identity theft awareness groups, and various government agencies to come up with lists of precautions that consumers can take to avoid becoming a victim of online fraud. Such lists can prove a benefit to consumers, but unfortunately some people ignore it.

Below are the identity theft awareness tips which can help maximize your exposure to online fraud.

Tip No. 1: Open all attachments from strangers and click on all embedded links in such e-mail messages. Such actions remain one of the most effective ways to provide thieves with personal information and financial data. All a hacker needs to do is find computer users who instinctively open e-mail messages from strangers, even those who write in a foreign language. The action can open the door to keystroke loggers, rootkits, or Trojan horse programs. Crooks can also easily install backdoors to easily steal data without attracting any attention. Once installed, hackers gain unfettered access to personal data and can even remotely control and administer systems from anywhere.

Tip No. 2: Respond to Dr. (Mrs.) Mariam Abacha, whose name is used by many hackers who say they have close friends and relatives in Nigeria who have recently been widowed or deposed in a military coup and need your help to get their millions of dollars out of the country. Users are told they will undoubtedly be rewarded for helping to get their “well-packed trunk boxes” full of cash out of Nigeria. And to make sure to provide bank account information, login credentials, date of birth, and mother’s maiden name so that they can wire the reward directly into a checking account in time for the holidays.

Tip No. 3: Install a peer-to-peer file-sharing client on your PC and configure it so all files, including bank account, Social Security, and credit card numbers, along with copies of mortgage and tax return documents, are easily available to anyone on the same P2P network. Your personal data will stream over the Internet while you check out what songs you can download for free without getting sued by the RIAA.

Tip No. 4: Come up with passwords that are easy to crack. It saves hackers from spending too much time and effort trying to access your PC. Clever sequences such as “123456” and “abcdef” and your firstname.lastname all make fine, easy-to-remember default passwords for you and for hackers. For maximum exposure, keep passwords short, don’t mix alphabets and numerals, and use the same password for all accounts.

Tip No. 5: Avoid installing the latest anti-malware tools and security updates. Keeping operating systems properly patched and anti-virus and anti-spyware tools updated make life hard for hackers. Users can help them out by making sure their anti-virus software and anti-spyware tools are at least 18 months out of date or by not using them at all. Either way, it’s very likely that your computer will be infected with a full spectrum of malware.

For additional tips on how to shop securely on Christmas and holidays season:
How to shop safely online this Christmas
Identity theft tip-off countermeasure and consequence | DISC

Please comment below regarding any other new and emerging threat which needs to be addressed during holiday’s season?

Tags: antivirus, Christmas and holiday season, Computer security, Credit card, File sharing, hacker, Identity Theft, Malicious Software, Malware, Online shopping, Personal computer, Security, shop safely, shop securely, Spyware, threats, trojan, Trojan horse

Comments (1)

Nov 30 2009

Hackers steal credit-card numbers from restaurant customers

Category: pci dss,Security Breach — DISC @ 2:44 am

Here we have another unnecessary credit card data breach in a small organization which resulted in a loss of customers data demonstrating poor baseline security of small organization in this case a restaurant. Small organizations are not ready for PCI Compliance. Checkout why PCI Compliance is essential and why small merchants have to comply. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
Contact DISC for any question

By Theodore Decker
THE COLUMBUS DISPATCH

Diners who frequent a popular Downtown restaurant should review their charge-card statements because hackers broke into its computer system to loot debit- and credit-card numbers, police said today.

Between 30 and 50 people have reported fraudulent charges on their accounts, and Columbus detectives said that anyone who used a charge card at Tip Top Kitchen and Cocktails in July or August is at risk.

Detective Wyatt Wilson of the Columbus police fraud/forgery unit said police began linking reports of credit-card fraud in October. Cross-checking the victims’ accounts revealed Tip Top, which is on E. Gay Street, as a common denominator, he said.

The hackers have been traced to an overseas Internet address, and no Tip Top employees are involved, police said. Wilson said the business was as much a victim as its customers were.

The hackers found a weak point in the restaurant’s computer defenses, wormed their way in, and installed “malware” that stripped the numbers, he said.

The restaurant has fixed the problem, but customers who charged anything there in July or August should contact their credit-card companies or banks, cancel their cards and get new ones, even if they haven’t been victimized yet, police said.

New fraud reports have rolled in periodically until a few days ago, Wilson said, indicating that the card numbers are still in criminal circulation.

Elizabeth Lessner, the restaurant’s owner, said she has been told by investigators that the breach might have been the work of high-level hackers in Russia, and she wondered whether it was connected to a global case that surfaced this year.

Most of the small companies have trouble justifying their investments when it comes to security. At the same time PCI DSS for the “brick & mortar” merchants have been a blessing for security firms who sell hardware solutions to small merchants. The problem is these hardware point solution does not address the business issues of a small merchant on daily basis.
This is why small merchants need to build a security program and the in-house expertise with training and help of outside consultant to understand business issues related to information security clearly. You mature this process over time with an ongoing effort and full management support.
Do you think it’s time for small merchants to take information security seriously as a business limiting risk?

Identity theft: Three accused over biggest bank card scam in US history (telegraph.co.uk)
‘China using elite hacker community to build cyber warfare capability’ (deurainfosec.com)
Hackers set new high score for credit card theft at 130M (arstechnica.com)
Visa/MasterCard Telemarketing Scam Uncovered (pindebit.blogspot.com)
100,000 Cards Being Replaced After Car Park Hack in Auckland (pindebit.blogspot.com)
Why Businesses need to be PCI Compliant (wealthyways4you.com)

Prevent and Protect from Credit Card Fraud and Scams

httpv://www.youtube.com/watch?v=YS_jCET-YFA&feature=related

Tags: Banking Services, Business, Credit card, crime, Financial services, fraud, hacker, Information Security, Malware, Payment Card Industry Data Security Standard, Point of sale, Police, Security

Comments (21)

Jul 28 2009

PCI DSS Law and State of Nevada

Category: Information Security,pci dss — DISC @ 12:09 am

: Image by purpleslog via Flickr

45 States followed California when they introduced “SB1386”, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!

From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

Not only does this effect Navada-based organisations, it affects EVERY organisation that collect or transmit payment card information about any person who lives in Nevada.

Where One leads – others WILL follow!

PCI DSS Misconceptions and Facts (deurainfosec.com)
PCI security rules may require reinforcements (computerworld.com)
PCI compliance is essential and why you have to (deurainfosec.com)

Tags: california, Credit card, Nevada, Payment card, pci dss, privacy, Security, Texas

Comments (4)

Jul 02 2009

Credit Card Primary Account Number and Encryption

Category: Information Security,pci dss — DISC @ 7:24 pm

50 Ways to Protect Your Identity and Your Credit: Everything You Need to Know About Identity Theft, Credit Cards, Credit Repair, and Credit Reports

Primary Account Number (PAN) is a
“12-digit or 19-digit numeric code embossed on the face side of a bank card, and also encoded in the Magnetic Stripe. The primary account number is a composite number containing: the Major Industry Identifier of the card issuer; an individual account identifier, which includes part of the account number; and a Check Digit or code that verifies the authenticity of the embossed account number.”

There are three pieces of information that are included in a financial transaction. Which are PAN, primary identification number (PIN) and card’ expiration date. The PAN is 12 to 19 digit number embossed on the front of the card.
For a successful transaction PIN, PAN and card expiration date are transmitted along with other information from the merchant, the merchant will transmit the information to merchant bank, the merchant bank will transmit the information to service provider (processor), the processor will transmit to the card issuer entity to authorize the transaction.

Credit card authorization process:
1) Creditholder swipes card at merchant. A request is sent to merchants bank
2) Merchants bank “asks” processor to determine the cardholder bank
3) Processing network finds cardholders bank and request approval for purchase
4) Cardholders bank approves purchase and generates a approval code
5) Processor sends an approval code merchants bank
6) Merchants bank sends approval code to merchant
7) Purchase is complete and cardholder receives a receipt

“Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.”

The PIN is protected from malicious activity by encryption from POS terminal to all the way to the cardholder bank; However PAN is currently transmitted unencrypted. Valid PAN in wrong hands increase the possibility of credit card fraud. So the industry has decided that PAN must be protected. Below are the requirements for PAN protection.
cardapproval

Requirements for PAN protection
1. The PAN protection mechanism must support multiple source methods, including manual entry, magnetic swipe, chip, and NFC.
2. The PAN protection mechanism is encryption using an X9 or ISO approved algorithm.
3. Financial transaction message format and protocol standards must be modified to handle encrypted PAN data.
4. Transaction processing systems must be able to access some of the PAN digits.
5. For different transactions, encryption of the same PAN with a given encryption key should not predictably produce the same encrypted value.
6. For transaction routing by an intermediary between a sender and a receiver, the PAN must be translated from the sender’s encryption key to the receiver’s encryption key.
7. PAN translation must reveal some of the PAN digits for the intermediary to process the transaction.
8. PAN encryption keys must be changed periodically using X9 or ISO approved key management methods.
9. PAN encryption keys must only be used for their intended purpose.
10. Different encryption keys must be used for protection of PAN storage and transmission.
11. PAN encryption keys and the associated key encryption key (KEK) must be protected using X9 or ISO approved tamper resistant security modules (TRSM).
12. The customer must be advised in writing of the importance of the PAN with guidelines on the proper use of the card and the PAN.

PAN encryption is a major step forward toward protecting the card holder data.

New standard for encrypting card data in the works; backers include Heartland (computerworld.com)
Credit card authorization process weakness (deurainfosec.com)
PIN Crackers Nab Holy Grail of Bank-Card Security (wired.com)

Fake a Credit Card
httpv://www.youtube.com/watch?v=V3pElQD8UZg

Tags: Bank card number, Credit card, credit card encryption, credit card fraud, credit card privacy, credit card secure, credit card security, credit card theft, credit card transaction, encryption, Financial services, Identity Theft, Magnetic stripe card, Personal identification number, Primary Account Number, secured card, TRSM

Comments (10)

Jun 17 2009

Credit card authorization process weakness

Category: Information Security,pci dss — DISC @ 3:09 pm

: Image via Wikipedia

Credit Repair Kit For Dummies (For Dummies (Business & Personal Finance))

Credit card authorization sequence:

1) Creditholder swipes card at merchant. A request is sent to merchants bank
2) Merchants bank “asks” processor to determine the cardholder bank
3) Processing network finds cardholders bank and request approval for purchase
4) Cardholders bank approves purchase and generates a approval code
5) Processor sends an approval code merchants bank
6) Merchants bank sends approval code to merchant
7) Purchase is complete and cardholder receives a receipt

“Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.”

Weak security enables credit card hacks

Credit Card Fraud Made Easy
httpv://www.youtube.com/watch?v=m5UE5fXRyKs

Help me pay my credit card? (fundable.com)
Why Do Lenders Want You To Use Your Debit Card Like A Credit Card? [Debit Cards] (consumerist.com)

Tags: Credit card, credit card privacy, credit card secure, credit card security, credit card theft, secured card, visa card

Comments (13)

May 28 2009

PCI compliance is essential and why you have to

Category: pci dss — DISC @ 3:18 pm

During this down turn economy organized cyber crime is a booming underground business these days. Most of the security expert and FBI agree that cybercrimes are on the rise and pose a biggest threat to US vital infrastructure. Cybercriminals are thieves in cyberspace who will swipe the sensitive data and sell to other criminals in their community, who might turn around and ask for ransom to keep the data private or perhaps resell to the highest bidder again in the black market. The risk of getting caught is minimized by legal jurisdiction and neglected by huge monetary gains. Motivated by potential gains, cybercriminals are determined to exploit the vulnerabilities of the target rich environment. Another issue to this problem is that our personal and private information has potential to be exploited at various locations such as banks, credit card companies, credit debit card processor, credit report companies and merchants etc…

Level 1, 2 and 3 merchants usually follow security best practice, allocate enough resources and try to maintain PCI compliance. On the other hand level 4 merchant are usually not compliant and have security vulnerabilities which are easy picking for cybercriminals, which is a primary reason why more security breaches happens to level 4 merchants. PCI was apparently created to safeguard the credit card and debit card data. PCI DSS standard are managed by PCI Security Standard Council.

The most significant reason to comply with PCI is because you have to.

PCI DSS address the baseline security for payment card infrastructure and ROI is a total cost of ownership. PCI DSS cannot guarantee absolute security but making organization to adhere to due care security justify its cost and use. As far as liability goes the security breach will be very detrimental in the state of non compliance which will include fines, legal fee and possibly lose the credit card processing ability. To motivate themselves, merchants should also remember that their customer’s data is worth a lot of money to cyber criminals.

The trick is keeping the state of compliance – true security of credit card holder data requires nonstop assessment and remediation to ensure that likelihood and impact of the security breach is kept as low as possible. PCI compliance is not a project; it’s an ongoing process of assessment. PCI assessor utilized defined set of controls objectives to assess the state of compliance. PCI provides an option of doing internal assessment with an officer sign off.
Merchants should monitor and assess to keep compliance on ongoing basis. Implement defense in depth mechanism and apply security control at every layer (network, application, operating system, and data). The idea is to make their job hard enough so the attacker moves on to easier target.

Check my previous posts regarding PCI DSS.
pci-dss-misconceptions-and-facts
pci-dss-significance-and-contractual-agreement

Vulnerability Scanner that scans your machine, reports back on vulnerabilities, and provides solutions to fix them

Recommended books to implement PCI DSS compliance process

Tags: Credit card, defense in depth, level 4 merchant, Merchant Services, pci dss, PCI Security Standard Council, roi, Security, Total cost of ownership

Comments (3)

DISC InfoSec blog

Tips for staying safe this Cyber Monday

How to protect ourselves from Payment Fraud

Some basic advice has been issued by Apacs, and includes:

Protect your credit card information and avoid Fraud

13 Things an Identity Thief Won’t Tell You

FTC Says Scammers Stole Millions, Using Virtual Companies

Symantec: SMBs Change Security Approach with Growing Threats

Taking Credit Card Security Seriously

U.S. businesses face skimming fraud increase

A home computer credit card scam and family loses 9k

Healthcare ID theft may rise with digital records

Mary’s Pizza hit by hackers

Hackers steal credit-card numbers from restaurant customers

Prevent and Protect from Credit Card Fraud and Scams

PCI DSS Law and State of Nevada

Credit Card Primary Account Number and Encryption

Credit card authorization process weakness

PCI compliance is essential and why you have to

Recommended books to implement PCI DSS compliance process

Follow DISC InfoSec blog

DISC InfoSec Titles

>>> DISC InfoSec Facebook Page <<<

DISC online store for recommended InfoSec products

vCISO as a service

Related articles

Some basic advice has been issued by Apacs, and includes:

Related articles

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Prevent and Protect from Credit Card Fraud and Scams

Related articles by Zemanta

Related articles by Zemanta

Related articles by Zemanta

Recommended books to implement PCI DSS compliance process

vCISO as a service