[SecurityRatty] tag: merchants

North America Recap

Thu, 09 Oct 2008 20:00:00 +0000

I was one of the 650 attendees at the recent annual North American PCI Community Meeting. Held at the Omni Champions Gate resort in Orlando, it was great to speak with many of the merchants, banks and service providers in attendance about the challenges they are facing.

"Catch Me, Yes YOU Can": Realized Threats at the Corner Store

Thu, 09 Oct 2008 20:00:00 +0000

just returned from the Payment Card Industry's 2008 Members Council Meeting in Orlando, Florida. We had a blast despite the mood being somewhat dampened as a result of the uncertainty of the global financial markets (heartfelt thanks to those wise souls who've been living outside of their means and taking undue personal and commercial financial risk...). Anyhew, I met so many interesting people from both merchants and from the card brands like Visa, MasterCard, American Express, Discover & JCB International Co., Ltd.

McIrony: An unexpected response from McAfee

Sat, 30 Aug 2008 09:04:00 +0000

Irony: incongruity between what might be expected and what actually occurs.

Right before Black Hat, I put together what I believed was a pretty strong arguement against McAfee Secure - Hacker Safe, at a level heretofore unexplored. I believe it was more damaging than anything I've said to date, and as such, presented potential risk for me. So I ran it by some friends before publishing it. Then a most extraordinary thing happened. I had a long chat with Nate McFeters, who described an awakening he'd recently experienced. He shared with me the belief that a better approach to potentially negative security research might be to try to create a positive outcome, and worry less about press cycles or exposure, the 15 minutes of fame if you will. He pointed to people like Mark Dowd as an example of people who conduct crushingly good research, and steer clear of the petty, ego driven bulls**t.
There I sat, repose like the thinking man, frozen for minutes. "Nate", I said, "I think you're right."
What do I aspire to as an information security professional; more readership or street cred than the next guy, or the respect of my peers for contributing to the greater good? Attention, press cycles, 15 minutes...it all has its allure, trust me on this.
But at the end of the day, I really do want to contribute to the greater good.
So I did something different. I sent my findings to McAfee and offered them an opportunity to respond, rather than publish first, ask questions later.
Here's the real kicker.
They responded.
I had a three hour lunch this past Thursday with two gentlemen from McAfee, who flew up from the Bay Area to Seattle to have a face to face with me. This, all by itself, speaks volumes to me. In addition to meeting with Kirk Lawrence, the new Director of Product Management for McAfee Secure, there I sat with, of all people, Joe Pierini, the very guy who has suffered more than his share of abuse, up to and including the Pwnie. As I have been a direct contributor and participant in heckling Joe, you can imagine our meeting could have been uncomfortable. It was not.
I have had expectations of McAfee and Scan Alert that to date have not been met, or my (your) perception has been that they have not been met.
This meeting was designed as an opportunity to voice some of these expectations, and see if McAfee, in turn, believed there was any merit to them.
Surprisingly, at least as spoken, we weren't all that far apart.
While, as a naive idealist, I believe that security should come before conversions, I am also grounded enough of a realize that the most attainable goal can be a marriage of both. This premise frames my expectations of McAfee.
Can they not be more of a "thought leader" for all the Ma & Pa websites who rely on McAfee Secure, first for a higher conversion rate, then security?
Can they not hold merchants to a higher standard, without alienating them and losing business?
Can they not embrace the security research community in a fashion that McAfee, the security community, the merchants, and consumers can all benefit from?
Can they not be more transparent in their approach, providing more details and feedback about their methods, their findings, and their vision?
I know McAfee Secure - Hacker Safe scans can find vulnerabilities.
I know they report the vulnerabilities to merchants.
What happens thereafter is where things begin to break down.
Can the scan engine be improved to find more vulns? Sure. That's really not that big a deal; technology can always be improved.
But, regarding holding merchants to a higher standard; therein is the whole point of this debate.
Anyone can throw a badge on a site.
But what happens when the site proves vulnerable is the key. I'll be candid here: I don't give a damn about the merchant at that point; it's the consumer who is at risk and needs something better from McAfee and their peers.
So, here begins a different approach. I know that making changes at a company the size of McAfee can be likened to the three miles it takes to turn around an aircraft carrier. I'm willing to work with them, and allow for a positive outcome.
I have been told that, in two or three weeks, we can expect a published standard, that clearly defines exactly what the McAfee Secure product offering adheres to, inclusive of their expectations for merchant remediation timelines, potential badge downgrades for unresolved vulnerabilities, and hopefully even a more clear stance on XSS.
I have been told that I will have the opportunity to discuss this standard, and invite feedback. Any standard is better than no standard.
I have also been told that this is just the beginning of changes that will lead to more of what I have hoped for in my expectations, over the next 6 months or so.
I am hopeful that we can take McAfee at their word, and even if slowly, see a positive outcome.

del.icio.us | digg

New security rules on tap for credit-card handlers

Wed, 27 Aug 2008 20:00:00 +0000

The PCI Security Standards Council is set to release a revised version of its 12-part Payment Card Industry standard, which tackles systems related to storage and processing of credit and debit cards by merchants and service providers.

PCI Compliance: Reaction to the Summary of Changes

Mon, 18 Aug 2008 20:00:00 +0000

On August 18 the PCI Security Standards Council formally announced (http://www.pcisecuritystandards.org/pdfs/08-18-08_2.pdf) forthcoming changes to the Payment Card Industry's Data Security Standard (PCI DSS) as it moves from version 1.1 to version 1.2 in October 2008. The release represents the first major update since September 2006.

What's my take on the summary of changes? Most merchants will be pleased to see that these are relatively minor changes...

A new version?

Wed, 16 Jul 2008 20:00:00 +0000

Yes folks, the PCI DSS's first major update since version 1.1 was announced in September 2006 is on the horizon. Unveiled in May by the PCI Security Standards Council, the new version, called 1.2, is due out in October. Over the past few weeks, I've received a myriad of inquiries from merchants and figured this would be a good forum to share some of them...

Finished? Where should I start?

Mon, 30 Jun 2008 20:00:00 +0000

Many of the merchants I speak with are sharply focused on addressing specific PCI security requirements. While implementing the controls needed to meet the requirements is absolutely critical, I can't stress enough the importance of taking time to aim before firing.

It's no secret that PCI compliance is focused on securing cardholder data and infrastructure. Simply put, you can't secure what you don't manage and you can't manage what you don't know about. Before you go looking for all instances of cardholder data, you must be prepared to find more than expected.

Most merchants are aware of the cardholder data in their database(s). But what about payment applications or payment portals that temporarily store the data? Or customer service reps e-mailing credit card information to confirm or dispute an order?...

Montgomery Ward breached, no notification obligation?

Fri, 27 Jun 2008 19:45:03 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
Direct Marketing Services Inc.

Contractor/Consultant/Branch:
Montgomery Ward
HomeVisions.com
SearsHomeCenter.com
SearsShowPlace.com
SearsRoomForKids.com

Victims:
Customers

Number Affected:
"at least 51,000 records"

Types of Data:
Names, addresses, phone numbers, card numbers, "security codes", and expiration dates

Breach Description:
"NEW YORK (AP) -- The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected."

Reference URL:
The Associated Press
The Associated Press via WZTV Channel 17 News

Report Credit:
The Associated Press

Response:
From the online sources cited above:

At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward.

The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy.

Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December.

By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.
[Evan] The AP story names five of the six Direct Marketing Services retail properties (See Above). I don't know what the sixth is.

It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com

Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard.

Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach.
[Evan] This is sad. The Visa documentation regarding breach response is way too narrowly focused to be used as an organizational incident response. Every organization that creates, collects, uses, stores, and/or transfers confidential information should have an incident response policy and accompanying procedures. Take a look at the Visa "What To Do if Compromised" procedures, and judge for yourself.

That included a report to the U.S. Secret Service.

He said he believed by the end of December that Direct Marketing Services had met its obligations.
[Evan] Mr. Milgrom is the president of the company. He really thought that his company had met all of its obligations with respect to this breach? It never occurred to him that he should notify customers, even if he weren't required to by law? Not only was the lack of notification illegal, but I think it is also unethical.

However, those guidelines from Visa are largely technical, and they do not cover a key additional step: that notification laws in nearly every state generally require organizations that have been hacked to come clean to the affected consumers, not just to the financial industry.

Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state

After being asked about those laws by The Associated Press, Milgrom said Direct Marketing Services now plans to contact consumers.

This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions.

In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant.

CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.

Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers.

The data had been organized in the same way, indicating the numbers likely came from the same database.

CardCops' president, Dan Clements, also noticed that the vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.

When he began calling them, the first eight said they had bought things online or through mail order from Montgomery Ward. At that point, Clements realized, "there's a high probability the entire database of Montgomery Ward was breached."
[Evan] This is some good investigative work.

It is not clear to Clements, though, whether the hackers were inflating their claim when they offered 200,000 records or whether Milgrom's number of 51,000 is accurate.
[Evan] According to the article, the "hackers" were able to compromise the information from all six Direct Marketing Services, Inc. properties. 51,000 may be Montgomery Wards customer accounts, and the remainder could be from the other five properties (just speculating).

A spokeswoman for Discover Financial Services LLC, Mai Lee Ua, said her company had addressed the problem by sending new cards to its cardholders who appeared in the compromised records.

Ua said they weren't told which merchant had been breached

Visa declined to comment.
[Evan] Visa always declines to comment. No sense in even seeking one.

MasterCard issued a statement Friday acknowledging it was aware of the breach at Direct Marketing Services, and had notified the banks that issue MasterCards, telling them to monitor the accounts for suspicious charges.
[Evan] Three different card companies, three entirely different responses. Of the three, I think I like the Discover one the best.

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets.

Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.
[Evan] I absolutely agree. You would be naïve to think that victim notifications go out in all breaches. Too many corporate leaders would rather not notify and hope that nobody notices.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order.

Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

"What it reveals is the convoluted banking system," she said. "If this had taken place at a grocery store, we all would have heard about it."

In fact, because of the silence that still sometimes follows data breaches, even people who have never been informed one of their records has leaked should assume their information is floating online, Litan said.

"Probably every one of our cards is up there somewhere now," she said.
[Evan] I agree with all of the statements made by Avivah Litan except this one. This is a stretch.

On the Net:
Links to the 44 state notification laws

Commentary:
Is this a case of a company that was caught trying to cover up a breach, or was this a company that didn't know any better? I lean towards the former. Either way, is ignorance of the law any kind of valid excuse?

Let's assume for a second that company really didn't know that they were required to notify victims. If this were true, then this leads me to believe that the company doesn't govern information security well (due care?), probably has no formal information security program, lacks incident response policy and procedures, and doesn't manage risk well.

I could only guess how the "hack" took place. What vulnerability was exploited? Even in this, the company appears to have not detected the attack. Direct Marketing Services, Inc. had to be told of it by Citibank. Does this mean that the company did not use intrusion detection/prevention?

I could go on and on, but in the end I don't have much confidence here.

Past Breaches:
Unknown

Security Briefing: June 26th

Thu, 26 Jun 2008 09:11:27 +0000

OK, the database cluster is back up and playing nice after its petulant episode.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

MoD implements new data security measures | PC Advisor
Do natural human traits make us more vulnerable to computer malware? | Hexus
The staff, the thief, the device and its data | Network World
Credit card firms wave stick at retailers | The Australian
Merchants call credit card industry’s bluff on compliance | The Register
Chairman: Computer Hacking ‘Much More Widespread’ | WYFF 4
Fired Houston organ bank worker accused of hacking into system | Houston Chronicle
PCI standard ‘ignores’ insider threat | vnunet
Student suspended after hacking emails | Stuff NZ

Tags: News, Daily Links, Security Blog, Information Security, Security News

The "E" word

Mon, 23 Jun 2008 20:00:00 +0000

I met with a merchant this morning to talk PCI compliance. Like many of the conversations I've had with merchants, things got a bit more interesting when the discussion focused on cardholder data protection. They joked that the new rev of the PCI Standard, version 1.2 -- due out in October -- would eliminate the data protection requirements. All joking aside, the truth is that data protection isn't going anywhere when it comes to the PCI DSS. While there are other alternatives, such as hashed indexes, truncation and...