Archive for the ‘credit card breaches’ Category

Credit Card Fraud: Why the Payment Card Industry (PCI) Fails Consumers

Wednesday, February 12th, 2014

A reporter asked me last week whether I think the PCI Standards have completely failed consumers and been proven useless — because of the recent breaches — and so should “Rest in Peace.” For those who don’t know about the PCI (Payment Card Industry), they have a “Security Standards Council” that mandates security to every company taking credit or debit cards in the U.S. (at least from all major banks). In order to accept cards, a business must be “PCI compliant.”  The question is, how far do their standards go in terms of protecting us consumers? Some argue that PCI compliance is an unhelpful distraction.

ATM machine keypad

ATM with malware on it. Really!

But before we decide if their requirements are tough enough, let’s consider whether the rules are useful at all. This is an easier question to answer, because anyone in the security field prefers some security to no security. We tend to be in favor of anything that gets people thinking about it. We are also big fans of education, because people’s “security posture” (what they are doing about security as a consumer or a company) usually improves as they learn more about cybercrime and how challenged all of us in cybersecurity are to stop it.

When PCI standards were first implemented, it surely forced a lot of businesses to beef up their security. And that’s good, because too often security is neglected. Although it is essential, security is in competition with other business objectives, because it costs money and it doesn’t add profit. It only prevents loss, and that’s a pretty ambiguous benefit sometimes.

(more…)

Target breach update – how were HVAC passwords stolen?

Thursday, February 6th, 2014

As we learned from Krebs a few days ago in a Target breach update, the original entry point of the malicious software was Target’s HVAC company. Yes, that means the folks who handle their air conditioning and heating. I’m guessing in the aftermath of this admission, scads of large companies are scrambling to ensure there are no “touch points” between “building Maintenance GuyMaintenance Guymanagement” systems and their treasured business networks. It makes sense to me that the building manager would MP900383000Maintenance Guywant to have “heating and lights” right there under the same “pane of glass” as “inventory” but if that’s how companies have been operating, it’s time to rethink it.

Those of us in cybersecurity eagerly await more details. Fortunately we won’t have long to wait since Krebs is on the case. But in the meantime, are there security lessons to be learned from this aspect of the Target breach too (aside from the obvious: keep supplier networks separate)? The big question on everyone’s mind is: how is it that the HVAC company’s password was discovered by the cybercriminals?

Even without knowing any more that we do right now, the answer almost always comes down to the same few possibilities. Here are the six most common ways in which passwords are stolen: (more…)