Archive for the ‘Security in the News’ Category

Credit Card Fraud: Why the Payment Card Industry (PCI) Fails Consumers

Wednesday, February 12th, 2014

A reporter asked me last week whether I think the PCI standards have completely failed consumers and been proven useless because of the recent breaches, and so should “Rest in Peace.” For those who don’t know, the Payment Card Industry (PCI) has a “Security Standards Council” that sets security requirements for every company that accepts credit or debit cards, at least from the major card brands. In order to accept cards, a business must be “PCI compliant.” The question is, how far do those standards go in protecting us consumers? Some argue that PCI compliance is an unhelpful distraction.

[Image: ATM keypad. Caption: ATM with malware on it. Really!]

But before we decide whether their requirements are tough enough, let’s consider whether the rules are useful at all. This is an easier question to answer, because anyone in the security field prefers some security to no security. We tend to favor anything that gets people thinking about it. We are also big fans of education, because people’s “security posture” (what they are doing about security, as a consumer or as a company) usually improves as they learn more about cybercrime and how hard it is for those of us in cybersecurity to stop it.

When the PCI standards were first implemented, they surely forced a lot of businesses to beef up their security. And that’s good, because security is too often neglected. Although it is essential, security competes with other business objectives: it costs money and it adds no profit. It only prevents loss, and that is sometimes a pretty ambiguous benefit.


Has Target Done Enough?

Saturday, February 1st, 2014

My favorite analogy in security is the one that describes each layer of internet defense as a slice of Swiss cheese: every layer has its holes (weaknesses). The idea, if we want the best security, is to stack them all on top of one another and hope the holes don’t line up. Because if they do, meaning the inevitable weaknesses in software or hardware align so that there is an opening for strangers to enter, that alignment is the tunnel through which cybercriminals crawl into our home computer or business network.

What the average citizen may not realize is that in some ways he or she is no different from Target. Cybercriminals are coming after all of us. And based on the infection rates of personal computers and mobile devices, a large number of the people put at risk by the Target breach had already been compromised at home. So what are customers in such a huff about? (more…)

Zombies Attack Montana! (US Emergency Alert System Gets Hacked)

Tuesday, February 19th, 2013

Imagine their surprise: a week ago, while Montana residents were innocently engrossed in the show Teen Cheaters Take Lie Detector Tests, they were abruptly interrupted by a broadcast of the Emergency Alert System.  The station was muted as the following voice-over message was recited by a somber-sounding fellow:

“Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. Follow the messages onscreen that will be updated as information becomes available. Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

Meanwhile, a list of the affected counties scrolled across the screen.  Naturally, this worried a few folks.  Many called their local police. (more…)

Katie Holmes: good security secures her freedom from unhappy matrimony!

Tuesday, July 24th, 2012

Okay, I really love this article, which speculates that Katie Holmes’ use of a disposable cell phone may have been instrumental in keeping the divorce demand a secret from Tom Cruise, and therefore in maintaining the advantage of surprise.

Because yes, it’s true: if you tell someone you will call them at 3:15 pm, they will pick up even though they don’t know the number (and I rarely pick up unknown numbers). I love this because it’s about security in the sense that it’s keeping OUR secrets safe from THEM (whoever THEY are). And that is the whole point of security, isn’t it? We decide what information we want to keep private, and sometimes we decide what information other people should NOT keep private (for example, the fact that they have other spouses or belong to a freaky cult). And if we have very good security we can enforce those boundaries. This is the same reason we should sometimes buy those prepaid cards at the local drug or grocery store, loaded with $100, for teens in the household who are making their own purchasing decisions. If they need a credit card to “make it happen,” and you don’t want to be charged again every month…think about it. Sometimes the “this is a subscription” details are in such fine print on the website that it’s not even fair to expect a kid to notice.