Is 3-D Secure Insecure?

John Kindervag

Security researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, branded as "Verified by Visa" and "MasterCard SecureCode."

This could be a big deal.

In a recent paper, the researchers call out 3-D Secure as a security failure that was pushed on consumers by financially incentivized merchants because, "its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up."

According to the authors:

"3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants, and customers - given a gentle regulatory nudge."


Q4 2009 IT Market Data As We Expected Shows End of Tech Downturn

Andrew Bartels

The first reports on the IT market in Q4 2009 are now in, and they are in line with our prediction that the tech market recession ended in that quarter (see US And Global IT Market Outlook: Q4 2009). Overall, the tech market in Q4 2009 was more or less flat with the same quarter the year before – an improvement from prior quarter when growth was negative, and evidence that the 2010 tech market will post positive growth. 

  • The US economy was stronger than expected, but 5.7% real GDP growth is an aberration. The US Department of Commerce released preliminary data on Q4 2009 economic growth, and the result was a surprisingly strong 5.7% in real GDP, 6.4% in nominal GDP from the previous quarter (on a seasonally adjusted annualized basis). However, about two percentage points of that growth was due to inventory re-stocking, which will not be repeated in future quarters. And based on prior GDP reports, this growth rate will probably be revised down as new data comes in. (In Q3 2009, the growth rate in real GDP started at 3.5%, but ended up revised down to 2.2%.) Still, this report confirms that the US recession is over, and slower but steady growth is likely for the rest of 2010.

Leveraging Architecture For Business Impact

Alex Cullen

The Forrester Enterprise Architecture Forum 2010 North America (San Diego) is about two weeks away, and the EAF 2010 EMEA (London) is about five weeks away.


In Amazon vs. Macmillan, Amazon comes off conqueror

James McQuivey

It was a surprising weekend for those of us who had naively imagined that after crossing the River iPad, we might actually get some Elysian rest. But, alas, the fates conspired against us and handed us the curious case of Amazon vs. Macmillan. Or Macmillan vs. Amazon?

For those who actually took the weekend off, let me summarize what happened. John Sargent, the CEO of Macmillan Books, gave Amazon a wee bit of an ultimatum: switch from a wholesale sell-through model, where Amazon buys digital books at a fixed wholesale rate and then can choose to sell those books at whatever price it deems appropriate (even at a loss, as it does with $9.99 bestsellers), to an agency model, where Amazon agrees to sell at a price set by the publisher in exchange for a 30% agency fee. Sargent explained to Amazon that if it did not agree to the switch, Macmillan Books would make its eBooks subject to significant "windowing," wherein new books are held back from the digital store for some period, say six months, while hardback books are sold in stores and, possibly, digital copies are sold through the iPad at $14.99.

This is more detail than we usually know about a negotiation like this, because of what happened next. Sargent got off a plane on Friday only to discover that Amazon had responded by pulling all Macmillan books from the Kindle store as well as from Amazon.com. He then decided to make it clear to the industry (and his authors) that this drastic action was Amazon's fault, in a paid advertisement in a special Sunday edition of Publishers Lunch.

Virtual Network Segmentation for PCI?

John Kindervag

Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce the scope of PCI compliance. They may use ARP or VLANs to control access to various network segments. These types of controls work at Layer 2, and the hacker community is well versed in using tools such as Ettercap or Cain & Abel to bypass them. We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.

While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control: "Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."
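The guidance quoted above ends with the point that a quiet CDE is easier to monitor. As an added example (not from the post or from the PCI council), here is the monitoring side of the Layer 2 problem the post describes: a small detector that reads tcpdump-style ARP reply lines and flags the two symptoms of an ARP-based segmentation bypass, an IP whose MAC claim changes (worst when it is the gateway) and one MAC claiming several IPs. The log lines and addresses are constructed, and the line format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample ARP replies in a tcpdump-like "is-at" format (not a real capture).
# Lines 4-5 show a host (…:21) suddenly answering for the gateway and for another host.
SAMPLE_ARP_LOG = """\
10:00:01 ARP, Reply 10.10.5.1 is-at 00:11:22:33:44:01
10:00:02 ARP, Reply 10.10.5.20 is-at 00:11:22:33:44:20
10:00:03 ARP, Reply 10.10.5.21 is-at 00:11:22:33:44:21
10:00:09 ARP, Reply 10.10.5.1 is-at 00:11:22:33:44:21
10:00:10 ARP, Reply 10.10.5.20 is-at 00:11:22:33:44:21
"""

# Assumed line layout: "<time> ARP, Reply <ip> is-at <mac>".
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for every line that looks like an ARP reply."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(text, gateway_ip=None, max_ips_per_mac=1):
    """Return alerts for IP->MAC changes and for MACs claiming too many IPs.

    Tracking the first MAC seen per IP mirrors what a host's ARP cache does, so a
    later conflicting reply is exactly what would poison that cache.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "type": "ip_mac_change", "ip": ip,
                           "old_mac": previous, "new_mac": mac,
                           "critical": ip == gateway_ip})  # gateway takeover = full MITM
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:  # fire once when the limit is crossed
            alerts.append({"ts": ts, "type": "mac_claims_many_ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac]), "critical": False})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, gateway_ip="10.10.5.1"):
        print(alert)
```

In practice the input would be a live feed (tcpdump, arpwatch, or switch DHCP-snooping/DAI logs); the gateway change is the one to page on.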


Do you require an email address or more before giving out collateral or ROI tools?

Peter O'Neill

I've recently had several interesting discussions about one of the assessment criteria in the Forrester Vendor Positioning Review (VPR). A new VPR on IT Management Software Vendors should be out this time next week (it's been stuck in our Editing dept. for several weeks now).

Talking ECEM market evolution with PwC

Chris Mines

The market for enterprise carbon and energy management (ECEM) systems continues its rapid evolution. Since publishing our Market Overview report last November, we have interviewed at least a half-dozen additional systems providers coming into this nascent market.

Last week we talked with Dan DeKemper, a director at PricewaterhouseCoopers who works with the firm's 800-person-strong sustainability practice on large-scale ECEM implementation projects. Dan told us that PwC sees three industry sectors driving ECEM adoption:

  • Utilities and Energy, the traditional "heavy emitter" industries that are focused on monitoring and reducing carbon emissions for regulatory compliance and public perception reasons.
  • Retail and CPG, two verticals where adoption is now growing faster than Energy. These companies are implementing ECEM on a voluntary basis, looking to improve brand equity and align with sustainability initiatives of some of their customers like Walmart.
  • Public sector organizations, looking to be role models for the private sector and also under executive or legislative mandate to improve energy efficiency.

The Data Digest: Trending Consumers' Interest In Netbooks

Reineke Reitsma

Netbooks are one of the hottest consumer product categories in the consumer technology industry at this moment - at least from an industry perspective. And yesterday, after Apple's iPad announcement, consumer electronics analysts immediately started commenting and sharing their views via blogs and Twitter.

But what I've been missing is the consumer view. Let's take a look at how interested consumers are in small computers like netbooks in general, and how this has changed in the past year.

Note: I realize that the industry may not see the iPad as a netbook, but both the netbook and the iPad serve the same consumer need: an easy-to-carry, multifunctional mobile Internet device. So consumers are likely to compare and contrast them in the product purchase consideration cycle.

Netbooks

What we see is that consumers are mostly interested in netbooks as a second or third PC that they could use while on the go, or that they consider giving one to their children. Netbooks serve a distinct purpose; for more insight, please see the report 'Netbooks Are The Third PC Form Factor' by my colleague J.P. Gownder.

The Future of Online Customer Experience

Moira Dorsey

New technologies follow a pattern. They start by imitating older technologies before they evolve to their true forms. The first automobiles looked like horseless carriages. It wasn't until the Vintage Era of the 1920s that cars evolved to a form we'd recognize today, with features like front engines, enclosed cabs, and electric starters. Televisions started off copying radios - they looked more like an armoire with a small screen stuck on the front.

In the process of working on my latest piece of research, it became clear that the Web has followed a similar pattern. Early sites imitated a much older medium - paper. And even though 'web page' still dominates our thinking, online experiences have begun to evolve away from the page-based metaphor. Over the next 5 years, the evolution of online experiences toward their true form is about to take off at a much faster rate than in the previous 5 years.

Consider that today's default Web platform - a browser running on a PC - is rapidly giving way to diverse online environments. The types of devices we use to connect to the Web are proliferating. In addition to the growth of netbook adoption, there are new devices like the Chumby and the Energy Joule. Portable devices are rapidly getting more powerful; as a result, the tradeoff between mobility and capability is shrinking. And even as the hardware evolves, the interfaces on the devices we use to connect to the Web are becoming more and more customizable. The reason any of this matters at all is that consumers are already adopting these technologies.

So what are the implications of these trends? What does it mean for the future of online experiences? At Forrester, we've concluded that the resulting online customer experiences of the future will be:


Do CIOs Blog — And Should They?

Sharyn Leaver

We’ve become curious ever since we interviewed Linda Cureton of NASA a few months ago, when we were a bit surprised to discover that she has an active blog (her Thanksgiving entry implores CIOs to give thanks to their “geeks”). And there’s Rob Carey, CIO of the Navy, who has been blogging for the past two years. So we decided to look around to see which other CIOs are actively blogging. Active implies recent — which takes quite a bit of time and thought, and is probably not for everyone. So who else besides Linda takes the time and thought? Here are a few who do, though not always frequently.