Trends in Mobile Payments Are Frightening

John Kindervag

Question: Do I really want someone with an iPhone taking my credit card info?
Enormous buzz lately about all of the new players trying to turn iPhones and other mobile devices into credit card swipe terminals. Very scary. Just because someone can create a website does not mean they understand payments.
So many questions:

Online Shopping Sites May Be Sharing Your Credit Card Data

John Kindervag

The Attorney General of New York is investigating a large group of online retailers to see if they have been sharing your credit card data with third parties without your knowledge or permission. In a press release, the AG's Office details the scheme, including the fact that you may unknowingly be giving someone other than the retailer you are shopping with your credit card number:

"Information about joining the membership program and its ramifications, including the fact that the consumer is agreeing to transfer his or her credit or debit card account information, is buried in fine print and cluttered text."

My gut tells me that this violates the spirit, if not the letter, of the PCI Data Security Standard.  According to the PCI DSS:

"Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third parties with access to cardholder data."

It is probably safe to assume that the business agreement around the data sharing identified by the New York AG's office did not include language surrounding PCI compliance.
An MSNBC story on the investigation puts it this way:

MiFi Pwned!

John Kindervag

Wireless hacking guru Josh Wright has just announced that he has created havoc with a MiFi personal access point. MiFi is a little device that turns 3G wireless signals into WiFi. The cool thing is that the wireless signal can be shared with other nearby computers. According to Josh, he has found a way that, "An attacker can recover the default password from any MiFi device." This is big news because anyone who is involved with wireless ne

The changing nature of governance, risk, and compliance

Chris McClean

In my ongoing work with clients, I try as often as possible to stress the importance of flexibility in GRC programs. Internal processes and technology implementations must be able to accommodate the perpetually fluctuating aspects of business, compliance requirements, and risk factors. If GRC investments are made without consideration for likely requirements 1 to 2 years down the road, decision makers aren’t doing their job. And if vendors don’t offer that flexibility, they shouldn’t be on the shortlist.

News outlets over the past year have given us almost daily examples of change in the GRC landscape. The recent stories coming out of Davos have been no exception... giving us some truly fascinating debates on the necessity and detriment of regulations. As quoted in a Wall Street Journal article on Sunday, Deutsche Bank AG Chief Executive Josef Ackermann argued against heavy-handed regulation, saying, "We should stop the blame game and we should start looking forward... if you don't have a strong financial sector to support this recovery... you're making a huge mistake and you will regret that later on." French President Nicolas Sarkozy summed up the opposing argument in his keynote, explaining, "There is indecent behavior that will no longer be tolerated by public opinion in any country of the world... That those who create jobs and wealth may earn a lot of money is not shocking. But that those who contribute to destroying jobs and wealth also earn a lot of money is morally indefensible."

Is 3-D Secure Insecure?

John Kindervag

Security Researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, known as "Verified by Visa" and "MasterCard SecureCode."

This could be a big deal.

In a recent paper, the researcher calls out 3-D Secure as a security failure that was pushed on consumers by financially incentivized merchants because, "its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up."

According to the authors:

"3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants, and customers - given a gentle regulatory nudge."

Virtual Network Segmentation for PCI?

John Kindervag

Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce PCI compliance scope. They may use ARP or VLANs to control access to various network segments. These types of controls work at Layer 2, and the hacker community is well versed at using tools such as Ettercap or Cain & Abel to bypass those controls. We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.

While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control: "Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."

Growing Concern Over Risks To (And Of) The System

Chris McClean

By the end of this year, we will likely all be sick of the phrase “systemic risk.” Referring to the complex and interconnected nature of risks that brought down the financial services sector, the phrase has been a focal point in the discussions on how to prevent such failures in the future. (And in my experience, this increased attention means that service and software vendors will be using the term in their marketing literature with increasing frequency in 2010.)

Policy makers are recommending systemic risk solutions such as new oversight bodies to assess for systemic risks or penalties for companies that are perceived to threaten the system. European Central Bank president Jean-Claude Trichet even suggested that financial institutions help avoid systemic risks by "putting aside their own profit" and being "moderate in remuneration behavior," in order to reinforce their balance sheets.

Thoughts on EMC’s acquisition of Archer

Chris McClean

What a good way to kick off what should be another exciting year in GRC. Just less than a year ago, Archer Technologies brought consolidation to the IT GRC market with its acquisition of rival Brabeion. The vendor food chain continued today as EMC announced an agreement to acquire Archer into its RSA product division.

Details such as product integration and go-to-market strategy will trickle out slowly of course, but so far, this is a significant deal for a couple of reasons:

  • Archer fills a substantial void in EMC’s product offering, which included many elements of GRC, but no central platform to pull it all together.
  • EMC will introduce the Archer products to a much larger set of potential customers...most notably as a platform to manage security and compliance, but also to customers with requirements for related areas like vendor management or business continuity.
  • It brings another IT heavy-weight fully into the GRC space, with substantial engineering resources to work on product development (but only if Archer continues to be seen as a top priority within RSA).

As we watch this acquisition come together, as well as other upcoming announcements that will make the GRC space even more competitive, here are a few questions to consider:

More Prognostications for 2010

John Kindervag

Several of my Forrester colleagues have already weighed in with their insightful 2010 predictions. I recently chatted with Shamus McGillicuddy at TechTarget where I shared my thoughts on the upcoming year. You can read the article here.

2010 is going to be an interesting year with economic concerns impacting the security business. I suspect that businesses will need to regroup and think about their security spend again next year. Companies will probably remain gun-shy and hold budgets close to their vests. This could set up a shootout between increasing security threats and the desire to continue to control costs. Who will win? Your thoughts?

Happy Holidays y'all and here's wishing you a Secure New Year!

The Story of the Risk Manager’s Increasing Value Continues...

Chris McClean

A few months ago I wrote about the rising visibility and responsibility of risk management professionals, linking to articles about the growing demand for risk training and talent. Along that train of thought, I was just able to get to this month’s edition of Risk Management, which along with a great photographic review of the last year in risk management, has an article outlining the progress the profession has made over the last decade. It’s interesting to think that 10 years ago risk management was a much smaller discipline focused on relatively narrow problems like the Y2K software flaw. Things have changed a lot.

Case in point, the SEC announced this week the approval of new rules that will, among other things, require companies to disclose the relationship between their compensation policies and risk management, as well as describe the board of directors’ role in risk oversight.

Understanding what compensation policies have a material impact on an organization’s risk and developing policies for board-level oversight of risk will require guidance from internal and/or external risk experts... good news for any risk experts who appreciate gainful employment. And of course, many additional regulations and SEC rules expected to come together early next year are also likely to continue this trend.
