New PCI Standards Disregard Inside Threats
Starting June 30, new measures inserted in the Payment Card Industry (PCI) standard will be enforced. However, representatives of a database security firm point out that the new additions do nothing to address insider threats.
As Vnunet.com shows in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.
Secerno representatives argued that the new and “improved” standard does not address real threats effectively:
“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.
“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”
Besides completely ignoring ill-willed insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, and measures for protecting data on private networks.
Virgin Media Loses Unencrypted CD with Customer Data
Virgin Media, the branch of Richard Branson’s empire operating in the entertainment and communications fields, has recently disclosed the loss of an unencrypted computer disc containing bank account details of 3000 UK customers.
The data loss was discovered on May 29th, and according to Virgin Media, the CD also contained names and addresses of customers. According to Finextra.com, the breach affects customers who signed up for Virgin Media services in Carphone Warehouse stores from January this year. Company representatives do not know why the data was burned onto a CD in the first place, since company policy stated that secure FTP transfers should be used instead of CDs.
In a statement a Virgin Media spokesperson says: “We have been working with the Information Commissioners’ Office on this matter and we are in the process of contacting all of the affected customers to ensure we meet our responsibilities and fully support them through this process.”
Virgin Media says it is now conducting a review of its data protection policies and practices.
Insurance Files Found in Dumpster
It looks like insurance companies also fail to rank high when it comes to security. While one would expect any data provided to such a company to remain private, it turns out that in Richardson insurance files may well be found in a dumpster.
That was the case in a recent incident in which hundreds of such files, containing names, Social Security numbers and policy numbers, were found in a Richardson dumpster. As WFAA.com, which covered the story, notes, it was quite a treasure waiting to be discovered by identity thieves.
Who found the files? Two men, one looking for boxes to move and another one driving by, who saw the first one taking pictures of the dumpster in question.
The files were dumped here by a company called Texas Insurance Claims Services which processes people’s claims.
We asked the owner why he threw them away. He wouldn’t go on camera but said he was only required to keep the files five years and could then toss them.
The company says it sometimes uses commercial shredding services but decided not to do so this time. Authorities say it’s not unusual for criminals to dumpster dive to look for ways to get personal information that they can use to illegally run up huge bills.
Anti-Fraud Collaborative Service Launches in the US
Ethoca, a European service where member businesses share intelligence about fraudulent transactions and other unauthorized online activity they come across, is now operating in the US. The expansion took place quietly, as Ethoca representatives decided not to create much hype about entering a new market.
According to DarkReading, Ethoca already has offices in Dublin, Ireland, and Toronto, Canada. It is a community-based collaborative service for online businesses in retail, gaming, airline, payment processing, prepaid card providers, travel and leisure, and dating services. Ethoca’s biggest customers include powerful names such as the Royal Bank of Scotland, while former U.S. Secretary of Homeland Security Tom Ridge is a member of its board of directors.
Member companies submit their transaction data to Ethoca, which acts as a clearinghouse and fraud assessment hub for all members — they basically get to vet a suspicious online order (address, phone number, credit card, IP address, and buyer name) with the experience of other members. “It’s like how a credit bureau works,” says Andre Edelbrock, Ethoca’s president and CEO, who calls the firm a fraud management services provider.
Sensitive Data of Healthcare and Airline Companies found in Argentina and Malaysia
Researchers at Finjan have recently discovered 500 megabytes of confidential data on servers located in Argentina and Malaysia. The private records contained Citrix single sign-on credentials for accessing patient and financial data at a major U.S. hospital and major healthcare organization and also credentials for accessing a large U.S. airline carrier’s passenger and cargo lists, flight schedules, security measures, and financial data.
According to DarkReading, quoting Yuval Ben-Itzhak, CTO of Finjan, the Finjan research findings show that criminals are shifting their focus to different data that they can easily steal and sell to the highest bidder.
“It’s supply and demand. The fact is these people are now going after data that’s different from [the standard] credit card and SSN,” Ben-Itzhak says. “A year ago, a [stolen] credit card was $100. Now you can get one for $10-$20 a card.”
But that doesn’t mean cybercriminals still aren’t pilfering credit card data, other security experts argue. “I don’t think there is a shift in cybercriminals stealing data other than credit card numbers. The stolen data from popular and mainstream Trojans is mainly grabbed via keylogging — everything is captured, [and] then the wheat is separated from the chaff,” says Guillaume Lovet, senior manager for Fortinet’s Threat Response Team.
Stolen Laptop Exposes School Employees to Identity Theft
A laptop theft that occurred over the weekend at a Dickson County school office has exposed employees to potential fraud or identity theft. The computer, containing the Social Security numbers of all school employees from the previous school year, about 850 people, was taken from the office of Dickson County’s top school official.
According to WSMV Nashville, the laptop belongs to the new director of schools. The local police department immediately launched an investigation but found no signs of a break-in, and has not ruled out someone within the building being behind the theft.
There’s No DLP without Encryption
Any enterprise considering implementing data loss prevention technology in the future must keep one aspect in mind: effective DLP goes hand in hand with a sound encryption strategy. Against this background, Dark Reading states that DLP solutions are moving from quick fixes aimed at reducing data breaches to being seen as a core strategy whose purpose is to identify sensitive corporate information as such and to control access to it.
This shift in how DLP solutions are viewed might be what is needed to bring back to life previously designed and now stagnant data encryption projects.
“Every major DLP vendor has, or is developing, encryption capabilities or partnerships,” says Rich Mogull, founder and principal analyst at Securosis, a security consultancy. “File/folder encryption and DLP should be integrated.”
If this prediction is right, we have complex and highly effective corporate security strategies to look forward to. As laws neither stop breaches and identity theft nor significantly reduce them, comprehensive policies might prove a much better alternative.
Billing Records of Over 2 Million Utah Patients Stolen
The University of Utah Hospitals and Clinics has recently released information on a data theft involving the billing records of 2.2 million patients. The records were stolen from a vehicle after a courier failed to take them straight to a storage center.
According to Kutv.com, quoting Lorris Betz, senior vice president for health sciences, the records, described only as backup information tapes, contained the Social Security numbers of 1.3 million people treated at the university over the last 16 years. Betz also stated that people would be notified by letter, which will cost $500,000 in stamps and envelopes. The hospital has also pledged free credit monitoring and is now offering a $1,000 reward for the records.
Authorities declined to say how easy or difficult it would be to read the records. They refused to describe the format or whether the information was on a disk. The sheriff believes the thief probably thought the box contained money.
Private Records of 60,000 Stanford Employees Stolen
Stanford University has recently announced one of its laptops has been stolen, along with confidential personnel data. The university explained it will not disclose more details about the theft until the ongoing investigation is completed.
According to the Stanford news service, the university is sending e-mails and letters to current and former employees whose personal information may have been exposed. It is also posting frequently updated information on the Stanford homepage and sharing new data with the media. Officials estimate that approximately 60,000 people currently or previously employed by Stanford have been put at risk by this theft.
Breach Disclosure Laws are Pointless
Researchers at Carnegie Mellon University have just released data showing that the data breach disclosure laws enforced in the US have failed to reduce identity theft. According to the Register, these findings come at a time of increased demand for similar laws in Europe that would oblige organizations to notify customers when their personal details are exposed.
The research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). The researchers analyzed identity theft complaints made to the FTC from 2002 to 2006, looking for differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations, and 43 other states have since followed its lead.
The researchers determined that factors such as changes in a state’s average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as the paper’s abstract, reproduced by the Register, shows:
We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.
“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.