Week of February 28, 2005

Articles from last posting

US senator's personal data exposed by Bank of America: What next?

Talk about being the author of one's own misfortune.

There is surely no better way to bring legislation down on your own head than to expose the personal data of US senators to identity thieves.

The ChoicePoint scandal set the stage.

According to a report from the Associated Press (AP), ChoicePoint was formed in 1997 as a spinoff of credit reporting agency Equifax Inc. and has 19 billion public records in a database in its suburban Atlanta headquarters, including motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers.

The giant, unregulated data warehouser (because it is not a credit-reporting agency it is not covered by the Fair Credit Reporting Act, which gives consumers certain rights over their personal data) admitted, long after the fact, that identity thieves using fraudulent documents such as business licence forms had opened ChoicePoint corporate accounts, posed as legitimate businesses, and accessed voluminous amounts of consumer data, including Social Security numbers and credit reports.

Of course, the real issue is this: what right has ChoicePoint to gather, control and sell such data, absent very strict controls, in the first instance? Right now, every right in the world.

Apparently ChoicePoint alerted Los Angeles law enforcement when anomalies were spotted in October 2004; the LA police set up a sting operation with the company's co-operation and eventually flushed out the miscreants. Initially only the Californians affected were to be notified, under the California law that requires such notification, but intense media pressure and a public outcry produced a rapid turnabout: now every victim is to be advised.

AP reported that ChoicePoint indicated that 144,778 people may have been affected by the breach, but that California authorities have estimated that up to 500,000 may have been affected across the country.

The thieves were in business for over a year before they were detected; to date it is believed that at least 750 people have been defrauded, possibly without their knowledge. Why did ChoicePoint's fraud detection systems and internal controls, to the extent they exist, fail to detect the fraud over such a lengthy time frame?

The CSO of ChoicePoint has eviscerated the media for scaremongering, saying in an interview: "It's created a media frenzy; this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't."

However, the CSO is off base with his characterization of the incident, which was clearly a violation of the US Computer Fraud and Abuse Act by the thieves (no 'hack' is necessary to violate the Act; it prohibits obtaining information by accessing a computer without authorisation or in excess of the authorisation granted, and credentials obtained by fraud are not a licence to take the data). And if it wasn't his fault, whose fault was it?

Such pompous and righteous indignation seems entirely misplaced in any event. Well over a hundred thousand American consumers (who presumably never gave ChoicePoint permission to collect, gather or sell their data in the first place) face the disconcerting prospect that their identities are at risk from sundry international crooks, and a little more empathy might thus be expected.

Some consumers, especially those whose sons have legal practices, have not taken the matter lying down and have filed suit in Los Angeles County in recent days.

And now comes the revelation that Bank of America (soon to move to two-factor authentication for e-banking, according to recent reports) has lost backup tapes containing personal information on 1.2 million federal employees, including some members of the U.S. Senate.

Reports indicate that Bank of America initially lost four of 15 tapes, but recovered two of them. However, BoA would not confirm the exact number lost, 'which contained personal information on federal employees from 30 agencies, including the Senate, and employees that use the General Services Administration's SmartPay program'.

Bank of America is in the process of sending letters to those affected, and has a toll-free number for agency employees to vent. The Secret Service has been involved throughout.

Sen. Charles Schumer, D-N.Y., said he was told the tapes were likely stolen off of a commercial plane by baggage handlers in December.

But the real rub for the bank is that Sen. Pat Leahy, D-Vt., is among the affected legislators whose credit card data may have been exposed on the lost tapes. Leahy played an integral role in getting the Senate Judiciary Committee to look into whether more regulation of companies that buy and sell personal data is needed in the wake of the ChoicePoint fiasco.

To date, there is no suggestion that the tapes have fallen into the wrong hands, but since the bank seems to have no idea where they now are, and such data would fetch a high price on the street, this is hardly the time for undue optimism.

Meanwhile Senator Leahy is left pondering his fate, undoubtedly imbued with a new sense of urgency that something must be done.

Expect companies such as ChoicePoint to face legislation in the very near future, and expect Senator Feinstein's calls for security breach reporting laws throughout the nation to fall on newly receptive ears.

There is nothing quite like hitting close to home, to produce whirlwind results.

The perils of not keeping commercial web sites up to date

Don't mess with diners in New Zealand. It appears they take their pre-dinner reconnaissance missions very seriously, and quite literally.

A restaurant in New Zealand was fined NZ$3,000 for advertising out-of-date prices for menu items on its website, and ordered to pay NZ$260 in costs.

The action appears to have been brought by the NZ Commerce Department after an irate customer complained that some menu items were not available at all, and that others were between 17 and 36 per cent more expensive than advertised.

The presiding judge indicated on sentencing that Parliament had taken a tough line on misrepresentation generally, and that "it is not enough to allow the restaurant owner to say that the website is outdated for reasons of lack of time or lack of technical knowledge, especially given the growth of this form of advertising and the potential reach of the misleading information."

Be warned. Such cases serve as a precedent for the proposition, long advanced by the US Federal Trade Commission and the competition authorities in Canada and elsewhere, that you will be held responsible for the veracity of representations made on commercial websites, whether about the price of coal in Newcastle, lamb stew in New Zealand, or the state of your security practices.


Week of Oct 11, 04


Canadians to get 'smart' debit cards in 2007

Interac, the sole operator of the debit EFT network in Canada, has indicated that Canada's debit card issuers will start issuing chip cards by the end of 2006, and that the first chip-enabled transactions will be completed in early 2007.

Apparently they have been slaving for the past three years on a chip card migration strategy. This comes as news, as Interac has been tight-lipped about any such strategy in the very recent past. It may be that recent bad press about debit card fraud has shortened the timelines for the migration to the more secure infrastructure, and hence the announcement, to assuage fears.

However, the complex changeover will take years to complete. In my opinion Canada, irrespective of the payments medium to be used (chip cards are a marked improvement on magnetic stripe cards, but no 'silver bullet', and they too will be attacked and cloned), is in dire need of legislation in this space.

The banks, of course, are happy with the current 'clubby' environment, and will leave well alone, unless their hands are forced.

During the changeover, Canada's debit cards will carry both a chip and a magnetic stripe. The US is one of the few countries in the world with no plans to migrate to chip and PIN. Experts believe, quite credibly, that crime gangs will increasingly target countries that cling to the easily forged magnetic stripe card system.

US consumers have broad legal protection against debit card fraud under existing legislation (the Electronic Fund Transfer Act and its Regulation E), unlike Canadians and consumers in many other countries governed by weak 'voluntary code' systems.

However, if the US banks start to take a major hit on debit card fraud as crooks flock to their shores to exploit the more vulnerable card technology (losses they can't easily pass on to consumers), a new look will be taken at introducing chip card systems.
