Week of January 19, 2006
Last time around
2005- Headfry Security Year in Review
Mary's 2005 wrap up for the Globe & Mail- 'A year of living Dangerously'
E*TRADE to boldly go where no-one has gone before
It may not seem like a big deal, but up until now, US investors were largely on their own when it came to the security of online trading. The SEC has largely left well alone, unlike the US banking regulators, who are concerned about the safety of online banking and consumer confidence, and who have issued various edicts about the need for increased vigilance by member banks and the implementation (by year end 2006) of more stringent authentication methods.
So what is all the fuss about?
E*TRADE has announced that it will offer investors '$0 liability for unauthorized use' with its new Complete Fraud Protection service: 'E*TRADE Securities LLC and E*TRADE Bank will cover any loss that results from the unauthorized use of our brokerage, banking or lending services'.
The rub? As is the case with PIN and debit transactions in most places around the world, if you share your E*TRADE User ID and Password with anyone else, you are done like dinner: they will consider that you authorized the transaction, and you get no money back.
In the PIN & debit world, most disputes revolve around what are called 'related party transactions', i.e. you give your loving nephew your card and PIN when you are laid up with a broken leg, to get groceries, and the ungrateful dog empties out your account and moves to Nepal. Even in the US, where Reg. E is more kindly disposed to consumers than the Voluntary Debit Code in Canada (and the rules elsewhere), you are generally totally out of luck in these rather sad scenarios.
With a close eye on existing credit card zero-liability policies and the terms of Reg. E as it relates to debit transactions, E*TRADE advises customers that, to qualify for the new offering, they must pay attention to its 'Smart Alerts' (deliverable by 'email, PDA or mobile phone') and check 'monthly statements for accuracy'.
If you don't, it may be fatal to any hope of recovery, as the footnotes indicate: 'We may impose greater liability if we determine that an unauthorized transaction was caused by your fraudulent action or gross negligence - which may include any delay in reporting unauthorized transactions to us'.
A lot of thought has gone into this new offering. E*TRADE's largesse is tempered with a strong nod to what rules apply, and what works, in the existing bankcard domain. And just in case they discover that, shock horror, all their customers are total dummies with PCs laden down with spyware and trojans, they reserve unto themselves an 'out'.
IF you are identified as a problem (many ISPs and telcos nowadays will just cut you off), AND they let you know (here is a real problem: how do they tell you, when you can't trust emails, or even phone calls, any more?), AND they tell you to take corrective action, such as a hard drive clean-up, changing your User ID and password, or installing 'up-to-date anti-virus software', you had better comply.
If you don't, and your accounts are compromised 'within one year of our notice'... they will ' not be responsible for any losses you sustain as a result of any subsequent identity theft or fraud'.
This may sound harsh, but it is really quite reasonable. After all, huge banks such as HSBC are on record as saying they may make consumers liable for online banking losses, without any suggestion that the bank will take the lead in warning them. In other words, if your PC is a rat-infested Hell Zone and your online banking password is stolen as a result, and you lose money, you are way out of luck, as it was up to you to see it didn't happen in the first place. Way harsh.
But- if you are duly warned about the infestation, it is hard to find fault. You have to take some responsibility for your own safety.
Needless to say, E*TRADE does not intend to give away the bank. They do, after all, have lawyers at E*TRADE, and they have to earn their keep. So you can't expect everything: 'attorney's fees or any special, indirect, incidental, consequential, punitive or exemplary damages' are not covered under Complete Care.
They are not Complete Idiots.
There is a good article in the New York Times about the new initiative. It will be fascinating to see what the other brokers/banks do in its wake. And what the regulators make of it all.
UK MPs credit card details end up in hotel dumpster
It was where Margaret Thatcher and her Cabinet nearly met their end at the hands of the IRA. Captains of industry and heads of state have stayed there. Many famous people still do.
But it seems that lineage does not buy you security- or peace of mind.
Incredulous passers-by outside the Grand Hotel in Brighton recently spotted an 'open skip' full of registration forms and credit card slips for guests who had stayed at the hotel between 1998 and 2000, including 'several MPs'. The UK Guardian newspaper reported that the guests affected by the breach included executives at Esso, Toyota, Ericsson, the BBC, and British Telecom.
Each card had a name, company, home address and credit card number written out 'in full', and many also included a home phone number and, 'in the case of some foreign guests, passport numbers'. The goodies-laden skip remained in plain view, according to the Guardian, for a full 24 hours before being removed by a local company.
It seems that hotel staff had thrown out the sensitive information, in breach of the UK's Data Protection Act. The UK Information Commissioner's Office has started an investigation, and irate MPs are asking questions in parliament to see if more legislation is needed to protect consumers.
Hotel in Bahamas hacked too
But it is not just in the UK that travellers have to be wary. The upscale Atlantis Resort in the Bahamas also recently admitted that hackers accessed a database containing the personal data of 55,000 guests, including credit card numbers, bank account numbers, Social Security numbers, and driver's license numbers.
Why anyone would provide a resort with such sensitive data is beyond us. They should have no right to even request it in the first place. The resort has offered affected customers a free credit-monitoring service for one year, and law enforcement officials in the Bahamas and the U.S have been advised.
Security company exposes highly sensitive data
You would think they would know better. A business that revolves around building trust simply cannot afford to take these kinds of chances.
Especially when members of the judiciary admit into evidence, and accept, the findings of the company's forensic software tools (used to recover and secure data) because they believe those tools to be reliable and secure.
But can you trust a company that plays Russian roulette with your (the customer's) personal data? It certainly raises a red flag. And it looks very, very sloppy.
In December 2005, Guidance Software sent a letter to its customers indicating that on December 7, 2005, an unencrypted database had been illegally accessed via the internet. According to eWeek, the database contained 'the credit card numbers of 3,800 people' (including the highly sensitive 3-digit verification code that was recently implicated in a swath of US retailer security breaches, and that enraged the credit card companies, who have rules against retaining this data after authorization).
And these unfortunates were no ordinary Joe Soaps. They included ‘investigative professionals from the National Security Agency, FBI and CIA, as well as heads of law enforcement worldwide’- all Guidance clients.
Expect a few raised eyebrows in court in the future when Guidance software is involved. Hardly fair you may say. Hardly relevant. Just the inevitable cost of screwing up.
Competitors will weep for joy. And law enforcement agencies, already miffed at the private sector for not doing more, will take another look at security legislation.
And one would be forgiven for thinking: where data security is concerned, the blind truly are leading the blind.
Cops' data stolen from police ID tag company
Reevesnamepins.com, a company that manufactures the name tags worn by US police officers, had its customer database hacked recently, 'exposing credit card and other personal data' for a number of police departments.
A watchdog group, cardcops.com, that monitors chat rooms where bad guys swap and sell credit card data online, put two and two together when they saw that data from police departments nationwide, including the New York Police Dept., was up for grabs, and did some further digging. Everything pointed to Reeves.
There are two very bad aspects to this story from the Washington Post. One: even the cops aren't safe, and ID theft aside, many officers would prefer not to have their addresses known- if addresses were indeed stolen in this case.
Secondly: Emails from the good guys who spotted the breach- to victims alerting them about the theft - were deleted as spam. And apparently this happens to them all the time.
It is also increasingly a problem for all legitimate businesses trying to warn customers.
No-one knows who or what to trust anymore.
Sunny Malaga home to cybercrime ring
Spain is not ordinarily portrayed as a hotbed of cybercrime activity. But times they are a-changing.
According to a statement by the Spanish Interior Ministry, five members of a Spanish gang have been arrested by Spanish police on suspicion of hacking into a US Defence Department computer at the Point Loma naval base in San Diego, a facility responsible for maintaining nuclear submarines.
Malaga, a favourite vacation spot for EU sun worshippers, seems to be home ground for at least one of the attackers. Reports indicate that the group 'may have caused security breaches in over 100 computer systems around the world'.
It seems that US naval personnel at least spotted the attack and 'alerted the National Criminal Intelligence Service', which in turn tracked the source of the attack to Spain.
The Spaniards did not let grass grow under their feet, and the 'cyber-terrorism unit of the Spanish Civil Guard' hot- footed after the bad guys and have them in custody. No doubt the US will want to extradite them, and they will try desperately to remain in Spain.
No doubt there are plenty of willing buyers out there for information on the US nuclear submarine programme. Anyone with even a passing interest in submarine warfare knows that competition between the 'superpowers'- and the contenders to the title- is ferocious under the deep blue sea.
US States swift to adopt security breach notification laws
California started the ball rolling in 2003, and since then approximately 23 US states have passed similar laws, as well as, in some cases, credit report freeze laws (where consumers can block access to their credit reports). On December 7, 2005, New York followed suit when its security breach notification law took effect. As soon as Eliot Spitzer took an interest, it was always a done deal.
Under the Act, if companies expose private information, as defined, they must report to three separate agencies. The law applies to unencrypted data; encrypted data is exempt, but if encrypted data is compromised 'along with the corresponding encryption key', the incident must be reported.
The text of the act emphasizes that it simply 'reflects this good business practice (of notifying consumers)', but that 'those that harm this basic trust by not providing proper notification' may be pursued by the attorney general, who can bring an action on an individual's behalf and fine the errant party.
A list of states with this type of legislation in place can be found here, and more here. The former seems to be up to date, but check if you need to be sure- the landscape is changing rapidly.
Is there a federal law on the way?
There is pressure on the Feds to adopt a federal law that pre-empts the state laws, to avoid a scenario where corporations have to comply with multiple disparate laws: the states vary in when the notification obligation is triggered, whether there is an exemption for encrypted data, the level of civil action permitted, the types of fines/penalties provided for, etc.
For now, it may be necessary to adopt one tough version of these laws across the country, and use it as a baseline- an approach adopted by some US multinationals in dealing with multiple EU privacy laws.
Canada
As usual, there is nothing much happening in Canada on this front, although Manitoba's opposition Conservatives have introduced a private member's bill to try to fill the gap.
There is also no federal identity theft law in Canada, although there is much talk about the need for one. Clearly, something needs to be done- preferably this decade. The provinces are not exactly racing to fill the void either.
The Consumer Measures Committee (CMC), a forum of federal, provincial and territorial government representatives, held a public consultation on identity theft from July 6, 2005 to September 15, 2005- to decide what to do.
So far, there seems to be far more talk than action.
Mastercard extends carrot to retailers to improve security
A series of high profile security breach incidents in the US in 2005, e.g. the Polo Ralph Lauren and BJ's Wholesale cases, revealed that large US retailers were (they claim 'inadvertently') storing the 3-digit credit card code from point of sale terminals, in breach of credit card company rules.
Now it seems (see the Guidance Software story above) that security software companies are doing the same.
Indeed, Visa has stated that a mere 15 percent of the 215 biggest US retailers that accept Visa cards can certify that they are fully compliant with current card company security rules.
Although infringers could face fat fines from the card companies, in theory, the card companies do not seem terribly gung-ho to risk alienating their merchants. Instead, MasterCard is trying to incentivize retailers to improve security practices and play by the rules.
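The retailer and Guidance stories both come down to the same stored-data mistake: a full card number and the 3-digit code sitting in a database or batch export long after authorization. Below is an added example, not code from any of the companies mentioned, of the kind of scan a practitioner would run over a CSV export to find that data, and of the truncation the card rules expect instead. The column names and sample rows are constructed for the example; the Luhn check and the 'first six, last four' truncation are the standard ones.

```python
"""Find and scrub stored card data in a CSV export (added example).

Two things the card company rules prohibit keeping after authorization:
  * a full, unmasked card number (PAN), and
  * the 3- or 4-digit card verification code (CVV2 / CVC2 / CID).
scan_csv() reports which columns hold them; sanitize_export() rewrites
the file so that a rescan comes back clean.
"""
import csv
import io
import re
from typing import Dict

# Header names commonly used for the verification code (assumption: the
# export labels the column in one of these ways).
CVV_HEADER = re.compile(r"cvv|cvc|cvn|cid|card.?code|security.?code|verification", re.I)
# A full PAN is 13 to 19 digits once spaces and dashes are stripped.
PAN_DIGITS = re.compile(r"^\d{13,19}$")


def luhn_valid(number: str) -> bool:
    """Standard Luhn mod-10 check; rejects order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_full_pan(value: str) -> bool:
    """True only for an unmasked, Luhn-valid card number."""
    digits = value.replace(" ", "").replace("-", "")
    return bool(PAN_DIGITS.fullmatch(digits)) and luhn_valid(digits)


def truncate_pan(value: str) -> str:
    """Keep first six and last four digits, the form the rules allow to be stored."""
    digits = value.replace(" ", "").replace("-", "")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_csv(text: str) -> Dict[str, Dict[str, int]]:
    """Return {column: {"full_pan": n, "card_code": n}} for offending columns only."""
    report: Dict[str, Dict[str, int]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        for col, val in row.items():
            val = (val or "").strip()
            if not val:
                continue
            if is_full_pan(val):
                report.setdefault(col, {"full_pan": 0, "card_code": 0})["full_pan"] += 1
            elif CVV_HEADER.search(col) and val.isdigit() and len(val) in (3, 4):
                report.setdefault(col, {"full_pan": 0, "card_code": 0})["card_code"] += 1
    return report


def sanitize_export(text: str) -> str:
    """Truncate every full PAN and blank every card-code column; return new CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames or [])
    writer.writeheader()
    for row in reader:
        clean = {}
        for col, val in row.items():
            val = (val or "").strip()
            if is_full_pan(val):
                val = truncate_pan(val)
            elif CVV_HEADER.search(col):
                val = ""           # the code must never be retained, masked or not
            clean[col] = val
        writer.writerow(clean)
    return out.getvalue()


# Constructed sample export: two full PANs (test numbers), one already
# masked, one 16-digit value that fails Luhn, and two stored card codes.
SAMPLE_EXPORT = """\
txn_id,pan,exp,cvv2,amount
1001,4111111111111111,0907,123,42.50
1002,411111******1111,0907,,19.99
1003,5555 5555 5555 4444,1206,777,250.00
1004,4111111111111112,0308,,5.00
"""

if __name__ == "__main__":
    print("before:", scan_csv(SAMPLE_EXPORT))
    print("after: ", scan_csv(sanitize_export(SAMPLE_EXPORT)))
```

On the sample the scan flags the pan column twice (the masked row and the Luhn-invalid row are skipped) and the cvv2 column twice; after sanitize_export() the same scan reports nothing. The header regex is the weak spot: a column named something unexpected would need a value-based heuristic, and expiry dates (four digits) are exactly why that heuristic is not attempted here.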
Retailers who adopt the MasterCard SecureCode program, which requires cardholders to enter a security code when they make online purchases, will get a 16% discount, bringing their rate for card-not-present transactions in line with what they pay for 'card-present' transactions.
They are also offering merchants a free vulnerability scan from five big data security firms, as well as training, to help them comply with the credit card security rules.
However, reports indicate that retailers are not exactly lining up to take Mastercard up on the freebies, as they must pay to implement the additional security and are loath to do so- with margins tight.
Visa and Mastercard are also supposedly talking about working together to improve security standards and compliance by retailers.
Who pays for greater security?
It will be interesting to see what will happen when US banks start to take a hard look (as the regulators require by year end 2006) at 2-factor authentication in the context of online banking.
(See the E*TRADE story above for new developments.)
Who will pay the price of implementation and compliance? Consumers? Bank card customers? Retailers? The card companies? Will authenticated banking transactions, for instance, then count as card present transactions, resulting in consumers eating more risk and liability?
Of course, if that happens, they will vote with their feet.