Articles from last posting
Ericsson hacker gets three years
Biometric device costs Malaysian accountant his finger
Update - US banks required to report security breaches
'When the help help themselves'
"Who dunnit?" - possible insider role in UK plot to steal STG 220m from Japanese bank
Key loggers take centre stage
Is 2 factor authentication useless?
MS engineers eat, sleep and breathe security
NYC Citibank customers ripped off by Indian call centre employees
Outsourcing is a hot topic. For all manner of reasons.
The loss of jobs to low cost jurisdictions is a political quagmire. Everyone fears for their jobs, especially in the technology sector, but also in finance, accounting and even in the legal profession. Well trained foreign workers can do many skilled jobs for a pittance of the cost charged in the west.
But what of the risks?
The risk that foreign companies do not have robust risk management skills, processes and procedures in place to protect your investment and trust? The risk that their operations are susceptible to terrorist attack or environmental hazards - such as inclement weather, tornados, floods or fire? The risk that local laws will not protect you if the relationship goes sour?
And what of disaster recovery and business continuity planning? Can you be sure they will not go down when you need them most? These are disagreeable topics often overlooked when businesses make outsourcing decisions. But rest assured: you might end up losing vastly more than you thought you would save in the long run.
And what of customer satisfaction? What price do you place on that precious commodity? It is hard enough to manage your own employees and root out and identify the rogues. But what about the threat from workers you do not know, and can't control?
The recent arrest of 12 plus employees, past and present, of Indian IT services and BPO company MphasiS BFL gives pause for thought. At least for the much beleaguered Citibank management team. Citibank, you may recall, is well known for its anti-ID-theft ads on TV - and recent corporate governance challenges.
Reports indicate that numerous BFL call centre employees in India 'sweet talked' NYC based Citibank customers out of their PIN numbers, and stole $350,000 from them, between January and March, 2005. These monies were transferred into bank accounts opened by the rogue employees, using fictitious names possibly taken from rejected home loan applications.
On April 6, the crime branch of the Indian Pune police announced at a press conference the arrest of 12 BFL employees. Some of the stolen funds had been siphoned off from a cyber cafe. Police could not rule out international links to the crime, and indicated that the stolen funds 'could have been used for subversive or anti-national activities'.
The successful Citibank ad campaign will be little solace to the victims of ID theft that results from this incident - irrespective of where the fraudsters were located. The victims will not care, and they will blame Citibank.
The Indian government is well aware of the threat that such unwelcome news poses to the very healthy outsourcing sector in that country, and will inevitably make noises about addressing the issues. Sadly, there is no quick fix. And cultural dissonance can make the quandary all the more difficult to solve.
Ukrainian IT worker fined for revealing management wages
Did the huge discrepancy between his pay and that of management drive him to it?
An apparently disgruntled IT worker at a milk plant, who made USD $250 per month (versus $16,500 for a 'unit manager' - good jobs, those unit manager jobs - if you can get them) posted the hugely disproportionate salaries of management on a web site he aptly titled 'virtual labour union' - and was fined $15 for violating local privacy laws.
It is unfortunate that the hapless defender of the underdog did not reside in a country where public companies must reveal management remuneration, or face the wrath of the regulator. It would not appear, in this instance, that 'the regional Office of the Public Prosecutor' has the high moral ground.
As the errant milk worker contemplates the prospect of losing one fiftieth of his salary for telling it like it is, maybe someone should send him an application form for a marginally better paid gig at Eliot Spitzer's office. I hear they are always on the lookout for new talent.
Polo Ralph Lauren; DSW Shoe Warehouse; LexisNexis; Ameritrade: No end in sight to bad news
Whoever said "don't worry, nothing ever really happens when you go on vacation" was demonstrably wrong, at least in the security space. The bad news just rolls on and on, and on.
Ralph Lauren seems to have been responsible for a breach that exposed the data of as many as 180,000 customers of HSBC North America (a division of London-based HSBC Holdings PLC) holding General Motors-branded MasterCards. Visa customers may also have been affected. RL has denied a breach of their systems. Their response, however, suggests sloppy storage procedures - storing far more data than permissible, in an unencrypted format. If true, this fact would expose them to the wrath of the card companies, as a clear breach of their rules of engagement (see below).
HSBC are notifying possible victims and advising them to replace cards - a costly affair for the banks, and something they do not do lightly. The Wall Street Journal identified Ralph Lauren as the retailer responsible for the breach in January 2005.
DSW Shoe Warehouse, a subsidiary of Retail Ventures (RV) (they operate the Value City and Filene's Basement discount stores) started notifying customers affected by a recent data security breach - possibly as many as 1.4 million people - that occurred at 108 stores in 25 states between November and February, 2005. This figure is 10 times greater than DSW initially estimated.
It appears thieves accessed credit card numbers, checking account numbers and driver's license numbers. It is unclear why DSW - a shoe retailer - had possession of the latter.
Around the same time, LexisNexis, a subsidiary of London-based publisher Reed Elsevier Group PLC - well known to all legal eagles everywhere for their legal research services - disclosed that criminals may have breached computer files containing the personal information of 310,000 people (the lawyers will not react well) - yet again a huge increase on the initial estimates of those affected.
Lax password management at Seisint, a data mining company acquired by LexisNexis in September 2004, may have been at the heart of the matter. Reports indicate that unauthorized users breached the system 59 times using stolen passwords. Of course, this raises the question of what manner of due diligence was conducted by LexisNexis on the purchase.
This spate of bad news is also very concerning in that companies such as Acxiom (guilty of recent security breaches), LexisNexis, and Seisint are huge data aggregators, with enormous databases packed full of sensitive data on private citizens - databases shared with US government and intelligence divisions, supposedly to aid in the fight against terrorism.
But if these companies cannot keep their own houses in order, and cannot assure the accuracy, integrity and security of data held by them, in the course of their own business operations, it seems highly ill-advised to rely upon it for intelligence purposes.
And backup tapes continue to fall off the back of lorries...
Ameritrade Inc. has advised 200,000 current and former customers that a computer backup tape containing account numbers, names and possibly Social Security numbers has been "likely lost or destroyed." Four tapes were originally missing, but three have been recovered. In February, you may recall, Bank of America (see archives) lost a tape during shipping that included information on 1.2 million customers, including several U.S. Senators.
How hard is it really to transport tape, safely and securely? The mind boggles.
Retailers storing sensitive 3-digit code - against Visa rules - and update on BJ's story
A story in the WSJ (Wednesday - April 27, 2005) by staff reporter David Bank correctly identifies the storage of sensitive credit card data by retailers et al as anathema to good security administration, and exposes it as a practice outlawed by Visa (see below).
He suggests that HSBC has chided Polo Ralph Lauren for a breach that may in part have resulted from the storage of the 3-digit secret code (on the back of credit cards) at RL checkout counters at 180 stores. These numbers are necessary to clone credit cards and helpful to social engineers masquerading as legitimate card holders.
However, this is not a new story and goes way back. The most recent coverage of the issue dates back to last year, and the BJ's story. In March 2004, the theft of a credit card database from BJ's Wholesale Club, on the US East coast, left the cards of about 3 million customers at risk of compromise. Numerous East coast banks had to replace cards and increase account monitoring as a result - at huge cost. Some estimates suggest as much as USD 10 million.
The Boston Globe reported that "some of the fraud was committed overseas by Russians, Ukrainians and Asians" - quoting Timothy Buckley, of the New England Electronic Crime Task Force. It is believed that the stolen card details had found their way onto the Net and were used in the US, Europe and Asia. No culprit has been identified, at least publicly, as yet, by the Secret Service or FBI as responsible for the breach.
BJ's is being sued by everyone. In August 2004, Reuters reported that Pennsylvania State Employees Credit Union had sued BJ's and its merchant bank, Fifth Third Bank, for in excess of USD 98,000 in costs for canceling and reissuing over 20,000 cards. One of the charges against BJ's is that they retained the credit card secret 3-digit code, in violation of Visa's merchant rules.
The Reuters story suggested that the card companies are going after BJ's to recoup their losses - circa USD 16 million. Weary retailers are well accustomed to having credit card losses passed back to them, but a claim of this magnitude is unusual. BJ's are reported to have a reserve of USD 6 million to pay out claims arising from the incident.
Fighting fire with fire - blame someone else
BJ's is reputedly defending the various claims 'vigorously', and, as David Bank reports in the WSJ, looking for someone to blame for the fiasco and going after their technology suppliers (IBM) in the hope of mitigating their losses. Bank suggests that retailers were often unaware that their software retained sensitive data (such as the 3-digit secret credit card code) and are braying for blood. A massive retailer purge of customer credit card data is in progress.
Visa is reported to have entered the fray and to have met with several software suppliers to point out how unhappy they are with the situation - adding an undeniable air of legitimacy to the retailers' claims that the software provided to them is not what it should be.
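The retention problem described above (point-of-sale software quietly keeping the 3-digit code and stripe data the card rules forbid, and the purge now under way) can be checked for mechanically. The following is an added example, not code from the article or from any vendor named in it: it audits stored transaction records for data that must not be retained after authorization and shows a purge that strips it. The field names, the record layout and the sample records are assumptions constructed for the example.

```python
import re

# Fields a merchant must not keep after authorization (names assumed for this example).
FORBIDDEN_FIELDS = {"cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}
# Track 2 stripe layout: PAN '=' expiry(YYMM) service code(3) discretionary data '?'
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}\d{3}\d*\??")
PAN_RE = re.compile(r"\d{13,19}")

def luhn_ok(digits):
    """Mod-10 check card numbers satisfy; cuts false positives on other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_record(rec):
    """Return the retention violations found in one stored transaction record."""
    findings = []
    for key, value in rec.items():
        k = key.lower()
        if k in FORBIDDEN_FIELDS and value not in (None, ""):
            findings.append(f"retained {k}")
        if isinstance(value, str):
            if TRACK2_RE.search(value):
                findings.append(f"track data in {k}")
            elif k == "pan" and PAN_RE.fullmatch(value) and luhn_ok(value):
                findings.append("unencrypted pan")
    return findings

def purge_record(rec):
    """Drop forbidden fields and mask a clear-text PAN, as the retailer purge would."""
    clean = {}
    for key, value in rec.items():
        k = key.lower()
        if k in FORBIDDEN_FIELDS:
            continue  # verification code, track data and PIN are never kept
        if isinstance(value, str):
            value = TRACK2_RE.sub("[TRACK DATA REMOVED]", value)
            if k == "pan" and PAN_RE.fullmatch(value) and luhn_ok(value):
                value = "*" * (len(value) - 4) + value[-4:]
        clean[key] = value
    return clean

# Constructed sample of stored POS records (not real data): a tokenised record,
# one keeping the card number and code in clear, and one with swipe data in a note.
SAMPLE_RECORDS = [
    {"pan": "tok_9f2c", "last4": "1111", "amount": "42.10"},
    {"pan": "4111111111111111", "cvv2": "123", "amount": "9.99"},
    {"pan": "tok_1a7e", "notes": "swipe retry ;4111111111111111=25121011234?", "cvv2": ""},
]
```

Running `audit_record` over each sample record flags the second and third; `purge_record` returns what may be kept.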
It's getting ugly out there
So we are left with a situation where the guns are pointed in every direction. The retailers - under siege - blame the software suppliers. The credit card companies blame the retailers, and the member banks, and possibly the software vendors. The member banks blame the retailers - and (see the HSBC story) the banks blame their customers.
But still disingenuous software vendors, lobbyists and legislators will argue that nothing needs to be done - that market forces will arrive at an optimal solution. Maybe, as the irascible Jonathan Swift once pointed out (in his Modest Proposal), everything will be just hunky-dory if we eat the poor...
Credit card companies mandate security for companies handling cardholder data
The card companies are not happy with member banks or retailers and are forcing them to improve their online security practices - by June 30, 2005, or face hefty fines (up to $500,000) and other penalties, including the threat of losing access to their networks.
This move marks an agreement by the major credit card companies to co-ordinate their online consumer fraud-fighting efforts under one 'minimum standard' banner. Previously, they all had their own programmes - now the intention is to endorse a global standard known as the PCI Data Security Standard.
Clearly the powerful card companies, not known for their wild propensity to throw money around - especially when it can be avoided - have no desire to have their exposed rear ends hanging out over a precipice.
Consumers faced with a Tsunami-esque tide of credit card hack and identity theft stories may start to look askance at the numerous pieces of plastic in their wallets, and envisage them as coated with a liberal dosing of the Ebola virus.
Very, very bad for business. Something had to be done. And preferably something that the card companies can make someone else pay for...
PCI establishes four tiers/levels for compliance, based primarily on the volume of transactions processed annually by a financial institution, merchant or service provider (note: a poor history of security breaches moves you up the hierarchy and makes compliance more complex and costly) - with specific rules and requirements set for each level.
However, in essence PCI consists of 12 key requirements for protecting cardholder account and transaction information - nothing radical. To prove compliance, covered entities (those that 'store, process, or transmit cardholder data') must have 'quarterly network scans' conducted by an 'independent scan vendor', plus they must complete an annual PCI self assessment questionnaire.
The very large payment processors (in tier one) must also conduct 'annual on-site security audits'. The card companies keep a list of vendors that have been certified to the PCI Standard. I note that BCE Emergis (Canada) has been CISP compliant since 2004.
Outsourcing won't make it go away
All members remain responsible for any liability that may occur as a result of CISP non-compliance. The banks have to include a CISP compliance provision in all contracts with their merchants and other agents.
Reporting and fines
In the case of Visa, 'a member or the member's service provider, must immediately report a suspected or confirmed loss or theft of any material or records that contain Visa cardholder data'... 'If a member knows or suspects a security breach with a merchant or service provider, the member must take immediate action to investigate the incident and limit the exposure of cardholder data'.
In addition, 'If a Visa member fails to immediately notify Visa USA Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident. Additional fines may be levied for exceptional circumstances where the violation presents immediate and substantial risks to Visa and its members'.
Scary stuff.
Net effect for the consumer
So, while it may remain the case for some time to come that victims of identity theft (or at least persons whose credit card details have been exposed) cannot expect to hear about it, as a matter of course, at least we can take comfort from the fact that Visa, Mastercard et al will definitely know about it.
And who said rule making was ineffective?