- One of the forms I reviewed asks the customer to fill in the "Three Digit Security Code Located on Back of Card:" Bad.
- This same form asks the customer to "Please complete this form and return to email_address_here...". This is also bad.
- The form asks the customer to provide "CREDIT CARD ID: (3 or 4 digit ID on front or back of card)". Bad.
- They go one step further and actually REQUIRE that "a front & back copy of the [credit] card is required for processing. This includes all clients that have made payment in full in advance with a company check." This is beyond bad.
[Source: privacyrights.org Data Breach Database]
Subject: "Don’t miss your free night from Marriott Rewards"
Attributes
FIRST_NAME : YOUR_NAME_HERE
CUSTOMER_KEY : ######## (8 digit number that I have removed)
MR_NUMBER : ######### (9 digit number that I have removed)
MR_NUMBER_ENCRYPTED : (32 character value here also removed)
TEST Links
Hosted Email Link Using MR_NUMBER : With MR_NUMBER Link
Hosted Email Link with out MR_NUMBER : Without MR_NUMBER Link
Hosted Email Link with out Jennies Suggestion : With entrypted MR Number & Customer key
"Dear Valued Guest,
Yesterday morning, you received an email from Marriott in error. We were testing functionality to further enhance your online experience. During the testing process, a small number of emails erroneously deployed.
In the email, you may have noticed your name and a reference to your MR number. Rest assured, the information contained therein is private and no information specific to you or your account was shared with anyone else. To reiterate, this email was sent to you in error, but the contents of the message itself pertain only to you and your account.
Marriott is committed to your data security and the protection of your personal information. We apologize for any confusion our earlier email may have caused.
Best regards,
The Marriott Team"
Four men from Atlanta Georgia were sentenced this week by United States District Judge Orinda D. Evans on charges of bank fraud, credit card fraud and aggravated identity theft.
This is an ad I saw for an after-school program in the Boston area. I've walked by it a number of times and it aggravates me when I see it. I'll tell you why.

The advertiser's message is that you should not let your child do things like this at home, but instead send them to a place outside of the home (for which you would need to pay) where your child will supposedly be allowed to do such things. But my question is, why not? Why not let them get messy, take chances, be creative, and even make mistakes? And why not at home so family and friends can enjoy? Kids should be given the opportunity to do things like this at home. As Randy Pausch said in his world-famous presentation The Last Lecture, "let your kids paint their room".
I completely agree.
Original Tweet: http://twitter.com/idexperts/status/4663639559
If your organization is not categorized as a Level 1 merchant, you need to attest to being in compliance with PCI DSS by completing and submitting the appropriate SAQ and quarterly scan results. Doing ONLY this does not mean you are PCI DSS compliant. It means that you did what was expected of you (at this time) to attest that you are in compliance. KEN
Dear friends of openairboston.net,
Last week marked the 40th anniversary of the first test of the technology that would become the Internet. The engineers working back then could never have imagined the incredible impact that their work would have on our present day world. Internet access has shaped both my career and my personal life. I ask you to take a moment and reflect on the Internet's value to you.
Know that, even in Boston, one of the most innovative cities in America, Internet access is simply unaffordable for the majority of low-income residents and this lack of access has profound and lasting effects. The students in our Boston Public Schools, who without home computers resort to typing assignments on their cell phones, become the job seekers, who without Internet access, cannot complete job applications for even the most unskilled jobs. Without Internet access, these residents rarely find the opportunities to develop the skills they need to succeed in today's workplace.
openairboston.net is a non-profit organization working to erase this inequality and help ALL our residents thrive in an increasingly online world. We bring free Internet connectivity, training and low-cost computers to residents currently left at the sidelines of our connected world. Through our efforts, we have brought an open-source community wireless network to the Fenway and Mission Hill neighborhoods and aim to expand our work to other much-in-need communities. We bring not only connection but also the education necessary to create self-sustaining support and training programs that allow neighbors to help neighbors and foster true community ownership of these networks.
The word is getting out and our momentum is building. From features in both the Boston Globe Magazine and Mass High Tech to our recognition by the IRS as a 501(c)(3) tax-exempt organization, openairboston has both a local and national mandate to expand our work to all the many communities still in need.
Everyone deserves the same opportunity to succeed, to have the access to the technological skills and resources so necessary in today's world. We are working to make this equality a reality and ask for your help in our efforts. Think what it means to you to be connected and consider making a donation to our work. Please consider making a contribution to openairboston with your time as a volunteer to help build our network or train residents, with your connections by forwarding this email to those who may want to join our cause, or with your financial assistance. All donations are welcomed at our website and we encourage you to follow our progress on facebook and twitter.
I hope you will join us. The future of Boston lies before us - let's connect.
This picture is of the commotion near the MGH red line station on Wednesday night after the tunnel fire caused the shutdown of the MBTA red and orange lines.
Original Tweet: http://twitter.com/vcuinfosec/status/4028390977
Sent via TweetDeck (www.tweetdeck.com) Kenneth M. Smith
CISSP CISA GCIH
& Privacy Consulting
Phone: 978-595-1536 (1KEN)
www.Exultium.com Twitter @ken5m1th
I know you get a better exchange rate and all that, but the fact that you ask your customers to write this down on your form means that when it arrives at your location you are now "storing" it, and this is a NO NO. It's intended to confirm card-not-present electronic transactions and the customer themselves should be typing this in. You are putting yourself and your customers at risk by asking for this and storing it.
Not long ago I read this story, "Teller allegedly stole thousands from customers at Peabody bank". I brushed it off at the time. "Jeffrey C. Gautreaux, 25, of Peabody, was indicted in federal court on 17 counts of bank fraud, one count of access device fraud, and two counts of aggravated identity theft for a scheme executed from about July 2005 to June 2006, Acting US Attorney Michael K. Loucks said in a statement." -Source Boston Globe

Just recently I was going through and shredding some older statements and realized that around the time that these crimes allegedly took place, I was the victim of fraud on my Bank of America card. This wasn't a card that I normally used. It had a small balance on it and was rarely used. I remember that the only real 'activity' was that I went to the Bank of America branch (mentioned in the article) and made a payment with a teller, as I didn't want my payment to be late. Then the fun began.

It started with a missing statement. When I spoke with their fraud department I was literally interrogated by multiple people on the phone. They were convinced that I was not the owner of the card and were treating me with great suspicion, and finally I found out why. The address on the account, they informed me, was an address in the Bronx. According to Bank of America, my account mailing address had been changed. It just so happens it was days after I made my payment in person at this branch. Yea, the "change-the-account-mailing-address, wait-for-the-convenience-checks-to-arrive, then-go-spend-those-on-something-expensive scam". The part that didn't make sense is that even if someone were to obtain the account number and expiration date, this isn't enough for them to make an account change like that. Their fraud department insisted that I must have given the information necessary to change the address to someone. This information includes the account number, SSN, birth date, phone number and a few other things that are typical for card accounts.
Here's the thing. No one in this world knows the answers to some of the security questions except for me. I can't get into why I know this, but I do.

A typical card company fraud department will tell you very little about the possible source of the fraud, other than talking about the fraudulent transaction amounts and merchants. Oh, and they will ask you repeatedly if you have ever been to the city in which the fraudulent transactions took place. I was even asked, "Are you sure you haven't lived at that address?". Ugh. I hate when people don't believe me. I did everything that you should do when you have to deal with a situation like this. Note to Bank of America: Telling your customers to "just sign an affidavit and you're all set" is NOT enough. There is much more to do than that, even if you have only suffered card fraud and not true identity theft. After all was said and done I was still left with a feeling that something was very fishy about this.

Once I saw the article I didn't immediately connect the dots, but I came around. Although none of this is concrete, it makes perfect sense that I was a victim of this alleged ex-employee's little scheme. It's over with, but what stays with me is the way Bank of America's fraud department made me feel like the guilty party and that this was all my fault somehow. Bank of America, I had a hunch it was you.
You would think that simply creating yourself a local account with fewer privileges would take care of this. Unfortunately, many applications on the Windows platform were not developed with this in mind; many assume and require that you have Administrator privileges for them to run. You will quickly tire of trying to run certain apps using RunAs, since this solution doesn't share your lower-privileged user profile. Whatever you do after you have initiated something using RunAs will be stored within that privileged account's profile, not the one you initially logged in as.
Fortunately, there are a number of tools to help you deal with this. These tools take one of two approaches:
A. Log in with lower privileges and use a utility to increase privileges when necessary or increase privileges for specific apps.
B. Log in with higher privileges and use a utility to decrease privileges when necessary or decrease privileges for specific apps.
It takes a little time to get one of these solutions working in a way that you can live with every day. Depending on the type of user you are, you may quickly tire of all the tweaking needed and simply give up. I have tested many of the "type A" tools including sudown, sudowin, and Makemeadmin. These tools try to mimic the sudo functionality provided by most UNIX and Linux systems. I have also tested many "type B" tools such as PSExec or Drop My Rights. What did I find? None of them are perfect. And some of them can be dangerous if you are not careful!
For now, on Windows XP systems, I have found that the most realistic thing to do is to log in with the least privileges needed to do your work (without breaking the apps that you use) and reduce the privileges of the processes that access the Internet. For many that might mean continuing to log in locally with administrative privileges. But by running certain applications with reduced privileges, you are making your system less vulnerable to successful malware exploitation. After all of my testing, my opinion is that using something like PSExec or DropMyRights is a good choice.
For many IT folks I feel that the best solution (for now) on Windows XP is going with the type B approach - logging in with higher privileges and using a utility to decrease the privileges of Internet applications (such as Web Browsers, Twitter clients, etc.) and others that you know will work without Administrative privileges. Two that work similarly are PSExec and DropMyRights.
For non-IT and home users, I suggest trying a type A solution to increase privileges when needed. Home users may find it especially challenging to get some games to work (for your kids of course ;-) when using a less-privileged account. The vendors will tell you that you must have Administrative rights, but I have been successful in getting all such apps to run under a Power User account by understanding the file system and registry permissions that the application expects. I'll tell you more about that in another blog update.
There are also some slick commercial tools available to address this issue; I will write up something on that soon. Whatever you choose, be sure to make a system backup before you start playing with any of these tools. You have backed up your system recently, haven't you?
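The type B approach described above (log in with higher privileges, drop them for the Internet-facing programs), as an added example that is not from the original post and not from the PsExec or DropMyRights authors: a small PowerShell wrapper that launches a program with reduced rights from an administrative logon. It assumes PsExec.exe (Sysinternals) and DropMyRights.exe are on the PATH, and the script name and the program path used in the usage comment are placeholders of mine.

```powershell
# Start-Reduced.ps1 (hypothetical name): launch a program with reduced rights
# from an administrative logon. Added example, not the post's own code.
# Assumes PsExec.exe and DropMyRights.exe are reachable via PATH.
#
# Usage (placeholder path):
#   .\Start-Reduced.ps1 -App 'C:\Program Files\Mozilla Firefox\firefox.exe'
#   .\Start-Reduced.ps1 -App 'C:\Program Files\Mozilla Firefox\firefox.exe' -Method dropmyrights -Level C
param(
    [Parameter(Mandatory = $true)]
    [string]$App,                       # full path of the program to launch

    [ValidateSet('psexec', 'dropmyrights')]
    [string]$Method = 'psexec',         # which tool strips the privileges

    [ValidateSet('N', 'C', 'U')]
    [string]$Level = 'N'                # DropMyRights level: Normal, Constrained, Untrusted
)

if (-not (Test-Path -LiteralPath $App)) {
    throw "Application not found: $App"
}

switch ($Method) {
    'psexec' {
        # -l runs the process as a limited user: the Administrators group is
        # stripped and only the privileges of the Users group remain.
        # -d returns immediately instead of waiting for the program to exit.
        & psexec.exe -accepteula -l -d $App
    }
    'dropmyrights' {
        # DropMyRights.exe <path> [N|C|U]; N (normal user) is enough for
        # browsers and mail clients and breaks the fewest applications.
        & DropMyRights.exe $App $Level
    }
}
```

To confirm the rights really were dropped, launch cmd.exe through the same wrapper and run `whoami /groups` in that window: the Administrators group should be listed with the "Group used for deny only" attribute. whoami ships with Windows from Vista onward; on Windows XP it comes from the Support Tools. Anything you open from inside the reduced process (for example a download launched from the browser) inherits the reduced token, which is exactly what you want for Internet-facing applications.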
Why so much credit and "good" publicity for Heartland Mgmt for not practicing proper risk management?
What annoys me is seeing those that were in IT Management (leading up to and at the time of the breach) being put up on a pedestal. Especially those that were ultimately responsible for the information security of the organization. It strikes me as odd that this occurred on their dime and they are now making dollars because of it. I'm not blaming them directly, at least I don't think I am.
Regardless of who ultimately turns out to be "the bad guy" in the whole Heartland breach fiasco, most breaches (the publicly disclosed ones anyway) are ultimately found to be avoidable. Most could have been avoided by having an information security program that's properly aligned with the organization's overall risk management program. The PCI DSS is supposed to promote this model, but many organizations jump right to focusing on meeting the minimum requirements of the DSS. Having a QSA (Qualified Security Assessor) wave his magical Report-On-Compliance wand and deem you PCI compliant isn't the solution.
First, I highly recommend that everyone read this article "The Anatomy of the Twitter Attack" from techcrunch. It's probably almost 6 pages long, but worth the investment.
What can be done to prevent these continued account compromises?
Set this new email address to forward to your real email account and set its password to something very complex. Write the login ID (email address) and password down and keep them somewhere safe and secure. You should not need to log in to this account often at all. Warning: Don't use an email service that disables your account after a certain period of inactivity. This is how the perpetrator in the latest Gmail-Twitter hack was able to reset the password of the victim's Gmail account. Don't give this email address to anyone. Now, change your login name on the sites in question (webmail) to the one you just created. Remember to only change your login ID and leave the email address set to your primary (public) email address. While you're at it, you may as well change your password to something strong that you will remember.
3. Use a secure password manager. Let's face it, we don't all have amazing memories especially as we get older. Do you really expect users to set a different complex password for each of the sites and services they use and change them on a regular basis to another complex password? It's a pipe dream. Anyone who does this is probably using one of the many available login ID and password management tools available.
One of the great things about such tools is that most of them have a strong password generator built in. Once you are accustomed to using a password management tool, you will then find it very easy to start doing things like setting unique login IDs for each of the sites or services you use. There are some great solutions that will even synchronize with your mobile phone if you need access to login information when you are away from your PC.
I have tested and used many of these password management tools, and will post a follow-up that will provide an overview of my experiences.
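What the built-in generator of a password manager does, as an added example that is not from the original post or from any password manager product: a PowerShell function that draws each character from the .NET cryptographic random number generator (Get-Random is not a CSPRNG) with rejection sampling so every character of the alphabet is equally likely, and reports the entropy of the result. The three site names at the bottom are constructed sample values.

```powershell
# Added example, not the post's own code: a password-manager style generator.
function New-StrongPassword {
    param(
        [int]$Length = 20,
        [string]$Alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.?'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = $Alphabet.ToCharArray()
    $n     = $chars.Length
    # Largest multiple of $n that fits in a byte; bytes at or above this value
    # are thrown away, otherwise "byte % n" would favour the low characters.
    $limit = 256 - (256 % $n)
    $buf   = New-Object byte[] 1
    $out   = New-Object System.Text.StringBuilder

    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$out.Append($chars[$buf[0] % $n])
        }
    }

    # Entropy in bits: log2(alphabet size) per character. 20 characters from an
    # 85-character alphabet give about 128 bits, far beyond anything memorable.
    $bits = [math]::Round($Length * [math]::Log($n, 2), 1)
    New-Object PSObject -Property @{ Password = $out.ToString(); EntropyBits = $bits }
}

# Constructed sample: one unique password per site, to be kept in the vault, never reused.
foreach ($site in 'bank.example', 'webmail.example', 'social.example') {
    $p = New-StrongPassword -Length 20
    "{0,-16} {1} ({2} bits)" -f $site, $p.Password, $p.EntropyBits
}
```

Two things matter more than the alphabet: that the source of randomness is cryptographic, and that a site's password is never derived from another site's. A generator like this is only useful together with the vault that stores the results, which is the point of using a password manager rather than trying to remember them.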
1. Internally 'publicize' some recent incidents to your user community. Reference such things as http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009 and break down how they occurred and where the mistakes were made. Pick some examples that are from companies in the same or similar businesses. Don't get overly technical here. The intent is to get everyone to understand that their actions, no matter how small, contribute to the company being able to stay out of the newspaper. An incident will hurt the company, and therefore could impact their job.
2. Put together some high-level (plain English) training material, such as a Frequently Asked Questions, on the areas in which you get the most questions from your participants from step 1. Make sure every question is clearly answered.
3. Follow this up with a more formal awareness program to help reinforce good decisions. Host a lunch-and-learn that breaks down your policies in plain English. Make this as interactive as possible. Add some role playing.
Once you do the basics (set up Gmail, Google Calendar, and Google Docs if you'd like), you just need to set up Google Sync for your mobile device (for calendar and address book) and configure your device to connect to Gmail via IMAP. You should use IMAP instead of POP if you can; it's more secure and more efficient. Now everything is in sync. The only thing that I don't think you can currently sync is the to-do list.