Wednesday, September 23, 2009

First Data and RSA to Provide Tokenized Card Processing

As you know, I pretty much constantly complain that no one ever does anything to inherently improve the state of data security when it comes to credit cards. The brands are always blame shifting, and merchants get left holding the liability bag and paying for everything.

Well, I'm not going to suggest that First Data has solved all of these problems, but what I will say is that I think they've put a stake in the ground with this new service. Their new "Secure Transaction Management" service uses RSA's tokenization technology on the endpoints to minimize the use of credit card data throughout the enterprise. Partnering with RSA on this product gives it some credence. Merchants aren't inclined to trust a payment processor who makes claims about the security of a technology unless a trusted third party gets involved and vouches for it.

This obviously isn't my Utopian solution. I think card data needs to be public-key-exchange based, starting on the card. I realize that this makes me some sort of fringe lunatic thinker. However, given that wholesale changes at Visa aren't likely, First Data's STM seems like a pretty good idea.

The only concerning part of the press release was this:

"The service uses First Data infrastructure by storing credit card data in secure servers for future retrieval by the merchant if necessary, while returning tokens to the merchant for use in their systems, Capellas said."

There's still a certain amount of faith that this product places in the merchant to determine what is "necessary." People like to store things that they're not supposed to, and making the data available to them practically guarantees that they'll find a way to use it inappropriately.

That said, this is the first time I've seen a payment processor take an active role in providing a product that has a security layer as a core part of the offering. Nice work guys.

One piece of advice: keep an eye on those "secure servers" that store data for "future retrieval."

Tuesday, September 1, 2009

Social Engineering Implications - Improper Logo Usage!

Whenever we do a pentest that has a social engineering phase in it, an important part of the test is to consider all of the parties involved, the vector of attack, and the potential outcome of the attack. By doing this, you only add the necessary amount of risk to the business required in order to demonstrate the vulnerability.

Either that, or you trigger an emergency alert scenario that goes out to all credit unions on behalf of the NCUA.

This happened during a penetration test being run by a company called "Microsolved" which was being conducted for a specific credit union.

This is a pretty clear example of how a poorly planned social engineering scenario can backfire: it falsely alerted thousands of people to a threat that didn't exist, potentially wasting millions of dollars in preparation and execution of incident response plans for an incident that never happened.

Don't get me wrong, mock scenarios are great for testing plans. They are, however, not that great when they exercise the plans of companies who are not involved in the penetration test.

Furthermore, the person at the credit union who was responsible for the pentest apparently went on vacation while the test was occurring:

"But, on the day the package was received, the person responsible for the test was out of the office. So the employee who received the suspicious letter, which bore a NCUA logo and the bogus signature of former Chairman Michael Fryzel, reported it to the NCUA fraud hot line."

The other part of this story that I found fascinating is the NCUA's response to all of this, which pretty clearly had little to no executive involvement, and wasn't reviewed by anyone with responsibility for security or compliance. They say, and I quote:

"Credit unions are not authorized to create facsimile documents bearing NCUA logos or signatures, or to improperly represent communications from NCUA, even during the legitimate conduct of business, such as a computer security assessment."

Seriously? The federally sponsored organization that supervises federal credit union activity is more concerned with... improper logo usage than with the implication that they were tricked into sending out alert letters to nearly 8000 companies.

I guess I'd better take this Kellogg's sticker off my sniper rifle. They might get the wrong idea about me being a cereal killer.