Wednesday, December 21, 2011

Happy Holidays, and Thank You

This is a good time to say "thank you," and wish a Happy Holiday and peaceful new year to everyone (both of you) who follows this blog. This has been an interesting year in PCI (we got version 2 rolling) and, unfortunately, information security (for a slide show of the biggest security breaches of the year, click here).

It has also been a great year for the Treasury Institute. We had the biggest PCI Workshop ever in May, and I personally look forward to trying to top that program in 2012 with more great presentations, speakers, and opportunities to network with other schools. I didn't get to attend the annual Treasury Institute Symposium this year, and I won't make this year either (I've already booked for some onsite work), but you should check it out. Charleston should be beautiful.

Personally, it has been the busiest of years. I found myself flying about 100,000 miles (not points, actual miles) this year. That meant I was on the road a lot, and I'm still trying to figure out if my wife thinks this is a good or a bad idea... Somehow, I managed to survive the middle seats, delayed flights, standby anxiety, and TSA security theater. I think next year I'll just buy more caramel corn at the airport to smooth out the travels.

In addition to traveling, I managed to blog more than I ever imagined with posts here, my (almost) weekly column at, and at 403 Labs' own blog. Throw in a week at RSA and really interesting speaking gigs with EDUCAUSE, SACUBO, and a few others, and it was a pretty interesting year.

Thanks to all of you who are clients, thanks to all of you who are not, and thanks to the Treasury Institute for all they do.

See you all in 2012.

Friday, December 16, 2011

The Bad Guys are not Nice Guys

According to the excellent Krebs on Security website, the Manhattan police have released indictments on 55 people who were part of the gang responsible for a string of identity thefts in New York. The details are disturbing for a couple of reasons.

First, a number of them were associated with financial institutions or a charity. That is where they seem to have gotten some of their information. The ring also included everything from money mules to a UPS driver who is accused of diverting cards.

Another disturbing part is that the people were affiliated with criminal gangs, and two of the people under suspicion turned up murdered during the course of the investigation.

As I and others have said before, the people trying to steal payment card data are sophisticated criminal enterprises. They are not all overseas. Protecting the cardholder data and other personal data entrusted to you is important. Those of you securing your systems and protecting the relationships with your students, parents, alumni/ae, and donors are doing good work. Keep it up!

The bad guys (and they definitely are "bad") are not taking the Holiday off. I heard from one school that they are getting people attempting to donate with a credit card that turns out to be stolen. What is happening is that the "donor" is using the school to check out if a card has been reported lost or stolen yet. If the "gift" goes through, my guess is the next step is to the nearest electronics store or online retailer. Naturally, the donation is charged-back by the rightful card owner, but by then it's too late. The school loses the gift and gets to pay transaction costs on the way.

Monday, December 12, 2011

PCI Council's Open Mic Meeting

The PCI Council held an "Open Mic" session today for Participating Organizations this morning. Here are some of the highlights.

  • A major focus was soliciting feedback on the both PCI DSS and PA-DSS. Each PO (and this includes NACUBO, so get us your feedback!) can make up to five comments or requests for clarification/change to the standards. The deadline to submit feedback is April 1. Tom Davis and I will be tracking ideas, and we will provide feedback in time.
  • There was review of the three Special Interest Groups (SIGs) for 2012: Risk Analysis, Cloud Computing, and eCommerce for Level 3 and 4 merchants. Since the eCommerce SIG has the greatest potential benefit for Higher Ed institutions, I joined that SIG. I am looking forward to participating actively and developing some good guidance that will benefit institutions of all sizes. If your school is a PO, it's never too late to join a SIG...I'd welcome the company!
  • Training continues to be a Council priority. There will be two webinars addressing training sessions and schedules early in the new year (January 26 and 31).
  • We can expect to see some more guidance on mobile computing in 2012.
  • We might also see some additional guidance on tokenization. I got the feeling the Council felt that the current documentation was enough, but they would do more based on what they see early in the new year.
  • Lastly, Bob Russo (General Manager of the Council) acknowledged the increased interest in skimming at the POS (see a previous post, here). Bob's advice was that the best defense against skimming is vigilance by front line staff spotting changes or differences. He also pointed out that the Council has an excellent document addressing skimming (click here to download a copy). He noted that it was among the most frequently downloaded documents on the site (and deservedly so, IMO!).
There is a second session scheduled for Wednesday, and the recording of each session should on the Council's website soon. I believe they will be generally available if you want to listen.

Wednesday, December 7, 2011

Top 25 Security Influencers

This morning I saw an interesting list of the Top 25 Influencers in Security You Should be Following put out by Tripwire. It is not a complete list, but it has some really good names there. I follow a number of them, and I actually know a few of them well enough that we talk, email, and occasionally even meet up face-to-face.

I suggest you check your list of blogs or your Google Reader (or whatever reader you might use) and see if you want to add some of the blogs from these people. My own personal list of security blogs, of course, is on the can see it, just over there under the Walt's Recommended Blogs list. Your list will vary depending on your own interests, but as you do your end-of-year cleanup, you might want to update your list with some of these from Tripwire.

Tuesday, December 6, 2011

PCI Council Open Mic Sessions

The PCI Council will hold two Open Mic sessions, December 12 and 14th. If your institution is a Participating Organization, you should have received an email invitation with instructions on how to register for a session. Since the Council's email contained a registration code, I assume the sessions are restricted to POs only.

Since NACUBO (in conjunction with the Treasury Institute) is a PO, I plan to attend the December 12th session. I'll report on particularly interesting comments or outcomes here as appropriate.

Friday, December 2, 2011

ACH email Scams May Be a Teachable Moment

Have you received any of those "Your ACH has failed" or "NACHA Transaction Alert" emails in the past few weeks. I have, and I deleted them immediately. I did that because they are spam.

If you received these emails, then you noticed they were very brief. They also contained a link or downloadable file, which I really, really hope you didn't click.

The good news is that these emails are a teachable moment. My colleague, Morgan Tremper (he runs our scanning support group and is a general security whiz) wrote a good piece at the 403 Labs blog (you can click here to read it). He says it better than I, so I won't repeat his thoughtful analysis.

My point is that in this season of endless appeals for our generosity, it may be a good time to alert all your staff that it is no time to go clicking on ANYTHING in an email they were not expecting.

Call me a Grinch if you like, but I'd rather be a safe Grinch than Pwned. That is not a very good holiday gift, either.

Protect Your POS Devices, NOW

Just because you are a Higher Ed institution does not mean the bad guys have not targeted you. Unfortunately, the University of California Riverside just found that out. In a news release the school advises that campus cash registers at food service locations were compromised, and that up to 5,000 individual card numbers may have been compromised. These cards didn't just belong to students, but may have included parents and visitors, too.

I don't have any specific information on this breach other than what is in the release. What they do say, though, is disturbing: "The hacker had unauthorized access to card numbers, cardholder names, card expiration dates and an encrypted version of debit card pin numbers [sic]."

Attacks -- both physical attacks on POS like skimming (as I wrote about here) and "cyberattacks" on Web-facing systems -- increasingly target smaller businesses like higher education. Why? The reason seems to be because smaller businesses have poor security or none at all.

You do not want to have to go to your president to ask for budget (to set up a website, field calls, write a FAQ, etc.) and approve a press release telling your students, parents, alums, and friends to "monitor card activity carefully, and report any suspicious activity."

Protecting the POS should be part of your annual security training. The bad guys are out there. They target higher ed institutions. And if you are compromised, please know you cannot expect any special treatment from the card brands as far as fines or other penalties. You are a merchant, and you lost the data. Game over.