Categories Archives: Consumer Security

Why won’t you change your password?

There was a very interesting post by Punam Keller last week on the HBR Blog Network on the psychology of passwords. This isn’t like the previous posts you have seen on this blog. While I tend to focus on the technical problems and ways around them, Keller explores the behavioral aspects of passwords and our general resistance to doing what we all know is right. She highlights four attitudes that people have when it comes to passwords: People who don’t know they should change their passwords—most likely by intentionally ignoring information that indicates they should. People who know they should change it, but avoid doing it because they think password theft and misuse will happen to someone else. People who ...

Don’t Listen to this ConsumerReports Advice

Lifehacker recently posted something from ConsumerReports where an author suggested asking a hotel manager for their [PCI DSS] Attestation of Compliance. Asking someone for an AoC is an exercise in futility. There is one piece of advice that is good (use credit not debit), but the idea of asking for an AoC is really not good advice. There are a number of reasons for this. Many hotels with your favorite brands are actually smaller properties owned and operated by individual owners. Even if they have an AoC, it’s probably done from the perspective of a Self Assessment Questionnaire which does not require a third party to review. I promise you that the vast majority of front desk clerks and managers ...

More Fun with EMV

Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch entitled, “Inside Risks EMV: Why Payment Systems Fail.” For those of us in the US that are now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues that we will face here in the US, including some of the attacks that were common in other implementations of EMV. Turns out, the French may be the best experts at cracking this thing. EMV tokens make an appearance in the article, but there ...

EMV as an E-Commerce Fraud Driver

Oh what a year it has been so far. Breach here, breach there, breaches everywhere! EMV to the rescue, right? RIGHT?!? Well, yes and no. EMV does add tremendous security (when configured properly) to a Card Present (CP) transaction, but EMV does nothing to help the security of Card Not Present (CNP) transactions. And given the increased digitization of business and commerce, we would expect that over time the number of CNP transactions would increase at the expense of CP transactions. Meaning, as more digital business models drive people to purchase goods and services without physically presenting their card for purchase, people will opt for that style as it could be seen as more convenient. Don’t forget that CNP transactions ...

Heartbleed and Passwords

Right around this same time last week there was a flurry of activity for those responsible for deployments leveraging OpenSSL. Yep, I’m talking about Heartbleed. So after we go through all of the patching and re-keying, it’s now time to consider password changes. This post isn’t about Heartbleed, it’s about passwords and what the bad guys already know. Melanie Pinola from Lifehacker wrote a very interesting piece on Friday about how our password tricks don’t fool the modern hacker. I’m not sure what happened to recommendation number 3 in her piece, but 1, 2, and 4 are spot on. What’s the solution? Ultimately it comes down to using some software to help you out. Password managers are now built into some ...

For the Super Geeky Crypto Guys

Of course, if you are a super geeky crypto guy (of which I am envious because math is not my strong suit) you probably already saw this amazing paper by Daniel Genkin, Adi Shamir (the S in RSA), and Eran Tromer in which they prove a side-channel attack against RSA encryption. Since the math behind RSA is such that decryption becomes infeasible through brute force, attackers must get creative in how they go after the protocol. Previous attacks on prime number generation have been published, as well as weak implementations of software that leak parts of the key. But this one is really ingenious. The authors are able to extract the RSA key by simply listening to the noise put ...

I Thought We Were Done With These?

Well, it appears that the bad guys hit another giant retailer this year as Target now reports a massive breach. There are a few items here that are interesting to note. First, we are talking about magnetic stripe and a massive volume of cards in a short period of time. This would indicate some kind of software compromise (read, not an attached skimmer) that led to the capture of stripe or PIN data. Given that there is a concern about PIN, I would guess that the compromise was either in the POS terminal or in the actual payment terminal itself where the PIN is entered. Breaches of this magnitude obviously call their compliance status into question, and the devil will ...

EMV vs the UPT, Can We Fix the #FAIL?

Update Nov 4, 2013: I was in the UK last week and it looks like the Underground has fixed their terminals to allow the use of the chip at a UPT! This is great news. My guess is there is some upper limit to what can be accepted without signature and it is now implemented. Well, it has struck again. Remember how I told you guys about some of my EMV experiences now that I have a card with the chip in it? Well, it struck again… but not in the place you might think! I’m here in Salt Lake City, Utah, and I decided to take advantage of the lovely public transit (UTA) by hopping on the light rail ...

Fixing the CAs, A New Approach

The last few years have been a bit rough for Certificate Authorities (CAs) as hackers have figured out how to obtain certificates in a manner that erodes trust in the system. Not only have they gone after the middle-men in the chain of certificates, but they have gone directly after major CAs, effectively compromising the entire system. There have been a few alternatives proposed such as Notary, and now the Certificate Authority Security Council (CASC) has proposed a new model that leverages OCSP stapling, a technology designed to fix one major issue with the revocation process. Before OCSP and OCSP stapling, we had Certificate Revocation Lists (CRLs). This fail-safe is designed to allow for an issued certificate to be revoked, ...

IDC Releases Alarming Trends for the Digital Universe

Nobody disputes the growth of digital information over the last decade enabled by technology developments in storage further put to use in the hands of consumers. We all create content every day; and as the phones get bigger and better processors, cameras, and radios, we can expect this to continue. To put the growth of digital information into perspective, think about how painful it was to download a thirty second HD movie clip five years ago or an entire music album ten years ago. Now we do it on our phones or tablets without thinking about it (until that data-bill comes in!). IDC released a study today (in conjunction with EMC) projecting that the digital universe will be so large ...
