Category Archives: Consumer Security

On Self-Driving Cars

What could possibly disrupt the great wheeled livery disruptor Uber? Self-driving cars can certainly take a chunk of money away from them for those of us who have cars, but use Uber to take us around when we go out with friends. It won’t topple Uber like they have toppled taxis, but it will pull some share. Self-driving cars and other livery are the focus of much debate in a number of different circles. Unions, lawmakers, citizens, and technologists all have opinions on the viability of the technology. To be clear, I love the concept. I think the technology has a ton of promise, much like many other things that technology companies are contributing to the automotive industry. But much like other ...

CurrentC, Off to a Rough Start

Last week we saw a flurry of announcements around CurrentC, a merchant-driven alternative payment scheme that is designed to cut the costs from electronic payment processing. Sure, they didn’t demonstrate a great approach to security with the notification of their breach last week, but no payment information was put at risk. CurrentC is designed to work in a similar manner as Apple Pay (enabled by a smartphone), but it is platform independent and works using QR codes to transact business. Essentially, any merchant with a scanner that can read a QR code would theoretically be able to accept this form of payment. That brings in grocery stores and big-box retail for sure as most use some kind of scanning technology to assist in ...

Enable 2-Factor Everywhere

Dropbox is the latest victim to announce that a third party (Snapchat was last week) integration caused a ton of their usernames and passwords to be leaked on Pastebin. At this point, most of our super-useful cloud services (Evernote, Twitter, Facebook, Google, and Dropbox to name a few) all have the ability to turn on some kind of stepped-up authentication. Some of these use Google Authenticator, which couldn’t be any easier to use than it already is (probably). So after you go change your Dropbox password (to something unique, not used on any other website), take a few moments to step up your authentication with 2-factor authentication. It will only take you a few minutes, and it will provide much ...

Shellshock and the Cyber Safety Program

I recently had a conversation with Josh Corman of IAmTheCavalry where he shared with me his open letter to the automotive industry. Entitled the Five Star Automotive Safety Program, it outlines five specific areas that affect information security, and thus will affect the safety of humans that rely on those systems. The five areas are: (1) Safety by Design, (2) Third-Party Collaboration, (3) Evidence Capture, (4) Security Updates, and (5) Segmentation & Isolation. When Josh and I first chatted, I was wary of number 4. Not the fact that security updates are needed, but that there must be a mechanism by which updates can be automatically deployed (not by taking a car to the repair shop). Could someone create a cyber-zombie army by taking over an ...

Apple Pay is Not P2PE, and Does Not Replace PCI Compliance

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard which was implemented in both the chip and contactless variants for payments. It is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...

Side Channel Attacks for PINs

I found this Lifehacker post this week and I am totally loving the demonstration he gives in his video. Anyone who has watched a crime drama knows that people are filthy beings that leave traces of themselves wherever they go. It could be DNA from skin cells or hair, prints from our shoes, or a heat signature from touching something. In the video, Mark Rober shows you how an iPhone attachment can pick up the PIN code you just entered into a terminal to pay for goods and services. He even gives you some ideas on how to avoid getting hit. For those of us that saw Bob Arno at the Community meeting last week and saw the coordinated shoulder ...

Does Apple Pay Signal the Beginning of the End of PCI?

Whether you are a fanboy or not, you have probably seen some news about Apple’s new Apple Pay feature in the iPhone 6. It appears that the sleeping giant of digital wallets is stirring from his slumber. Could this spell the end of PCI DSS for the majority of companies affected by the standard? The last few decades have seen a number of companies attempting to disrupt or revolutionize payments, but like the payment card brands themselves, they battled acceptance. Apple’s new iPhone 6 finally has Near Field Communication (NFC) built into the device, which means it can now interact with contactless payment card readers. The dream of leaving your house with only your phone is not quite a reality ...

Why won’t you change your password?

There was a very interesting post by Punam Keller last week on the HBR Blog Network on the psychology of passwords. This isn’t like the previous posts you have seen on this blog. While I tend to focus on the technical problems and ways around them, Keller explores the behavioral aspects of passwords and our general resistance to do what we all know is right. She highlights four attitudes that people have when it comes to passwords: (1) people who don’t know they should change their passwords, most likely by intentionally ignoring information that indicates they should; (2) people who know they should change it, but avoid doing it because they think password theft and misuse will happen to someone else; (3) people who ...

Don’t Listen to this ConsumerReports Advice

Lifehacker recently posted something from ConsumerReports where an author suggested asking a hotel manager for their [PCI DSS] Attestation of Compliance. Asking someone for an AoC is an exercise in futility. There is one piece of advice that is good (use credit, not debit), but the construct of asking for an AoC is really not good advice. There are a number of reasons for this. Many hotels with your favorite brands are actually smaller properties owned and operated by individual owners. Even if they have an AoC, it’s probably done from the perspective of a Self Assessment Questionnaire, which does not require a third party to review. I promise you that the vast majority of front desk clerks and managers ...

More Fun with EMV

Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch entitled, “Inside Risks EMV: Why Payment Systems Fail.” For those of us in the US that are now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues that we will face here in the US, including some of the attacks that were common in other implementations of EMV. Turns out, the French may be the best experts at cracking this thing. EMV tokens make an appearance in the article, but there ...
