Category Archives: Consumer Security

EMV as an E-Commerce Fraud Driver

Oh what a year it has been so far. Breach here, breach there, breaches everywhere! EMV to the rescue, right? RIGHT?!? Well, yes and no. EMV does add tremendous security (when configured properly) to a Card Present (CP) transaction, but EMV does nothing to help the security of Card Not Present (CNP) transactions. And given the increased digitization of business and commerce, we would expect that over time the number of CNP transactions will increase at the expense of CP transactions: as more digital business models let people purchase goods and services without physically presenting their card, people will opt for that style because it could be seen as more convenient. Don’t forget that CNP transactions ...

Heartbleed and Passwords

Right around this same time last week there was a flurry of activity for those responsible for deployments leveraging OpenSSL. Yep, I’m talking about Heartbleed. So after we go through all of the patching and re-keying, it’s now time to consider password changes. This post isn’t about Heartbleed, it’s about passwords and what the bad guys already know. Melanie Pinola from Lifehacker wrote a very interesting piece on Friday about how our password tricks don’t fool the modern hacker. I’m not sure what happened to recommendation number 3 in her piece, but 1, 2, and 4 are spot on. What’s the solution? Ultimately it comes down to using some software to help you out. Password managers are now built into some ...

For the Super Geeky Crypto Guys

Of course, if you are a super geeky crypto guy (of whom I am envious, because math is not my strong suit) you probably already saw this amazing paper by Daniel Genkin, Adi Shamir (the S in RSA), and Eran Tromer in which they demonstrate a side-channel attack against RSA encryption. Since the math behind RSA is such that decryption becomes infeasible through brute force, attackers must get creative in how they go after the cryptosystem. Previous attacks on prime number generation have been published, as well as attacks on weak software implementations that leak parts of the key. But this one is really ingenious. The authors are able to extract the RSA key by simply listening to the noise put ...

I Thought We Were Done With These?

Well, it appears that the bad guys hit another giant retailer this year as Target now reports a massive breach. There are a few items here that are interesting to note. First, we are talking about magnetic stripe and a massive volume of cards in a short period of time. This would indicate some kind of software compromise (read: not an attached skimmer) that led to the capture of stripe or PIN data. Given that there is a concern about PIN, I would guess that the compromise was either in the POS terminal or in the actual payment terminal itself where the PIN is entered. Breaches of this magnitude obviously call their compliance status into question, and the devil will ...

EMV vs the UPT, Can We Fix the #FAIL?

Update Nov 4, 2013: I was in the UK last week and it looks like the Underground has fixed their terminals to allow the use of the chip at a UPT! This is great news. My guess is there is some upper limit to what can be accepted without signature and it is now implemented. Well, it has struck again. Remember how I told you guys about some of my EMV experiences now that I have a card with the chip in it? Well, it struck again… but not in the place you might think! I’m here in Salt Lake City, Utah, and I decided to take advantage of the lovely public transit (UTA) by hopping on the light rail ...

Fixing the CAs, A New Approach

The last few years have been a bit rough for Certificate Authorities (CAs) as hackers have figured out how to obtain certificates in a manner that erodes trust in the system. Not only have they gone after the middle-men in the chain of certificates, but they have gone directly after major CAs, effectively compromising the entire system. There have been a few alternatives proposed, such as Notary, and now the Certificate Authority Security Council (CASC) has proposed a new model that leverages OCSP stapling, a technology designed to fix one major issue with the revocation process. Before OCSP and OCSP stapling, we had Certificate Revocation Lists (CRLs). This fail-safe is designed to allow for an issued certificate to be revoked, ...

IDC Releases Alarming Trends for the Digital Universe

Nobody disputes the growth of digital information over the last decade, enabled by developments in storage technology that have been put to use in the hands of consumers. We all create content every day; and as the phones get bigger and better processors, cameras, and radios, we can expect this to continue. To put the growth of digital information into perspective, think about how painful it was to download a thirty-second HD movie clip five years ago or an entire music album ten years ago. Now we do it on our phones or tablets without thinking about it (until that data bill comes in!). IDC released a study today (in conjunction with EMC) projecting that the digital universe will be so large ...

Preying on National Disasters: Today’s Get Rich Quick Scheme

Earlier this week we started to see warnings from news outlets, bloggers, and other media warning people about scams to collect money in the aftermath of Hurricane Sandy. Unsolicited calls asking for donations, websites that seem to appear official, and random numbers you can text to donate money automatically start to pop up and disappear quickly. So if you are in a giving mood, how do you tell the good ones from the bad ones? The first thing to be wary of is someone calling your phone and asking for money. It can be a great reminder, but if you want to guarantee your money gets to people in need and not into someone’s pocket, go find your charity of ...

If I Derive PII/PHI, Does It Make A Sound?

The Big Data problem and solution is fascinating. In some respects it is incredibly powerful and has tremendous applications for humanity at large, but other implementations are frighteningly big brother-esque. If you hadn’t heard, Target knows you are pregnant before your family does. They do it by watching your behavior on their website. So the new question that we face is what do we do if we derive or create accurate PII/PHI in the normal course of learning about our customers? I’m worried that companies will recklessly create data about their customers in new ways never before possible, exposing us citizens to many privacy breaches. I’m doing research in this area now, and am very interested to see where this ...

The Apple Incident

This weekend had some interesting security implications for a significant portion of you out there. Mat Honan had his digital life pwned. Erased. Disrupted. Even if only for a few days, I am certain it was incredibly stressful. The kicker here is that it wasn’t some sophisticated hacking scheme that got it done, it was simple social engineering and some crafty computing. Go read about Mat’s story and imagine what it would be like if it happened to you (regardless of your device). Lifehacker also answered a question about this, so check it out if you want to take steps to protect yourself against attacks like this. What I want to talk about today is how that incident forced Apple ...
