Ditch SMS for True Second Factor Authentication

At one point, getting a text message with a code seemed like a great way to provide more identity and authentication assurance. Phone networks are out of band from email, the cost of sending the message is relatively inexpensive, and few people are without a cell phone these days. As it gained popularity, SMS-based authentication got the attention of cyber criminals and they soon exposed a number of high- and low-tech attacks that make SMS authentication unreliable. I’ve been on a kick to turn on any 2nd-factor authentication option possible in every site/service that I use. Lately, however, I’m switching to real 2nd-factor options that include apps, U2F, or other methods. To that end, I recently published an article that ...

Brando’s Rules for Success

I’ve had a few folks ask me if I could attribute any big life lessons that have helped me get to where I am. Things like the Golden Rule or an extremely healthy amount of respect for karma (both of which would be true for me) came to mind, but I was able to distill my guiding principles into this: Show up. Don’t be a dick. End of list. Let’s dive deeper. Show up. This rule can mean a lot of things, which is why I love it. It’s extremely versatile. Be physically present and on time to appointments when required. Don’t be a flake. Fulfill your commitments (and communicate EARLY if you need to adjust them, bad news does ...

PCI Council Loses $600K in Revenue, PO Population on the Decline

Last year I released a blog post and a GitHub repository with some code to calculate how much money the PCI Council brings in annually, with an estimation of lifetime revenue. There are some MAJOR assumptions in there that can swing the revenue in either direction. And, of course, there are already new programs that the Council will happily charge for that have been released since my initial commit (3DS Assessors, 25 of those with each individual consultant paying $1,400 per exam). I’ll work on that soon. I was meeting with some industry people this week and thought I’d check up on the old numbers to give the package a refresh. As it turns out, the number of Participating Organizations ...

No Need to Sign

If you went shopping on Sunday and happened to notice that a signature was not required for your credit card purchase, that wasn’t an April Fools’ joke. Back in December & January, the major payment networks all announced they were dropping the signature requirement. Even MORE time saved when paying for things! I’m sure many of you are like me in that you didn’t even put your actual signature on those papers or electronic signature capture devices. The only time I have been serious about it is when I travel abroad. Those cashiers are very good at matching your signature to what is signed on the back of the card.

So You Want to Gong-Fu?

The Gong-fu Tea Ceremony is a celebrated method for brewing and enjoying tea (here’s another instructional video, and here are two posts with awesome info). When you start to spend money on higher quality leaf, the gong-fu tea ceremony will yield better results for a more immersive and enjoyable tea experience. Even lower quality tea can taste much better using the gong-fu method! Full disclosure: I’m just as lazy as the next guy some days. There are times where I can barely be bothered to rip open a single serve teabag of Queen Anne and throw it into a mug with hot water. I also have a few different ways I make loose leaf tea that are simple and get ...

What’s the craic on KRACK?

For those who are not familiar with the Irish slang, read this. We got another fun named vulnerability this week that goes after WPA2 encryption, something that is ubiquitous but not impenetrable. Key Reinstallation Attacks, or KRACK for short, exposes a weakness in the WPA2 protocol. It’s an attack on the protocol itself, so anything that is unpatched and properly implemented to the Wi-Fi and WPA2 standard is vulnerable. Patches are already well on their way to being released and deployed. But this problem is going to stick around for a long time like Shellshock and Heartbleed. Many Wi-Fi hotspots are running outdated firmware that cannot be upgraded in some cases. Just like Shellshock and Heartbleed, the only way to ...

Why PCI DSS 4.0 Needs to be a Complete Rewrite

The last month has been tough for our coastal regions and based on what forecasts show for the rest of the season, we’re not out of the woods. If you have not donated to those affected by these massive storms, please consider doing so today. The group that received my donations this time around is Direct Relief, but there are plenty to choose from. Thankfully, the Council canceled the Community meeting due to Irma (albeit, probably two days too late). It was the right decision. Hopefully, the vendors who have spent money with the Council will get some kind of relief for this year. Given that the conference didn’t happen, there was a missed opportunity to discuss the future of PCI ...

Equifax is only half the problem, your SSN needs a redesign!

The Social Security Number in the United States is the closest thing we have to a national identification system. It’s widely used to deal with the government, open lines of credit, and serves as the unique ID for a taxpayer. It’s effectively your financial and governmental digital footprint identifier against which all actions are compared. Great, right? We can use it to ensure people pay their taxes, connect bank records and large financial transactions to an identity, ferret out money laundering and illicit business, and get a personal balance sheet on anyone who has credit. Except, once that number is disclosed, it’s disclosed. Unlike a payment card number, there is no wide-scale method to reissue a social security number. Like ...

Orfei Steps Down

In a rather surprising announcement, admittedly to a guy who is farther and farther removed from the PCI DSS ecosystem with each passing day, the PCI Council announced that Steven Orfei is stepping down as GM. His tenure was rather brief in comparison to Russo’s, but it’s a thankless job that probably gets even more thankless with every passing day. I wonder who will be next to steer the ship?
