Wednesday 28 November 2012

Text Spammings, Finally an ICO Fine of Merit

Today the Information Commissioner's Office (ICO) announced a record fine of £440,000 against the owners of Tetrus Telecoms. The ICO stated that the Manchester based Tetrus Telecoms was responsible for sending millions of unsolicited text messages using unregistered SIM cards and personal data obtained illegally. Tetrus Telecoms was said to be sending 840,000 spam text messages a day promoting PPI claims and accident compensation claims, in the hope of earning a referral fee should any of the recipients respond. These referral fees netted the text spammers £8,000 a day. This is a lot of easy money, but it also means that 99.9% of those receiving the texts didn't reply, and so didn't want the text message in the first place.
Who hasn't had a PPI Text Message this year?

Finally the ICO dishes out a fine which is close to its maximum of £500K. The ICO is often criticised as a toothless tiger and its fines have been hit and miss; however, this £440K penalty is the highest amount levied to date.

Finally a significant fine from the ICO against the owners of a private company. I don't agree with the past ICO six figure fines against public sector organisations, such as local authorities and the NHS, as in effect the ICO is taking money out of the public purse. That is not great, especially in these tough economic times, as these fines hit budgets, which in turn hits the provision of public services. Negative publicity and pressure on organisation leaders are the more appropriate way of dealing with publicly funded organisations that breach the Data Protection Act (DPA). Furthermore, public sector fines appear not to be much of a deterrent, as the NHS and local authorities continue to breach the DPA regularly. Private businesses are motivated by financial penalties hitting their profit margins, but the private sector does not have to disclose DPA breaches to the ICO. Also, if a business volunteers for an ICO audit, it appears to be handed a "get out of jail free card" for any data breaches it knowingly has incurred.
Businesses Consider Abusing ICO Data Breach Fine ‘Loophole’

ICO: Inconsistent enforcement action

Finally the ICO gets tough with text spammers, an issue which the vast majority of the UK public actually do care about. Who doesn't hate being bombarded with streams of PPI text messages on their mobile? Most people have received loads of these unwanted texts this year, wondering why such messages are allowed to be sent. But it does raise the question of why it has taken the ICO so long to deal with text spamming, and what about phone call and email spamming, which are equally rife? There are many other UK based illegal spamming operations in play; isn't it in the public interest to have these tackled as well?

Friday 9 November 2012

The Death of PCI: Two-Factor Online Payments

Back in September 2007, I attended the inaugural Payment Card Industry Security Standards Council (PCI SSC) Community Meeting in Toronto. These were the days before PCI was big business; there must have been only a couple of hundred people at the event, held in a typical downtown Toronto hotel. PCI was still finding its feet, and the PCI SSC Board members spent most of the event being grilled by delegates brimming with questions about the PCI standard. It is fair to say some delegates weren't happy chappies at all. I took the opportunity of asking SSC Board members several questions myself; looking back today, some of my questions could be seen as rather naive, given who is behind setting up the PCI SSC and why.

I asked why the PCI SSC doesn't just regulate the card issuers, challenging them with a standard to secure the cards and cardholder data to a higher degree, instead of passing the buck onto everyone else in the industry. I explained how in Europe we had just started using a new two-factor authentication system, Chip and PIN, which was already dramatically cutting face-to-face card fraud (known as cardholder-present transactions). I argued they just needed to replicate that two-factor authentication for the cases where we couldn't prove a person (the cardholder) was in possession of a payment card, specifically telephone, online and perhaps mail order payments (known as cardholder-not-present, or MOTO, payments). My point was that the industry should be focusing on updating the plastic card technology itself, which had been standing still for decades with its 1970s magnetic stripe holding sensitive card data on the back. Wasn't it time to evolve the technology and make the cardholder data itself worthless, in order to combat card fraud more effectively?
Magnetic Stripe
Of course these questions and points all fell on deaf ears, as the PCI SSC is about regulating cardholder data beyond the card issuers, passing the failings and fraud costs of weakly secured plastic cards onto the payment processors and retailers that need to process them for payments. The one big downside to PCI DSS is that companies are paying to protect someone else's data, as cardholder data belongs to the card brands (i.e. Visa, MasterCard, Amex), and not to the cardholders. My gripe is that companies invest more in protecting someone else's data than they do their own confidential information, and, more importantly, more than other people's sensitive personal data. This often leads to their information security budgets being plundered by PCI programmes in order to protect the card brands' data at the expense of protecting citizens' personal data.

Five years on from that Toronto meeting, it has been clear for many years now that Chip & PIN (EMV) works in cutting cardholder-present fraud; every information security professional knows the benefits of using a two-factor authentication system. Only now has North America finally started to push Chip & PIN for cardholder-present transactions, following the European success. Could the penny have finally dropped? Are the card brands and card issuers now seriously thinking about using two-factor authentication to protect online transactions from fraud as well?

To secure online transactions in the same way as Chip & PIN, you need to ensure the cardholder is in possession of their card. This can be accomplished by building a one-time code generator into the card itself, with a thin LCD panel on the card to display the code. The one-time code is generated from a time-based cryptographic sequence, so that each code is valid only for a limited period. The cardholder keys in or speaks this code, which corroborates that the payment card itself is in the cardholder's possession. The security can be seriously ramped up by first requiring the cardholder to type their PIN on the card itself before a code is generated. This gives two-factor authentication for online and telephone (MOTO) payments: proof of possession of the card (something you have), and knowledge of the PIN (something you know). Recently both Visa Europe and MasterCard have announced new cards that do just that.
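To make the mechanism concrete, here is an added example (written for this post; it is not Visa's or MasterCard's implementation, and the post does not say which algorithm those cards use). It assumes the card and the issuer share a per-card secret, that codes are derived TOTP-style (RFC 6238: HMAC-SHA1 over a 30-second time counter, as in RFC 4226 HOTP), and that the card will not show a code until the correct PIN is keyed in. The issuer side recomputes the expected code from its own copy of the secret, tolerates a small clock drift window, and refuses to accept a time step it has already consumed, so a code captured by a phishing page cannot be replayed. The secret is the published RFC 4226/6238 test-vector key so the output can be checked against the RFC; the PIN is a made-up sample value.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters (not from the original post): a per-card secret shared
# with the issuer, 30-second time steps and 6-digit codes. The secret is the
# RFC 4226/6238 test-vector key; the PIN is a constructed sample value.
CARD_SECRET = b"12345678901234567890"
CARD_PIN = "4921"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def card_generate(secret: bytes, pin: str, entered_pin: str, now: float,
                  step: int = STEP_SECONDS):
    """Card side. Something you know: the PIN must match before any code is
    shown. Something you have: the code depends on the secret held in the card.
    Returns None when the PIN is wrong, otherwise the code for the current step."""
    if not hmac.compare_digest(pin.encode(), entered_pin.encode()):
        return None
    return hotp(secret, int(now) // step)


class IssuerVerifier:
    """Issuer side. Recomputes the expected code from its copy of the card
    secret, tolerates `window` steps of clock drift either side, and refuses
    any time step at or before the last accepted one (replay protection)."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # already consumed: a captured code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, candidate).encode(), code.encode()):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    issuer = IssuerVerifier(CARD_SECRET)
    now = time.time()
    # Wrong PIN: the card shows nothing, so the secret is never exercised.
    assert card_generate(CARD_SECRET, CARD_PIN, "0000", now) is None
    code = card_generate(CARD_SECRET, CARD_PIN, CARD_PIN, now)
    print("card shows", code, "-> issuer accepts:", issuer.verify(code, now))
    print("replay of the same code -> issuer accepts:", issuer.verify(code, now))
```

The drift window is the practical caveat: a card has no network clock, so the issuer has to accept a step or two either side, which is why the replay check is keyed on the time step rather than on the code value alone. A real deployment would also rate-limit failed attempts and lock the card after repeated PIN failures; neither is shown here.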

MasterCard's Two-Factor Payment Card


Visa's Two-Factor Payment Card

Why we want one of those
Most card consumers don't want gimmicky pictures of themselves on their payment cards; we want two-factor authentication for all our card payments, not just at the checkout. Why? Because consumers actually do care about having their accounts hit by fraudulent transactions, and do want to be decently protected, as when all is said and done, consumers foot both the card fraud bill and the retailers' PCI bill. This new generation of cards deals with the root cause of the card fraud problem, the weakly secured plastic itself, and has to be the best way forward.

Death of PCI
For retailers, if all cards switched completely to two-factor authentication, it could finally mean they don't need to protect cardholder data, certainly not to the same degree as at present, which really could spell the death of PCI. We'll have to wait and see whether this 'not new' technology takes off in the industry, but I don't think PCI DSS will be around a decade from now.

Saturday 3 November 2012

4 Ways Your Child is Vulnerable to Identity Theft

A scary American-made awareness video on child identity theft by Good Money. It's titled "5 Ways", but it's actually 4 ways for UK parents; we can ignore number 2, on Social Security numbers.

My recommendation is to educate your children and teenagers and monitor their online activity, and to teach them to protect their personal information and their digital footprint online.

5 Ways Your Child is Vulnerable to Identity Theft Online from Good Money by CreditScore.net on Vimeo.

According to the United States Bureau of Justice Statistics, in 2010, 7% or “8.6 million households had at least one member age 12 or older who experienced one or more types of identity theft victimization.” But identity theft is not just reserved for tweens and adults. In this age of information, children are increasingly vulnerable to the same kinds of attacks that cripple credit scores and bust bank accounts. Check out this video to learn about five ways you could be exposing your child’s sensitive information to identity theft.

Friday 2 November 2012

UK InfoSec Review for October 2012

UK Police net suspected phishing gang http://www.scmagazineuk.com/police-net-suspected-phishing-gang/article/266148/
  • UK police have arrested three men suspected of being involved in thousands of phishing attacks on banking customers.
  • One Nigerian and two Romanian men were arrested at a central London hotel on conspiracy to defraud and money laundering charges.
  • The three men were allegedly involved in an operation that placed over 2,000 phishing pages on the internet.
XSS remains the most frequently attacked website flaw according to FireHost http://www.securityweek.com/cross-site-attacks-rise-top-q3-says-firehost
  • The third quarter of 2012 showed another increase in attacks against cross-site scripting (XSS) flaws on websites.
  • Analysis of 15 million cyber attacks recorded against FireHost customers found XSS, directory traversal, SQL injection and cross-site request forgery (CSRF) attacks to be the most serious and frequent; FireHost groups these four as its 'Superfecta'. In Q3 of 2012, XSS and CSRF represented 64 per cent of attacks in this group.
  • The report claimed that XSS is now the most common attack type, with more than one million XSS attacks blocked during this period alone, a rise from 603,016 separate attacks in Q2 to 1,018,817 in Q3. There were 843,517 CSRF attacks reported.
Android apps 'leak' personal details http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
  • Android apps can be tricked into revealing personal data, research indicates.
  • Researchers tested 13,500 Android apps and found almost 8% failed to protect bank account and social media logins.
  • These apps implemented SSL/TLS incorrectly (for example by accepting any server certificate), allowing "man-in-the-middle" attacks to reveal data passing back and forth when the device communicates with websites.
  • Given the use of Android in BYOD schemes by businesses, this is a risk worth investigating further.
Cost and education are the biggest hindrances and failings around PCI compliance, according to a Vigitrust survey
Microsoft rejects digital certificates with RSA keys shorter than 1024 bits
  • Microsoft Security Advisory: Update for minimum certificate key length http://technet.microsoft.com/en-us/security/advisory/2661254
  • Microsoft said that certificates with RSA keys less than 1024 bits in length will be blocked. Microsoft has recommended that those using RSA keys choose a key length of at least 1024 bits, after it spotted a number of digital certificates that did not meet its standard for security practices.
  • I recommend businesses adopt 2048-bit RSA certificates by default for all applications and services.
EU and banks stage DDoS cyber-attack exercise
  • The European Union has responded to an increase in the number of Distributed Denial of Service (DDoS) attacks with its biggest cybersecurity exercise.
  • Enisa (European Network and Information Security Agency), which is co-ordinating the event, said 25 nations actively participated in the practice run in October, and a further four countries were observing. But it would not specify the names of the states or organisations involved.
  • DDoS attacks have been increasing over the last couple of years.

Thursday 1 November 2012

UK Data Protection Review for October 2012

ICO fines Stoke-on-Trent City Council £120,000 after sensitive information about a child protection legal case was emailed to the wrong person
  • 11 emails containing sensitive information relating to the care of children were sent to the wrong address by Council employees.
  • The fact that the emails and attachments were not encrypted was the root cause of the seriousness of the incident, leading to the high fine. An encrypted file cannot be opened by an unintended recipient who does not hold the key; therefore it is best practice to use file encryption on any document containing sensitive personal information sent outside a company's infrastructure via email.
ICO fines Greater Manchester Police £150,000 following the theft of a memory stick holding sensitive personal data from a police officer’s home
  • The ICO action was prompted by the theft of a memory stick containing sensitive personal data from a police officer’s home. The memory stick was not encrypted and contained details of more than a thousand people with links to serious crime investigations.
  • The ICO found that a number of police officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers for access away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
ICO serve a £70,000 monetary penalty to Norwood Ravenswood after sensitive information about four children was lost after being left outside of a house
  • A social worker, who worked for Norwood Ravenswood, left the detailed reports at the side of the house on 5 December 2011, after attempting to deliver the items to the children’s prospective adoptive parents. At the time neither occupant was at the house, but when they returned to the property the reports were gone. The information has never been recovered.
  • The reports contained sensitive information, including details of any neglect and abuse suffered by the children, along with information about their birth families. The ICO’s investigation found that the social worker had not received data protection training, in breach of the charity’s own policy, and received no guidance on how to send personal data securely to prospective adopters.
  • In this case the lack of data protection awareness training provided to the social worker was identified as the root cause of the incident; therefore the business was held to account and fined.
ICO release a statement stating it was concerned with personal data protection within local government and the NHS
  • The ICO published four reports which summarise the outcomes of over 60 ICO audits carried out in the private, NHS, local and central government sectors.
  • In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend, with only one out of 19 organisations achieving the highest mark. Central government departments fare little better, with two out of 11 organisations achieving the highest level of assurance.
ICO issues two monetary penalties over £250,000 to two marketers responsible for distributing millions of spam texts
  • Spamming is just wrong, especially all those PPI text messages going around at the moment; nice to see the ICO going after someone for doing it.