Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Whats Worse: Credit Card Or Identity Theft?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 2:54:28 PM
Re: Identify Theft & bitcoins
@CypherpunkI - In my state -- Massachusetts, they've installed bitcoin ATMS in South Station and a major subway hub. But the state consumer protection agency is advising consumers to be careful.  Personally, I'm still a little bit leery of them..

User Rank: Apprentice
4/10/2014 | 2:48:26 PM
Re: Identify Theft
Identity theft and credit card data breaches by retail merchants are driving consumers to seriously look at bitcoin as an alternative payment network. Bitcoin transactions are peer-to-peer "push" operations so they do not require any third party intermediary, cannot reveal personally identifying information and are verfified by a worldwide network of computers so the payments are confirmed in minutes instead of hours or days. As an added bonus, transaction fees on the bitcoin network are miniscule compared with credit card fees (~$0.004 paid by the customer, as compared to 3%-5% of the purchase price paid by the merchant to the credit card processor).

The credit card system is entrenched 1950's era technology that hasn't had to evolve for decades; cryptocurrency is 21st century technology that is designed for today's mobile marketplace which places security as the first priority, not tacked on as a hastily-written emergency patch. 
User Rank: Apprentice
4/10/2014 | 1:34:50 PM
Without Question, it's Identity Theft
Remember something very important about identity theft, and that's the notion of "one and done". You only have one birthdate, social security number, and other unique vitals. Once they are breached, they've been forever compromised and cannot be changed. As a PCI-QSA, breaches occur – and will continue to occur – but how lasting is the damage, really? You can replace your credit card number, but not your unique vitals and it's why I strongly favor compliance assessments that should be focusing on critical aspects of Personally Identifiable Information (PII). 

Only in very extreme circumstances can you get another social security number, but as for credit cards, just give your bank a call.
User Rank: Ninja
4/10/2014 | 12:39:00 PM
Re: Identify Theft -- Awareness Training
I did read it, and unfortunately, I'm not surprised. In fact, I'm inclined to think that the survey results may have understated the number of users who were not trained. Additionally, it begs the question whether or not the training was actually effective. Unfortunately, the true measure of effectiveness would be the examination of a breach to see if it was a direct result of unsafe practices. Accidental exposure does occur, and it can be argued that accidents are a result of unsafe practices, but we are all human beings and we do have weaknesses. So on a more practical side, the measure of effectiveness cannot devolve to a simple Q&A test - it has to be a simulated real world test like an internal social engineering exercise. Automated auditing tool reports can also provide data regarding those practices; i.e. filters or applications that prevent storage of PII or PHI or CC data in insecure locations such as workstations, etc. An example of lack of awareness: a few years ago while we were undergoing an HR application implementation, I was contacted by the vendor's conversion specialist to ftp a file so they could import data into the application. The file name was empdata. Naturally, alarm bells rang in my head, and when I examined the contents of the file, I saw that it contained employee data including banking information for direct deposits, SSNs, dependent infotmation, etc. Normally, the ftp request would have gone through someone else in our organization, and not someone in IT, but for some reason, the request came to me. What shocked me was that I was informed that such a request was "routine" and other clients simply complied without question. When I told them that I refused to ftp the file due to security reasons, the conversion specialist asked me if I would email it to them instead of ftp. I almost lost it right then and there. Long story short, I caused the vendor to implement a more secure way of transfering the files, and they made it a standard procedure with all their clients. Imagine a client having to educate an HR software vendor on secure practices regarding sensitive employee information - what's wrong with that scenario? That incident shows the lack of awareness in too many organizations.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/10/2014 | 11:36:40 AM
Re: Identify Theft -- Awareness Training
To your point about security awareness training. Did you read Tim's story today:

Majority Of Users Have Not Received Security Awareness Training, Study Says

The survey of 600 employees, conducted by EMA Research and sponsored by training firm Security Mentor, indicates that 56 percent of workers say they have not had security or policy awareness training from their organizations. The remainder of employees (44 percent) say they have received annual training.

Thoughts on how training can be more prevalent and/or effective? 
User Rank: Ninja
4/10/2014 | 10:28:39 AM
Re: Identify Theft
@Kerstyn & Neira: Nothing like hitting the nail right on the head! I can't remember how many times I've made that statement about awareness training. Many times, C level executives simply do not see the ROI from awareness training. I attribute this to the failure of security personnel to effectively communicate the business need and impact of all IT security aspects to the organization. If C level executives see IT security in terms of compliance and current bottom line impact only, budget decisions become a matter of spending the least amount to gain an acceptable level of security comfort or compliance. The axiom that compliance equals security has been disproven many times, with the Target breach serving as a glaring example. Security expenditures must be viewed in terms of an investment in the organization's future. Yes, it is intangible, but so are many other investments ourside of security. As far as effectiveness of training, much can be gained by designing the material in such a way that users see a personal gain from it. The training material I prepare frames security practices that affect the organization, and also their personal lives. When seen from that perspective, users will adopt practices that improve the security posture of the organization as well as their own personal security. Not surprisingly, users have thanked me for the information, and told me how they have changed their personal behavior to improve their own personal security, and even disseminated the information in their personal circles. We are creatures of habit and we usually engage in similar practices at home or at work. When you think about it, those practices do not differ much from organizational and personal standpoints. Secure practices do not necessarily have to precipitate from the top down; they can be adopted in a widespread fashion to accelerate and elevate the security posture of any organization much more quickly.
Kerstyn Clover
Kerstyn Clover,
User Rank: Moderator
4/10/2014 | 9:01:37 AM
Re: Identify Theft


I read over your blog and you touch on a lot of great points that I did not have the space for in my own. This in particular jumped out at me: "...education and awareness is still failing in most organisations as it seems to be merely driven by compliance and regulation..." and I think that almost anyone in the industry would agree.

A lot of security comes from being aware, trained, and practicing frequently. Unfortunately those are all things that can be very difficult to compel companies or people to work on because they tend to be intangible and require a lot of effort.
User Rank: Ninja
4/9/2014 | 7:54:41 PM
Data Masking and PII
I feel that as the years progress that the amount of data that is considered PII is increasing. I think one reason this situation is difficult is because you have to way data accessiblity versus security. How can you be secure but also be able to perform your tasks? I think one item that might help is data masking. Now understand like encryption methods, authentication, and other security safeguards, this is a measure that can still be exploited but I think that if multiple masking methods are leveraged for different data sets it makes the data that is being worked with much harder to access.

Also we need to realize its impossible to prevent 100% data leakage. We need to focus on the best ways to prevent as much as possible.

Any one else to posit solutions that may help protect against identity theft and data leakage?
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
4/9/2014 | 6:42:44 PM
Re: Identify Theft - a new conversaton
Credit card numbers should really be one-time use numbers.

I wonder if stiffer penalties for identity thieves -- like being forced to manually correct grammatical errors in spam messages -- would create more deterence.
Randy Naramore
Randy Naramore,
User Rank: Ninja
4/9/2014 | 4:28:06 PM
Re: Identify Theft - a new conversaton
Agreed, that is a much easier conversation to have than to "try" to explain how to straighten out their credit file, fraudulent charges,life, etc.
Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.