Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Whats Worse: Credit Card Or Identity Theft?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/11/2014 | 2:54:28 PM
Re: Identify Theft & bitcoins
@CypherpunkI - In my state -- Massachusetts, they've installed bitcoin ATMS in South Station and a major subway hub. But the state consumer protection agency is advising consumers to be careful.  Personally, I'm still a little bit leery of them..

 
Cypherpunk
50%
50%
Cypherpunk,
User Rank: Apprentice
4/10/2014 | 2:48:26 PM
Re: Identify Theft
Identity theft and credit card data breaches by retail merchants are driving consumers to seriously look at bitcoin as an alternative payment network. Bitcoin transactions are peer-to-peer "push" operations so they do not require any third party intermediary, cannot reveal personally identifying information and are verfified by a worldwide network of computers so the payments are confirmed in minutes instead of hours or days. As an added bonus, transaction fees on the bitcoin network are miniscule compared with credit card fees (~$0.004 paid by the customer, as compared to 3%-5% of the purchase price paid by the merchant to the credit card processor).

The credit card system is entrenched 1950's era technology that hasn't had to evolve for decades; cryptocurrency is 21st century technology that is designed for today's mobile marketplace which places security as the first priority, not tacked on as a hastily-written emergency patch. 
gosmartyjones
100%
0%
gosmartyjones,
User Rank: Apprentice
4/10/2014 | 1:34:50 PM
Without Question, it's Identity Theft
Remember something very important about identity theft, and that's the notion of "one and done". You only have one birthdate, social security number, and other unique vitals. Once they are breached, they've been forever compromised and cannot be changed. As a PCI-QSA, breaches occur – and will continue to occur – but how lasting is the damage, really? You can replace your credit card number, but not your unique vitals and it's why I strongly favor compliance assessments that should be focusing on critical aspects of Personally Identifiable Information (PII). 

Only in very extreme circumstances can you get another social security number, but as for credit cards, just give your bank a call.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/10/2014 | 12:39:00 PM
Re: Identify Theft -- Awareness Training
I did read it, and unfortunately, I'm not surprised. In fact, I'm inclined to think that the survey results may have understated the number of users who were not trained. Additionally, it begs the question whether or not the training was actually effective. Unfortunately, the true measure of effectiveness would be the examination of a breach to see if it was a direct result of unsafe practices. Accidental exposure does occur, and it can be argued that accidents are a result of unsafe practices, but we are all human beings and we do have weaknesses. So on a more practical side, the measure of effectiveness cannot devolve to a simple Q&A test - it has to be a simulated real world test like an internal social engineering exercise. Automated auditing tool reports can also provide data regarding those practices; i.e. filters or applications that prevent storage of PII or PHI or CC data in insecure locations such as workstations, etc. An example of lack of awareness: a few years ago while we were undergoing an HR application implementation, I was contacted by the vendor's conversion specialist to ftp a file so they could import data into the application. The file name was empdata. Naturally, alarm bells rang in my head, and when I examined the contents of the file, I saw that it contained employee data including banking information for direct deposits, SSNs, dependent infotmation, etc. Normally, the ftp request would have gone through someone else in our organization, and not someone in IT, but for some reason, the request came to me. What shocked me was that I was informed that such a request was "routine" and other clients simply complied without question. When I told them that I refused to ftp the file due to security reasons, the conversion specialist asked me if I would email it to them instead of ftp. I almost lost it right then and there. Long story short, I caused the vendor to implement a more secure way of transfering the files, and they made it a standard procedure with all their clients. Imagine a client having to educate an HR software vendor on secure practices regarding sensitive employee information - what's wrong with that scenario? That incident shows the lack of awareness in too many organizations.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/10/2014 | 11:36:40 AM
Re: Identify Theft -- Awareness Training
To your point about security awareness training. Did you read Tim's story today:

Majority Of Users Have Not Received Security Awareness Training, Study Says

The survey of 600 employees, conducted by EMA Research and sponsored by training firm Security Mentor, indicates that 56 percent of workers say they have not had security or policy awareness training from their organizations. The remainder of employees (44 percent) say they have received annual training.

Thoughts on how training can be more prevalent and/or effective? 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/10/2014 | 10:28:39 AM
Re: Identify Theft
@Kerstyn & Neira: Nothing like hitting the nail right on the head! I can't remember how many times I've made that statement about awareness training. Many times, C level executives simply do not see the ROI from awareness training. I attribute this to the failure of security personnel to effectively communicate the business need and impact of all IT security aspects to the organization. If C level executives see IT security in terms of compliance and current bottom line impact only, budget decisions become a matter of spending the least amount to gain an acceptable level of security comfort or compliance. The axiom that compliance equals security has been disproven many times, with the Target breach serving as a glaring example. Security expenditures must be viewed in terms of an investment in the organization's future. Yes, it is intangible, but so are many other investments ourside of security. As far as effectiveness of training, much can be gained by designing the material in such a way that users see a personal gain from it. The training material I prepare frames security practices that affect the organization, and also their personal lives. When seen from that perspective, users will adopt practices that improve the security posture of the organization as well as their own personal security. Not surprisingly, users have thanked me for the information, and told me how they have changed their personal behavior to improve their own personal security, and even disseminated the information in their personal circles. We are creatures of habit and we usually engage in similar practices at home or at work. When you think about it, those practices do not differ much from organizational and personal standpoints. Secure practices do not necessarily have to precipitate from the top down; they can be adopted in a widespread fashion to accelerate and elevate the security posture of any organization much more quickly.
Kerstyn Clover
50%
50%
Kerstyn Clover,
User Rank: Moderator
4/10/2014 | 9:01:37 AM
Re: Identify Theft
Neira,

 

I read over your blog and you touch on a lot of great points that I did not have the space for in my own. This in particular jumped out at me: "...education and awareness is still failing in most organisations as it seems to be merely driven by compliance and regulation..." and I think that almost anyone in the industry would agree.

A lot of security comes from being aware, trained, and practicing frequently. Unfortunately those are all things that can be very difficult to compel companies or people to work on because they tend to be intangible and require a lot of effort.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/9/2014 | 7:54:41 PM
Data Masking and PII
I feel that as the years progress that the amount of data that is considered PII is increasing. I think one reason this situation is difficult is because you have to way data accessiblity versus security. How can you be secure but also be able to perform your tasks? I think one item that might help is data masking. Now understand like encryption methods, authentication, and other security safeguards, this is a measure that can still be exploited but I think that if multiple masking methods are leveraged for different data sets it makes the data that is being worked with much harder to access.

Also we need to realize its impossible to prevent 100% data leakage. We need to focus on the best ways to prevent as much as possible.

Any one else to posit solutions that may help protect against identity theft and data leakage?
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
4/9/2014 | 6:42:44 PM
Re: Identify Theft - a new conversaton
Credit card numbers should really be one-time use numbers.

I wonder if stiffer penalties for identity thieves -- like being forced to manually correct grammatical errors in spam messages -- would create more deterence.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
4/9/2014 | 4:28:06 PM
Re: Identify Theft - a new conversaton
Agreed, that is a much easier conversation to have than to "try" to explain how to straighten out their credit file, fraudulent charges,life, etc.
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.