COLUMN

Security Blog Log: The sobering scope of data fraud

By Bill Brenner 17 Mar 2006 | SearchSecurity.com Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

---------------------------------------------------------------------------------------------------------

Last week, I mentioned how Citibank was forced to put a freeze on PIN-based transactions after discovering a wave of fraudulent debit card use in at least three countries.

It has since become clear that Citibank's misfortune may be part of something bigger: a global surge in debit card fraud that suggests the bad guys have cracked more banking networks than first thought.

The affair has left some bloggers to wonder if financial institutions are being reckless in how they store customer data, turning payments by debit card into a game of Russian roulette.

About Security Blog Log Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com. Recent columns: A DRM threat to lives and infrastructure? Hacking for grades causes a stir Hey, Mac. Is that a worm in your Apple?

Noting the recent bust of an alleged debit fraud ring in New Jersey, network security professional Martin McKeay wrote in his Network Security blog that merchants are playing with fire by hanging on to debit card data, which more times than not becomes too tempting a target for the digital underground to pass up.

"I still wonder why any merchant would be keeping magnetic stripe information from a debit card along with the PIN, even if they are encrypted," he said. "I foresee either new industry compliance regulations" or several new state laws "coming out of this event."

He said he hopes other businesses are examining their data retention policies regarding debit card information and weighing the pros and cons of holding onto that information. "I hope they realize that there's no positive benefit to keeping the information in the first place."

Chris Jay Hoofnagle, senior counsel for the Electronic Privacy Information Center (EPIC), offered several examples of lax security in the banking industry in his EPIC West blog.

"We're always hearing that financial institutions take security seriously," he said. "I've always believed it because banks are ultimately liable to the consumer if money is stolen. But there is mounting evidence that security isn't taken as seriously as the banks say."

He offered these examples:

• A man tears up a credit card application into little pieces, reassembles it, fills it out (and changes the address), and sends it in. The card arrives less than one month later (to the different address).
• Another man scribbles his signature on credit card receipts until they become unreadable. He even writes "I stole this card" on one receipt. In every instance, the signature is accepted.
• That same prankster calls Visa and gets through security by mumbling his mother's maiden name.
• A man receives a credit card application in his dog's name, so he completes it, noting that the applicant works at the "Pupperoni Factory." The card arrives in the mail.
• An entire series of cases document situations where someone puts incorrect personal information on the credit application, but still gets the account.
• Finally, identity theft continues to be the top consumer complaint to the Federal Trade Commission.

Perhaps, Hoofnagle said, "it's accurate to say that security is taken seriously, but profit is taken more seriously."

Tags: Client security,  Network Device Management,  Security Event Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Client security DLP technology challenges security costs Endpoint protection best practices manual: Combating issues, problems Kaspersky update for SMBs in wake of free Microsoft Security Essentials Microsoft makes free antivirus software widely available Security best practices in hotels Best Antimalware Products Perimeter defense in the era of the perimeterless network Microsoft Security Essentials (MSE) shows no vision, expert says Smart tactics for antivirus and antispyware Top tactics for endpoint security Network Device Management Researchers find thousands of flawed embedded devices Is there a way to block iPhone widgets that bypass Web filters? Will an application usage policy best control network bandwidth? What is the difference between static and dynamic network validation? How to manage network bandwidth with distributed ISP bandwidth DNSSEC deployments gain momentum since Kaminsky DNS bug Firewall rule management best practices What are best practices for fiber optic cable security? The requirements for being a PCI DSS-compliant service provider Enterprise UTM security: The best threat management solution? Security Event Management Network traffic collection, analysis helps prevent data breaches Best Security Information and Event Management Products Understanding PCI DSS compliance requirements for log management Data breach notification legislation: What info must be released? How to prevent a denial-of-service (DoS) attack Mature SIMs do more than log aggregation and correlation The top 5 network security practices SIMs tools and tactics for business intelligence SIEM: Not for small business, nor the faint of heart Should IDS and SIM/SEM/SIEM be used for network intrusion monitoring?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary brute force cracking  (SearchSecurity.com) buffer overflow  (SearchSecurity.com) Crash Course: Spyware  (SearchSecurity.com) email spoofing  (SearchSecurity.com) phishing  (SearchSecurity.com) rootkit  (SearchMidmarketSecurity.com) social engineering  (SearchSecurity.com) Wired Equivalent Privacy  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary