The Logic Group Blog

Welcome to The Logic Group Blog, where our experts will share their views on customer interaction and give you their take on the industry developments affecting you today.
On the 7th November, the Payment Card Industry Security Standards Council (PCI SSC) published version 3.0 of the PCI Data Security Standard (PCI DSS) and the related Payment Application Data Security Standard (PA-DSS). With an increased focus on education, awareness and security as a shared responsibility, the new standards aim to help merchants make payment security part of their ‘business as usual’ activities. Whilst the amount of effort and time required to transition to 3.0 will depend on the context of the organisation, and many may not have significant changes to make to adhere to the new standards, others will have their work cut out. Are you ready to adapt to these changes?
November 25, 2013

The new Annual Fraud Indicator from the National Fraud Authority (NFA) was published this morning and makes some interesting reading.

The headline figure which everyone will pick up on is that the loss to the UK economy to fraud each year is estimated to be £73Bn. Considering the previous estimate in 2011 was £38Bn, has fraud really increased twofold? The answer, unsurprisingly, is that it hasn’t; what has changed is the inclusion of new areas of the economy not previously considered in scope and a step change in the methodology used.

So what are the interesting facts in the report?


March 29, 2012

Well, as usual, I attended PCI London this week, which is probably my fourth or fifth one over the years. As always it was very well attended, which was encouraging, as it demonstrates that merchants, schemes and service providers continue to treat security seriously, even in these difficult times.

It has been interesting to see the changes in approach.

Initially, at my first one, the event had an educational bias: “What is PCI DSS, who does it impact, what does it mean?”

Then it moved to a more supplier-centric focus, with many presentations talking about technology and solutions which would allow a merchant to meet a variety of controls within the standard.


January 27, 2012

Well, they have arrived. After more than a year of discussion and debate, the new requirements for Point to Point Encryption (P2PE) have finally been released by the PCI SSC.

These requirements, which are contained in Point to Point Encryption: Encryption, Decryption and Key Management within Secure Cryptographic Devices (Hardware/Hardware) v1.0, were released this month and define how a payment solution provider may validate its P2PE solution, thereby allowing merchants to reduce the scope of their PCI DSS assessments when using that solution.


October 11, 2011

I returned from holiday to find that another attack vector has raised its ugly head. Reading the latest news, at least two hundred fraudulent SSL certificates (and possibly over five hundred) have been issued from a trusted root certificate authority (CA). In this case, it appears that DigiNotar, the Dutch trusted third party, has been breached and spoof certificates for common domain names including google.com have been issued. This follows on from a breach at Comodo earlier in the year.

What are the implications of this? Well, the DigiNotar root certificates are included within the trusted root authority stores of all common browsers, meaning that the fraudulent certificates would have been trusted when creating an SSL connection. They can be used to set up encrypted connections to spoof sites to which sensitive information could be transmitted, or to mount Man in the Middle attacks.


September 12, 2011

As we have seen, contactless payments are beginning to move into the mainstream. As my colleague Mark Carpenter noted in his blog, support for contactless transactions is moving out from the metropolis, even to the rarefied environs of his country retreat.
July 22, 2011

I was recently browsing, when I came upon an interesting article.

It was discussing the Monty Hall problem.

For those of you who don’t know, this problem is based on a US quiz show and has caused a huge amount of debate at various times in the past. The idea is as follows.

A contestant is asked to look at three closed doors and told that behind two of them is a goat and behind the other there is a sports car. Choose the correct door and you get the car; choose incorrectly and you go home with an old goat. (Please add your own joke here)


June 28, 2011

I have just been reading the new guidance provided by the PCI SSC on Virtualisation. This document has been long anticipated, having been pre-announced at the PCI SSC User Forum back in October 2010.

The document includes advice for local virtualised servers and environments as well as advice for those merchants considering a wholesale switch to cloud computing in whatever flavour they believe beneficial. It covers a wide range of options and topics and the authors are to be congratulated on the output they have achieved.


June 27, 2011

Well, looking at the latest news, Sony Corp. still remains in the spotlight. A new hacking group seems to have made Sony Corp. the focus of its current efforts. However, I believe the most interesting incident from a security perspective is the attempted break-in at Lockheed Martin and the recent announcement from RSA regarding the replacement of SecurID tokens.
June 24, 2011

What a busy year we are having. Following the release and implementation of the Payment Card Industry (PCI) Data Security Standard (DSS) v2.0, the PCI Security Standards Council (SSC) has just released its new version of the PCI DSS Prioritised Risk Approach for PCI DSS v2.0.

Available from all good websites, this new document outlines the six milestones which make up the Prioritised Approach to PCI DSS. As many of you are aware, acquiring banks have been increasingly measuring their merchants’ progress towards PCI DSS compliance by their achievement of the milestones, with Milestone 1 being assessed as the most important, covering areas such as cardholder data flows, sensitive authentication data and cardholder data retention, down to Milestone 6.


June 9, 2011

As I ask the question I can hear the thud of exasperation from overworked network administrators. Surely not another awareness day or preparatory day for the masses; haven’t network administrators enough work to handle?

Well, I suspect they do; however, World IPv6 Day does have a serious intent. World IPv6 Day is scheduled for June 8th, and a number of notable sites such as Google, Facebook and the like will be enabling their web services to be served over IPv6 for a test period of 24 hours.

Why? Well, the internet is running out of network addresses; in fact it pretty well has, and IPv6 is the solution. When IP was first developed, 4.3 billion addresses seemed sufficient, but with the number and diversity of devices looking to connect ever increasing (think of the proverbial internet-enabled fridge or power smart meter) this is far too small. IPv6 provides far more addresses: 3.4 x 10^38, to be exact. However, IPv6 is far more than simply a greater address range; it is the next generation of IP and has significant changes from the current IPv4 protocol stack.


May 24, 2011

I wonder what the Japanese is for “when you are in a hole it’s usually a good time to stop digging”?

I read the new Sony press release with some bemusement, the one with regard to the loss of a further 25 million customer details from Sony Online Entertainment. The release had the following statement:

information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained.

I wonder if Sony are aware of the Payment Card Industry Data Security Standard (PCI DSS) since they are very effectively stating their non-compliance.


May 5, 2011

Today we hear confirmation of a breach of the Sony PlayStation Network, with the loss of millions of account names and personal details and potentially the loss of payment card details such as the payment card number and expiry date, but excluding the security code.

The type of data rumoured lost includes names, addresses, email addresses, account names, account passwords, relevant date of birth and answers to security questions. By security questions one presumes the questions would be of a similar type to: What is the name of your pet?

So should we be concerned?


April 27, 2011

Why is it that, whenever there is a breach of a company’s security, it is always attributed to the work of sophisticated cyber criminals? Is this because it really does take a sophisticated criminal to breach an environment these days, or do victims prefer to characterise the cleverness of the criminal rather than the weakness of the security environment?


April 13, 2011

Following recent news that more than two-thirds of companies have been hit by data breaches over the past year, the report featured in Computer Weekly is an interesting, if not alarming, confirmation that fraud is on the rise. Although person-present payments have improved security measures due to developments in global security standards like PCI DSS, cyber attacks continue to be an area of vulnerability for businesses across the UK.


November 26, 2010

In many cases executive IT and security professionals trust their Information Security departments to provide adequate security to protect employees while operating in their business environment. However, it is rare for users to extrapolate this security to a home environment.

What does this mean in practical terms? Well, an enterprise will normally provide a risk analysis of a security threat and then provide adequate controls to mitigate that risk to an acceptable level, and users need to consider the same things when at home. So what are the considerations which IT directors should take into account when looking at cyber security provisions for mobile workers?


November 16, 2010

According to the January 2010 report from the National Fraud Authority, fraud now costs the UK an eye-watering £30 billion a year. 58% of fraud is committed in the private sector, with tax fraud hitting £15.2 billion, and, in the private sector, financial services companies and organisations are said to suffer yearly losses of £3.8 billion through crimes including mortgage and insurance fraud, online banking, cheque and card fraud.
November 10, 2010

In the past decade there has been a sharp increase in focus on the security of cardholder data held by third parties. High profile data breaches and the associated losses resulting from the fraudulent use of compromised cardholder data have made global headlines and have struck fear into consumers and merchants alike.
October 14, 2010