Finally, Twitter has implemented 2-factor authentication for their accounts. It is made possible with SMS messages: when you log in to your Twitter account, in addition to username and password, you will be prompted for a 6-digit code which is sent to your mobile phone. Similar technology is used by some other companies (for example, Facebook and Bank of America). This is not the best solution (what if you are located out of the service area?) but it is better than nothing. There are more robust solutions, which also use the mobile phone, implemented, for example, by Google or PayPal. They utilize software tokens: different smartphone apps (Google Authenticator and VeriSign VIP respectively) that, however, do the same thing: display a new temporary code every minute. Such an app generates the numbers from a preset initialization vector and a mathematical formula, which does not require any server connection. Therefore, a phone with such an app can be used offline, the same way as a classic hardware token like RSA SecurID.
Testing stolen credit card dumps
Carders test their dumps of stolen credit cards on charity websites. This is not new. But the amount of such a transaction is normally very small, several cents, just to test the validity of the account. The founder of the Jack and Jill Foundation actually confirms it: "the foundation was receiving international donations as small as two cents".
Once the account is validated (the donation succeeded), there is no need to run more transactions with this card, as it is now ready to be used for online purchases or to make a counterfeit card and shop in a store.
What is unclear about the victim: how did the total amount of such fraudulent test transactions come to $170,000?! If the transactions were tested with a $0.02 amount as he claims, they must have run 8.5 million cards! That was a really good batch!
Credit card skimmers were found at Chevron and Valero gas stations in California:
"The skimmers were attached internally... Nobody would have noticed these devices just looking at the outside of these pumps. But when you open them up to change, say, a credit card receipt reel, then they're easily noticeable."
Here is the proposed solution for payment data security:
"All the clerks have checked the pumps and they're continuing to check them on a daily basis so if any more of these are installed they should be taken down fairly quickly".
Sounds like an effective Intrusion Detection System.
Breach expense protection
An interesting version of a solution for payment security problems.
The security controls include the following mechanisms:
1. "Security policy that fulfills the PCI DSS requirements"
2. "Online self-assessment questionnaire wizard"
3. "Reimbursement of up to $100,000 per merchant location for certain breach related expenses, with a combined per occurrence and aggregate yearly limit of $500,000. The breach funds are intended to cover the costs of the required forensic audit, replacement of affected credit cards, resulting fines from PCI Security Standards Council members and telephone consulting support"
I would like to get a trial version!
Visa credit card swipe fees in the US are 10x higher than in Europe. I guess we are paying the price for frequent card data breaches.
"Credit card swipe fees in the U.S. are up to 4 percent of the transaction value, while the new Visa rate in the EU will be 0.3 percent. These sky-high swipe fees mean higher prices on virtually everything in the U.S., even if you pay by cash or check. If U.S. credit card swipe fees were the same as the EU rates, Americans would save $40 billion annually."
Refuse to be Terrorized
I have been comparing several Track/PAN detection tools, and this one looks pretty good. Later on I am going to publish a comparison chart of several such products (both commercial and free). If you have any comments or links, please let me know.
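To show what such a tool actually checks, here is a minimal Track/PAN detector as an added example (not one of the tools being compared): it looks for ISO 7813 track 1 and track 2 layouts and for bare 13-19 digit runs, keeps only Luhn-valid hits, and reports them masked. The sample buffer is constructed from the public Visa test number 4111... and a fake cardholder.

```python
"""Minimal Track/PAN detector, the kind of check a card-data discovery tool
runs over files or memory dumps. Added example; sample data is constructed."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^\^]{2,26}\^\d{7}[^?]*\?")
# ISO 7813 track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{7}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf: bytes) -> list:
    """Return (kind, offset, masked_pan) for every Luhn-valid hit in buf."""
    hits, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                hits.append((kind, m.start(), mask(pan)))
                covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue  # already reported as part of a track
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(pan):
            hits.append(("pan", m.start(), mask(pan)))
    return hits


# Constructed sample buffer (Visa test PAN, fake cardholder) as a log file or
# memory dump might hold it; the last number fails the Luhn check on purpose.
SAMPLE = (b"junk\x00\x01%B4111111111111111^DOE/JOHN^2512101123456789?\x00"
          b";4111111111111111=25121011234567890?\x00"
          b"order 4111 1111 1111 1111 total 12.34\x00"
          b"ref 4111111111111112 end")

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

On the sample it reports one track 1, one track 2 and one bare PAN hit, all masked as 411111******1111, and ignores the Luhn-invalid number.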
The National Security Agency has declassified a document which previously was a secret guide to search engine hacking, including Google and Yahoo. In fact, this is a full-size book (640 pages) called Untangling the Web: A Guide to Internet Research.
Interesting quote from the introduction:
"We pay for the benefits of the Internet less in terms of money and more in terms of the currencies of our age: time, energy, and privacy."
Intel in PCI compliance business
I thought Intel just powered my laptop. I was wrong. It also sells PCI compliance... I am sorry... PCI appliances. I am curious whether this is an indication of how important PCI is or of how bad CPU sales are these days.
Was the MAPCO security breach caused by new malware, or maybe by one of those recently reported in the grocery breaches?
It sounds like RAM scraping:
"The payment card processing systems in our stores transmit credit and debit card information needed to process card transactions initiated by our customers. This information is not stored by MAPCO and is only held in these systems for minutes. We believe the hackers were able to access this card data when the malware was active on the systems."
Recently discovered RAM scrapers (aka memory-parsing malware):