Tag Archives: announce

FTC Delays Red Flags Rule for Third Time

The Federal Trade Commission announced a third delay, from August 1, 2009, to November 1, 2009, for compliance with the identity theft prevention Red Flags Rule. Compliance was originally scheduled for November 1, 2008, and was first delayed until May 1, 2009; this third delay adds another three months.

via HIPAA.com – FTC Delays Red Flags Rule for Third Time.

Network Solutions was PCI compliant before breach – SC Magazine US

Web hosting firm Network Solutions on Friday announced that, despite its being PCI compliant, a breach had compromised approximately 573,928 individuals’ credit card information.

…..

Approximately 4,343 e-commerce websites were affected by the breach. Network Solutions could not disclose which merchants were affected but said the victimized merchants sell a wide variety of merchandise and are primarily small businesses.

via Network Solutions was PCI compliant before breach – SC Magazine US.

Microsoft Brings Secure Development Help to Application Developers for Free

Microsoft wants to speed adoption of its security development lifecycle (SDL), starting with the release of a free SDL Process Template that is integrated with the Visual Studio Team System. The company also announced additions to its SDL Pro Network and updates to the SDL process.

via Microsoft Brings Secure Development Help to Application Developers for Free.

PCI appoints new board of advisers

A roster of new organizations will make up the second Payment Card Industry Security Standards Council (PCI SSC) board of advisers, including Bank of America, Wal-Mart and PayPal, the industry standards body announced Monday.

The advisers will replace the inaugural board, which served a two-year term beginning in 2007. The purpose of the board is to provide strategic and technical guidance to the PCI SSC, which manages the Payment Card Industry Data Security Standard (PCI DSS).

via PCI appoints new board of advisers – SC Magazine US.

UC Berkeley Hit With Major Data Theft

If you’re a current or former University of California, Berkeley student, and have taken advantage of the on-campus health services at some point in the past ten years, you may want to check your credit report. The university today announced that it has discovered a massive data theft involving 160,000 current and former UC Berkeley students.

via UC Berkeley Hit With Major Data Theft – Network World.

Heartland Payment Systems (HPY…

Heartland Payment Systems (HPY) has made it back onto Visa’s list of PCI DSS Validated Service Providers. The announcement comes almost …

ATM heists linked to RBS WorldPay data breach

A data breach at US electronic transaction firm RBS WorldPay has been linked to a gang that used debit cards to steal millions of dollars from ATMs.

The FBI has released images of thieves believed to be part of a gang that took money from ATMs in 49 cities around the world using cloned debit cards in late November.

The thefts stemmed from a data breach at RBS WorldPay in which hackers stole the personal data of 1.5 million card holders, in early November, according to the Washington Post.

The thefts, which come within weeks of a data breach disclosure by Heartland Payment Systems, highlight the vulnerability of data processed by these firms.

Heartland, which is being sued for failing to protect customers from identity fraud, has announced a dedicated department to encrypt data on all its systems.


Despite being compliant with the Payment Card Industry Data Security Standard (PCI DSS), cybercriminals were able to gain access to Heartland’s systems.

The PCI DSS does not currently require that credit card data be encrypted on internal networks, which Heartland says it will now implement.

Robert Carr, chief executive of Heartland, has defended the PCI DSS as a good standard, but said increasingly sophisticated attacks demand end-to-end encryption.

Encryption of data in motion between internal systems is the next logical step according to Carr, but he said constant monitoring will always be required.

Carr has called for greater information sharing in the payments industry to prevent cybercriminals from re-using techniques in multiple attacks.

via ATM heists linked to RBS WorldPay data breach | 6 Feb 2009 | ComputerWeekly.com.

Archer Sets Its Sights On IT GRC Rival, Acquires Brabeion


Top contenders in the IT governance, risk, and compliance market merged on Tuesday as Archer Technologies announced it is acquiring Brabeion Software. Forrester projected consolidation as a key GRC market trend for 2009, and we explored the issue further for IT GRC vendors in our report, “Consolidation Looms for the IT GRC Market.”

This was a strong move for Archer, as other, larger vendors are closely eying the IT GRC space for acquisition potential. Along with the acquisition of Paisley by Thomson Reuters last month in the Enterprise GRC space, this is just the beginning of what’s to come over the next 12-18 months. The GRC market as a whole is extremely broad and ripe for growth, but it is also crowded with niche vendors. Market leaders and enormous outsiders will be eager to scoop up as much of the pie as possible, which means more deals are on the way.

via The Forrester Blog For Security & Risk Professionals.

Heartland Payment Systems Reports Breach

Credit card processing company Heartland Payment Systems disclosed today it suffered a malware attack last year. The discovery was made after officials from Visa and MasterCard reported suspicious activity involving processed card transactions.

Payments processor Heartland Payment Systems disclosed today it was hit with a malware attack last year that may have resulted in a large cache of financial data being compromised.

The company said it launched an investigation after officials at Visa and MasterCard reported suspicious activity surrounding processed card transactions. In response, Heartland enlisted forensic auditors to conduct an investigation. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network, Heartland officials said.

In a statement released today, Heartland declared the breach had been contained. The company added that no merchant data or cardholder social security numbers, unencrypted personal identification numbers (PINs), addresses or telephone numbers were involved in the breach. None of Heartland’s check-management systems were involved either, officials added.

“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer, in the statement. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”

In the wake of the incident, Heartland has announced plans to implement a program designed to flag network anomalies in real-time and help law enforcement catch cyber-criminals. The company has also created a Web site – www.2008breach.com – to provide information about the situation. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

“Heartland apologizes for any inconvenience this situation has caused,” continued Baldwin. “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”

Based in Princeton, NJ, Heartland provides credit, debit, prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.

via eWeek.

Motorola’s New Wireless Firewall

The Enterprise Mobility arm of Motorola today announced a new wireless firewall designed to protect retail clients from the kinds of WLAN attacks to which firewalls optimized for wired infrastructure may be blind.

Calling it “the industry’s first wireless firewall,” Motorola says its solution meets the requirements of the latest Data Security Standards enforced by the Payment Card Industry (PCI) by providing clean separation between wireless and wired networks. Used in conjunction with Motorola’s AirDefense wireless intrusion prevention systems (WIPS), the firewall protects sensitive information, such as credit card data, by employing “unparalleled” traffic inspections at every network layer.

Motorola says its “enhanced stateful Wireless Firewall” is easy to deploy and integrates with leading enterprise authentication systems.

“There are a multitude of challenges for retailers to protect against,” said Kevin Goulet, senior director of product marketing, Enterprise WLAN Division of Motorola’s Enterprise Mobility Business unit. “Threats into networks are becoming commonplace. As the network expands, it is making the edge of that network more vulnerable. We saw the need for additional protection, not only protection between the outside Internet and the inside network, but also from the killers at the edge.”

The TJX scandal and other high-profile retail data breaches attributed to lax WLAN security have made retailers more aware of risks, and the PCI requirements help ensure greater levels of security are enforced.

“Our retailers are aware that their networks are vulnerable and need to be protected,” said Goulet. “The headlines over the past year or two, and other areas, have made them more aware than other industries. There are also retailer requirements for passing credit cards over a WLAN; they must be PCI-compliant to maintain their ability. We see the retail industry as being more aware and proactive in protecting than other industries. They see everything from DOS attacks to rogue devices.”

The fine for businesses recklessly transmitting customer credit card and personal information can be up to $300 per compromised record.

“Providing security at the edge, at the wired/wireless demarcation point, is not enough in today’s wireless enterprise deployments,” said Goulet. “We are offering location-based access control and policy enforcement.”

In other words, retailers can use the location engine built in to the Motorola firewall to enforce user identity-, role- and location-based security policies, which helps keep access to sensitive consumer data under control. Retailers can have one policy for an employee who is accessing the network externally by connecting through mesh APs, for example, and a different security policy for employees inside headquarters using the internal network.

“This allows way more granularity, depending on role, location, time of day, etcetera,” said Goulet.

Motorola’s wireless LAN access points, switches, and mobile computing devices also support the IEEE 802.11i security standard, as mandated by the new PCI Data Security Standard (DSS) version 1.2.

“This is a new approach to firewalling that we think is right for the wireless network. In the old way, a wired firewall is acting as the demarcation point between the wired and wireless network, but this ignores the other vulnerability, which is the wireless side,” said Goulet. “This is different than AirDefense wireless intrusion detection; this is a firewall on the AP to protect the network from the attacks on the wireless side.”

Beta customers are currently testing the firewall in the field. Existing customers who have a service agreement will not have to pay to upgrade their software to include the firewall, and new customers will not see a bump in the cost of Motorola APs.

“We want to offer more features at the same price point,” said Goulet. “It really ties in to when Motorola and AirDefense, came together. We have a vision that will make ‘wireless’ and ‘security’ synonymous. We began by bringing WIPS into the wireless LAN infrastructure and we followed that up with the secure AP that had a full-time traffic cop on one radio in the AP, providing access to clients and devices. This is the third leg of that–providing firewalling and security in the network. It helps us execute that vision.”

* For more on Motorola, read “Review: Motorola RF Management Suite (Part 1),” “Review: Motorola LANPlanner (RF Management Suite, Part 2),” “Aruba/Motorola Patent Dispute Slogs On.”

* For more on Wi-Fi in the retail space, read “Retailers Need to Shore Up Defenses,” “WLAN Security Service Aims to Boost PCI Compliance,” and “RF Barrier Helps Deter Eavesdroppers.”

* To learn more about WLANs, read “Understanding WLANs: Architecture 101.”

* For more on AirDefense, read “Motorola’s AirDefense Acquisition Complete,” “Motorola’s New Indoor/Outdoor Management Solution,” and “Motorola Buys AirDefense.”

via Motorola’s New Wireless Firewall.