Blogtree. A Safe Haven in a Chaotic Industry.


Data Breaches up in 2008

Posted on Friday, January 09, 2009 by Bryan Johnson

A report out this week by the Identity Theft Resource Center claimed that reported data breaches were up by 47% during 2008, reaching 656. Some interesting highlights (NOTE: this is not only credit card data):

  • Only 2.4% of breaches had encryption or other strong protection in use
  • Only 8.5% had password protection

About their method:

The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies. The number of breaches does not affect the number of companies affected. ITRC uses media, notification lists and government agencies to confirm breaches. To be considered a breach, it must include the loss of personal identifying information like a SSN.


Costco, your marketing department has gone rogue

Posted on Friday, December 05, 2008 by Bryan Johnson

Costco advertises unbeatable credit card processing rates of 1.64% and 1.99% in their November magazine. The problem? It's like a national long distance provider advertising a flat $.05 per minute that actually only includes your zip code.

And the first benefit Costco touts regarding their services? "No Hidden Fees"

Any business that accepts credit cards will tell you that this advertisement is misleading. If a merchant were to actually sign up, expecting to pay these rates, they would be unpleasantly surprised to find out that the actual rates are:

* 1.64% and $.20 for swiped transactions
* 1.99% and $.27 for non swiped transactions
* 2.96% and $.32 for rewards, business, corporate, non-AVS, authorizations not settled within 24 hours, and a host of other conditions.
* 3.80% and $.32 for government or international cards

I don't know about you, but that's a minor * that I would want to know about before buying.

Come on Costco, you're a brand we trust. We realize others in the industry do the exact same thing, but your customers deserve better.

 


2008 Credit Card Data Breach Trends

Posted on Tuesday, November 25, 2008 by Bryan Johnson

I recently listened to a presentation by a security group that performs forensics work when a merchant experiences a credit card data breach. Here are the breach trends they've seen during 2008:

Methods of entry - largely unchanged

  • Insecure remote access software
  • SQL injection 

Breaching credit card data - evolved strategies

  • Capturing credit card data in transit over the network between devices 
  • Via program modification after a vulnerable application was breached
  • Via collection of Random Access Memory (RAM) contents

Techniques used - most apply to software POS

  • Key-logging 
  • Network sniffers
  • Serial port sniffers

Case Study

In one case study they shared, the criminal was able to penetrate the network via remote access software. They then installed a debugging tool to collect RAM contents and malware to parse track data. The malware then uploaded the data to a Russian website. The merchant was using a PABP POS that was not collecting prohibited cardholder data.


This work is licensed under a Creative Commons License.