As banking applications evolve, common attacks on banks are becoming correspondingly more sophisticated. Small businesses, municipalities, and moneyed individuals are often targeted for obvious reasons: they have hundreds of thousands of dollars, if not a few million, in the bank, but their security is often no more effective than that of an average American household.
The Federal Financial Institutions Examination Council’s (FFIEC) updated security guidelines go into effect in less than a month. It is imperative that financial institutions recognize that the security precautions currently in place are ineffective in the face of new, more sophisticated attacks. Criminals have gotten around the minor hurdles posed by the tools being used to authenticate clients and prevent unauthorized transactions.
Basic multifactor authentication may be relatively effective for bank accounts that generally contain only enough to pay a month’s worth of bills. But high value accounts are more prone to attacks, and require additional levels of security. Ultimately, what is most important is that a security program includes multiple layers of protection rather than relying on a single mechanism of defense.
Using advanced device identification is also essential. The FFIEC guidance calls for complex device identification, which goes beyond the simple device identification used previously, and the leader in this space is iovation Inc. They take complex device identification further by delivering to financial institutions a reputation for the device at the moment it accesses their site to apply for credit, create an account, transfer money and more.
This proven strategy not only utilizes advanced methods to identify the devices being used to connect to a bank, it also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect financial institutions from cybercrime.
Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC.
A California supermarket chain recently sent letters informing customers that a security breach had been discovered at 20 of their stores. The breach notification letter released by Lucky Supermarkets reads, in part:
“Dear Lucky Customer:
In the course of regular store maintenance, we discovered our credit/debit card readers at the self-check lanes ONLY in 20 stores (listed below) had been tampered with. Steps were taken immediately to remove the tampered card readers in the affected stores, as well as enhance security to every credit/debit card reader in all 234 stores in our company. We are not aware nor have we been notified of any reports that customer accounts were compromised.”
The “tampering” referenced in this letter has been described as skimming, which occurs when a separate piece of hardware is affixed to an ATM or point-of-sale terminal. The hardware is designed to blend in with the face of the machine and record card data whenever a card is swiped. Criminals either retrieve the skimming device later or pull the captured data remotely over Bluetooth or SMS.
In this particular case, however, it isn’t clear exactly what happened. What is known is that the POS terminals were compromised. When point-of-sale terminals have been compromised in the past, this has usually meant that criminals actually entered the store, physically removed an entire machine, and replaced it with one that resembled the original, but had been tweaked to capture and transmit customer data.
Consumers can do little to protect themselves from this crime beyond checking their bank statements frequently and disputing any unauthorized charges or withdrawals. Online retailers, on the other hand, who bear the cost when stolen cards are used on their sites, can in many cases stop a fraudulent transaction upfront by checking the reputation of the device used to place the order. Computers, tablets and smartphones are assessed for fraud, high-risk and suspicious activity in real time, that is, while the device is still interacting with the retailer’s website. By checking against iovation Inc.’s global shared database of more than 800 million unique devices and their associations, online retailers can protect themselves against chargeback losses, shipping fraud, account takeovers and identity theft attempts.
Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses POS skimming on CBS.
EMV, which stands for Europay, MasterCard, and Visa, is the chip card standard, commonly deployed as chip and PIN, used in Europe and much of the rest of the world. Cards with an embedded microprocessor chip are far more secure than the standard magnetic stripe cards that are all too easy to skim at ATMs and point-of-sale terminals. The reason is simple: a magnetic stripe holds static data, so whatever a skimmer copies can be written onto a counterfeit card and replayed, whereas the chip produces a cryptogram for each transaction that is useless for any other transaction.
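To make the difference concrete, here is an added illustration (not code from the original article or from any card scheme) that contrasts the two. A magnetic-stripe "issuer" can only check that the static track data belongs to an account it issued, so a skimmed copy authorises just like the original. The chip side is a deliberately simplified stand-in for EMV's ARQC: the card keeps a secret key and an application transaction counter (ATC), and MACs the amount, the counter and a nonce supplied by the terminal. Real EMV derives 3DES/AES session keys from the ATC and uses CBC-MAC rather than HMAC-SHA256, and the PAN, key, amounts and terminal nonces below are constructed sample values.

```python
"""Added illustration: static magnetic-stripe data is replayable, a per-transaction
chip cryptogram is not.  Simplified stand-in for EMV; all values are constructed."""
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample track-2 data; a skimmer captures exactly this and nothing more.
SAMPLE_TRACK2 = "4111111111111111=2512101123400000"
SAMPLE_PAN = "4111111111111111"
SAMPLE_CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed


class MagstripeIssuer:
    """Authorises on static data only: nothing binds the data to this transaction."""

    def __init__(self, issued_track2):
        self.issued = {issued_track2}

    def authorize(self, track2, amount):
        # A cloned stripe is indistinguishable from the original card.
        return track2 in self.issued


def _mac(key, pan, amount, atc, terminal_nonce):
    """Simplified cryptogram: HMAC over the data the issuer must see unchanged."""
    msg = f"{pan}|{amount}|{atc}|{terminal_nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    pan: str
    key: bytes   # never leaves the chip; a skimmer only sees the messages below
    atc: int = 0  # application transaction counter, incremented per transaction

    def generate_arqc(self, amount, terminal_nonce):
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "arqc": _mac(self.key, self.pan, amount, self.atc, terminal_nonce)}


class ChipIssuer:
    def __init__(self, pan, key):
        self.keys = {pan: key}
        self.last_atc = {pan: 0}

    def authorize(self, card_msg, amount, terminal_nonce):
        """amount and terminal_nonce come from the terminal, not from the card message."""
        key = self.keys.get(card_msg["pan"])
        if key is None:
            return False
        if card_msg["atc"] <= self.last_atc[card_msg["pan"]]:
            return False  # counter already used: a replayed cryptogram
        expected = _mac(key, card_msg["pan"], amount, card_msg["atc"], terminal_nonce)
        if not hmac.compare_digest(expected, card_msg["arqc"]):
            return False  # cryptogram was made for a different amount or terminal challenge
        self.last_atc[card_msg["pan"]] = card_msg["atc"]
        return True


def demo():
    results = {}
    mag = MagstripeIssuer(SAMPLE_TRACK2)
    results["magstripe_genuine"] = mag.authorize(SAMPLE_TRACK2, 2500)
    results["magstripe_clone"] = mag.authorize(SAMPLE_TRACK2, 99900)  # skimmed copy approved

    card = ChipCard(SAMPLE_PAN, SAMPLE_CARD_KEY)
    issuer = ChipIssuer(SAMPLE_PAN, SAMPLE_CARD_KEY)
    nonce1 = bytes.fromhex("11223344")  # constructed terminal "unpredictable number"
    msg1 = card.generate_arqc(2500, nonce1)
    # A tampered terminal tries to push a different amount under the same cryptogram:
    results["chip_amount_tampered"] = issuer.authorize(msg1, 99900, nonce1)
    results["chip_genuine"] = issuer.authorize(msg1, 2500, nonce1)
    # A skimmer captured msg1 and tries to reuse it (declined on the counter check):
    results["chip_replay_same_terminal"] = issuer.authorize(msg1, 2500, nonce1)
    results["chip_replay_other_terminal"] = issuer.authorize(msg1, 2500, bytes.fromhex("55667788"))
    # The genuine card keeps working because its counter and cryptogram move on:
    nonce2 = bytes.fromhex("99aabbcc")
    results["chip_next_genuine"] = issuer.authorize(card.generate_arqc(1000, nonce2), 1000, nonce2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'APPROVED' if ok else 'DECLINED'}")
```

Note what the skimmer does and does not get in the chip case: it can capture `msg1` in full, but without the card key it cannot produce a cryptogram for a new counter value, and the issuer rejects any counter it has already seen. The magnetic stripe offers no such binding, which is why a copied stripe is as good as the card.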
Major banks and retailers are now pushing very hard to make EMV the new standard in the United States. Visa recently announced plans to expand their Technology Innovation Program to the U.S., which will encourage retailers to support cards with microchips by “[eliminating] the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75% of the merchant’s Visa transactions originate from chip-enabled terminals.” This will go into effect October 1, 2012 for merchants whose point-of-sale terminals accept both contact and contactless chips.
Meanwhile, Citi has announced the launch of its own Citi Corporate Chip and PIN card, which is designed for U.S. cardholders who travel abroad. Bank of America has made a similar announcement of its expanded credit card technology aimed at international travelers. And Wells Fargo is already testing EMV cards in the United States, with its Visa Smart Card, which includes the traditional magnetic stripe as well as a microprocessor chip, in order to make the cards flexible and useable around the world. Wells Fargo’s pilot program includes 15,000 customers who travel regularly.
With all these major players making significant strides to embrace EMV chip technology, full adoption in the United States looks like only a matter of time.
Consumers would be smart to take advantage of any pilot program available to them. EMV chip and PIN technology is more secure, and it also works better internationally than the old-school magnetic stripe.
For more information on the benefits of EMV chip technology and to show your support, visit http://www.getfluentc.com/, from JustAskGemalto, to let your voice be heard and share your stories.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
In this closing article, last in a set of three, I discuss some international treaties that may or may not apply to Cyber Security. Again I would like to note that the answers I give are merely my opinion on the matter. This article is comprised of two questions. Without further ado:
To what extent can international codes of conduct for the digital domain contribute to increasing Cyber Security? Can we learn from experience with existing codes of conduct, such as those in the area of non-proliferation?
Fading national borders and the de facto international routing of data traffic are properties of cyberspace we can’t escape. This makes international relations and codes of conduct essential, especially when it comes to fighting cyber crime. It calls for the law enforcement agencies and justice departments of multiple countries to work together to stop criminal enterprises in their tracks. International cooperation among law enforcement agencies in taking down cyber crime rings has been taking place for several years now, and although it has not been nearly as successful as we’d hope, it has had some successes. For an excellent read on this subject, I recommend Joseph Menn’s Fatal System Error.
As for Cyber Warfare and Cyber Conflict, there are various internationally accepted legal frameworks and cooperative initiatives that can help increase security in Cyberspace. Consider the Law of Armed Conflict or the Universal Declaration of Human Rights, both of which have received wide adoption and have led (and still lead) to increased cooperation among nation states. Connecting to existing initiatives in this area is therefore highly recommended.
Although Non-Proliferation has a similarly high adoption rate, using this as an example may very well give off the wrong idea because of the emotional 'weight' associated with nuclear weapons. Cyber weapons are not currently anywhere near the immediate physical threat that nuclear weapons pose, nor is it feasible to attempt to restrict development or trade of cyber weapons. Cyber weapons consist of computer code and knowledge of the target system or application. Anyone with enough knowledge can create one, and all it takes is a computer. Connect that system to the internet and proliferation is both virtually immediate and unstoppable.
How can NATO and the EU give substance to the principles of Common Defence, Deterrence and the Solidarity clause when considering cyber threats? How can NATO and the EU improve the information exchange with regards to threat analyses?
Existing initiatives within NATO and the EU offer excellent opportunities in this regard. For instance, a closer connection to NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia is a very good idea. The CCDCOE was founded and sponsored by a number of nations, but the Netherlands was not one of them. It is still possible to become a sponsoring nation by signing its Memorandum of Understanding, and after looking at its mission statement, which revolves around cooperation, I highly recommend that our government does so. Aside from this centre, NATO’s own C3 Agency has various Cyber Security endeavours from which we in the Netherlands could benefit.
All in all, it’s safe to consider that our best bet lies in engaging in cooperation with other culturally similar nations. Most western nations are as connected to the Internet as we are, and they share our understanding of how critical cyberspace is to us and our economies. Together we simply have a much better chance of improving our situation online.
About the author: Don Eijndhoven has a BA in Informatics (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands. Among a long list of professional certifications he obtained are the titles CISSP, Certified Ethical Hacker, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he is a public speaker, works as a Project Manager for CSFI and acts as its Director of Educational Affairs in the EU region. He also blogs for several tech-focused websites about the state of Cyber Security and is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine.
Cross-posted from ArgentConsulting.nl
In continuation of the series I promised you on high-level debates surrounding Cyber Warfare, here is the next article in a series of three. This article will be the longest in the series because of the multi-part nature of the question. Of course the answers given to each of the questions are merely my opinions on the matter. Please feel free to comment or contact me with relevant remarks.
Question: To what extent, and in what way, are existing international legal frameworks relevant to behaviour in the cyber domain, specifically in relation to cyber violence?
Relevant UN Charter articles:
An Answer – the Right to Self Defence
Although Cyber gives a new dimension to Warfare, it is my opinion that the general principles and rules of behaviour apply in the same fashion as they do under conventional warfare. One should look to the effects of cyber attacks rather than to the method or the individual components involved. In the end it is the damage dealt that matters to those it is inflicted upon, not the method. For this reason the thresholds we have set for conventional warfare under the various articles of the UN Charter do not necessarily change because of innovation in technology, nor do international agreements automatically become void. Under the current UN Charter, each member state has the right to actively defend itself when attacked (or threatened with attack), and I feel this right remains relevant when discussing cyber warfare. I would like to point out, though, that what is typical of Cyber Warfare but uncommon in kinetic operations is the problem of attribution. Not knowing who will attack, is attacking or has attacked you complicates the situation considerably. It makes every action and reaction susceptible to a fair margin of error, so any response should be carefully considered before execution.
Humanitarian principles
As far as humanitarian principles in warfare go, it is certainly conceivable that cyber attacks may directly or indirectly lead to injury or loss of life. For instance, when a cyber attack on a power plant successfully blacks out an area, this can cause all kinds of damage. Some of the more obvious risk areas are those that affect hospitals and emergency services such as police and ambulance services, but this is not a new aspect of warfare. Knocking out power and communications is always something that must be done with the utmost care, and this advance in technology doesn’t change that. In some cases a well-placed cyber attack may very well be preferred over a kinetic attack that does permanent damage. The principles of distinction between military and civilian targets, as well as proportionality, should still apply when discussing the use of cyber attacks.
Civil-Legal principles
Legal concepts such as Sovereignty and Neutrality are the subject of much debate among technical, political and legal experts from many nations, and any answers to these questions are likely to change as insight is gained over time. Many people take the approach that Cyberspace does not have physical borders, but this is not exactly true. While Cyberspace as a concept may be regarded as unbound by geography, it is held up by very real, physical networking equipment. Data flowing from one system to the next does actually cross physical space through cables and routers, and maybe even airspace via satellites or Wi-Fi connections. As such, this data may be subjected to all kinds of rules and regulations imposed by the owners of the networking equipment between the points of departure and arrival. And what about being used as a proxy during a cyber attack? Without an international understanding of the ‘rules of the game’, you may be involuntarily drawn into conflicts because one of the parties routes his cyber attacks through your networks, or even uses systems that are hosted on your soil. Regardless of what position you take, it’s clear that concepts such as Sovereignty and Neutrality have a place in the debates surrounding Cyber Warfare.
Cross-posted from ArgentConsulting.nl
In my previous blog "Something Rotten in my Kingdom" I asked the question: Can we envisage a way to improve security through compliance?
Angela Carlisle, Technology Compliance Manager for Regions Financial Corporation, highlighted in our recent chat that the major impediments to compliance and security are resources: having enough people, enough money, enough time and the right skill sets to address the issues. People want to do the right thing and everyone wants to help, but the resources are lacking: not enough people, not enough time and no funding to pay for additional people or tooling.
Funding is the root of this problem, and who holds the key to the money box? The decision-makers.
So probably the more challenging mission of compliance, risk and security managers is to convince the decision-makers to make a positive decision. That leads me to conclude that the key to the above problem is "decision".
Nothing gets done properly unless it has been decided first. The same goes for security-related matters: we can’t protect our data if there is no official decision to do so. Once something is decided, little can divert us from our trajectory. Decisions lead to action. But what leads to proper decisions and, more specifically, what leads to better security decisions?
Proper decisions require information: information about the problem, the situation or context, the potential alternatives with their pros and cons, as well as an understanding of the potential losses and gains.
Proper decisions also require an understanding of the motives of the parties involved in the thinking process and the biases that could influence the outcome.
Targeting compliance is a decision in itself that can positively or negatively impact the security of the company, depending on the motivations behind it. But compliance programs are also a valuable source of recommendations and guidance that can lead to better security decision-making.
So I would suggest tackling this problem from the perspective of security decision-making. Our approach would then be to discuss best practices and guidance from these compliance programs and present them through the lens of the decision process.
What do you think?
What are the factors that one should take into account in making security-related decisions?
CIS-Partners, a consulting firm specializing in compliance strategies for the pharmaceutical industry, wrote an article entitled, “Don’t Get Burned”. The main focus of this article is to discuss how organizations are shifting to third-party vendors and in turn, how internal auditors need to respond to the risks associated with this process.
View article here: http://www.cis-partners.com/downloads/RiskWatch_June2011_Don'tGetBurned.pdf
CIS-Partners is a sponsor of the upcoming marcus evans Life Sciences Internal Audit Forum, February 7-9, 2012 in Philadelphia, PA. During this event, two key sessions will focus on third-party audits and managing the risk that comes along with these new types of relationships. These include:
• “Administering Effective and Reliable Audits of Third Party Relationships” – Andy Weintraub, Director, Group Internal Audit at AstraZeneca
• “Recognizing Key Risk Areas in the Overall Operational Audit Management” – Pawel Bialecki, Senior Manager, Internal Audit at Cephalon
Don’t miss out on this two-day premiere event! Other key topics include:
• Improving communication between business units and internal audit to increase performance
• Mitigating risk in the internal audit area by assessing financial and non-financial areas of risk
• Discussing how automated controls can increase effectiveness and decrease cost
For a full list of speakers and sessions, please contact Michele Westergaard at 312-540-3000 ext. 6625. For registration information, visit: http://www.marcusevansch.com/LSIA_IGF
The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.
Now, after five years of pushing standards out to merchants and retailers, Verizon’s PCI compliance study has found that 79% of the organizations it assessed were not fully compliant at their initial assessment. That is a count of organizations, not of transactions, and a failed requirement is not the same as a breach, but it does mean that the card data you hand over is very often handled by a merchant that is falling short of the standard somewhere.
InformationWeek reports numerous reasons why credit and debit card data is at risk. The first is that the burden posed by PCI causes businesses to view PCI as a nuisance, rather than a standard. Instead of working towards better security, they shun it.
Another risk factor is that most merchants only maintain basic compliance. Credit card processors hold merchants’ feet to the fire by requiring that PCI standards be met, but validation happens only annually, so merchants tend to treat compliance as a once-a-year event rather than maintaining the controls throughout the year. PCI DSS expects the controls to be in place continuously; the annual assessment is only a snapshot, and configurations, patch levels and access lists drift between snapshots. When it comes time to be audited, merchants often fail because they’re unprepared or because the rules have changed.
Finally, lack of awareness increases risk. According to Verizon, “the greater awareness of PCI found in a business, the greater the actual compliance.” Jennifer Mack, director of global PCI services, says, “The more aware your organization is of the standard, the more prepared you are for the type of approach you take.” Seems like common sense to me!
No matter how you slice it, retailers are a target and must employ multiple layers of fraud protection to thwart cyber criminals. One way that retailers are uncovering suspicious activity on their site is by utilizing powerful tools for early detection. iovation Inc., the leader in device recognition technology, allows retailers to create multiple rules and adjust them as threats emerge and evolve. They do this without collecting any personally identifiable information (PII) from the retailer.
As devices (such as computers and mobile devices) with fraudulent histories connect to the retailer’s website, the business is alerted in real time. And when velocity or geolocation alerts are triggered, the retailer knows in real time. iovation’s living database of device intelligence is shared across its global base of finance, gaming, travel, shipping, dating and retail clients. They share information to detect fraudulent activity as soon as possible, before product is shipped and chargebacks and fees are incurred. They call it device reputation. I call it another bit of common sense for retailers.
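The velocity, geolocation and fraud-history alerts described in this article boil down to a small set of rules evaluated against each event a recognized device generates. The block below is an added example, not iovation’s code or a description of its product: a minimal in-memory rule engine run over constructed device events. The "shared database" is reduced to a set of device identifiers already tagged as fraudulent; the device IDs, accounts, countries, timestamps and thresholds are all made-up sample values.

```python
"""Added example: device-reputation, velocity and geolocation rules over
constructed events.  Not iovation's code; all data and thresholds are sample values."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed)
    device_id: str   # stable identifier supplied by the device-recognition layer
    account: str
    country: str     # from geolocation of the connecting address
    action: str      # "login", "checkout", ...


class DeviceRules:
    def __init__(self, bad_devices, velocity_limit=3, velocity_window=600, geo_min_gap=3600):
        self.bad = set(bad_devices)          # devices with a known fraud history
        self.limit = velocity_limit          # max distinct accounts per device per window
        self.window = velocity_window        # seconds
        self.geo_gap = geo_min_gap           # seconds; faster country hops are flagged
        self.recent = defaultdict(deque)     # device_id -> deque of (ts, account)
        self.last_seen = {}                  # device_id -> (ts, country)

    def evaluate(self, ev):
        """Return the list of alerts this event triggers (empty list if none)."""
        alerts = []
        if ev.device_id in self.bad:
            alerts.append("reputation:known_fraud_device")

        # Velocity: count distinct accounts this device touched inside the window.
        hist = self.recent[ev.device_id]
        while hist and ev.ts - hist[0][0] > self.window:
            hist.popleft()
        accounts = {acct for _, acct in hist} | {ev.account}
        if len(accounts) > self.limit:
            alerts.append(f"velocity:{len(accounts)}_accounts_in_{self.window}s")
        hist.append((ev.ts, ev.account))

        # Geolocation: same device in two countries within an implausible interval.
        if ev.device_id in self.last_seen:
            last_ts, last_country = self.last_seen[ev.device_id]
            if last_country != ev.country and ev.ts - last_ts < self.geo_gap:
                alerts.append(f"geo:{last_country}->{ev.country}_in_{ev.ts - last_ts}s")
        self.last_seen[ev.device_id] = (ev.ts, ev.country)
        return alerts


# Constructed sample events: one device cycling through accounts, one hopping
# countries, one already on the fraud list, and one stale device coming back.
SAMPLE_EVENTS = [
    Event(0,    "dev-A", "acct1", "US", "login"),
    Event(60,   "dev-A", "acct2", "US", "login"),
    Event(120,  "dev-A", "acct3", "US", "checkout"),
    Event(180,  "dev-A", "acct4", "US", "checkout"),   # 4th account in 3 minutes
    Event(200,  "dev-B", "acct5", "DE", "login"),
    Event(900,  "dev-B", "acct5", "BR", "checkout"),   # Germany to Brazil in 700 s
    Event(1000, "dev-C", "acct6", "US", "checkout"),   # device with fraud history
    Event(1000, "dev-A", "acct7", "US", "login"),      # earlier burst has aged out
]


def run_sample():
    """Evaluate the constructed events in order; returns one alert list per event."""
    rules = DeviceRules(bad_devices={"dev-C"})
    return [rules.evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, alerts in zip(SAMPLE_EVENTS, run_sample()):
        flag = "ALERT " + ", ".join(alerts) if alerts else "ok"
        print(f"t={ev.ts:5d} {ev.device_id} {ev.account} {ev.country} {ev.action:8s} {flag}")
```

Two design points matter in practice. The rules key on the device identifier, not on the account or IP address, which is what lets an attacker cycling through many stolen accounts from one machine be caught on the fourth account rather than never. And the thresholds are parameters rather than constants, because, as the article says, retailers need to adjust rules as threats emerge; a window that is right for a dating site is wrong for a ticketing site on sale day.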
Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston.