Tuesday, June 3, 2008

Spliced feed for Security Bloggers Network

Security Briefing: June 3rd [Liquidmatrix Security Digest]

Posted: 03 Jun 2008 07:16 AM CDT

Myspace Trolling: An Introduction [Vitalsecurity.org - A Revolution is the Solution]

Posted: 03 Jun 2008 07:11 AM CDT

I've delved into the world of Myspace Trolling before, and talked briefly about it at RSA - how rape support groups and bi-polar help forums have been run into the ground by morons posting up (naturally enough) pictures of rape, scat porn and God knows what else. "For the lulz", of course.

Well, over the past month or so the situation has deteriorated in a spectacular fashion, and a series of system glitches / exploits / system errors / insert phrase of choice here are going hand in hand with a hardcore collective of asshats that Myspace are clearly aware of, yet are seemingly powerless to stop.

A pretty good achievement, considering the trolls in question have the combined IQ of a wet lettuce but whatever.

Rather than ramble on, here's some randomly selected choice words from Moderators faced with the wonderful task of cleaning up scat porn, crapfloods, porn and threats on a daily basis.....

The group the above posts were taken from was hit earlier with scat porn, random threats and various other nonsense (check out Pirate-Bill-Cosby and rubber duck guy with a pinned post) which (considering the group is invite only) hints at the possibility of the glitch that allows people to enter supposedly private groups uninvited. Why so? Because the same idiot that sent this to a lady on Myspace a few days ago, happened to send this to another troll way back in March:

....yes, that's right. The supposed glorious "leader" of the main group of Myspace Trolls resorts to sending random PMs to people he doesn't actually know very well when trying to learn about possible system exploits. Might want to be less stupid next time, though I understand this might prove difficult.

You'll see more of him later (and I mean a lot more, so bring some eye bleach).

Has he found a way to wander into groups unannounced? If so, you can add that to the other Myspace forum glitches he uses that (when all is said and done) makes Myspace forums completely at the mercy of losers who like to pretend to be pirates.

Splashed across various Myspace pages, it says "Bright Idea: Read the FAQ and give Tom a break."

Break? I think Tom needs to put a little overtime in on this one. More later....

Hackers Invade Mars [Liquidmatrix Security Digest]

Posted: 03 Jun 2008 06:50 AM CDT

Well, the website for the NASA Phoenix Lander at least.

From the Register:

Add the webpages for the Phoenix Mars Lander to the list of high-profile sites that have been hacked by script kiddies. Not once, but twice.

Security pros had to take down the University of Arizona-hosted site after hackers replaced the lead blog entry with graffiti that read “hacked by VITAL.” As if that wasn’t enough, members of the self-declared “sql loverz crew” redirected baffled visitors of the Phoenix mission’s official webpage and a companion site to a third-party destination. That page gave credit to hackers going by the names BLaSTER and Cr@zy_king.

Red is the color of the Martian surface, but it seems it also describes the faces of security pros responsible for the sites. Evidently, they had better things to do than vet their scripts for SQL-injection vulnerabilities. So these hackers were willing to step in and test the sites for them.

Pesky SQL Injection attacks abound and the script kiddies are loving ‘em.

Article Link

Teen Hacks PA School Computer, Gets Tax Info [Liquidmatrix Security Digest]

Posted: 03 Jun 2008 05:23 AM CDT

A 15 year old student managed to hack into a school computer in Pennsylvania. He got his hands on 2005 tax return information for 41,000 taxpayers, which threw a town meeting for a loop.

From DailyLocal dot com:

Borough police arrested a 15-year-old Downingtown West High School freshman on May 21 and charged him with theft by unlawful taking or disposition, computer theft, unlawful duplication and computer trespass.

District administrators learned about the intrusion on May 9, when a student told Downingtown West's principal that another student might have personal information, Griffin said. But 71 school employees did not learn their 2005 W-2 forms were copied until May 16, and Griffin said this was because district officials had to first perform "due diligence."

According to police, the data files contained more than 41,000 adult taxpayers' names and personal information, including Social Security numbers, and more than 15,000 students' names and personal information. The school district sent out letters to 16,595 residences about the incident.

Eldredge said he received the school district's letter but believes it's a dead issue.

"For me, I'm comfortable that nothing was done with the information," Eldredge said.

But, not everyone felt the same.

"I have a tremendous objection to anyone but the county having this information," West Bradford resident Susan Singer said. And if there are instances of identity theft, "I will be more than outraged," she said.

ID theft can scare the best of us at the worst of times.

Article Link

Somewhat More Interesting than the Transformers / Terrorist TShirt Fiasco... [Vitalsecurity.org - A Revolution is the Solution]

Posted: 03 Jun 2008 05:12 AM CDT

....is this link here, which goes into detail regarding a whole pile of stupid tshirt related incidents. I think this one is my favourite at the moment:

Another potential terrorist was apprehended when a lawyer was arrested and charged with trespassing at a public mall in the state of New York after refusing to take off a T-shirt he had just purchased at the mall bearing the words "Give Peace A Chance".

I'm glad to have done my part for Queen and Country:

I also note with a general sense of eye-rolling disdain that when I got this TShirt made:

...the guy in the shop that made it wanted me to confirm it had nothing to do with paedophilia.

No, really.

My Article On Compliance For The Little Guy [The IT Security Guy]

Posted: 03 Jun 2008 05:05 AM CDT

I had an article come out yesterday on SearchCIO-Midmarket about compliance for middle market companies. I gave some tips and best practices, as well as a list of tools for keeping tabs on compliance for smaller companies.

One product for tracking SOX compliance had the unusual name of Knock Your SOX Off.

Too Stupid to Use Spaces [Jon's Network]

Posted: 03 Jun 2008 01:12 AM CDT

Fortune Small Business published this drivel in response to a serious question: Is it time to consider moving your small business to Macs?

Their answer: it makes sense for maybe 20 companies out of 100, up from just 5 a few years back.

Here are the reasons Macs won’t work for your small business:

  • The slogan “Designed by Apple in California” positively shouts at you from the box.
  • “On” switch is not on the front of the monitor
  • Not enough USB ports (didn’t mention how much would be enough)
  • GoToMyPC doesn’t work
  • Same driver issues as with a Vista upgrade (this one I just don’t believe without the details)
  • Small business users too stupid to use Spaces
  • Different keyboard commands (this takes like 3 days to get used to)
  • The Mighty Mouse only has one button
  • Time Machine retrieves backups with too much fanfare
  • Syncing Blackberries and smartphones can be a pain
  • Terrible problems getting company programs to work properly (again, no details)
  • After months of comparisons, no efficiency was gained doing critical business functions

This is probably the worst article I have read on the topic. You gotta love the last line:

Windows Vista, properly installed and used in tandem with Web-based productivity tools, is a powerful, powerful alternative.

That conclusion doesn’t follow from the explanation. One valid point that it hints at though is that if you are using web-based tools, it doesn’t matter what OS you are using.

The author didn’t offer enough detail about the valid concerns (GoToMyPC work-arounds, syncing problems, programs not working on Macs) to help any small business owner make the decision. He also didn’t mention the well-known desktop virtualization phenomenon that is fueling the trend of small biz Mac switchers. Being able to run Windows on your Macs using Fusion or Parallels reduces the risk of switching and eases the transition.

As for using a Mac for months without efficiency gains, I believe that most small businesses would increase their productivity by using Macs. I haven’t done enough research on it to state it as a conditional fact yet, but I have a fuzzy idea of why it would be.

  1. Macs get you out of the filing paradigm. You don’t need to stuff all your emails and files into folders. Use keywords. Use something like Quicksilver to make any file on your machine a few keystrokes away.
  2. The services menu and the Cocoa framework
  3. Applescript
  4. Less expensive, faster (the article did mention these two), more reliable

This all needs to be clarified and quantified, but that is a project for another day.

More Than Meets The Eye [un-excogitate.org]

Posted: 02 Jun 2008 10:51 PM CDT

Just read this article by Michael Farnum over on computerworld.com and I have to say, what a spectacular example of security through absurdity.

In the "couldn't have happened to a better set of people" department... [Emergent Chaos]

Posted: 02 Jun 2008 09:33 PM CDT

Fifteen people have escaped unharmed in the US state of Indiana after a sky-diving plane lost power 7,000ft (2,100m) from the ground.

The pilot told the 14 skydivers on board to jump to safety, then crash-landed the plane.

And the pilot was un-injured, according to the AP story. From Skydiving plane fails at 7,000ft, BBC. The website of the company in question even asks "Want to jump out of a perfectly good airplane?" making one less joke for us to tell here.

Canadian Group Says Facebook Violates Privacy Laws [Liquidmatrix Security Digest]

Posted: 02 Jun 2008 09:21 PM CDT

You know, I would have to agree with them in principle. From what I have seen Facebook seems to take a dim view of anything/anyone that questions their “rule”.

Privacy, schmivacy.

From Computer World AU:

A Canadian public policy group Friday filed a complaint charging Facebook with 22 separate violations of a Canadian personal information protection law.

The Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa, asks the Privacy Commissioner of Canada to investigate what it describes as Facebook’s failure to inform members how their personal information is disclosed to third parties for advertising and other commercial activities. The complaint also alleges that Facebook has failed to obtain permission from members for disclosure of their personal information.

Facebook did not respond to a request for comment.

They didn’t comment? How out of character.

In an unrelated story most of the University of Ottawa’s student population had their accounts terminated on Facebook.

Yes, I’m joking.

Article Link

MX Lab Admin receives an update [mxlab - all about anti virus and anti spam]

Posted: 02 Jun 2008 06:29 PM CDT

MX Lab provides a new major update of MX Lab Admin, the management interface for clients. The update includes new features, support for multiple languages, interface enhancements like date range selector tools, animated Flash charts, new statistics reports and more.

Educause SE Regional Event [CTO Chronicles]

Posted: 02 Jun 2008 05:15 PM CDT

While I am sitting not attending any of the regional Educause conferences this year, our own beloved VP of Marketing, Trent Fitz, is speaking along with Chuck Adams of Northwest Mississippi Community College.  We love it when any of our customers speak in public; and Trent, in spite of being from Oklahoma, is a good speaker and all around fine American.  If you're headed down to Jacksonville, by all means stop in and throw a tomato (or a tomatoe, if you prefer) at Trent.

8th Pet Symposium Early Registration Deadline [Emergent Chaos]

Posted: 02 Jun 2008 11:13 AM CDT

We kindly invite you to attend the next PET Symposium, that will take place in Leuven (Belgium) on July 23-25, 2008. The PET Symposium is the leading international event for the latest research on privacy and anonymity technologies. This year, four other events are co-located with PETS 2008, including the Workshop On Trustworthy Elections (WOTE 2008) and the closing workshop of the EU FP6 PRIME project (Privacy and Identity Management for Europe). There are now 3 days left before June 5, the Early Bird registration deadline. The PETS'08 early bird registration fee is 250 euros (until June 5th), and it will be 350 euros after June 5th. We strongly encourage you to make your hotel and travel arrangements as soon as possible, as we cannot guarantee hotel availability after the block bookings expire on June 5th.

Learning the rules [Network Security Blog]

Posted: 02 Jun 2008 08:58 AM CDT

Lori MacVittie misinterpreted my rant on an NDA slipped into a recent presentation I saw as “don’t trust bloggers” when what I really meant was “educate bloggers”. I don’t know how many bloggers would even recognize a Non-disclosure agreement or understand what it means. It’s definitely a lower percentage than in the journalist community. The same could probably be said of the term ‘embargo’.


Heading to Gartner IT Security Summit Monday [The Falcon's View]

Posted: 01 Jun 2008 04:29 PM CDT

Howdy folks - just a quick heads-up, I'll be playing "booth babe" for BT on Monday at the Gartner IT Security Summit tomorrow (Monday 6/2) in Washington, D.C. If anybody is planning to attend, please feel free to drop by...

Next Week [Vitalsecurity.org - A Revolution is the Solution]

Posted: 01 Jun 2008 06:02 AM CDT

Myspace trolls that pretend to be pirates, eh? I smell action and adventure on the high seas...

The greatest cooking prep lesson I think I’ve ever learned [Srcasm]

Posted: 31 May 2008 10:21 PM CDT

I was perusing the interwebs the other day and decided to search for the best ways to cut an onion. A quick Google search and I came across this video — And it works! I was able to cut an onion, from start to finish without crying. I can’t believe no one has ever shown me this before but I have used it three times since yesterday and I’m not even a big fan of onions.


Cut An Onion Without Crying

Twitter was down, they could have used this [Srcasm]

Posted: 31 May 2008 05:57 PM CDT

StatShorts.com - Keep the community informed

I think we’ve all learned over the past couple of weeks, with Twitter being down, the importance of notifying the customers with what’s going on. This idea stemmed from a few things: GetSatisfaction (with their communication to the end-user) and the need for status pages (like status.twitter.com). Simply put, status pages that are both replicated and hosted around the globe. Take a server in the US, one in Europe and one in APAC, replicate the sites and databases and allow companies and/or organizations to get sub-domains off of the main site.

These “company status pages” would take their information from a multitude of sources. During setup, the company could choose accounts to follow on Twitter, Friendfeed and any other information source (even SMS based). These accounts could be owners, evangelists or employees of the company. Anytime the company status page needs to be updated, it can be done from anywhere on the world wide web or beyond. Say Twitter is having issues? Alex Payne can text to 47783 (ISSUE) with an update to the world.

Because these status pages are both replicated and hosted around the world, there is very little chance of the users being unable to access these very important status pages. Twitter can have twitter.statshorts.com reserved just for them. :)

Top 5: Why Customers Consider NAC [Security Uncorked]

Posted: 31 May 2008 05:10 PM CDT

On a daily (and nightly) basis I have the wonderful experience of talking to, chatting about, presenting on or asking questions of customers about NAC.

At each of these opportunities, I like to ask “Why are you considering NAC?”

Here’s my Top 5 of Why Customers Consider NAC (or think they want NAC). This is not based on any other organization’s research or polls, nor is it based on analyst analysis. It’s not based on forethought or musings of an ‘expert’. It’s just my personal experience from my daily interactions.

#1: Endpoint Compliance
I put this one first, because I think it’s the most-hyped and possibly least significant. I know, that’s harsh, especially when endpoint compliance seems to be the big bat NAC carries around. Truth be told, it’s more of an ‘icing on the cake’ for the people I talk to. Until the auto-remediation features are a little more mature, the idea of checking for much beyond presence of anti-virus and possibly patches is unattractive. Frankly, endpoint compliance for LAN-based devices can be a Charlie Foxtrot except under the most ideal circumstances. There are many large organizations and DoD groups that need endpoint compliance, and that’s a primary driver for them. For the rest, one of the other reasons below is a primary compelling feature and endpoint checking is just another knob they can play with.

The lack of fervent interest in endpoint checking is why I had to disagree so strongly with Stiennon when he advises in his NWW article “Don’t even bother investing in NAC”. The entire premise of his issues with NAC centers around various endpoint checking. (You can check out Shimel’s response to Stiennon’s blog here.)

#2: Guest Access
Believe it or not, the most frequent response I get for “why are you considering NAC” is “guest access”. Guest access seems to be a thorn in every organization’s side. It’s a simple problem with impossibly complex solutions… or so they think. For years, we’ve been provisioning safe and secure guest access for customers with the use of clean and simple protocol-less VLANs and so, I know that about 82% of the time, there are much simpler ways to offer guest access than by rolling out a full NAC implementation. If guest access is your primary and only goal with a NAC solution, there’s probably a better, faster and less expensive solution. If money and time are no object, then NAC can be a good way to get from point A to B and give you a few fun technical trinkets to play with.

#3: Edge Port Security
After guest access, the next thing I hear most is interest in adding edge port security with an 802.1X NAC solution. (We call this Layer 2 NAC.) I tend to think for the time being, this is NAC’s sweet spot. Note I said ‘for the time being’, I think this may change in the next 18-24 months. But for now, the ability to lock down edge ports and secure switch-to-switch links is an extremely attractive feature. Outside of the 802.1X protocol, there aren’t really any other ways to skin this cat. I know what you’re thinking… you don’t have to do NAC to use 802.1X… and that’s certainly true, but for a network of any size, NAC makes an 802.1X implementation easier to manage and monitor centrally and gives you more of that NAC icing we all love.

When the 802.1X-REV comes out (probably early 2009) I think you’ll see organizations that have previously blown off 1X seriously considering it for all the added security and multi-user support it will bring to the table.

#4: User & Resource Accounting
Unless you have a 3rd party solution or want to dig through mounds of RADIUS syslogs, you probably don’t have a good way to account for user authentication and accountability of resource access throughout the network. Most vendors’ NAC solutions already have pretty good logging and reporting features built in today. Depending on the solution and integration of other devices, you may even get detailed accounts of which user viewed exactly what, when and from where. This is a great selling point to organizations that are trying to follow strict regulations for accountability of financial or extremely sensitive resources. The standards bodies (IEEE, TNC framework and IETF) are coming out with more and more ways to leverage 3rd party security devices within NAC. The IF-MAP is a great example and we’ll be seeing more I’m sure.

#5: Dynamic VLAN Assignment
Last but not least, I hear a lot of customers that are looking for a good way to dynamically provision attributes, such as VLAN assignment and QoS, to users or devices. It makes switch configuration and management much simpler, and eliminates the need to assign port-based VLANs. The ability to leverage your existing user directory and define both broad and very granular attributes is certainly a draw, and NAC is a great way to offer that.
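On the wire, the dynamic VLAN assignment in #5 is nothing more than three tagged RADIUS attributes in the Access-Accept that the switch gets back after 802.1X authentication: Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID = the VLAN ID, as specified in RFC 3580 (attribute formats from RFC 2868). The following is an added example, not code from the original post or from any vendor's NAC product: it builds such an Access-Accept, parses it the way a switch would, and checks the Response Authenticator that binds the reply to the RADIUS shared secret. The shared secret, request authenticator and packet identifier are constructed values.

```python
"""Dynamic VLAN assignment over RADIUS (RFC 3580 / RFC 2868 tunnel attributes).

Added example. Attribute numbers and encodings are the real ones from
RFC 2865 / RFC 2868 / RFC 3580; the secret and authenticator below are
constructed for the demonstration, not taken from any real deployment.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64              # RFC 2868, tagged integer
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868, tagged string
TUNNEL_TYPE_VLAN = 13         # RFC 3580: VLAN
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 3580: IEEE-802
TAGGED_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}


def tagged_int(attr_type, tag, value):
    # Type, Length (always 6), Tag, then a 24-bit big-endian integer.
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def tagged_str(attr_type, tag, value):
    # Type, Length, Tag, then the string bytes.
    body = bytes([tag]) + value.encode("ascii")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_attributes(vlan_id, tag=1):
    """The three attributes an 802.1X switch needs to put the port in a VLAN."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept whose Response Authenticator (RFC 2865 s.3) covers the attributes."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_access_accept(packet, request_authenticator, secret):
    """What a NAS must check before acting on the VLAN it was told to use."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, bytes(data[pos + 2:pos + length])))
        pos += length
    return attrs


def split_tag(value):
    # RFC 2868: a leading byte above 0x1F is data, not a tag (untagged attribute).
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(packet):
    """Return the VLAN carried in the packet, or None if the RFC 3580 triple is incomplete."""
    groups = {}
    for attr_type, value in parse_attributes(packet[20:]):
        if attr_type in TAGGED_ATTRS:
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():
        if (int.from_bytes(group.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
            return int(gid) if gid.isdigit() else gid  # switches also accept VLAN names
    return None


if __name__ == "__main__":
    # Constructed values; a real NAS takes these from the Access-Request it sent.
    request_auth = bytes(range(16))
    secret = b"example-shared-secret"
    accept = build_access_accept(0x2A, request_auth, secret, vlan_attributes(100))
    print("VLAN from server:", vlan_from_access_accept(accept),
          "authenticator ok:", verify_access_accept(accept, request_auth, secret))
    forged = accept[:20] + vlan_attributes(200)  # same length, different VLAN
    print("forged VLAN:", vlan_from_access_accept(forged),
          "authenticator ok:", verify_access_accept(forged, request_auth, secret))
```

The forged reply parses just as cleanly as the genuine one and would land the port in VLAN 200; only the Response Authenticator check catches it. That is the practical caveat behind this driver: the policy lives on the RADIUS server, but the decision is enforced by the switch, so the strength of the shared secret and the integrity of the path between switch and server are as much a part of the design as the VLAN mapping itself.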

That wraps up my Top 5. Of course, there are plenty more drivers, both business-based or technology-based, but these are the 5 I hear most.

# # #

More ideas than I can count [Srcasm]

Posted: 31 May 2008 03:54 PM CDT

I seem to come up with ideas left and right and I think it would only be fair to put them out there for the community to mull over and possibly implement. I am opening these up to anything you would like to do with them. You owe me nothing (although if you’d like me involved I’d be more than happy to help) if you use them and I wish you the best of luck — in fact, if you roll it out, I’ll probably review and write about them on one of the many blogs I currently write for. So please, this new category on my blog will be for simply putting the information out there and starting a conversation.

————

Text 2 Drink - You want that drink and you want it now.
So, during a late night drinking trip at National Mechanics with Bart (and later had Alex’s input as well), I came up with this interesting concept. There have been similar tries with regards to SMS based advertising and coupons but this takes a little bit different approach.

The idea is that bars would get a system installed. This would be a small computer (think Eee PC) and a receipt printer. When someone sits down at a table, the waiter (or waitress) would take a credit card to open a tab, would then click a button on the computer and it would print a slip with instructions and a generated serial number. The table would get this slip and the waiter would be off to the next table.

Whenever a drink was needed by the table, anyone there could simply send a text message to 37465 (DRINK) with their special ID and the type of drink they desire. This information would pop up on the special computer behind the bar, the bartender would see it, make the drink, set it up for the waiter with information about which table it goes to. This not only saves time but also allows the waiter to reduce the number of trips to each table and allows the drinker to get their next beverage that much faster.

On top of this idea could be built in a sponsorship mode. Instead of drinkers being able to order any drink, they send a text to 37465 with their special ID only and the “drink of the night” is brought to them. Think of Coors, Bud, Philadelphia Brewing Company or any others sponsoring their beer of the night. The bar gets a discount on beers and the drinkers get the savings passed on.

This service could be set up for trial with simply an iPhone at the bar and a system built on TextMarks with a simple API. So go ahead, what do you think? Doable or not? If so, do it.

IT Vendor VAR Relationships 101 [Security Uncorked]

Posted: 31 May 2008 03:52 PM CDT

I guess I’ve been in the VAR business so long it surprises me when we run across customers that really are clueless as to how the whole process works and the value of underlying relationships. I shouldn’t be surprised- only a relative handful have really mastered the customer -> vendor/VAR -> distributor -> manufacturer relationship. The rest have no clue.

So, if you’re in ‘the rest’ category, here’s a quick overview of how the chain of love works top-down from manufacturers to VARs to you.

Manufacturer -> Reseller.
First it’s important to note that most IT Manufacturers have some level of Partner Programs. These programs are structured agreements between a Reseller and the Manufacturer and are usually based on 1) volume of their product sold and/or 2) technical expertise. Each Manufacturer is different, but they usually offer 2-4 tiers of partner programs depending on those 2 things, and each tier may have a different discount offered to the Reseller.

Commodity items may just require a Reseller to request to be in the Partner Program, and sign a couple of documents. More involved products, such as the network and security products we deal with, usually require the Reseller to demonstrate competencies and a high level of technical expertise with that product. Some product lines or specific products may require a Reseller to have authorization or certification to sell and/or provide services for a product.

When selecting a Reseller or VAR, it’s important to keep these things in mind and be sure your choice is comfortable with that product line- you should be able to ask them for recommendations and help specifying the correct products and possibly help with the installation and integration. If you send a Reseller a list of part numbers and it’s the wrong ‘stuff’- you’re less likely to get help exchanging it for the correct items, from the Reseller or Manufacturer. It’s also nice to know you have a friend to lean on when you’re installing new products.

You’ll see more info from me on understanding the difference between a Reseller and a VAR soon. Your VAR should be able to help every step along the way, and a Reseller should at least be able to help you select the correct part numbers as part of their pre-sales support.

Distributor -> Reseller
There’s another interesting twist in our chain of IT relationships- the Distributor, or Disti for short. Understanding distribution of a product can be advantageous- some products are sold directly from the Manufacturer to Reseller, but most go through a Disti. The Disti can be another advantage for your Reseller to leverage, but the Customer really should not be involved in any way in these transactions. Sometimes Distis offer an additional discount to a specific product line or type. Other times the Distis may be offering a volume discount or bundles. Sometimes the incentives are for the Reseller, and some times they’re designed to pass through to the Customer. It’s a good idea to just ask your Reseller if there are any additional discounts that could be applied.

Reseller -> Customer
A lot of Customers like to get information directly from the horse’s mouth and at times this Reseller-Customer relationship is bypassed at critical times. Keep in mind the Manufacturer sales rep is most interested in selling you something- and they may be interested in selling you a specific something, depending on what their incentives are. If you, as the Customer, call in a Manufacturer directly for pre-sales support, do you really expect them to honestly tell you “Hey Mr Customer, you really don’t need my widget.”? On the other hand, if you call in a trusted Reseller or VAR, they have a more vested interest in your success, and the success of whatever solution is put in place because they’re responsible for making sure it all works.

Another distinct advantage of a good Reseller/VAR -> Customer relationship is the ability to leverage your Reseller’s relationship with the Manufacturer. Maybe you’re a huge buyer of the Manufacturer’s stuff- and maybe you have enough clout with them directly to get what you want. Congratulations if you’re in that position, but for 99% of Customers, that’s not the case. If your Reseller or VAR is in good standing and either moves a large volume or has extensive technical expertise, they can offer you some great advantages, in pricing, services and more. Your VAR can frequently negotiate additional discounts, maybe free training or reduced service costs and competitive trade-ups.

Another tip- don’t discount smaller Resellers. Our company, for example, is not an International online box-pusher, but we have the best pricing tier with most or all of our Manufacturer partners and offer the majority of our product lines at less than you’ll find from those online e-tailers and wholesalers. Surprise!

That’s a very brief overview- you’ll see more on Vendor-VAR relationships coming soon.

# # #


Look to the acquiring banks, not the PCI Security Council [Network Security Blog]

Posted: 31 May 2008 02:12 AM CDT

Alan is continuing the conversation about the firing at TJX and reporting Payment Card Industries ‘violations’ to someone. I want to pause the conversation for a moment to clear up a few misconceptions.

The PCI Security Council has no power to fine and is only responsible for maintaining the PCI Data Security Standards and administering the assessment process. They set the standards and keep track of who’s compliant (or not). That’s about it. They have a lot of power to influence the security industry. They have complete control over the assessment process. But what the PCI Security Standards Council does not have is a direct means to fine a company for not being compliant. There is almost no direct relationship between the PCI Council and the businesses taking credit cards.

The credit card companies never fine a merchant directly, since their relationship is with the acquiring bank, not the merchant. In simplest terms, the acquiring bank takes the credit card information from the merchant and gives the merchant his money, minus a small fee. The acquiring bank, the PCI Council and the credit card companies all have direct relationships. Only the acquiring bank has a relationship with the merchant. The credit card companies can fine an acquiring bank, but don’t fine a merchant directly. Though that cost is usually passed through to the merchant in some form.

If a merchant suffers a compromise or is non-compliant, the acquiring bank has several punitive options, including raising the per-transaction fee or levying a fine. Most merchants would rather receive a fine than raised fees; for medium and large businesses the fine would be much less painful than a .25% raise in their per-transaction fees. .25% of several hundred million dollars is still a lot of money. The acquiring bank can also choose to absorb the loss.

The acquiring bank has the power to make a company hurt if they’re not compliant or suffer a compromise, the ‘teeth’ Alan’s looking for. There isn’t much direct evidence of how much the acquiring banks are fining companies and what we saw happen with the first TJX incident wasn’t inspiring. Visa fined the acquiring bank $880,000 which will likely be passed along in one form or another. But we, the public, don’t know the specifics of what TJX was fined because there is no reporting requirement. Even working in the industry, all I know of the fines is from the press.

The bottom line is, the PCI process has teeth. They’re being used quietly by the acquiring bank as part of the business processes. It’s a monetary issue from start to finish, there are no legal requirements. Would I like to know what the fines being levied against companies are? Yes, and I’d like to have enough information to understand the effectiveness of the PCI Standards. But there’s no fiscal incentive for any of the parties involved to disclose fine information to the public, so don’t expect to see it any time soon. Just because we don’t see the teeth doesn’t mean they’re not there, though.

And as far as I can tell, there’s no way for the public to get in touch directly with the acquiring banks.
