There are rules, in the UK and everywhere else cards are accepted, governing how merchants handle credit card numbers and other sensitive payment data. This set of rules is the PCI Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council.
The main card brands (Visa, MasterCard and the rest) have all agreed to build these standards into the compliance requirements they pass down to merchants. That means merchants have to heed them whether they take cards over the internet, face-to-face, or over the phone.
How the merchant handles your card details dictates how much of the standard applies to them (which self-assessment questionnaire they have to complete); the formal merchant ‘level’ is set by transaction volume.
For example, at 3DPixel.net we send the customer to RBS WorldPay to process the payment. We (or more importantly, our servers) never ‘see’ the credit card number. In this respect 3DPixel has only the minimal obligations of a merchant whose payment page is fully outsourced, while RBS WorldPay, which actually handles the card data, is required to be fully PCI compliant.
Another customer of ours, piccadillyrecords.com, has a different requirement. With recent changes to the PCI standards and how they specifically deal with credit card numbers, they were required to change their setup. Piccadilly Records actually need to store credit card numbers because they take pre-orders, backorders and such (note that even then the security code on the back of the card and the full magnetic-stripe data may never be stored once the payment has been authorised). With our assistance, they migrated to separate servers for web and database (the database hidden from the internet), encryption of the stored card data, up-to-date server daemons that pass their required quarterly vulnerability scan, and a myriad of other measures to achieve PCI compliance. It’s expensive. They needed to move from a single server to multiple servers, and pay a company to set it up, secure it, and so on.
Another client, who shall remain nameless, approached us with a similar situation but refused to comply with the requirements, citing the costs involved. They are a relatively small business and the cost of complying with PCI is high, especially after recent rulings. The card issuers’ threat of hefty fines was a risk they were willing to take. There is little day-to-day enforcement of PCI compliance: the acquiring bank may charge a non-compliance fee (I’ve heard £80 a month) and the merchant may get fined IF there is a breach.
I should point out here that this attitude is not uncommon amongst small online retailers. Naturally they have the best intentions with your credit card number and other sensitive details, but you may be surprised how many companies handling your details are not PCI compliant.
PCI compliance, if you read the Council’s documents, is a fluffy mess with no real ‘set’ rules. It reads more as a set of guidelines that merchants need to follow, drawing their own conclusions on how compliant they need to be. It’s no wonder that merchants a) don’t know about it and b) shy away from the technical fluff. They just want to get paid.
The basic rules (from my perspective) are:
1. If your server, company or staff ever physically TOUCH a credit card number (for a server this means the customer types the details into YOUR site, even if they are then sent ‘securely’ to a payment gateway), then you need basic PCI compliance.
2. If your server, company or staff store or keep hold of credit card numbers, then you need a higher level of PCI compliance, and whatever you do, the card security code (CVV2) must never be stored after authorisation.
You may think there would be a mechanism to report non-compliance. There isn’t.
You may think that having an SSL certificate (turns your browser bar green etc.) means your data is secure. It doesn’t. SSL protects the card number while it is in transit between your browser and the site; it says nothing about how that number is handled or stored once it arrives.
You are totally within your rights to ask the merchant what measures they have in place to deal with your information and if they are PCI compliant.
Looks like a high-profile SSL certificate compromise at well-known provider Comodo.
As a valued GlobalSign Partner we would like to make you aware of our official company statement on the recent Comodo compromise.
On March 23 2011, the Certification Authority Comodo announced it had mis-issued 9 SSL Certificates to high profile websites including:
* login.yahoo.com (3 certificates)
The Certificates were issued through one of its unnamed Registration Authority (RA) Partners who had been given transferable trust rights to issue publicly trusted SSL Certificates.
The fraudulent Certificates have since been revoked; however, due to the high profile nature of the mis-issued Certificates, Microsoft, Google and Mozilla have issued browser updates to hardcode the revocation status of the Certificates into the browsers. We advise all GlobalSign customers to update their browsers immediately.
This is a very serious compromise of unprecedented scale. As further details unfold, our security group will publish a full statement. However, we wish to strongly reiterate that this is a completely standalone attack on the Comodo systems. GlobalSign wishes to confirm to all customers, partners and the industry as a whole that GlobalSign is not affected by the Comodo compromise.
I’ve read several articles about this in the past few weeks.
Someone hacks an email account and uses the account’s own contact list to ask ‘friends’ and contacts for money, citing some personal tragedy or immediate need. Often the attacker writes to the contacts using the terminology, phrases and sign-off names of their victim so that the email conversation appears genuine. Of course, they can garner all of this from the previously sent emails in the account.
If someone needs help, use the trusted method of picking up the phone.
You may know that I operate a webhosting company. I find it amazing some of the information that people give out without even thinking.
Take for example a simple request the other day that required us to transfer a domain name from another domain registrar. The client had been in contact with the third-party registrar and gone through their ‘security’ procedure. This involved answering the secret questions that many companies now require us to have answers to: mother’s maiden name, place of birth and so forth.
The issue was that the client had forwarded us their response with these answers inline. I’m sure the client was trying to be helpful, but little did they know what information they’d inadvertently handed over. With it we could interact, on her behalf, with any company that we know requires this ‘secret’ information.
When a long email or social-media conversation is later forwarded to a third party, remember what you may be giving away with it.
Google has made SSL available for the .com version of its search engine. It has not been rolled out to the specific country code Google versions as of yet but surely it cannot be far off.
Despite passing the search query as a GET variable (i.e. the search is included in the URL so you can link to it directly), Google assures us that the search string is not open to snooping. That holds: under HTTPS the path and query string travel inside the encrypted connection, and an observer on the network sees only the hostname (via DNS and the TLS handshake) and the amount of traffic, not the words you searched for.
Google is making efforts to make SSL search the default soon enough, which can only be a good thing for privacy, especially on open wifi hotspots. (On a shared public terminal the search still ends up in the browser history, which SSL does nothing about.)
An article on the FSA’s site shows that the scamming industry is still alive and well. 38,000 UK names have been discovered on a list used by fraudsters dealing in worthless stocks and shares.
A person (possibly having invested in legitimate stocks previously) is called out of the blue and offered shares that are essentially worthless, don’t exist, or are the subject of a ‘pump and dump’ scam. High-pressure sales tactics are common. The invested money simply disappears, and when the would-be investor tries to contact the company in question they find it no longer exists.
The ‘list’ these people find themselves on is reused for repeat scams and further social engineering, since it most likely comes with pertinent details, gleaned in previous conversations (even with another ‘company’), that can be used to gain the victim’s trust.
These ‘boiler room’ scams are still common and have, in recent years, moved more towards the internet than cold calls, but this report makes it obvious that the industry is alive and kicking.
Most offices these days have their airspace saturated with wireless networks. It’s amazing, therefore, given the ubiquity of wireless routers and access points, that so many networks are still running on the weakest encryption available: WEP. Possibly the hardware in use only supports WEP, but you’d be surprised how often that isn’t the reason.
It’s quite trivial these days to crack a WEP key. A post in a forum I saw a couple of weeks back claimed a 12-second record! The fundamental flaw is that WEP builds each packet’s RC4 key from a fixed secret key plus a 24-bit initialisation vector sent in the clear. The IV space is so small that keystreams are reused after a few thousand packets, and statistical biases in RC4’s first output bytes leak the secret key, so if you collect enough packets the key can be recovered outright.
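The keystream-reuse flaw described above, as an added example that is not part of the original post: a WEP-style RC4 encryptor, a scan of captured frames for repeated IVs, recovery of the keystream from one frame whose plaintext is known (the LLC/SNAP header that starts every IP frame, or a packet the attacker injected), and decryption of a second frame that reused the IV, plus the birthday-bound estimate of how quickly random IVs collide. This demonstrates why IV reuse is fatal; it is not the FMS/PTW key-recovery attack the cracking tools use. The 40-bit key, IVs and packet contents are constructed for the example, and the WEP integrity check value is omitted.

```python
import math

def rc4(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-packet encryption: RC4 keyed with IV || root key.
    The 24-bit IV is transmitted in the clear in front of the ciphertext
    (the ICV trailer is omitted in this example)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor(plaintext, rc4(iv + root_key, len(plaintext)))

def find_iv_reuse(frames):
    """Group captured frames by their cleartext IV.
    Every IV that appears more than once was encrypted with the same keystream."""
    by_iv = {}
    for frame in frames:
        by_iv.setdefault(frame[:3], []).append(frame[3:])
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the keystream for those bytes."""
    return xor(ciphertext, known_plaintext)

def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypts as many bytes of another same-IV frame as the keystream covers."""
    return xor(ciphertext, keystream)

def iv_collision_probability(n_frames: int, iv_bits: int = 24) -> float:
    """Exact probability that at least two of n uniformly random IVs coincide."""
    space = 2 ** iv_bits
    log_no_collision = sum(math.log1p(-k / space) for k in range(n_frames))
    return 1.0 - math.exp(log_no_collision)

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")           # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")                # constructed IV, reused below
    snap = bytes.fromhex("aaaa030000000800")    # LLC/SNAP header: known plaintext on IPv4 frames
    known = snap + b"ICMP echo the attacker sent to the victim"
    secret = snap + b"session cookie=abc123 for the victim"
    capture = [
        wep_encrypt(key, iv, known),
        wep_encrypt(key, bytes.fromhex("000001"), secret),
        wep_encrypt(key, iv, secret),           # same IV as the known packet
    ]
    for reused_iv, cts in find_iv_reuse(capture).items():
        ks = recover_keystream(cts[0], known)
        print("IV", reused_iv.hex(), "reused; recovered:", decrypt_with_keystream(cts[1], ks))
    print("P(collision) after 5000 frames: %.2f" % iv_collision_probability(5000))
```

Real drivers of the era often used sequential or fixed IVs, which collide far sooner than the random-IV birthday bound computed here, and the cracking tools go further by recovering the root key itself rather than one keystream at a time.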
If you’ve never heard of SPF (Sender Policy Framework), don’t worry, you’re probably not an email administrator. SPF was designed as an addition to the email system to prevent sender spoofing, in other words to stop someone else sending an email pretending to be you. A domain publishes in DNS the list of servers allowed to send mail for it, and a receiving server checks the connecting IP address against that list.
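The check described above, as an added example that is not part of the original post: a minimal SPF evaluator covering the ip4, ip6, include and all mechanisms with their qualifiers, run against a constructed in-memory DNS table instead of real lookups. The domains and records in DNS_TXT are made up for the example, and the a, mx, ptr and exists mechanisms and the redirect modifier are deliberately not implemented, so a record using them returns permerror rather than a wrong answer. The open.example record shows the weak setting (+all) beside the correct -all on example.com.

```python
import ipaddress

# Constructed DNS table for the example: domain -> list of TXT records (no network access).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "softfail.example": ["v=spf1 ip4:192.0.2.1 ~all"],
    "open.example": ["v=spf1 +all"],          # weak: anyone on the internet "passes"
    "nospf.example": ["some unrelated txt record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 limits DNS-querying terms to 10 per check

def lookup_spf(domain, dns=DNS_TXT):
    """Return the domain's SPF record (the TXT record starting 'v=spf1'), or None."""
    for txt in dns.get(domain.lower(), []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None

def check_spf(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate whether `ip` may send mail for `domain`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            return "permerror"          # modifiers (redirect=, exp=) not supported here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # first colon only: ip6 args contain colons
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_spf(ip, arg, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"      # included domain must publish a valid record
            matched = inner == "pass"   # only a pass from the included record matches
        else:
            return "permerror"          # a, mx, ptr, exists not implemented in this subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no redirect: neutral

if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.5", "example.com"), ("203.0.113.5", "open.example")]:
        print(ip, dom, "->", check_spf(ip, dom))
```

A receiving server decides what to do with each result; SPF itself only classifies the sending host. A domain publishing +all, or no record at all, gives receivers nothing to reject on.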
This morning I received an email from GlobalSign, who provide some of our SSL certificates. It reminded me of a story I read a few weeks ago about a Canadian security expert testing common webmail providers to see if they allowed him to register ssladmin@ email addresses, one of the generic addresses certificate authorities accept as proof that you control a domain.
Further to my post about traditional passwords, I began to think about the common approaches sites take to resetting passwords.
Many, as you would imagine, use a security question that was answered when originally signing up or registering. Mother’s maiden name, place of birth, name of first pet, favourite colour? How many plausible answers do you think there are to these common questions?