Friday, April 30, 2010

Insider Steals $2 Million from 4 Credit Unions

April 30, 2010 - Linda McGlasson, Managing Editor
Bank Information Security Articles

In a case of insider fraud, a Utah computer consultant was sentenced to five years in prison for stealing nearly $2 million from four Utah credit unions by programming extra deposits for himself.

On April 27, a judge sentenced 43-year-old Zeldon Thomas Morris to 63 months in prison and ordered he pay back over $1.8 million.

Morris pleaded guilty to taking the funds from Deseret First Credit Union, First Credit Union, Alpine Credit Union and Family First Credit Union in 2008. According to the FBI, he had been hired to help the credit unions with computer upgrades; instead, he used the passwords he was given for that work to create accounts for himself.

Morris admitted to transferring the money to his joint business account, Lee and Morris Enterprises LLC. He remodeled his home and paid for two cars with the money. He begins his prison sentence June 18. Morris was investigated after a business partner saw something suspicious and reported it.

Friday, April 23, 2010

FISMA Compliance

FISMA Background

The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Security Compliance in a Cloud

Sunday, April 18, 2010

Sunbelt warns on game console security risks

16 April 2010

Sunbelt Software has warned businesses to be aware of the growing security risks posed by network-connected game consoles in the work environment.
The problem, Sunbelt says, stems from the increased use of network-connected consoles in break and waiting areas, which heightens the chances of distributed denial of service (DDoS) and phishing attacks.

Sunbelt has issued its warning after a study of more than 200 senior IT figures in the public and private sector, which reveals that 39% had no idea about any of the documented threats that relate to online console gaming, including DDoS attacks, phishing and social engineering.

The study also found that 80% of those questioned said their organisations keep no record of who uses the game consoles within the workplace, making it almost impossible to track down the source of any data leaks or brand-damaging in-game behaviour that might take place via services such as Xbox Live and Sony PlayStation.

According to Sunbelt, console users participating in online play risk exposing their IP address, increasing the risk of that address being targeted for DDoS attacks designed to cripple the target's internet connection.

These types of attacks, which can render the organisation's connection unusable, are frequently used by opportunistic criminals and disgruntled players, the company says.

And, the IT security vendor adds, innocent players in the workplace are also potential targets for social engineering and phishing scams intent on extracting usernames, passwords and other sensitive data from users via chat forums, in-game speech and email.

Chris Boyd, a senior threat researcher with the firm, who recently joined Sunbelt from Facetime Communications, said that there are benefits to having game consoles in the workplace, as they can boost morale by providing staff with a fun diversion during lunch and other break periods.

"Consoles, meanwhile, in the lobby and waiting areas help convey a sense of a modern, fun and tech-savvy organisation", he said.

"However, these benefits must be weighed against the business implications of a threat, such as a DDoS attack, which can harm productivity significantly", he added.

"In most cases, the most practical option for an organisation is to disconnect consoles from the internet and use them for offline play only."


Tuesday, April 13, 2010

Missouri's Breach Notification Law

Posted by Stephen Wu, Esq. on Apr 13, 2010 11:06:23 AM

Missouri became the 45th state to enact a breach notification law. Mo. Rev. Stat. §§ 407.1500.1-407.1500.4. Missouri's governor signed the enabling legislation, H.B. 62, into law last July. It went into effect last August 28.

H.B. 62 covers "personal information" consisting of a name in combination with a driver's license number, Social Security number, or account number together with an access code. Id. § 407.1500.1(9). These are the usual elements of "personal information" seen in California's SB 1386. In addition, however, the Missouri law also covers personal information in the form of medical information, health insurance information, and identifiers and access codes permitting a person to access a financial account. Id.

Businesses must notify Missouri residents if there is unauthorized access to residents’ personal information that the businesses are maintaining. Id. § 407.1500.2(1). No notification is necessary if, following an investigation and consultation with law enforcement, the business “determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach.” Id. § 407.1500.2(5). A business making such a determination must record it in writing and preserve the writing for five years. Id. In addition, a business may delay notification if law enforcement informs the person that notification may impede a criminal investigation. Id. § 407.1500.2(3).

The Missouri law states that the Attorney General has the “exclusive authority” to bring an action for damages or a civil money penalty. The “exclusive authority” phrase implies that there is no private right of action. The maximum penalty the A.G. may seek is $150,000 for one breach or a “series of breaches of a similar nature that are discovered in a single investigation.” Id. § 407.1500.4.

Stephen S. Wu

Partner, Cooke Kobrick & Wu LLP

Friday, April 9, 2010

Real-world PCI-DSS: identity is key

March 3, 2010 - 10:08 A.M.

Amir Lev
Security Levity

In this week's Security Levity, I'm interviewing Abhilash V. Sonwane, vice president of product management at Cyberoam. Abhilash has extensive experience building credit card data loss-prevention solutions that help organizations achieve regulatory compliance. I'm sure you'll agree that in this interview, he brings some thoughtful insights into real-world Payment Card Industry Data Security Standard (PCI-DSS) compliance and the importance of user identity.

Abhilash, give us a quick backgrounder on PCI, as a starting point...

Here's how we describe it ... our elevator pitch, if you will.

PCI-DSS aims to give cardholders the assurance that their card details are safe and secure when their debit or credit card is offered at the point-of-sale. To be compliant with the standards, merchants and other service providers holding cardholder data need to do 12 things:

1. use a firewall,
2. change default passwords and other vendor-supplied security parameters,
3. protect stored cardholder data,
4. encrypt data in transmission,
5. use anti-virus software and keep it updated,
6. develop and maintain secure systems and applications,
7. keep access to cardholder data on a need-to-know basis,
8. assign a unique ID to each internal user,
9. restrict physical access to the data,
10. track and monitor all access,
11. regularly test security systems and processes,
12. maintain an information security policy.

Those seem like sensible precautions.

[Laughs] You'd be surprised how many merchants weren't implementing some of those best practices, or were implementing them in a half-hearted way. That's why the industry got together to form the PCI Security Standards Council.

OK, so any thoughts on which of those requirements are most important?

From the perspective of actual compliance with the regulations, they're all important. But it's too easy to forget the need to link true user identity to network security. It's a fundamental part of PCI compliance, but too often overlooked.

You really need complete visibility into who is doing what in the network, as well as access controls based on the user’s work profile. Identity becomes particularly significant in dynamic environments like retail stores, e-stores, hospitality, banking and other service provider industries -- anywhere that multiple users and customer service executives work in shifts over shared machines.

What does that mean for technologies that help enterprises comply with PCI?

A chosen technology should allow user-identity-based access policies based, for example, on work profile, department and individual user. It shouldn't depend on IP addresses to identify internal users. The point is that you need to have protection even in often-changing environments that incorporate DHCP, Wi-Fi and shared machines.

In other words, you need to bind user identity to security features.

OK, that sounds reasonable, but can you tell us why you think user identity is so important?

It allows granular policy creation in enterprises. You're able to create schedule-based or temporary web access policies, or policies allowing certain people access to applications like IM and P2P but which restrict file transfer over these functions to ensure data security.

You also need to be able to easily make dynamic changes to security policies -- while accounting for user movement in the network -- and maintain visibility into network access by individual users. This enables enterprises to modify the user access policies for tighter security controls and to prevent probable security breaches.

But this all sounds like a lot of extra work for IT administrators. How can they be expected to track users' movements?

In the real world, identity isn't an island. You need to integrate with Active Directory, LDAP, RADIUS or an enterprise's custom internal database.

Centralized authentication, authorization and single sign-on maximizes security, employee productivity and convenience -- particularly in shared workstation spaces.

So, in summary, focusing on user identity is a Good Idea, especially in enterprises where multiple users share the same machine.

In fact, identifying users and taking proactive action isn't just a good idea -- it's a key part of PCI-DSS compliance.

I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!

When he's not interviewing PCI-DSS experts, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider. MORE...

Disclosure: Cyberoam, a division of Elitecore Technologies, has been a partner of Commtouch since 2007, when the company licensed the Commtouch RPD anti-spam engine as part of its identity-based UTM appliance. However, no consideration has been exchanged in respect of this interview, and Amir Lev retained full editorial control.
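The interview above argues that access policy on shared, DHCP-addressed machines should be bound to the authenticated user rather than to an IP address, and that every decision should be attributable to a unique user ID (PCI-DSS requirements 7, 8 and 10). The following is an added example written for this page, not Cyberoam's product or any PCI reference implementation: a small policy engine in which an IP-based rule keeps granting cardholder-database access after a shift change on the same register, while an identity-based rule with a schedule window follows the person and leaves a per-user audit trail. The directory entries, rule set, addresses and user names are all constructed for the example.

```python
"""Identity-based vs. IP-based access policy on a shared workstation.

Added illustrative example; not vendor code. All names, addresses and
rules below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str         # unique ID per person (PCI-DSS requirement 8)
    department: str   # work profile used for policy


# Stand-in for an AD/LDAP/RADIUS lookup (constructed directory).
DIRECTORY = {
    "alice": User("alice", "cardholder-services"),
    "bob": User("bob", "warehouse"),
}


@dataclass(frozen=True)
class Rule:
    subject: str       # "user:<name>" or "dept:<department>"
    application: str   # e.g. "pos-db", "web", "im", "im-file-transfer"
    allow: bool
    start: time = time(0, 0)    # schedule window, inclusive
    end: time = time(23, 59)


# Identity-based rules, first match wins, default deny (constructed).
RULES = [
    Rule("dept:cardholder-services", "pos-db", True, time(8, 0), time(20, 0)),
    Rule("dept:cardholder-services", "im", True),
    Rule("dept:cardholder-services", "im-file-transfer", False),
    Rule("dept:warehouse", "web", True, time(12, 0), time(13, 0)),
]

# The legacy approach the interview warns against: trust tied to an address.
IP_RULES = {"10.0.5.23": {"pos-db", "im"}}


@dataclass
class Gateway:
    """Tracks who is authenticated at each address and logs every decision."""
    sessions: dict = field(default_factory=dict)   # ip -> User
    audit: list = field(default_factory=list)      # (who, ip, app, allowed, reason)

    def login(self, ip: str, username: str) -> None:
        self.sessions[ip] = DIRECTORY[username]

    def logout(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def ip_decision(self, ip: str, app: str) -> bool:
        # Whoever sits at the address inherits its rights; no user in the log.
        allowed = app in IP_RULES.get(ip, set())
        self.audit.append(("<ip-only>", ip, app, allowed, "ip-rule"))
        return allowed

    def identity_decision(self, ip: str, app: str, now: time) -> Tuple[bool, str]:
        user: Optional[User] = self.sessions.get(ip)
        if user is None:
            self.audit.append(("<anonymous>", ip, app, False, "unauthenticated"))
            return False, "unauthenticated"
        subjects = {f"user:{user.name}", f"dept:{user.department}"}
        for rule in RULES:
            # A rule only matches while its schedule window is in effect.
            if (rule.subject in subjects and rule.application == app
                    and rule.start <= now <= rule.end):
                reason = f"matched {rule.subject}"
                self.audit.append((user.name, ip, app, rule.allow, reason))
                return rule.allow, reason
        self.audit.append((user.name, ip, app, False, "no rule in effect"))
        return False, "no rule in effect"


def shared_workstation_demo() -> dict:
    """Two shifts at one shared register, 10.0.5.23 (constructed scenario)."""
    gw = Gateway()
    out = {}
    gw.login("10.0.5.23", "alice")
    out["alice_pos_db_ip"] = gw.ip_decision("10.0.5.23", "pos-db")
    out["alice_pos_db_id"] = gw.identity_decision("10.0.5.23", "pos-db", time(10, 0))
    out["alice_im_file"] = gw.identity_decision("10.0.5.23", "im-file-transfer", time(10, 0))
    gw.logout("10.0.5.23")
    gw.login("10.0.5.23", "bob")           # shift change: same IP, different person
    out["bob_pos_db_ip"] = gw.ip_decision("10.0.5.23", "pos-db")   # still granted: the flaw
    out["bob_pos_db_id"] = gw.identity_decision("10.0.5.23", "pos-db", time(21, 0))
    out["bob_web_lunch"] = gw.identity_decision("10.0.5.23", "web", time(12, 30))
    out["bob_web_afternoon"] = gw.identity_decision("10.0.5.23", "web", time(14, 0))
    gw.logout("10.0.5.23")
    out["nobody_pos_db_id"] = gw.identity_decision("10.0.5.23", "pos-db", time(10, 0))
    out["audit"] = gw.audit
    return out


if __name__ == "__main__":
    for key, value in shared_workstation_demo().items():
        print(key, value)
```

The point the scenario makes is in the two `pos-db` checks after the shift change: the IP rule answers yes for Bob because the register's address has not changed, while the identity rule denies him and records his user ID, and the audit list names a person (or explicitly "anonymous") for every identity decision but never for the IP-only ones. Time windows are part of rule matching rather than a separate deny, so a schedule that has lapsed simply falls through to the default deny.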

Tuesday, April 6, 2010

'Free Webinar of SkyView Partners - Implementing Object Level Security'

Award-winning webinar by Mrs. Carol Woodbury, President of SkyView Partners

Date: April 20, 2010, 10:00 a.m. Pacific.

More Heartland-Related Fraud Detected

A Florida credit union must issue 12,000 new debit cards after new fraud attempts traced back to the Heartland Payment Systems data breach.

MidFlorida Federal Credit Union is taking this action, according to chief operating officer Kathy Britt, because of the continued risk of fraud.

Britt says the $1 billion-asset, Lakeland, FL-based credit union already reissued new cards to about 5,000 of its members in 2009, after the breach was made public. Britt says the new replacements follow recent fraud attempts on cards involved in the Heartland breach.

The credit union has about 80,000 debit card holders. The credit union sent notices out to affected cardholders March 26, telling them they will receive new cards. Britt says customers are being asked to review their accounts for possible suspicious activity.

Heartland, a New Jersey-based payment processing company, announced a major data breach in January 2009. The largest such breach on record, it involved 130 million credit and debit card transactions. The breach affected MidFlorida customers who used their debit cards at retailers on Heartland's network.

Albert Gonzalez, the mastermind behind the Heartland breach and similar incidents, was sentenced to concurrent prison terms on March 25 and 26.

MidFlorida FCU is not the first institution that has reported new fraudulent activity related to the Heartland breach. In March, First National Bank of Durango in Colorado came forward, saying it was forced to replace 5,000 debit cards because of fraudulent transactions.

Monday, April 5, 2010

How the Credit CARD Act Will Affect Types of Credit Cards

By Allie Johnson
Thursday, April 1, 2010
Changes abound for rewards, low interest and student cards.

How will the CARD act affect you? That depends in part on which type of credit card you've got in your wallet.

The combined impact of the economic downturn and the restrictions placed on credit card companies by the Credit CARD Act mean card issuers will be changing how they do business in ways that will affect every credit card -- but the impact will vary depending on the type.

"I think we'll see a reverting back to the model of the 1980s -- annual fees and higher interest rates," says Dennis Moroney, research director for TowerGroup, a financial services industry research and consulting firm. "But in those days, everything was pretty plain vanilla -- there will be much more creativity now."

One by one for each of 10 types of cards, here's how experts see the CARD Act's impact:

Bad Credit Credit Cards

The CARD Act's crackdown on extremely high fees will severely curtail the ability of issuers to offer so-called "fee harvesting" credit cards -- cards with hefty upfront fees and extremely low credit limits -- geared toward people with bad credit, experts say.

"I think the more reputable issuers, if they were issuing these cards in the past, are going to be much more reluctant to do so now," Moroney says. Issuers that do market cards geared toward consumers in the subprime market will have to strike a balance between charging enough to cover the increased risk and following the new law, according to Ken Paterson, vice president, research operations/director credit advisory service for Mercator Advisory Group, a consumer payments industry research and consulting firm. One immediate impact was the introduction of high-rate cards to replace high-fee cards, which one card issuer, First Premier, experimented with. To date, no one has followed its lead.

"One of the silver linings of the CARD Act is that it has built in more protections against some of the more egregious pricing that sometimes creeps into that market," Paterson says. In the future, Moroney predicts customers with shaky credit will gravitate toward prepaid cards and secured cards.

Balance Transfer Cards

For most consumers, being able to get a balance transfer card that offers a 0 percent, 1 percent or 2 percent interest rate on a transferred balance for much more than a year will become a thing of the past.

"Teaser rates aren't going to go away, but they're probably not going to be as lucrative for the consumer as they were -- you're going to see a higher rate and a shorter introductory term," says Jerry Straessle, president and CEO of JLS Associates, a consulting firm specializing in the credit and debit card industry. Even before the act's passage, card issuers were retreating from one-year introductory periods and toward the minimum of six months mandated by the CARD Act. Expect introductory rates of 7 percent to 9 percent or higher, Straessle predicts.

"The CARD Act is going to have upward pressure on rates simply because the ability to adjust rates on outstanding balances is severely limited now," Straessle says. Issuers "can't do anything about accounts that have protected balances, so they will book new accounts at higher rates of interest to make up for lost revenue from penalty fees and penalty interest."

However, there will always be issuers bucking the latest trend that make it worth shopping around. Citi, for example, just extended one of its 0 percent balance transfer card offers from a maximum of 12 months to a maximum of 15 months.

Business Cards

None of the provisions in the CARD Act apply to business credit cards. "So far, small business cards are unaffected by the Act -- only consumer cards were included," says Mercator's Paterson. "But it wouldn't surprise me if some of the improved disclosure that was legislated on the consumer side eventually found its way to the small business side too."

Though business owners should keep personal and business expenses separate, Paterson says the increased protections on the consumer side might push very small business owners away from business cards. "I haven't seen data evidence of this, but a one or two-person business -- a freelance programmer, artist or Web designer -- might say, 'My personal card works just fine for business purposes. I don't need a small business product.'"

Debit Cards

Debit cards have never been all that profitable for banks, but new rules on overdraft charges mean banks will make even less. Starting in July 2010, new customers will not be allowed to overdraft using their debit cards unless they opt in ahead of time. Overdraft fee income had been a big profit center for banks.

To help make up the lost revenue, many banks may start charging annual fees for debit cards, probably in the $20 to $30 range, Moroney says. Or, banks might charge for other services, such as financial planning or linking accounts to help customers avoid the embarrassment of having their card declined at a store, Robertson says.

Banks probably will get innovative; for example, providing more rewards debit cards and more hybrid credit/debit cards, as well as cards geared toward students who now cannot get credit cards because of the new law, experts say. Also, banks will reinforce responsible management of personal finances -- maybe with more programs similar to Bank of America's Keep the Change, in which the bank automatically rounds up each check card purchase to the nearest dollar and transfers the difference to the cardholder's savings account. "We'll see more products that tap into consumer appeal," Moroney says.

Gas Cards

The CARD Act will indirectly influence the most popular type of gas card -- the co-branded card, which typically is issued by a bank in partnership with an oil company, and offers perks and rewards to the customer, experts say.

"If there's a revolving feature, it's going to be more expensive," Straessle says, noting that there has been a lot of talk in the industry about controlling costs by paring down rewards. "If you get 5 cents in fuel credits per gallon of gas now, you can probably expect in the future it's going to be a lesser amount -- maybe a penny or two pennies less," Straessle says.

Low Interest Cards

In the near future, interest rates on fixed rate low interest cards, as well as cards with low introductory rates, likely will go up several points, and issuers will be even more selective about who gets these cards, experts say.

"Low interest is a lot less desirable for most card companies because they don't have the ability to change rates as readily as they did in the past" because of the CARD Act, says Beth Robertson, director of payments research for consulting firm Javelin Strategy & Research. "So low interest cards will be more for very valuable and very creditworthy transactors -- people who carry high balances, pay regularly, have good credit scores and have a high volume of transactions, probably more than $1,000 a month. Often someone in that category is someone who travels a lot on business and is purchasing airfare, hotel rooms and meals out, but it could also be someone who is especially wealthy and is spending money on higher-ticket items."

Prepaid and Gift Cards

The Credit CARD Act imposes prepurchase disclosure of certain fees, such as inactivity fees, associated with prepaid cards -- and mandates that the cards not expire before five years. The new rules for prepaid cards -- including gift certificates, reloadable prepaid cards and gift cards -- go into effect Aug. 22, 2010.

"In the past, some expired after a year -- if you still had money on it, you lost it," Straessle says. He predicts that, to make up for this lost revenue, issuers will start charging a higher upfront fee to get a prepaid card and also a higher fee to reload the card -- as high as the market will bear. "It will depend what they think they can do competitively," he says. "It's the logical place for additional revenue to happen because there are not many revenue sources in a prepaid cards program."

Reward Cards

Rewards card issuers already have started to move away from a mass-market mentality in which the goal is to create buzz around a rewards program and get as many people as possible to apply, according to John Bartold, vice president, Loyalty Solutions for Epsilon, a marketing services firm. "Issuers already have tightened up requirements for who gets into a loyalty or rewards program," Bartold says. "The recession and the indirect impact of the CARD Act are making issuers look at these things a little differently and a little more smartly."

Credit card companies have reams of data on their customers and probably will start using that data they've collected to target their customers in a more relevant way, Bartold says. "It's not going to happen right away, but I think we're going to start seeing cards more focused for certain types of lifestyles -- where consumers can find a card that matches them rather than a generic spend-a-dollar, get-a-point," Bartold says.

Card issuers might do that by creating a general program customers can tailor to their own preferences -- similar to the Discover CardBuilder approach -- or by creating a card targeted toward a specific group of consumers such as sports fans, eco-conscious consumers or music lovers. "For example, with music and entertainment, you could have a site where customers could download music, you could have a newsletter that reviews artists by genres, you could look at sponsoring a concert," Bartold says.

Student Cards

The days of the big credit card issuers setting up tables on college campuses and offering free pizza to entice throngs of students to sign up for easy credit are over. The CARD Act prohibits that type of marketing and requires anyone under 21 to prove a source of income or have a parent co-sign to get a card.

"We probably will see fewer student cards out there because the CARD Act restricts a lot of it," says Greg Meyer, community relations manager for Meriwest Credit Union in San Jose, Calif., who predicts more issuers will offer debit and prepaid cards geared toward teens and young adults.

New student cards probably will have higher interest rates and lower credit limits and will be treated more as a vehicle for building financial responsibility, according to TowerGroup's Moroney. "They might offer little things that will reinforce responsible behavior," he says. "'You paid your bill on time this month, Bob or Sally -- let us treat you to half off your next latte at Starbucks.' Or, it could be a discount on textbooks. To a college kid, that's a big deal. They could send the merchant promotions directly to a PDA with a bar code and the student could spend it immediately."