Our family has had a PayPal account almost since PayPal has offered them.  It’s remarkably convenient, it provides us great flexibility to shop online using a single payment source and I love that we’ve been able to change funding sources several times over the years.  It’s always conveyed a certain sense of security; I’ve just always felt safe using PayPal.  I’ve even gone so far as to suggest that at some point, if PayPal management grows things just right I could see a future state where paper currency and maybe even actual physical credit cards go away and are replaced by some version of their services.  When I discovered this past year that Home Depot already allows you to use PayPal to make in-store purchases I was convinced I was right.  Now I’m not so sure.

Over the past year or so I’ve been getting the occasional email ping from PayPal regarding our reaching a spending limit.  It’s a fairly high limit for most but considering that we’ve been using PayPal to make purchases going back nearly a decade maybe not as much.  But the message has been quite clear; if we didn’t verify our account before reaching this limit it would be “ the maximum amount of money you can send or use for purchases before you need to become Verified”.   So how you become verified is quite simple – either give up your bank account information or apply for a privately owned credit card.  No, seriously, those are the only two options.

My first thought was that although I liked having the protective layer of a credit card product buffering my PayPal account from my actual money I was okay with providing bank account information.  It’s not like I don’t use that in other places to make payments and so there wouldn’t be any enhanced risk by doing so again.  I wasn’t going to apply for a PayPal-based credit card because I don’t want one or need one and I wasn’t looking for a new credit source anyway, I just wanted to continue using PayPal.  I clicked on the option to provide my bank account information and after the initial screen where they ask for the routing and account details and clicking on “Submit” I was presented with a screen that I still can’t believe exists.  Right there before my eyes was a screen from PayPal in which they ask me to provide my online banking user-id and password so they can verify a series of PayPal generated payments thus confirming my banking details.  Let me repeat that one more time; PayPal asked me to provide them with my online banking user-id and password.

Has PayPal lost its collective mind?  Seriously, have they?

I was stunned, almost to the point where I couldn’t get coherent words to flow.  I immediately fired off an email to PayPal customer support asking them how they could do something so outrageous.  Within minutes I received an automatically generated reply which I always find insulting, as if though I’m not worth an actual intelligent and personal response.  It was a complete regurgitation of everything stated on their website and completely ignored the gist of my email.  I fired off a second email missive, this time way more specific.  Here’s what I wrote:

Here’s the sequence of events:

Wednesday morning I received an email alert from a company I use that my automatic monthly payment was declined.  Knowing full well it wasn’t a balance issue I assumed correctly that my bank had cancelled the card.  As I travel extensively and rely on the card exclusively I made my way to a local branch later that morning.  Along the way I called into the service center and confirmed my suspicions, that Visa informed the bank that my card was part of a range of numbers that was possibly exposed via a breach.  I asked if it was possible to learn the name of the offending vendor and was told (same as last time) that Visa doesn’t share that information.  As I am now a two-time victim it’s easy to spot the trend and hard to ignore the possibility that it might have involved the same vendor both times.  It wound up taking three visits to a branch to straighten me out and actually get a functioning card in my wallet.  The inconvenience is more than benign as I use the card in several places and will now need to make manual, one-off payments with the temporary card while awaiting the permanent card so that I can update the affected accounts.  By the time this is all said and done it will have resulted in my exhausting more than a half day of billable time trying to fix a problem I didn’t create.

A few things need to change.

• First, as part of the breach notification the card issuer needs to share with the cardholder the source of said breach.  I’ve been hit twice in six months, there’s a better than even chance that it involved the same vendor and/or processor and I deserve to know if that’s true.
• Second, affected cardholders should receive status updates providing details about the breach including the suspected source, the techniques potentially used and a description of any follow-up actions including investigative and (hopefully) criminal prosecution.
• Third, issuers need to have a better system in place to address breaches.  The fact that I have to overtly take action in order to replace the card is a joke.  I’m a billable resource and taking time out to wait to talk to a customer service representative results in loss of income; I’m being punished twice as a result.  I should have been offered the option to have a card overnighted to me or have been able to receive a card at any teller window and have it activated right there and then (I had to first activate at an ATM before I could use the temporary plastic).  The card replacement process needs to be streamlined.

We collectively as an industry and a society need to accept that both identity and card theft is a mainstream occurrence and adjust accordingly.  Legislation is needed to further insulate the victims (like me) from any extended damage or inconvenience and ensure as smooth a process as possible to allow us to continue living our lives.  Because right now I don’t just feel like a victim, I feel like I’m being punished for being one and treated like I simply don’t matter.

Hey Washington, make the industry tell us what’s going on and to treat the consumers better!

Oh, and PCI Security Standards Council, how’s that framework working out for you?  I’m thinking the only one benefiting from your content are the practitioners making money by supporting it.

Seriously, something needs to change.

I clicked on the link and instead of being directed to the desired page was instead routed through to a Websphere Administration panel.

But that’s not even the best part of the story.

After confirming that in fact I was somehow through their firewall security and at some point along the way into their infrastructure,  I decided to be a good citizen and let them know.  I tried calling their customer support department twice and both times, after being routed through some crazy series of automated menus, wound up being treated as someone who was simply having trouble accessing his online account.  One customer support representative had no clue what I was describing to them and the other one seemed to grasp what I was saying conceptually but didn’t have a page in his playbook to manage the call and so he defaulted to trying to help me pay my bill.

The funny thing is that once I navigated from their homepage through to the payment page it worked just fine, but if I selected the bookmark it deposited me right back at Websphere Central.  And as of 30 seconds ago it still does.

Now I know that bashing the local cable company is a popular thing to do and has fast become one of our nation’s favorite pastimes.  But I’m not so much picking on them as I’m amazed that they have such an obvious flaw in their network security.  My firm conducts basic penetration tests all the time and this is the sort of thing that would be flagged without much of an effort.  Why haven’t they found it yet?  And if I’ve found it entirely by chance what about the hackers who go hunting for these sort of things?  Or have they discovered it and are currently feeding large while it remains available?

It’s amazing any of us are ever willing to conduct business online, when you get right down to it.

Ms. Keen was kind enough to share her story with me so that I in turn could share it with you.

Her bad day started with the most basic error in judgement: She responded to a Yahoo-branded email requesting that she confirm her account information or else her account would be closed.  She said that “despite my initial instincts, I fell for it.”  It’s not hard to understand why.  Like most parents with school-age children, she has too much going on, depends on email to keep things moving and if she is anything like my wife, is of a mind to address things as they arise; she was a perfect target for a hacker.

Ms. Keen first became aware that she was about to have a bad day when she received an early morning phone call from a friend indicating they’d received an email from her asking for help.  She attempted to sign on to her Yahoo account to see what was going on but the hackers had changed her password and she was locked out.  She explained what happened next:

“I had to wait for Yahoo to open at 9:00am to resolve the issue and regain access to my account.  Yahoo was extremely helpful and we were able to take the account back quite easily.  The representative I spoke with knew to advise me to confirm if any of my personal information had been changed, which it had.  An alternate email address had been added by the hacker as a way to retain control of my account even after I had gotten back in.  And my understanding is this is how they would continue to log in and check to see if anyone was actually trying to send me money.  If I did not know to delete this alternate email, the hackers could continue to monitor the account and target anyone asking me where to send the money.”

I asked her if anyone actually attempted to send money or respond favorably to the hacker’s phishing attempt and fortunately no one had.  While she did receive a few calls and/or emails trying to confirm if the request was legitimate, because as Ms. Keen explained, “They did indeed want to help me if I really needed it,” no one actually took further action.  Apparently the majority of people who received the phishing attempt knew it was a hoax and ignored it (score one for security awareness in the private sector).

Was there a lesson learned from all of this for Ms. Keen to share?

“Do not respond to emails requesting personal account information, no matter how reputable they may seem,” she said.  ”As Yahoo explained, they would never request that sort of account information from me (they already have it and there is no need for it to be confirmed).”

To which I would add that you could easily replace the Yahoo name with literally any reputable business with which you have an online account.  I would also recommend that you print Rebecca Keen’s advice and tape it to your monitors and keyboards at both work and home for all to see.  Because whether it be the result of a successful phishing attempt, poor judgment or sloppy controls (e.g. sticky notes under the keyboard/phone/stapler, etc.) the number one entry point used by hackers to gain access to sensitive information remains password sharing.

Check back here next week. I have an interesting (if not scary) story to share about how some financial institutions are (mis)managing regulatory requirements.

I am a bit relieved that the threats we already know about are still pretty much those that we’re dealing with; we know how they happen, why they exist and what to do about them.  But that’s also why I’m worried.

If we know about these threats and have at our disposal a wide range of techniques and tools to prevent them, why are they still finding any measure of success?

For example, take a personal experience I had while using Facebook.  Shortly after becoming an active user on the popular social networking site, I fell prey to a virus delivered by way of a URL that presented itself in the form of a video link sent from a friend.  The link appeared suspicious and though I attempted to close the message without clicking on the link, something went awry and I navigated right into the steely, sticky jaws of a truly annoying virus.  Fortunately, I was able to clean my machine and irradicate the virus eventually (many thanks to Trend Micro for some pretty good software on that front).  But the experience served as a booster shot of sorts for my overall online strategy.  Now, I won’t even open a message unless it presents itself correctly (e.g. proper spelling, contextually appropriate, etc.).  It took me all of one bad experience to realize I had to use the same level of vigilance on Facebook as I did in the rest of my digital world.

In other words, I learned the lesson and have taken steps to not make the same mistake again. Why can’t the business world do the same thing?

Of the threats detailed in the Verizon report, the vast majority can all be addressed via proper system configuration and basic monitoring techniques.  We’re not talking rocket science here.  And the remaining threats – the ones involving the human element – can be greatly reduced by proper and consistent security awareness training.  Honestly, if I can get my almost octogenarian mother to screen emails and only open those that come from trusted sources, I’m thinking corporate America can train its employees to do the same.  If I can educate my wife on the dangers of skimming and give her the basic tools necessary to avoid suspicious ATM’s (e.g. only use bank-branded devices in well lit areas; always cover the keypad when entering PIN’s, etc.), I’m certain financial institutions can do so with their customers.

The criminal element can be a pretty sharp group and are always, always thinking of new ways to get to other people’s money. Why make it easier for them by leaving the same doors unlocked and windows opened? As I’ve already pointed out, it’s good that we have identified the threat but it’s not so good that we haven’t done enough to stop it.

And here’s a neat little addendum: I wrote this post earlier today while traveling and when I returned home this evening and sorted through my mail, I found a brochure for the SANS event scheduled for March, 2010 in Orlando.  While flipping through the pages, I saw session after session all aligned quite nicely against the threats detailed in the Verizon report.  Again, successfully dealing with this ain’t exactly rocket science.

How is it that a business can be PCI-compliant but still have glaring vulnerabilities?  How is it that despite layer upon layer of controls it’s still entirely possible for an executive to fudge numbers in a spreadsheet and alter a company’s financial reports?  How is it possible that a financial institution undergoes an annual exam and, despite not adhering to the most basic tenants of FFIEC guidance, still receives a favorable report?  And how is it that there’s a regulation that made an entire industry jump all at once but has never actually been enforced (can I see a show of HIPAA hands)?

And don’t think these statements are pure hyperbole; these all come directly from the field and from engagements I’ve been on in the last few years.

Why, you may ask, am I feeling a bit down on the regs this week?  A couple of three reasons:

It started on Monday when I was catching up on my industry reading.  There was an article about data leak prevention (DLP) software and how sales have been heating up lately.  Of the reasons given by survey respondents as to why they were considering purchasing a DLP solution, the top two were pretty much pointing the finger at either industry or regulatory demands.  The third reason was to avoid damage to the company brand/reputation, the fourth was to avoid lawsuits and finally, all the way down at number five on the list of reasons: to prevent the theft of proprietary information.  That’s just Depressing (note the capital “D”).  I thought it was embarrassing that the vast majority of survey respondents were looking to prevent data theft not because it was the right thing to do or to protect customers’ or employees’ sensitive data but rather because they’re being made to do so.  And so maybe you can make the case that regardless of the reason, at least companies are being forced to do something about protecting their information.  Sadly, that’s exactly my problem.  When it comes to doing things for the sake of compliance most companies only take things as far as they need to in order to achieve/maintain compliance.  The people on the front lines sort of lack enthusiasm for doing these things and figure their job ends once the auditors and examiners are happy.

My week of regulatory woe continued on Tuesday when while reviewing key activities aligned against one of the aforementioned frameworks, I identified what was a potentially significant gap not in how the client was conducting their work, but rather in what the regulation specifically required.  In other words, despite my client being completely compliant with this stringent, well respected framework, there was still the very real possibility that a vulnerability could exist.  I dug a bit deeper, made some phone calls to associates whom I often consider to be way smarter than I and the result was that I was right, the gap existed.  One of my associates pointed out that in a well-run shop with a hardened infrastructure you would expect the situation I identified to be managed properly, but the reality is that unless they have to, few managers have the ability to go beyond what’s required (either by the business or regulations).  I suppose if ever a day comes to exist when an IT department has finally cleared out their project queue and has money left in the budget they may very well get around to it, but I’m not volunteering to hold my breath.

And finally, my week is closing with news that a former client of mine is on its financial ropes and very likely about to declare bankruptcy.  Really, in the end it’s just a sign of the times and the sad state of our economy.  They appeared to be making the necessary adjustments over the past few years by trimming back staff and scaling back on non-critical projects, but they’re a half-inch to the left of the epicenter of this whole financial mess and in the end I guess there was no way to avoid the inevitable.  But still, I think of all the money they’ve spent on compliance-based initiatives since SOX first hit the scene and I can’t help but wonder if all of that spend could’ve been put to better use.  In the end, despite all of the great work that was done they still weren’t going to be able to prevent someone from massaging the numbers in a spreadsheet (a personal pet peeve of mine)   Thinking about the number of people they’d brought in to size up and conduct the work to bring their controls up to the necessary levels and the fees they’ve paid to their external auditors to conduct the SOX audits is just plain depressing.  Maybe if they’d used that money to fund a project to offer a new product line or enhance an existing one, they’d have found additional streams of revenue that could’ve helped them through this mess.

I suppose it comes down to this: anything worth doing is worth doing right.  But in the regulatory space that’s not the general rule and I’m thinking that until the oversight bodies figure out a way to provide the proper incentives, the work will always be lacking if not deficient.  Until being compliant also means being secure the job isn’t truly getting done.

Along those lines check back next week; I have an idea I’d like to share with you about how to make things better for all of us in the regulatory domain and turn things around.

In considering the implications of the recently announced changes by MasterCard that will now require PCI Level 2 merchants to be assessed by a Qualified Security Assessor (QSA) it occurred to me that they may be onto something. Why would the credit card industry restrict who needs to be assessed based on size? Why not simply require any business entity that either issues, accepts or processes credit cards to be regularly assessed against the PCI standard by a properly trained practitioner? The size factor could come into play based on the frequency of these assessments but in general everyone would need to have one conducted.

That wasn’t the eureka moment.

It wasn’t until a day or two later, while reading about newly emerging state data privacy laws, that the clouds parted and the sun shone through. With the MasterCard news kicking around in the back of my mind, I started thinking about how these state-based laws were going to come into play, and when I tried to tie all of this back to the Obama administration’s cybersecurity plan, it happened.

What if all business entities that issue, accept or process personal information, regardless of their vertical, are required to have an information security assessment conducted (think GLBA meets NERC CIP meets PCI) by a Certified Information Security Auditor? Think about it; ISACA could be broken up with the subset that oversees the CISA process becoming federally chartered to both manage the framework and issue the certification (think PCI on steroids). The framework would include portions that are of the one-size-fits-all variety and others that are specific to an industry and would be scalable based on the size of an entity. The CISA practitioners would all be trained on the framework and how to apply it properly and would need to attend agency-sponsored seminars at least annually.

Rather than have multiple frameworks to wrestle with, business entities would be able to distill information security regulations down to a single, stronger entity (and reduce all the redundant activities that so many of my clients are forced to struggle with). It would bump the IT general controls audit up a level to encompass more than just bits and bytes and allow the entity to tie together related activities that are assessed through a single pass. And the icing on the cake is that the resulting report could also be used in place of a SAS 70 (and finally provide a modicum of consistency to the SAS 70 process as well).

But the best part of my idea is that the business entity could staff up with their own certified assessors that would not only conduct the required work, but also serve as internal advisors year-round. They’d still need to be properly certified and maintain that certification, but there would be no need to constantly pay premium prices for external firms and/or resources.

Maybe the idea was inspired by the fact that I’m just burned out a little from working on multiple compliance initiatives or maybe it stems from my concerns that true IT governance is a generation away. However, after my eureka moment and after sharing the idea with a few associates of mine I’m still liking it.

Does anyone have a direct line to the White House I can use?

]]> http://itknowledgeexchange.techtarget.com/regulatory-compliance/hows-about-a-federally-mandated-information-security-assessment/feed/ 0