Take it a step further, would
compliance with PCI-DSS provide proof of the breach or is that
security worthless? I suspect that would get settled quickly...
The merchant strikes back: Cisero’s sues processor and bank over pass-along fines following alleged breach
January 9, 2012 by admin
There’s an interesting lawsuit to
watch in Utah. The owner of Cisero’s in Park City is suing their
payment processor and bank for deducting money from their account
after card issuers fined them over an alleged breach of the
restaurant’s system.
The case stems from a March 2008
incident. According to Cisero’s, Visa had notified them that they
appeared to be the common point of compromise in a situation
involving credit card fraud and that they needed to bring in
forensic investigators. Two independent forensic investigations
found that the restaurant had unknowingly stored credit card numbers,
but there was no clear evidence of any actual breach.
Despite the absence of confirmation of any breach that could account
for customers’ fraudulent charges elsewhere, Visa ultimately fined
U.S. Bank, the acquiring bank. Elavon, the payment processor, is a
unit of U.S. Bank.
Thom Weidlich provides the background
on the case on Bloomberg.
At issue here is the restaurateur’s claim that there was no
evidence that they had been hacked, that Visa didn’t prove that
there had been a compromise of their system that resulted in fraud,
and that although they had unknowingly stored over 8,000 card
numbers, that number was below the contractual threshold to trigger
fines. The owners had been sued by Elavon for over $82,000 in fines
that Visa and MasterCard had levied. The owners countersued in
August.
“At no time has
Elavon, US Bank, Visa, MasterCard or any other entity proven that a
data breach occurred at Cisero’s, that card issuers actually
suffered fraud losses or that any such losses were caused by a data
breach at Cisero’s,” the restaurant said in court papers.
The owners also allege that U.S. Bank
never provided any information or support to assist them in staying
secure and PCI-DSS compliant, and that rules were unilaterally
changed without notice or consent over time.
Some of their suit strikes me as
buyer’s remorse. They signed a contract that permitted some of
these things to occur. Was it a lousy contract? Probably. Were
there documents that they weren’t even provided before they signed
the contract? It seems so. But what it may boil down to is that
they did sign a contract. So what part of the contract did the bank
and processor actually breach? Their strongest argument appears to
be that they were not notified of the fine, as required by the
contract, in time for them to file a timely appeal and that Visa
ascribed losses to a breach without justifying their numbers –
particularly since there was no proof any breach had even occurred.
I think their claim that the acquiring bank failed to provide them
with information and support to remain compliant is also worth
pursuing, but without the language of the contract to determine the
bank’s contractual obligations to them, I’m not sure where that
will go.
Visa is not a defendant in this law
suit, but they are the elephant in the room.
You can read the payment processor’s
lawsuit
against the restaurant and the countersuit
against the processor and acquiring bank, courtesy of Bloomberg. See
what you think. Do you think they stand a chance of prevailing?
The problem with tit-for-tat is that it
tends to escalate. Given time, either the Hatfields or the McCoys
would have gone nuclear.
Israel’s hacker avengers: We’ve obtained Saudi credit card info
January 9, 2012 by admin
Aviel Magnezi reports:
The major credit
card information leak, a by-product of the activities of the Saudi
hacker who has been sneering over attempts to locate him, has not
been ignored.
Israeli hackers
who spoke to Ynet claimed on Monday that they have managed to lay
their hands on the details of thousands of credit cards used on Saudi
shopping websites. Ynet has confirmed the hackers’ reports. “If
the leaks continue, we will cause severe damage to the privacy of
Saudi citizens,” one of the Israeli hackers threatened.
Read more on ynet.
Yes, because we know two wrongs
always make a right and turning innocent Saudi shoppers into
potential fraud victims will really improve international relations,
right?
Ubiquitous surveillance. Thank God I
didn't have access to these when I was a kid...
App-Controlled RC Toys Make You Feel Like Ethan Hunt
… At CES Unveiled Sunday night,
Interactive Toy Concepts showed off its new Wi-Spi line of video
surveillance vehicles: an RC helicopter and RC race car that house a
camera that delivers a live stream of video to your device. Both are
controlled, as the name would imply, by Wi-Fi.
I don't see it as a big problem, but
then I'm not getting $450 per hour...
By Dissent,
January 9, 2012
Howard Anderson reports:
The federal
government has issued streamlined standards for electronic funds
transfers that a health plan uses to pay a claim, as well for related
electronic remittance advice. But despite the issuance of a new rule
enacting the standards, it remains unclear under what circumstances
the HIPAA privacy and security rules might apply to
banks handling transactions, one compliance expert says.
Read more on HealthcareInfoSecurity.
Hopefully the final rule will clarify this. If not, a lot of
lawyers are going to be pulling their hair out [Translation:
are going to be making a lot of money Bob] trying to sort
this out.
For my Ethical Hackers
Smart meter SSL screw-up exposes punters’ TV habits
January 9, 2012 by Dissent
John Leyden reports:
White-hat hackers
have exposed the privacy shortcomings of smart meter technology.
The researchers
said German firm Discovergy apparently allowed information gathered
by its smart meters to travel over an insecure link to its servers.
The information – which could be intercepted – apparently could
be interpreted to reveal not only whether or not users happened to be
at home and consuming electricity at the time but even what film they
were watching, based on the fingerprint of power usage.
Read more on The
Register.
[From the article:
During the talk, entitled, Smart
Hacking for Privacy (YouTube video here),
the researchers explained that they came across numerous security and
privacy-related issues after signing up with the smart electricity
meter service supplied by Discovergy.
… Because meter readings were sent
in clear text, the researchers were able to intercept them
and send forged (incorrect) meter readings back to Discovergy.
[Cheap energy at last! Bob]
In addition, the researchers discovered
that a complete historical record of users' meter usage was easily
obtained from Discovergy's servers via an interface designed to
provide access to usage for only the last three months. The meters
supplied by the firm log power usage in two-second intervals. This
fine-grained data was enough not only to determine what appliances a
user was using over a period of time – thanks to the power
signature of particular devices – but even which film they were
watching.
They explained that the fluctuating
brightness levels of a film or TV show when displayed on a
plasma-screen or LCD TV created fluctuating power-consumption levels.
This creates a power/consumption signature for a film that might be
determined from the readings obtained by Discovergy's technology.
… More commentary on the
presentation can be found in a blog post by Sophos here.
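As an added illustration of why two-second readings are the privacy problem here (this is not code from the article or from the researchers’ talk): a constructed library of film brightness profiles, a synthetic household power trace built from one of them, and a plain Pearson-correlation match that recovers which film was playing. Every profile, wattage and seed below is a constructed assumption; only the two-second sampling interval comes from the article.

```python
import random

SAMPLE_SECONDS = 2     # Discovergy meters logged usage every two seconds (from the article)
SCENE_SAMPLES = 15     # constructed: brightness held roughly constant for ~30 s "scenes"


def make_profile(seed, n_samples=600):
    """Constructed brightness profile (0..1) for a hypothetical film, one value per meter sample."""
    rng = random.Random(seed)
    profile = []
    while len(profile) < n_samples:
        profile.extend([rng.random()] * SCENE_SAMPLES)
    return profile[:n_samples]


def synth_meter_trace(profile, seed, base_w=120.0, tv_w=150.0, noise_w=25.0):
    """Constructed household trace in watts: fixed base load + a TV whose draw
    scales with picture brightness (the plasma/LCD effect the talk relied on) + noise."""
    rng = random.Random(seed)
    return [base_w + tv_w * b + rng.gauss(0.0, noise_w) for b in profile]


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 when either is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def identify_film(trace, library):
    """Score every library profile against the meter trace; return (best title, all scores).
    A high best score with a wide margin over the rest is what turns usage data into viewing habits."""
    scores = {title: pearson(trace, profile) for title, profile in library.items()}
    return max(scores, key=scores.get), scores


# Constructed five-film library; in practice this would be built from real brightness curves.
LIBRARY = {f"film_{i}": make_profile(seed=i) for i in range(5)}

if __name__ == "__main__":
    trace = synth_meter_trace(LIBRARY["film_3"], seed=99)   # 600 samples = 20 min of viewing
    best, scores = identify_film(trace, LIBRARY)
    print("identified:", best, {k: round(v, 2) for k, v in scores.items()})
```

The defensive takeaway is in the numbers: the match only works because the meter exports per-sample detail, so coarser reporting intervals and transport encryption both shrink what a third party can learn from the feed.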
Inevitable?
India Reports Completely Drug-Resistant TB
A list for my students (and fellow
faculty) with a couple examples...
10 Free Software you should Download to have a Brilliant Year Online (Windows)
2. Backup Tool – Comodo Backup
Comodo Backup is a superior solution
that lets you backup any files to a choice of destinations, including
to CD or DVD, or online, and it can be easy or as advanced as you
want it to be.
4. Sandboxing – Sandboxie
The software can sandbox any
application, which means running it in a secure and disposable
section of your hard drive to prevent it making any permanent changes
to your PC. You can download and even run malware in the sandbox and
it won’t be able to infect your system.
Another resource for students...
Recently, Google has launched a new
site – Good to Know – which contains useful tips that can help
users make their stay on the Internet secure.
A day for resources...
Tuesday, January 10, 2012
Over the last couple of months Evernote
has become my favorite tool for bookmarking websites and saving
files. Evernote allows me to access my bookmarks and files from all
of my devices whenever I'm connected to the Internet. I also like
the tagging and sorting options that I have available to me in
Evernote. Before using Evernote I used Google Bookmarks. While
Google Bookmarks is good, Evernote's tagging and sorting options are
much better.
Recently, I learned that Evernote
has an education section in which they provide examples of Evernote
being used by teachers and students. Through the Evernote
for Education page you can access an hour-long webinar explaining
how Evernote can be used by teachers and students.
For the students in my Modern Dance
class...
Kinect Comes To Windows On February 1st
… They’ve been hinting at it,
people have been hacking it, and they even released
an SDK a little while back
… If you’re interested in
contributing, check out the SDK, or if you just want to see what
people have put together (there has really been some mind-blowing
stuff over the last year), scroll through our Kinect
tag.
Am I seeing money in Online Education?
Ampush Media Acquires One Of Bill Gates’ Favorite Education Startups, Academic Earth
Ampush
Media, an online marketing startup, has acquired Academic
Earth, an online education video site that’s sort of like a
“Hulu for Education” and a Bill Gates-favorite. Financial terms
of the deal were not disclosed.
As we’ve written in the past,
Academic Earth is a user-friendly,
curated platform for educational videos that allows anyone to
freely access instruction from the scholars and guest lecturers at
the leading academic universities. The site offers 350 full courses
and over 5,000 total lectures from Yale, MIT, Harvard, Stanford, UC
Berkeley, and Princeton that can be browsed by subject, university,
or instructor through a user-friendly interface.
Additionally, editors have compiled
lectures from different speakers into Playlists such as
“Understanding the Financial Crisis” and “First Day Of Freshman
Year.” Since the site’s launch in 2008, Academic Earth has grown
to attract 400,000 unique visitors per month, primarily through word
of mouth.