Who is at Fault for Credit Card Insecurity?


Investigate the Payment Card Issuers

The Massachusetts Attorney General forced the owner of some local restaurants to pay $110,000 to settle charges that the company maintained inadequate security over credit card data.  Malware had infected the company’s computers.  The company (Briar Group LLC) had failed to change the default passwords on point of sale devices, and its wireless security was inadequate.

Even Sophisticated Systems are Breached

Data security is a difficult, sophisticated job.  Briar Group was not well-suited to the job. A company like this relatively small restaurateur is an expert at serving food, not an expert at data security.

The reality is that almost any commercial computer system can be breached.  Even sophisticated technology companies like Sony and RSA suffer data breaches.  RSA is one of the most trusted data security firms in the world!  If RSA can get hacked, it is no surprise that Briar Group was hacked.

Investigate Credit Card Issuers Themselves

I am sure that in punishing the Briar Group restaurants the Attorney General had the best intentions.  Yet why is it that the Attorney General focuses attention on a modest restaurant company?  If that company needs to be investigated and fined, why does the Attorney General not investigate companies that have real influence on credit card security – the issuers of credit cards themselves?  Credit cards are abused regularly on account of their weak security.  Why should the Attorney General not punish the issuers for using faulty, out-of-date technology?

Why, for example, should the Attorney General not force the issuers to require a text message confirmation for each credit card transaction?  (Example: I swipe my card at a point-of-sale device; I promptly get a text message on my phone asking for approval; the transaction does not complete until I text approval to the issuer.)
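The flow described in the parenthetical can be modeled in a few dozen lines. The block below is an added example, not code from the original post or from any card issuer: the authorization is held as pending, a one-time code goes to the cardholder's registered phone, and the transaction completes only when a reply from that phone quotes the code for that specific transaction inside a time window. The SMS channel is simulated by an in-memory outbox, and the two-minute approval window, the class and function names and the sample phone numbers and merchant are all assumptions.

```python
"""Out-of-band approval of a card transaction (added example, not the post's code).

Flow: swipe -> issuer holds the authorization as PENDING and sends a one-time
code to the registered phone -> a reply quoting that code from that phone,
inside the window, flips the transaction to APPROVED (or DECLINED).
"""
import secrets
import time
from dataclasses import dataclass

APPROVAL_WINDOW_S = 120  # assumption: the holder has two minutes to reply


@dataclass
class Txn:
    txn_id: str
    phone: str
    merchant: str
    amount_cents: int
    code: str          # one-time code bound to this transaction only
    created: float
    status: str = "PENDING"


class Issuer:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested offline
        self.txns = {}
        self.outbox = []        # simulated SMS gateway: list of (phone, text)

    def swipe(self, phone, merchant, amount_cents):
        """Step 1: the POS authorization request arrives. Nothing settles yet."""
        txn = Txn(
            txn_id=secrets.token_hex(8),
            phone=phone,
            merchant=merchant,
            amount_cents=amount_cents,
            code=f"{secrets.randbelow(10**6):06d}",
            created=self.now(),
        )
        self.txns[txn.txn_id] = txn
        # Step 2: the message names merchant and amount so the holder knows
        # exactly what a reply approves; the code ties the reply to this txn.
        self.outbox.append((phone, f"Approve ${amount_cents / 100:.2f} at {merchant}? "
                                   f"Reply {txn.code} to approve or NO {txn.code} to decline."))
        return txn.txn_id

    def reply(self, from_phone, text):
        """Step 3: a reply from a phone. Returns the resulting status.

        A reply only counts if it comes from the registered phone, quotes the
        code of a still-pending transaction, and arrives inside the window.
        A code that already approved one transaction matches nothing else.
        """
        parts = text.strip().upper().split()
        if not parts or not parts[-1].isascii():
            return "NO_MATCH"
        decline = len(parts) == 2 and parts[0] == "NO"
        code = parts[-1]
        for txn in self.txns.values():
            if txn.status != "PENDING" or txn.phone != from_phone:
                continue
            if not secrets.compare_digest(txn.code, code):
                continue
            if self.now() - txn.created > APPROVAL_WINDOW_S:
                txn.status = "EXPIRED"      # a late approval is not an approval
            elif decline:
                txn.status = "DECLINED"
            else:
                txn.status = "APPROVED"
            return txn.status
        return "NO_MATCH"

    def status(self, txn_id):
        """Step 4: the POS polls; a pending txn past its window reads EXPIRED."""
        txn = self.txns[txn_id]
        if txn.status == "PENDING" and self.now() - txn.created > APPROVAL_WINDOW_S:
            txn.status = "EXPIRED"
        return txn.status


if __name__ == "__main__":
    issuer = Issuer()
    tid = issuer.swipe("+15550100", "Example Cafe", 1250)   # constructed values
    phone, sms = issuer.outbox[-1]
    print(sms)
    print(issuer.reply(phone, issuer.txns[tid].code))      # APPROVED
    print(issuer.status(tid))
```

The security-relevant detail is that the reply is bound to one transaction by a single-use code and a short window; a bare "YES" from the phone would let an attacker's fraudulent swipe ride on the holder's approval of a legitimate one.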

Alternatively, why should the Attorney General not require card issuers to embed dynamic authentication EMV chips in cards, as is done outside the US?
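The difference between the two designs is worth seeing in code. The block below is an added example, not code from the original post or from any issuer or EMV specification: a magnetic stripe presents the same secret on every swipe, so data skimmed once (the Briar Group scenario) authorizes indefinitely, while a chip signs each transaction together with a counter, so a captured cryptogram cannot be replayed or bent to a different amount. The cryptogram here is an HMAC-SHA256 stand-in for the EMV ARQC; real EMV derives per-transaction keys with different primitives, and the field layout, class names, sample track data and card numbers are assumptions.

```python
"""Static card data versus a per-transaction cryptogram (added example, not the
post's code). The chip side is a simplified model of EMV dynamic authentication
using HMAC-SHA256 in place of the real ARQC derivation.
"""
import hashlib
import hmac


class StaticCard:
    """Magstripe model: the card can only replay its fixed track data."""
    def __init__(self, track: bytes):
        self.track = track

    def present(self) -> bytes:
        return self.track          # identical bytes on every swipe, so copyable


class StaticIssuer:
    def __init__(self, track: bytes):
        self.track = track

    def authorize(self, presented: bytes) -> bool:
        # The issuer can only check that the bytes match; a skimmed copy passes.
        return hmac.compare_digest(presented, self.track)


def _cryptogram_input(pan, amount_cents, merchant, terminal_nonce, atc) -> bytes:
    # Everything the issuer must see, bound into one message (assumed layout).
    return f"{pan}|{amount_cents}|{merchant}|{terminal_nonce.hex()}|{atc}".encode()


class ChipCard:
    """EMV-style model: a per-card secret key plus a transaction counter (ATC)."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_cryptogram(self, amount_cents, merchant, terminal_nonce):
        self.atc += 1            # monotonically increasing, never reused
        mac = hmac.new(self.key,
                       _cryptogram_input(self.pan, amount_cents, merchant,
                                         terminal_nonce, self.atc),
                       hashlib.sha256).digest()
        return {"pan": self.pan, "atc": self.atc, "mac": mac}


class ChipIssuer:
    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, pan: str, key: bytes):
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def authorize(self, amount_cents, merchant, terminal_nonce, cryptogram):
        pan = cryptogram["pan"]
        key = self.keys.get(pan)
        if key is None:
            return "UNKNOWN_CARD"
        if cryptogram["atc"] <= self.last_atc[pan]:
            return "REPLAY"           # this counter value was already consumed
        expected = hmac.new(key,
                            _cryptogram_input(pan, amount_cents, merchant,
                                              terminal_nonce, cryptogram["atc"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram["mac"]):
            return "BAD_CRYPTOGRAM"   # amount, merchant or terminal nonce altered
        self.last_atc[pan] = cryptogram["atc"]
        return "APPROVED"


if __name__ == "__main__":
    import secrets
    track = b"%B4111111111111111^DOE/JOHN^2512101?"     # constructed track data
    print("skimmed stripe still authorizes:",
          StaticIssuer(track).authorize(StaticCard(track).present()))
    key = secrets.token_bytes(16)
    card, issuer = ChipCard("4111111111111111", key), ChipIssuer()
    issuer.enroll(card.pan, key)
    nonce = secrets.token_bytes(4)
    c = card.generate_cryptogram(1250, "Example Cafe", nonce)
    print(issuer.authorize(1250, "Example Cafe", nonce, c))   # APPROVED
    print(issuer.authorize(1250, "Example Cafe", nonce, c))   # REPLAY
```

Note what the chip version does not protect: the secret key never leaves the card, but a merchant that stores the PAN still leaks something usable for card-not-present fraud, which is why the counter and terminal nonce matter only for transactions the issuer actually verifies.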

Continuing to Operate after Breach Discovered?

The Attorney General said that one of the justifications for punishing the Briar Group restaurants is that they continued to accept credit cards after they knew their computers were compromised.

But do not card issuers do the same thing?  They know that their system is compromised routinely, but they continue to use their old system.

Maybe the argument for issuers to continue to use the flawed credit card system is that even though it is imperfect, it has redeeming qualities.  It has many redundant controls, such as the rule that consumers are normally not liable for false transactions on their cards.  Further, if issuers immediately stopped using their flawed system, the economy would be harmed.  Jobs would be lost.

Could not similar arguments be made in favor of Briar Group?  The theft of card data from a restaurant does not automatically mean fraud will occur.  Redundant controls (such as transaction monitoring by card issuers) help to protect card holders.  Further, if Briar Group had immediately ceased processing cards after it learned it had been breached, it would have been forced to shut down and lay off employees.  For Briar Group to have shut down would have caused greater harm than the harm caused by some false credit card transactions (for which individual card holders will not be held liable).



Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update:  Why law enforcement should focus attention not on merchants, but on the insecurity that is inherent in credit cards as they are presently designed.

SMS Text Messages | Recovery from Carriers

Over on the social networking site reddit a topic came up that you may find interesting: the technical ability of telephone carriers to restore SMS text messages.

The default stance of the carriers seems to be "no, we cannot recover text messages"; however, that seems to be at odds with reality:

Kobe Bryant case.

In Flagg v. City of Detroit, 2008 WL 787061 (E.D. Mich. Mar. 20, 2008) (text messages were subpoenaed from SkyTel, a cell phone provider) although I don’t know the time period on that one.

In a more recent case Verizon restored nearly 5 months of text messages: ZDNet

Do you have any experience or tips in successfully compelling a carrier (AT&T in this instance) to restore messages when subpoenaed?  Does it take an order from a judge?

Thanks,

Liam

The foregoing is the content of a message sent to me by Liam Randall.  Liam gave me permission to repost the message.  My comment:  The rules of procedure for a civil lawsuit provide for "discovery" of relevant records, which can include text messages.  In a lawsuit involving a telecom subscriber, the opposing party might invoke the rules of discovery to demand that the subscriber request that the telecom produce whatever records it may possess.  If the subscriber does not cooperate with the demand, then the opponent might ask the court to impose sanctions on the subscriber.  However, cooperation of the subscriber may not persuade the telecom to do much. By 

Update.  The document posted here apparently shows how long telcos keep different classes of subscriber data.   And a discussion here describes the likely result of a subpoena for  text messages from a cell phone provider.

Update 2013:  Steps for preservation and acquisition of text, photos, logs, deleted records from mobile device.

Latest Update April 2013:  How long mobile carriers retain data.

Best wisdom as of September 2014: The text, photos and other data you want may well be synced to a backup that can be accessed by legal means such as

  • a subpoena, 
  • an e-discovery demand in a civil lawsuit or 
  • simply a polite letter of request.




Copyright | 3D Printing Object

Fair Use | Super 8 Movie Prop

Intellectual property enforcement needs a sense of scale.

An engineer named Todd Blatt created a 3D digital model of a distinctive cube object from the movie Super 8.

Then he made the model available on the 3D printing site Shapeways so that fans could purchase copies of the cube, manufactured on a one-off basis.

Cease and Desist Letter?

Lawyers from the movie studio, Paramount Pictures, issued a cease and desist letter to Mr. Blatt, and he complied. The lawyers believed this odd-ball, one-by-one, relatively expensive method for reproducing the cube violated the studio’s copyright.

This was over-lawyering. The cease and desist letter did not serve the studio’s best interest. 3D printing is today a novelty. 3D printing is unlikely to reduce the studio’s ability to sell its own reproductions of the cube.

Mr. Blatt’s 3D reproduction comfortably fits within the "fair use" doctrine of copyright law, which permits limited copying for purposes such as commentary, education and research.

Advice to the Studio

The studio comes off looking like an ogre when it sends this cease and desist letter.

The studio should be flattered that Mr. Blatt would go to the trouble to enable this unusual, intriguing form of acclaim for the movie. The studio needs enthusiasts like Mr. Blatt. Instead of hitting him with a lawyer’s letter, the studio would be better advised to blog about him, tweet about him and publish a video about his inspiring work.

In years to come, as 3D printing drops in cost, 3D reproduction of a movie prop could shrink the market for officially-licensed copies of a prop. But 3D printing is not there today.


Update:  Mr. Blatt asked me to elaborate on why I think his 3D reproduction is fair use.  (Obviously, none of my public statements are legal advice to Mr. Blatt or anyone else.  I'm just stating ideas for public discussion.)

Let's look at the law.  17 USC Section 107:

"the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include:
1. the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
2. the nature of the copyrighted work;
3. the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and
4. the effect of the use upon the potential market for or value of the copyrighted work."

My feeling is that Mr. Blatt's work is so limited and restrained that its impact and purpose are more like commentary, education or research than commerce.  His work is a wondrous novelty that praises the movie makers.  Due to the expense and awkwardness of 3D technology today, the movie makers themselves are very unlikely to try to make a 3D version of the cube in the way that Mr. Blatt did.

The purpose of the fair use doctrine is to enable the kind of cool, provocative exchange of ideas that Mr. Blatt's work exemplifies.