Chapter 2

Introduction to Fraud, Data Theft, and Related Regulatory Mandates

Credit card fraud, identity theft, and broader personal data theft are problems that plague our information-dependent society and predate the age of the Internet. Ironically, things such as automated processing of financial data that make your life easier and more convenient also make crime easier and more convenient. Moreover, the Internet allowed crime that only happened on a small scale to grow and spread globally, and the Internet’s scalability turned electronic-based crimes into a global concern.

Some crime was automated and changed from rare to widespread, for example, Nigerian e-mail or UK Lottery scams. Gone are the days where criminals need to be in the same location, country, or even continent to scam you out of your hard-earned cash. Nigerian e-mail scams started many years ago and are profitable for the scammers. They send out millions of e-mails claiming to be a relative of a Nigerian dignitary with frozen assets and want you to transfer the money for them. You give them your bank account information and/or send them “seed money” to get things moving and end up with nothing. UK Lottery scams aren’t much different with the same basic constructs to get you a cash prize.

Criminals have gone high-tech and have discovered that there is a significant amount of money to be made with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas and eating chocolate ice cream in the living room of your house has much more appeal than physically robbing banks or convenience stores. Add to that the lower risk of a confrontation with firearms and electronic crime becomes even more attractive! Depending on the company being targeted, the sophistication of the attack, and sheer luck, sometimes the high-tech crime may also be significantly more lucrative than traditional armed robbery. Sadly, cross-border prosecution issues significantly fuel a cyber-criminal’s activity. When a criminal physically robs a convenience store, he is probably caught on tape and there are witnesses. Plus, law enforcement will mobilize quickly to find and catch the criminal so he may be brought to justice. Cyber-criminals have a couple of things working in their favor, the first of which is their ability to commit crime without ever stepping into the physical location of their victim(s). Couple that with lagging cyber-security laws in most countries and the inability of the victim’s law enforcement to prosecute outside their borders, and you have an idea of why cybercrime is on the rise. In addition, a whole ecosystem of criminal outsourcing partners now allows other criminals to focus only on the activities they do best, such as creating malicious software or hosting phishing pages through botnets.

Malicious software (malware) and cyber-criminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame because of a lack of adequate controls to protect that information. In some companies information security is treated with apathy, and in others a lack of effective controls enables an insider to commit fraud. Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day.

Spyware, phishing attacks, and botnets are all computer attacks that are on the rise and pose a significant threat to corporate and home users, as they connect to the Internet from their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data available to be compromised due to carelessness or negligence by individuals and corporations.

Tools

Did you know that the Privacy Rights Clearinghouse has tracked all reported breaches since the ChoicePoint breach on February 15, 2005? To see all these breaches with an explanation and amount of records lost, point your browser here at www.privacyrights.org/ar/ChronDataBreaches.htm.

DatalossDB at http://datalossdb.org/ is another useful site for tracking the impact of data breaches. Despite its name, most of the recorded and analyzed data “loss” incidents are really data theft and abuse incidents. The DatalossDB crew does an awesome job of tracking all publicly reported incidents and digging out the details on them.

As of today, hundreds of millions of personal information records of various kinds have been lost or stolen. Every year since the ChoicePoint breach, we’ve seen major companies fall victim to Payment Card Industry (PCI)-related security breaches. DSW Retail in 2005, the U.S. Department of Veterans Affairs in 2006 (and in later years), The TJX Companies in 2007, Hannaford Brothers in 2008, Heartland Payment Systems in 2009, Albrecht Discount (ALDI) in 2010, and Sony in 2011 continue to demonstrate both the poor state of security and the increasing sophistication and numbers of the bad guys (as more and more countries have growing populations on the Internet) who want this data and know how to profit from it.

In an “Information is King” era, when more consumers are using computers and the Internet to conduct business and make purchases, taking the proper steps to secure and protect personally identifiable information and other sensitive data has never been more important. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having personal information exposed or compromised. It is worthwhile to add that credit card brands are definitely not the only entities suffering from such possible loss of confidence.

Note

Change your mindset and think of yourself as a consumer, Internet user, or citizen, not as a security or payment professional. What data do you hold dear? Think through the following list of scenarios:

What data or information about me can be considered sensitive and should not be disclosed, be corrupted, or be made permanently or temporarily unavailable? Think of a broad range of types of information—from a rare photo that only sits on a hard drive of one PC to your bank account number, medical history, or information about anything you’ve done that you are not proud of.

Think whether this information exists in any electronic form, on your computers or anywhere else. Is that picture on your “private” Facebook page—an oxymoron if there ever was one—or present in an e-mail spool somewhere?

Next, think whether this information exists on some system connected to the Internet. Sadly, the answer today would be “yes” for almost all (!!!) information people consider sensitive. For example:

• Credit card information—check,

• Bank account information—check,

• Personal financial records—check,

• Sensitive personal files—check,

• Health records—check.

Think what will happen if this information is seen, modified, or deleted by other people. Will it be an annoyance, a real problem, or a disaster for you?

Now, think about what protects that information from harm. Admittedly, in many cases, you don’t know for sure. We can assure you that sometimes your assumption that the information is secure will be just that—an assumption—with no basis.

Going through this list helps you not only understand data security rationally but also feel it in your “gut.”

Information technologists are affected by a number of laws and regulations designed to coax businesses into addressing their security problems. Depending on what industry a company does business in, it may fall under Sarbanes–Oxley (SOX), the Gramm–Leach–Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and other regulatory mandates that we mentioned at the very beginning of Chapter 1, “About PCI and This Book.” Perhaps this confusing hodgepodge of alphabet soup—and that is without European and other regional mandates and regulations—makes understanding how to comply with all these measures such a tough job that many organizations still fail to enforce adequate security. The Unified Compliance Framework (UCF), which can be found at www.unifiedcompliance.com, tracks hundreds of IT-relevant regulations, and many commercially available eGRC tools such as RSA’s Archer or IBM’s OpenPages can help build, manage, and reference a common control set to cover all of these compliance initiatives.

Note

If you feel lost and out of control, don’t. Remember, all these crazy compliance initiatives are trying to minimize the risk associated with an underlying problem—poor security. Taking a step back and looking at a standard security framework, like ISO27002, would do more to boost your global compliance efforts than attacking any one of these by themselves. A mature ISO27002 program would be able to adapt to future compliance initiatives or changes in a way that would minimize the overall impact compliance has on your organization.

Breaches often target consumer credit card information because of the revenue this type of data can generate on the black market. Since our last publication, the value of magnetic stripe data on the black market has declined dramatically, but that doesn’t stop the attacks or the desire to capture other data like PII and PIN-Debit information. Card companies recognized the rising threat to their brands and the large payment systems they invested in, and eventually they came together to develop the PCI Data Security Standards (DSS). In essence, the credit card industry has taken steps to assure the security of credit card data and transactions and maintains the public trust in credit cards as a primary means of transacting money. If you want to accept credit cards as payment or take part in any step of the processing of the credit card transaction, you must comply with the PCI DSS or face stiff penalties.

Note

Most of the above regulations focus on the issues of data protection from theft or confidentiality of sensitive data. When we think about fraud and abuse of somebody’s identity, we think about people stealing data, as if it were a thing to stash in your pocket. Indeed, to assume an identity and apply for credit under that name, a thief needs that identity’s most sensitive personal information. In the United States, the typical combination needed for ID theft (“ID theft bundle”) is as follows:

• Social security number (SSN),

• Your mother’s maiden name,

• Your full name,

• Your current and past addresses and phone numbers,

• Your employer name and address.

From this pack, only the first two are not truly public and require work to obtain (even though the secrecy of the latter is at best debatable, and the predictability of SSN assignment, combined with the multiple methods of obtaining this information, means abuse runs rampant); the rest of the bundle can be assembled later, after the most sensitive information is in the attacker’s possession.

However, think what happens after your identity has been stolen and assumed by the attacker who now lives “your” life and applies for credit cards, loans, and bank accounts using your name.

He now modifies or corrupts your data by harming your stellar credit score, reputation, and standing with financial institutions, employers, and government agencies (for example, if he commits a crime and then shows fake ID—or, worse, illegally obtained “real” ID—with your name).

Thus, remember that ID theft is not only about information theft; the damage comes from actual changes to your critical information!

And while the attacker (excluding the most “special” cases which we are not prepared to discuss here…) cannot “erase” your life from the systems, the damage done to your future life can be significant, especially if the case of ID theft is detected late in the game.

Unlike SOX or HIPAA, the PCI DSS is not a law; however, in many ways, it is more effective. Noncompliance probably won’t land you, the merchant, in jail, but on the rare and extreme side, it can mean having your merchant status revoked. For some organizations, losing the ability to process credit card payments would drastically affect their ability to do business and possibly even bring about the death of the company. Although PCI DSS can be effective in stopping security breaches, companies still seem to struggle with its implementation.

Warning

Although PCI DSS itself is not a law, both Nevada and Minnesota have enacted laws requiring that companies serving their residents comply with PCI DSS.

Note

By the way, it is important to note here that credit card theft and identity theft are not the same. In fact, they have literally nothing to do with each other, despite what you hear from misinformed journalists.

To explain it further, you might not care much if your credit card information is stolen due to legally-mandated card liability limits (that are typically reduced even further—to $0), but you must and, in fact, will be made to care if your identity is stolen and then used by the criminals.

There is nothing extraordinary or magical about the PCI DSS requirements. The guidelines spelled out are all, essentially, common security practices that any organization should follow without being told. Companies with mature information security programs have had few problems adding unique PCI DSS requirements to their programs (even when some had trouble proving that their controls are as good or better than PCI mandated controls). Even so, some of the requirements leave room for interpretation and complying with PCI DSS can be tricky.

Here’s a hint: if one particular PCI DSS requirement seems too hard to comply with, you might be approaching it all wrong. Think less about how to get out of complying, and think more about how to incorporate and build upon the baseline of security provided by PCI DSS. Or, even better, think about how to remove your compliance burden altogether by outsourcing it to a third party.

As with any information security regulation or guideline, you need to keep your eye on the ultimate goal. When executing a compliance program, some organizations follow the letter rather than the spirit or intent of the requirements. The end result may be that they were able to check off all the compliance boxes, declaring their network compliant, but not really be secure. Remember, if you follow the requirements and seek to make your network as secure as possible, you are almost guaranteed to be compliant. But, if you gloss over the requirements and seek to make your network compliant, there is a fair chance that your network could still be insecure. It could even happen as soon as a few minutes after your assessors leave!

Major retailers and larger enterprises are well aware of the PCI DSS—and have been aware of it for years. They have dedicated teams that focus on security and on PCI DSS compliance. They have the resources and the budget to bring in third parties to assess and remediate issues. The scope of PCI DSS affects almost every business, from the largest retail megastores down to a self-employed single mother working from her home computer. If a business accepts, processes, transmits, or in any other way handles credit card transactions, it must comply with PCI DSS.

Summary

The purpose of this book is to provide an overview of the components that make up the PCI DSS and to provide you with the information you need to know in order to get your network PCI DSS compliant and keep it that way. We’ve discussed how larger Compliance-Driven Alphabet Soup Initiatives can really confuse the business side of operations. Security is a business issue, and a good security program puts a framework in place to address issues like compliance before they become a problem.

Each major area of security covered by the PCI DSS is discussed in some detail along with the steps you can take to implement the security measures on your network to protect your data. Anton and Branden, your humble authors for the next 15 chapters, are established information security professionals. We’ve been there and done that, and we have acquired wisdom through trial and error. We hope our experience will help you implement effective solutions that are both secure and compliant.
