Identity Theft Expert Speaker; Regulators: Thanks PCI, but we’ll take it from here

Identity Theft Expert Speaker Robert Siciliano www.IDTheftSecurity.com; Regulators: Thanks PCI, but we’ll take it from here

Much has been said since PCI’s inception. The following article does an excellent job of summarizing the crux of the issue. Unfortunately for the credit card industry and retailers as a whole, PCI is considered (and I believe) a self-serving entity to stave off government intervention. It’s hard to fathom that the end may be near for PCI due to their self-serving image. While significant effort has been made to change the way data is processed, there has been a lack of effort regarding implementing the technologies necessary to identify, authenticate and make all accountable for the credit they have been authorized.

Government intervention will be a good thing for PCI. Here’s why: most government officials know nothing about security. Politicians as a whole are clueless regarding most issues they are confronted with and have staff to brief them on the issues. Key word: “BRIEF”. Worse, they interpret everything based on how it can get them re-elected.

This all means that PCI will sit in front of Congress answering stupid questions that they have to be prepared to answer. They will have to go beyond the call of duty to satisfy some of the dumbest people on earth. That will require incredible due diligence.

January 9, 2009 – 3:20 P.M.
Regulators: Thanks PCI, but we’ll take it from here
TAGS: data breaches, data security, PCI, regulators, retail security
IT TOPICS: Government & Regulation, Security

The Payment Card Industry Data Security Standard (PCI DSS) being pushed by the major credit card companies has probably done a lot to stave off state and federally mandated controls for protecting customer credit and debit card data up to now. The big question, as a new year begins, is for how much longer.

More than two years after the PCI standard went into broad effect, data breaches involving payment card data continue unabated. Obviously it would have been unrealistic for anyone to have expected them to stop altogether just because of PCI. And it’s impossible to know how many compromises were averted because of the standard.

Even so, the number of data compromises involving payment card data being disclosed by businesses is only increasing, not decreasing. One reason is simply that state breach notification laws are forcing companies to disclose compromises that in the past they might not have. Another is the continuing lack of visible enforcement of PCI which has resulted in an environment where many companies, including large ones, are still not fully compliant with the mandate.

And that’s a problem for those hoping that a private industry initiative such as PCI alone will be enough to keep lawmakers at bay for much longer.

Already Massachusetts and Nevada have passed laws requiring companies to encrypt all sensitive customer data and implement measures for controlling access to it. The Massachusetts law, which seems to have a lot of people anxiously reviewing their security measures, was supposed to have gone into effect Jan 1 but has been pushed back to May 1. Nevada’s law went into effect on October 1.

As far back as May 2007, Minnesota passed a law known as the Plastic Card Security Act. Under the statute, companies that suffer data breaches and are found to have been storing prohibited credit or debit card data on their systems will have to reimburse banks and credit unions for the costs of blocking and reissuing cards. Attempts at passing similar legislation, most of which are sponsored by financial institutions, have so far failed in places such as California, Texas and elsewhere. But all it’s going to take is another major retail breach or two for them to be revived.

The security requirements spelled out in these statutes are mostly the same as those mandated under PCI though they cover other data classes as well such as Social Security numbers and bank account information. The key difference is that the mandates in Massachusetts and elsewhere are coming from a government agency and carry the full authority of state law. Companies that suffer data breaches and are found to have been noncompliant with the regulations could find themselves exposed to greater legal and financial issues than the PCI standard generally provides for.

Here again, everything will depend on how vigorously these mandates are enforced. But it probably is going to be a whole lot riskier for companies to simply pretend like they are doing something, as at least a few appear to be doing, with PCI.
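Both the Minnesota statute and PCI DSS turn on a question of fact: is prohibited card data (full magnetic-stripe track data after authorization) or other regulated identity data sitting on the merchant’s systems? The check a practitioner wants before an auditor or a breach forces the issue is a scanner for exactly that. The Python below is an added example, not code from this page, from the PCI Security Standards Council or from any company mentioned in the article. The log lines it scans are constructed; the Track 1 and Track 2 patterns follow the ISO 7813 magstripe layout; and the Luhn check is used to discard digit runs such as timestamps and batch IDs that merely look like card numbers, which is what separates a usable scanner from one that pages the on-call engineer for every 14-digit record identifier.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Magstripe layouts per ISO 7813. Track 1: %B<PAN>^<NAME>^<YYMM>...?
# Track 2: ;<PAN>=<YYMM>...?  Storing either after authorization is the
# "prohibited data" that PCI DSS and the Minnesota statute refer to.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")

# SSN in 3-2-4 form. Area 000, 666 and 900-999, group 00 and serial 0000
# are never issued, so excluding them removes obvious non-SSNs.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every issued card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "track1", "track2", "pan" or "ssn"
    value: str     # masked, so the report itself does not become a store of card data


def scan(lines):
    """Return one Finding per prohibited item found, masked."""
    findings = []
    for n, line in enumerate(lines, 1):
        covered = []  # spans already reported as track data
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                findings.append(Finding(n, kind, mask(m.group(1))))
                covered.append(m.span())
        for m in PAN_RE.finditer(line):
            # The PAN and the discretionary data inside a track would both
            # match PAN_RE; skip them so a stored swipe yields one finding.
            if any(a <= m.start() < b for a, b in covered):
                continue
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(n, "pan", mask(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(Finding(n, "ssn", "***-**-" + m.group(0)[-4:]))
    return findings


# Constructed sample of a POS/back-office log. Card numbers are the usual
# published test PANs; the SSN is the historical Woolworth specimen number.
SAMPLE_LINES = [
    "2009-01-09 15:20:00 POS-07 auth ok pan=4111111111111111 exp=1312 amt=42.17",
    "2009-01-09 15:21:13 POS-07 raw swipe ;5500000000000004=1306101987654321?",
    "2009-01-09 15:22:40 POS-03 auth ok pan=4111111111111112 amt=9.99",
    "2009-01-09 15:23:05 HR export emp=1044 ssn=078-05-1120 dob=19710402",
    "2009-01-09 15:24:59 batch id=20090109152000 settled 3 txns",
    "2009-01-09 15:25:30 POS-11 raw swipe %B378282246310005^CARDHOLDER/TEST^1312101?",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

Line 3 (a PAN that fails Luhn) and line 5 (a batch ID) produce nothing, while lines 2 and 6 are reported as track data rather than as a PAN plus a second spurious PAN from the discretionary field. In practice you would run this over database dumps, application logs and crash files rather than one log, because it is those side channels, not the transaction table, where stored track data usually turns up.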

Identity Theft Expert Speaker; Why Technology Won’t Prevent Identity Theft

www.IDTheftSecurity.com Why Technology Won’t Prevent Identity Theft http://online.wsj.com/article/SB123125633551557469.html?mod=googlenews_wsj

Identity Theft Expert Speaker; TJX Hacker Sentenced To 30 Years In Turkish Prison

Identity Theft Expert Speaker Robert Siciliano CEO www.IDTheftSecurity.com comments:

WOW WOW WOW!! Ever see the movie “Papillon” with Dustin Hoffman? “Yaz” is screwed. Justice is served. Criminal Hackers, Carders globally are scratching their collective heads. Coordination by authorities cooperating worldwide is truly getting impressive.

It still bothers the heck out of me that the creditors make it so easy for a criminal to use a stolen card number. Over time, up-and-coming technologies, if adopted, will begin to solve the problem.

TJX Hacker Sentenced To 30 Years In Turkish Prison

Member of wardriving gang gets hard time for allegedly selling hundreds of thousands of stolen credit cards and personal information
Jan 08, 2009 | 01:49 PM

By Kelly Jackson Higgins
DarkReading
A Turkish court has sent one of the TJX hackers to prison for 30 years for his role in a rash of war-driving WiFi hacks on retailers that resulted in the theft of more than 40 million credit and debit cards.

Maksym “Maksik” Yastremskiy, 25, from Ukraine, was allegedly responsible for tens of millions of dollars in data theft worldwide. He’s one of 11 men charged with stealing more than 40 million customer credit and debit card numbers from OfficeMax, Barnes & Noble, Sports Authority, Forever 21, DSW, BJ’s Wholesale Club, and TJX. Yastremskiy was arrested outside of a Turkish nightclub in 2007 during an undercover operation.

The gang, which spanned the U.S., Ukraine, China, and Estonia, reportedly “sniffed” out vulnerable WiFi networks of various stores and installed malware that lifted customers’ data and credit card numbers.

“Thirty years is, of course, a very severe prison sentence for anyone to receive, and one that should give some people reason to reflect,” blogged Graham Cluley, senior technology consultant for Sophos, who also warned cybercriminals that authorities are getting better at cooperating worldwide to catch them. “Stop now. The rewards for cybercrime can sometimes be large, but you are at risk of ruining the rest of your life — and causing years of misery for your family and friends.”

Identity Theft Speaker Expert; Data protection trumps threat pursuit in SMBs’ 2009 security spending

Identity Theft Protection Expert Speaker Robert Siciliano www.IDTheftSecurity.com comments on:

Data protection trumps threat pursuit in SMBs’ 2009 security spending

Lovely. A “full percentage point”. Enterprise networks continue to get harder, dropping millions into security. SMBs are investing a full percentage point, which, if you didn’t already chuckle, is like saying “we are doing NOTHING”. If your financial portfolio manager told you “I’m going to increase your portfolio a full percentage point” would you keep him? It’s just not satisfactory. Criminal hackers are winning and this is why.

HERE:

By Linda Tucci, Senior News Writer
06 Jan 2009 | SearchCIO-Midmarket.com

IT executives at small and medium-sized businesses (SMBs) will spend a full percentage point more of their IT budgets on security in 2009 than 2008, according to a new study from Forrester Research Inc. The change will result from a shift in security strategy from computer security threat defense to corporate data protection.

Identity Theft Expert Speaker; SENATORS GREGG AND FEINSTEIN INTRODUCE BIPARTISAN MEASURE TO COMBAT IDENTITY THEFT AND PROTECT PRIVACY

Identity Theft Expert Speaker Robert Siciliano www.IDTheftSecurity.com comments:

Grandstanding is when politicians get up on a podium and tie in their name with laws that may get them re-elected. This particular piece of legislation has that smell. Identity theft protection and identity theft prevention begins with authentication and finishes with accountability. Putting a band-aid on the issue will not solve the problem. Beef up Real ID and lock down credit as we know it.

Here:

WASHINGTON – Yesterday, U.S. Senators Judd Gregg (R-NH) and Dianne Feinstein (D-CA) introduced bipartisan legislation to curb the growing epidemic of identity theft by making it harder for criminals to steal another person’s Social Security number. The measure, entitled the Protecting the Privacy of Social Security Numbers Act, prohibits the sale or display of Social Security numbers to the general public without an individual’s consent. It also requires government agencies to take steps to protect Social Security numbers from being displayed or accessed. In the past, this bill has been approved by the Senate Judiciary Committee, although the Senate has yet to pass it.

Senator Gregg stated, “As online activity and identity theft continues to increase, Congress must redouble its efforts to guard personal identifying information. An enormous amount of information is tied to a person’s Social Security number, and I’m pleased, once again, to join with Senator Feinstein to help keep it safe from fraud or other harmful uses. Our bipartisan legislation establishes strong, common sense prohibitions on the sale and display of Social Security numbers. This measure will help to protect against identity theft and enhance the privacy of all Americans, and I look forward to working with my Senate colleagues on getting it signed into law this Congress.”

The legislation would:

· Prohibit the sale, purchase or display of a Social Security number by any person without the number holder’s consent.

· Restrict the display of Social Security numbers on public records published on the Internet or in electronic form.

· Permit, in limited circumstances (such as for credit checks or law enforcement purposes), legitimate business and government uses of Social Security numbers.

Identity Theft Expert Speaker; Panel proposes expanded privacy in public records

Identity Theft Expert Speaker Robert Siciliano www.IDTheftSecurity.com comments:

Most of the comments by those polled below are legitimate concerns fraught with desperation and a lack of understanding of the problem. The proverbial cat is out of the bag. Privacy is dead. Privacy is an illusion. While the masses say they want privacy, the reality is they want cheap goods and convenience. People will give up all their privacy for a free candy bar. While government can and should redact personal data and do what they can to shore up “private information”, the data is already out there. It is up to the individual to understand this and manage their circumstances.

The next generation is growing up via social networks. “Privacy” will be associated with words or phrases such as 8-track tape or “No Doc Mortgage”.

So when someone calls you with your dossier and uses it to extract even more data or to threaten you in some way, know what is happening and how. Even if every SSN were redacted, that wouldn’t stop identity theft.

HERE:

“Panel proposes expanded privacy in public records”

Iowa governments would have greater authority to black out personal information from public records under proposals recommended by a legislative committee.

Advocates say the proposals would protect citizens from identity theft.

But opponents say the unintended results could be alarming, particularly if the public is unable to differentiate between, for example, a convicted sex offender and another citizen with the same name.

“The public has more to fear from government records containing information about them of which they are unaware than the release of information pertaining to them,” said Bill Monroe, executive director of the Iowa Newspaper Association.

Lawmakers formed the Identity Theft Prevention Study Committee, which met in November, to consider how the release of personal information in Iowa could make residents vulnerable to identity theft.

Public concern heightened this year when privacy advocates complained about a land records site, IowaLandRecords.org. The Social Security numbers of thousands of Iowans from all 99 counties were listed on the site, including those of Gov. Chet Culver and Secretary of State Michael Mauro.

Administrators of the site quickly shut down the ability to view details of the records after the advocates pointed out the problem. The group says removing personal information from all the records – called redaction – will cost the state as much as $2.3 million, which includes $500,000 to update its computer programs.

Culver said in an interview this week that he agrees steps should be taken to redact personal information from public records that can be used to steal Iowans’ identities.

However, he said he was not sure how the state would pay for such efforts. County recorders, for example, have proposed increasing an electronic filing fee from $1 to $3 to pay for the redaction effort.

“I think protecting individuals’ identity is important,” Culver said. “Once it gets to the level of security risk, we should take steps to limit how far we go in terms of disclosing things like Social Security numbers.”

The committee made 11 recommendations, several of which would give governments more power to remove Social Security or bank account numbers.

Sen. Steve Kettering, R-Lake View, a member of the study committee, said there is no simple answer to the problem. Lawmakers must find the appropriate balance between protecting identities and maintaining public records that protect the public through transparent government.

“There isn’t an easy solution, and that’s the hard part,” said Kettering, who noted that detailed records are critical in his profession as president of Farmers State Bank in Lake View.

Open-records advocates generally agree that some sensitive information like credit card numbers should not be released. The problem arises if governments redact information such as dates of birth, addresses or other unique identifiers, said Kathleen Richardson of the Iowa Freedom of Information Council.

Richardson said lawmakers need to establish how frequently identity theft occurs through public records. She believes the problem is rare.

“I think there needs to be a demonstrated need of why we need to vacuum public records,” Richardson said. “We also have to carefully consider what our definition of personal information is and make sure it’s not so broad that it wipes out too much information.”

Sen. Steve Warnstadt, D-Sioux City, said the committee has tried to be sensitive to the concerns brought forward by open-records advocates when making its recommendations. The recommendations will likely be used to help draft proposals during the 2009 legislative session, which begins Jan. 12.

“The point of this is not to restrict access. The point is to prevent identity theft and personal information from being disclosed from people who don’t have a legitimate reason to have that information,” said Warnstadt, the committee co-chairman.

Robert Siciliano
POB 15145
Boston MA 02215
Ph: 1 888 SICILIANO (888 742-4542)
e-mail: Robert@IDTheftSecurity.com
Web: www.IDTheftSecurity.com
YouTube: www.YouTube.com/stungundotcom
As seen on The Today Show, CBS Early Show, CNN, MSNBC, FOX, CNBC, Inside Edition, Tyra Banks, Sally Jesse, Montel, Maury Povich, Howard Stern, and in USA Today, Forbes, Cosmopolitan, Good Housekeeping, Readers Digest, Consumer Digest, Smart Money, New York Times, NY Post, Boston Globe, Los Angeles Times, Washington Times, Washington Post, Chicago Tribune, Security Management, AP, UPI, Reuters, and Entrepreneur.

Homeowner Jailed While the Burglar He Attacked Walks Free

Robert Siciliano Identity Theft Expert

There are few scenarios as disturbing as one’s home being burglarized or invaded. The thought of having an uninvited person enter your property while you are home or not, and then taking your stuff, holding you or your family hostage or committing violent acts is an unthinkable event most people are unprepared for.

A “home invasion” is the crime of entering a private and occupied dwelling with the intent of committing a crime, often while threatening the resident of the dwelling. It is not a federally defined offense in the United States. One would think that when a horrendous crime like this occurs, the intended victim can and should do whatever is possible to defend themselves.

In this disturbing article from the UK, a homeowner fought back, attacked his attacker, freed his family and got 30 months in jail. This is a USA problem too and, unfortunately, is not a new one. In a court of law, people have been claiming “self defense” since the beginning of time. However, in a litigious society such as ours that defense is often abused, which has required the courts to look very closely at each incident. Unfortunately, justice isn’t always served and common sense goes out the window.

From state to state, courts have come to different conclusions as to what a homeowner can and cannot do when defending themselves from a home invasion. It is important to read up and do your homework to determine what your options are and what the laws in your state are.

To prevent a home invasion:

  1. Always lock your doors, even while you are at home
  2. Never open your doors to a stranger no matter who they say they are
  3. Install an alarm system and keep it on during the day while you are home
  4. Install security cameras that record motion 24 hours a day. This would help in court.

See Robert discussing home invasions on the Montel Williams Show

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)