More Privacy Invaded

Discussion in 'Texas Bikers' started by Gary Walker, Dec 16, 2005.

  1. Gary Walker (Guest)

    Yeah, I know - "This more privacy invaded thread has
    continued way too long"....

    But, I became curious about my card company's response,
    so I called Discover to get their side of the events.

    First, it seems that I was absolutely wrong when I suggested
    very early in the thread that the card company had
    implemented this zip code authentication requirement from
    afar, without merchant control/knowledge. Based on the
    answers I received, the card company (Discover, in my
    case, but I'm sure it's the same with others) offers the
    merchant many levels/options for the authentication
    process. It is then the merchant's decision to choose the
    level/options suitable for their environment.

    So, with this information, it would seem that a merchant
    that accepts a stolen/lost card probably gets to eat the
    charge if the eventual purchase is denied by the card
    company. Thus, it appears that the gas station merchant,
    in Brian's example, actually implemented the higher level
    of authentication resulting in the infamous zip code entry.

    The Discover representative with whom I spoke seemed
    quite informed on the topic, and did mention a relation
    to the upcoming Christmas season. Not that the higher
    authentication level would be reduced after this season,
    but just that it might be a factor.

    Again, I was wrong in thinking the card authentication
    process was dictated solely from the carrier. So, I guess
    one might find a different authentication level requirement
    depending on what part of the country the card is used.
    Or, even what part of the city.

    Perhaps, some of the other responders had understood
    this already, but my comments were incorrect.

    Thanks,

    Gary
     
    Gary Walker, Dec 16, 2005
    #1

  2. Calgary (Guest)

    Interesting stuff. Thanks for introducing a few facts into a forum
    usually devoid of such nonsense.
    --


    Don
    RCOS# 7
    No Riding Today

    2000 - Yamaha Venture Millenium Edition
    http://www3.telus.net/public/dbinns/radium1.htm
    http://www3.telus.net/public/dbinns/banff.htm
    http://www3.telus.net/public/dbinns/kananaskis.htm
    http://www3.telus.net/public/dbinns/walkercalgary.htm
    http://www3.telus.net/public/dbinns/calgarybrowning.htm
    http://www3.telus.net/public/dbinns/venture.htm
    http://www3.telus.net/public/dbinns/gem.htm
    http://www3.telus.net/public/dbinns/highwood.htm
    http://www3.telus.net/public/dbinns/reynolds.htm
    http://www3.telus.net/public/dbinns/sask.htm
    http://www3.telus.net/public/dbinns/osoyoos.htm
     
    Calgary, Dec 16, 2005
    #2

  3. Bill Walker (Guest)

    The security services that are subcontracted to minimize losses to
    merchants, whether it is a gasoline station or a department store or bank,
    will not be the same. Much like the check verification services used before
    computers were in the picture.. A database is perfected by that service
    company and the information for that database is gathered in bits and pieces
    from many different sources.. How secure is that database..? What
    information about you is contained in that database? Who has access to
    that database?

    When I fill out the application for a credit card, I sign it..AFTER I've
    read the agreement with the credit card company or bank.. If I don't agree
    with the terms of that contract, I decline the credit card.. If those terms
    of use of that card change to terms that are unacceptable to me, I don't
    use the card.. Simple.. The cards that I use are ones that I've had for
    years and am comfortable with their terms.. They've afforded me the services
    that I need .. When they no longer provide me with those services or exceed
    the inconvenience of the use of that card, I will take my business
    elsewhere.

    hmmm.. This thread has gotten completely off the wall.. You are right..

    Bill Walker
    Irving
     
    Bill Walker, Dec 16, 2005
    #3
  4. BJayKana (Guest)

    ( Gary is Serious, about his repentance)
    ‘‘Again, I was wrong in thinking the card authentication process was
    dictated solely from the carrier. So, I guess one might find a different
    authentication level requirement depending on what part of the country
    the card is used. Or, even what part of the city.
    Perhaps, some of the other responders had understood this already, but
    my comments were incorrect.
    Thanks,
    Gary)!

    ‘‘GARY, your point is well taken Thank you again for submitting
    this new information. You said it again, like a true Gentleman stating
    some of your opinions being factually in error, as this thread
    progressed.’’ (wink, Bjay)!
     
    BJayKana, Dec 16, 2005
    #4
  5. Wakko (Guest)

    PCI (Payment Card Industry) Data Security Standards can be read here:
    http://www.merchante-solutions.net/infosecurity/mandates.htm
    or
    http://tinyurl.com/a894e

    I'm trying to figure out how to get around all these requirements, tho. My
    company has a policy to adhere to these standards, but my particular system
    doesn't contain any cardholder info.
     
    Wakko, Dec 16, 2005
    #5
  6. I would not attempt to "get around" any requirements at all but to add more
    on top of it if possible. Where I work, we don't store any data either but
    we take security very seriously. Nothing gets transmitted in the clear.
    Not email, Not IM's, Not anything. If something happens, anything at all
    whether it is your fault, someone else's fault or nobody's fault, guess who
    gets blamed? The guy that exploits a "work around" or fails to maintain a
    secure environment. That person or company is usually out of business
    shortly thereafter.

    Since Sarb-Ox and other legislation, security is a big issue. You want an
    interesting experience? Try to get a CISSP certification. To become CISSP
    certified, one has to pass a 250 question multiple choice test. You are
    allowed 6 hours to complete it. Some don't finish the test in that amount of
    time. Once you take the requisite training you will come away with a new
    appreciation for Information Security.

    As far as the recommendations on the website listed are concerned, they are
    minimal.

    Good Luck

    pierce
     
    R. Pierce Butler, Dec 17, 2005
    #6
  7. Wakko (Guest)

    I plan on getting around the security standards by not being connected to
    the network that the card systems are on. I'm satisfied with the security
    that I have in place already: SSL, SSH, 2 factor authentication, firewalled,
    etc.

    My main objection to the PCI standards is moving my app off my DB server.
    It's just too costly.
     
    Wakko, Dec 19, 2005
    #7
  8. Where I work, a NAT is just another bit that is on a firewall.

    Every single connection that comes into or out of the company is
    firewalled, nat'ed and proxied. That is a must. Anything less than that is
    irresponsible. Server security is another issue and the servers must meet
    several requirements. The details of those requirements are too lengthy to
    go into here. Suffice to say any service that is not necessary is
    disabled. Unencrypted data connections are not allowed unless there is a
    business reason for it and it must pass a review board to be permitted.

    Do you have a security policy? Does every employee read and take a test on
    the security policy every year? If they don't then your security
    procedures are suspect at best and ineffective at worst.

    For security to be effective everyone from the CEO on down must buy into
    it. It is everyone's responsibility.

    pierce
     
    R. Pierce Butler, Dec 19, 2005
    #8
  9. Wakko (Guest)

    Yes, and yes. The firewalling, NAT'ing and proxying that I want is in
    addition to our DMZ which secures access from outside. The security measures
    I'm pressing for would secure further only those servers which are required
    to have it under the PCI Security Standard.

    And...more importantly (for me) will leave my systems alone.
     
    Wakko, Dec 19, 2005
    #9
  10. Let me give you a bit of advice. Make your systems more secure. Make them
    a model for your most valuable data servers. Don't get hung up in
    implementation or the mechanics. Develop a policy that fits the entire
    company. Once you have a policy, then you can drill down into the
    specifics. Don't expect miracles from the board. You might even become
    unpopular. Don't worry about it. Better to have the best security or go
    overboard than to err the other way.

    Did you know that most data thefts are done by employees? I have seen CFOs
    with their fingers in the till. They are now in prison. I have seen
    clerks steal hundreds of thousands. The nicest lady that we had at a
    college I worked at stole over 30,000 dollars over a two year period. She
    was tried and convicted. She is paying it all back, is now a felon, and is
    generally screwed as she will never work at anything meaningful again. Why
    was she able to steal for so long? The director was and is an idiot. This
    is the same director that was discussed in "Shark Tank" earlier this month.

    Do you have a change control process? Do you log every single change and
    log it in a database? Sure it is a pain, but it is absolutely necessary.

    We have several DMZs, many proxies, many firewalls, perform audits every 3-6
    months and we even have a group that examines all logs from all devices.
    There are many other things that we do to ensure security including putting
    antivirus/anti-malware/logging software on each workstation. We have
    programs that over time look at usage patterns. If a user does something
    in the least bit odd, we start examining what that user is doing.

    Call it big brother but we have a lot at stake. The valuation of most
    companies is little more than a rounding error on our balance sheet.

    Check out Marcus Ranum's website. He has some good advice. The one I like
    the best is "Don't run software that sucks". I know Marcus and like him a
    lot. He was ahead of his time with his software.


    pierce
     
    R. Pierce Butler, Dec 20, 2005
    #10
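The usage-pattern check the post above describes (a baseline per user, then a look at anyone who steps outside it) can be illustrated with a small script. This is an added example and not the poster's own software or the product of any vendor; the log lines, user names, hours and volumes are all constructed here, and the two heuristics (activity at an hour the user has never been seen at, and a day whose event count is far above that user's average) are my own simple choices, not a standard.

```python
"""Per-user baseline and deviation check over constructed access-log lines.

Line format (constructed for this example): "YYYY-MM-DD HH:MM:SS user action"
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: ten quiet days for two users with fixed working hours.
HISTORY = []
for day in range(1, 11):
    for hour in (9, 10, 11, 14, 16):
        HISTORY.append(f"2005-12-{day:02d} {hour:02d}:05:00 alice file_read")
    for hour in (8, 9, 13, 17):
        HISTORY.append(f"2005-12-{day:02d} {hour:02d}:30:00 bob file_read")

# Constructed "today": alice also reads a file at 03:12, bob pulls 40 files
# (at his usual hours, so only the volume is unusual for him).
TODAY = [f"2005-12-19 {h:02d}:05:00 alice file_read" for h in (9, 10, 11, 14, 16)]
TODAY.append("2005-12-19 03:12:00 alice file_read")
TODAY += [f"2005-12-19 {(8, 9, 13, 17)[i % 4]:02d}:{i:02d}:00 bob file_read"
          for i in range(40)]


def parse(line):
    """Return (date, hour_of_day, user) from one log line."""
    date, clock, user, _action = line.split(maxsplit=3)
    return date, int(clock[:2]), user


def build_baseline(lines):
    """Per user: the hours of day seen, and mean/std of events per day."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for line in lines:
        date, hour, user = parse(line)
        hours[user].add(hour)
        daily[user][date] += 1
    baseline = {}
    for user in hours:
        counts = list(daily[user].values())
        baseline[user] = {"hours": hours[user],
                          "mean": mean(counts),
                          "std": pstdev(counts)}
    return baseline


def find_anomalies(baseline, lines):
    """Flag unknown users, activity at unseen hours, and daily volume spikes."""
    findings = []
    todays = defaultdict(int)
    for line in lines:
        _date, hour, user = parse(line)
        todays[user] += 1
        prof = baseline.get(user)
        if prof is None:
            findings.append({"user": user, "kind": "unknown_user", "detail": line})
            continue
        if hour not in prof["hours"]:
            findings.append({"user": user, "kind": "hour",
                             "detail": f"activity at {hour:02d}:00, usual hours "
                                       f"{sorted(prof['hours'])}"})
    for user, n in todays.items():
        prof = baseline.get(user)
        if prof is None:
            continue
        # Threshold: mean plus the larger of 3 sigma and the mean itself, so a
        # perfectly flat baseline (std == 0) still leaves some headroom.
        threshold = prof["mean"] + max(3 * prof["std"], prof["mean"])
        if n > threshold:
            findings.append({"user": user, "kind": "volume",
                             "detail": f"{n} events today vs "
                                       f"{prof['mean']:.1f}/day baseline"})
    return findings


def run_sample():
    """Build the baseline from HISTORY and score TODAY against it."""
    return find_anomalies(build_baseline(HISTORY), TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']:<8} {f['kind']:<12} {f['detail']}")
```

Running it reports alice for the 03:00 access and bob for the volume spike; nothing else is flagged because the remaining events fall inside each user's own baseline. In practice the baseline would be rebuilt on a rolling window and the thresholds tuned per role, but the structure (learn what is normal for each account, then review the exceptions) is the one the post is describing.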
  11. A firewall and added burden on the network? That is incorrect, a fallacy,
    or a lie depending on the source. I have not seen any modern firewall
    impose any latency that would be considered excessive. Any company that does
    not have a firewall or two, NAT, and proxy between the internal company
    network and the internet is asking for trouble.

    A DMZ is not the last word in security. It is among the first and is among
    the least.

    Wall it, proxy it, log it and don't run software that sucks.
    http://www.ranum.com is good for a start.

    Do yourself a favor. Hire a CISSP and have him do an audit from top to
    bottom. Prove to yourself that you are secure.

    I won't work for a company that doesn't care about security. Maybe Sarb-Ox
    will change the attitudes of CEOs as it firmly places blame on them if
    security isn't what it should be. They are the ones that will spend time
    in prison, not me.

    pierce
     
    R. Pierce Butler, Dec 20, 2005
    #11
  12. Actually you are partially right and partially wrong. A firewall looks at
    a packet and decides if it is permitted. A table looks like this:

    src ip | dst ip | port | log | ...

    It doesn't matter if the packet is incoming or outgoing. A sloppy firewall
    admin that opens all ports is a fool. Open only those ports that are truly
    necessary and in the direction needed. Everything else is blocked and
    logged. That will stop a lot of spyware. An authenticating proxy will
    stop most of the rest unless you are running IE.

    A firewall isn't just job security. It does many things including a way to
    determine when attacks occur and from where. How would you know when a
    user is trying to do something strange like tunneling a connection to a
    competitor?

    Good luck.

    pierce
     
    R. Pierce Butler, Dec 20, 2005
    #12
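The rule table sketched above (source, destination, port, log flag, first match wins, everything else blocked and logged) is easy to show end to end. The following is an added example, not code from anyone in this thread or from any firewall product: the rule list, the RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x, 192.0.2.x) and the 10.0.0.0/8 internal range are constructed placeholders, and the rule fields are a minimal stand-in for what a real filter would carry.

```python
"""Minimal first-match packet filter with default deny-and-log."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str        # "in", "out" or "any"
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # destination port, None = any
    action: str           # "permit" or "deny"
    log: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    port: int


# Constructed rule table: HTTPS into one DMZ web server, outbound only via the
# proxy, internal-to-internal allowed. Addresses are placeholders.
RULES: List[Rule] = [
    Rule("in",  "0.0.0.0/0",  "203.0.113.10/32", 443,  "permit"),
    Rule("out", "10.0.0.0/8", "203.0.113.20/32", 3128, "permit"),  # proxy only
    Rule("any", "10.0.0.0/8", "10.0.0.0/8",      None, "permit"),
]
# Catch-all: whatever nothing above permitted is dropped and written to the log.
DEFAULT = Rule("any", "0.0.0.0/0", "0.0.0.0/0", None, "deny", log=True)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when direction, both addresses and the port all fit the rule."""
    return (rule.direction in ("any", pkt.direction)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.port is None or rule.port == pkt.port))


def evaluate(pkt: Packet, rules=RULES, log=None) -> str:
    """First matching rule decides; log entries are appended for logged rules."""
    for rule in list(rules) + [DEFAULT]:
        if matches(rule, pkt):
            if rule.log and log is not None:
                log.append(f"{rule.action.upper()} {pkt.direction} "
                           f"{pkt.src} -> {pkt.dst}:{pkt.port}")
            return rule.action
    return "deny"  # not reachable: DEFAULT matches every packet


def run_sample():
    """Evaluate four constructed packets; returns (decisions, log lines)."""
    log: List[str] = []
    packets = [
        Packet("in",  "198.51.100.7", "203.0.113.10", 443),   # web traffic
        Packet("out", "10.1.2.3",     "203.0.113.20", 3128),  # via proxy
        Packet("out", "10.1.2.3",     "192.0.2.9",    22),    # direct SSH out
        Packet("in",  "198.51.100.7", "10.1.2.3",     445),   # SMB from outside
    ]
    decisions = [evaluate(p, log=log) for p in packets]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_sample()
    print(decisions)
    print("\n".join(log))
```

The third packet is the case the post raises: an internal host opening a connection straight out on an unexpected port never matches a permit rule, so it hits the catch-all and shows up in the log, which is exactly where a review of "who is tunneling to where" starts. Note that the direction field matters: the same SSH port permitted inbound to an administration host would be a separate, explicit rule, not a side effect of this one.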
  13. That is just some old school rhetoric that he is repeating, that's all. He
    will learn. A poorly administered firewall is just job security. A good
    security officer works hard for his money and gets no thanks at all.

    Security without accountability is no security at all. Do you know what
    websites the office secretary visited? Did she pass data to the
    competition? What about the guy in the mailroom?

    pierce
     
    R. Pierce Butler, Dec 20, 2005
    #13
  14. Vic (Guest)


    Maybe some one should turn up the music, Brian's getting ready to
    'dance' again, lol

    Vic
     
    Vic, Dec 20, 2005
    #14
  15. louie (Guest)

    Firewalls have been used for years. When I was a kid working in the prairie
    hay fields of Ellis and Dallas Counties I would plow a firewall to protect
    the field from...fire of course. If a fire was somehow started along the
    road, or railroad, this firewall I had plowed would prevent the fire from
    entering the fields. Usually the wall was 20' or less. For additional
    security we used a fence, usually barbed. Hope this helps

    ....louie
     
    louie, Dec 20, 2005
    #15
  16. Yes as a matter of fact we do. Between the firewalls, proxys, DNS, and the
    actual servers, we don't miss much.

    pierce
     
    R. Pierce Butler, Dec 20, 2005
    #16
  17. BJayKana (Guest)

    (morgan kane wrote):
    ‘‘BRIAN,I read it, so let me point it out here:
    "but as I've found out over the years it's only because it's a job
    security more than anything."
    Suddenly that means something different now that you got called on it.''
    MK.

    (brian walker writes):
    ‘‘Morgan Kane, you really should learn what a firewall actually
    does.
    I believe I know what a firewall actually does. Now, since you
    volunteered,
    how about enlightening us on the topic? How does a firewall differ from
    being an instrument to check packets against an access list to determine
    whether to permit or deny? ’’ Brian)!

    ‘‘Brian, I Did not volunteer for anything.
    google it.'' (morgan Kane):

        VIC says):    Maybe some one should turn up the
    music, Brian's getting ready to 'dance' again, lol
          Vic)!

    ‘‘Brian's gonna have to do the fast Texas Two Step, on
    this'un. Maybe even the Cotton Eye'd Joe (wink)’’ Bjay)!
     
    BJayKana, Dec 20, 2005
    #17
  18. BJayKana (Guest)

    (Finally someones knows what they are talking about, Louie, the man
    wrote):
    ''Firewalls have been used for years. When I was a kid working in
    the prairie hay fields of Ellis and Dallas Counties I would plow a
    firewall to protect the field from...fire of course. If a fire was
    somehow started along the road, or railroad, this firewall I had plowed
    would prevent the fire from entering the fields. Usually the wall was
    20' or less. For additional security we used a fence, usually barbed.
    Hope this helps
    (louie!)

    ‘‘Louie, I heard that. Now we're talking here.. Hope this shuts
    those wizards up, and hopefully they'll larn' sumpin'. I bet that is
    exactly what that Computer's FW does, and that is, dousing out a dern
    electrical dern fire, what else? heh hehe heh! BJAY)!
     
    BJayKana, Dec 20, 2005
    #18
  19. louie (Guest)

    /. (Finally someones knows what they are talking about, Louie, the man
    /wrote):
    / ''Firewalls have been used for years. When I was a kid working in
    /the prairie hay fields of Ellis and Dallas Counties I would plow a
    /firewall to protect the field from...fire of course. If a fire was
    /somehow started along the road, or railroad, this firewall I had plowed
    /would prevent the fire from entering the fields. Usually the wall was
    /20' or less. For additional security we used a fence, usually barbed.
    /Hope this helps
    /(louie!)

    ] ''Louie, I heard that. Now we're talking here.. Hope this shuts
    ]those wizards up, and hopefully they'll larn' sumpin'. I bet that is
    ]exactly what that Computer's FW does, and that is, dousing out a dern
    ]electrical dern fire, what else? heh hehe heh! BJAY)!

    Yes, Bjay, those ITers just think firewalls. They don't know all there is to
    know about them.

    This conversation, and it being winter, reminds me of that '55 Ford I had.
    The firewall on that thing leaked pretty bad.
    Sure let a lot of cold air in while driving northward... I sure could have
    used some of the 'net help on that thing.

    ....louie
     
    louie, Dec 20, 2005
    #19
  20. Vince R. (Guest)

    LOL. Reminds me of my '71 Triumph GT-6. The transmission tunnel cover
    was made of pressed particle board, with a big rubber gasket that was
    supposed to seal it to the firewall when you bolted it in place. One
    January I had just replaced the engine/tranny with a junkyard unit and
    was in a hurry to visit my girlfriend at nursing school in another
    town, and I just put enough bolts in to keep that cover from blowing
    off on the highway....

    .... I should've bolted the whole thing down properly and made sure the
    gasket was fixed in place....

    .....That was the COLDEST weekend of my life!
     
    Vince R., Dec 20, 2005
    #20