
Author: Doug Buan


How Misconfiguration Can Lead to Data Compromise

configuration: the way a computer or computer system is put together; a specific set and arrangement of internal and external components, including hardware, software and devices.

Source: Dictionary.com

Configuration is Key to Data Security

Did you know that just about every data security related compliance framework contains extensive requirements around configuration of hardware and software controls? Why? Because the way in which hardware or software is configured is about as important as having the device or software itself. For instance, having a firewall is a good thing, but it won’t do any good unless it’s configured to filter traffic between the internet and your computer network in a manner consistent with your security goals.

Some examples of the importance of secure configuration come from Trustwave’s 2018 Global Security Report, where testing of thousands of web applications found that 100% had at least one vulnerability. In addition, OWASP (Open Web Application Security Project) has security misconfiguration on its top 10 list of the most critical web application security risks for 2017. Lastly, the Verizon 2018 Data Breach Investigations Report (DBIR) recommends routine scans to identify misconfigurations before hackers do. Misconfigured databases, such as those directly connected to the internet and searchable by anyone on the internet, were a notable finding in the report.

Even on brand new computers, the default configuration for the onboard operating system is often not very secure. This is because computer manufacturers often have goals of ease of use, easy setup, or ease of establishing internet-based communications rather than security. As an example of this, I was recently setting up a new computer for my parents. As I was leafing through all configuration settings, I was surprised when I found that one of the default security settings was for the firewall to be turned off. Needless to say, I quickly turned it on.

How to Monitor Your Security Configuration

If you are a business owner or manager busy with running a business, you may not understand or have time to review your computer security configuration settings on a regular basis. For this reason, one of the security services that is included with Wind River Financial’s new Advanced Security Package (ASP) is Security Configuration Monitoring.

This is a service that monitors computer configuration against the relevant PCI Data Security Standard controls. It’s an automated service that detects configuration settings that are non-compliant and may weaken your business’s security posture. It does so on an ongoing basis which is important because sometimes employees intentionally, or unintentionally, change settings on computers on which they are working. It’s important that those responsible for a business become aware when settings are changed that may introduce a risk to the business which is exactly the purpose of this service.

Security Configuration Monitoring is but one of many data security related services that are available as a software agent download as part of Wind River Financial’s ASP. If we have not contacted you about enrolling in this program, you may be hearing from us shortly as it’s being rolled out in phases. If you have not been contacted but would like to get a jump start on it, give us a call or send us an email and we can get you started.

Who are you?

As a fraud expert, I recall a certain fraud conference I attended years ago with a presentation by one of the U.S. Attorney’s Offices in New York. The conference was hosted by the Int. Assoc. of Financial Crimes Investigators (IAFCI), an association for whom I now co-chair the Cyber Fraud Industry Group. The U.S. Attorney’s Office began their presentation with background music of Who Are You by The Who – the theme song of the original CSI TV series. They played this while running through a slide show of articles about identity theft which were endless. The salient point was that identity theft was already out of control at that time.

This memory is pertinent to discussions today about the Equifax breach and questions I’m getting from, seemingly, all directions. Most people are asking “what should I do?” Everyone from family members to clients is asking.

The issue has a long history and probably begins with the practice of entities using SSNs as a unique identifier for individuals. The SSN itself was only meant to be used for social security and I’ve heard that it’s actually illegal to use it for other purposes. However, I think you’ll agree that many entities still use it for identity purposes – both private and public sectors.

On top of this, the credit rating industry in the U.S. has private entities (credit reporting agencies) that make money by purchasing your payment history from creditors, creating profiles, and then selling a credit score to potential new creditors so that they can determine their risk. They also maintain consumer personal identifiers within the profiles that can be used to positively identify credit applicants. This is something U.S. financial institutions are required to do to help combat money laundering and other crimes. What could possibly go wrong with entities storing this sensitive information?

Another issue the financial services industry is struggling with is synthetic identities. These are identities that are completely false, but nevertheless, criminals are able to establish credit profiles at credit reporting agencies with the false identifiers and apply for credit under them.

Where does it end? That’s a good question. If I ask “Who are you?” giving me your first name may be enough if I know you. However, if I’m a financial institution and you’re applying for a loan or a credit card, I have to rely primarily on the credit profile as your “identity.”

This is where we turn back to the Equifax breach which, at the time of this writing, involved the compromise of approximately 143 million consumer profiles (about half the population of the U.S.) and 209,000 credit card numbers.

The compromised information can be used to open financial accounts such as credit cards, loans, lines of credit, etc. It could be used to file a false income tax return on your behalf in order to get an income tax refund. It can also be used for non-financial services related ID theft.

There are plenty of good resources for information on what to do now. Two are the Financial Services Information Sharing & Analysis Center (FS-ISAC) and the Federal Trade Commission (FTC). These resources provide information that you can use to determine your personal best course of action, which may depend on characteristics such as your age, your personal credit needs such as whether you need instant credit, or other parameters.

They also provide the links to complete any actions you may wish to complete such as checking to see if your information is known to have been included in the Equifax data compromise, signing up for credit monitoring, placing a freeze on your credit reports, placing a fraud alert on your credit reports, or taking other action.

Some actions you can take to be defensive against identity theft over the long term include:

• Filing your income tax return as soon as possible each year so that criminals can’t file a false one using your SSN

• Reviewing your credit reports each year free of cost (annualcreditreport.com). You can also run queries on the SSNs of your underage children to ensure that they come back blank or not on file. If they come back with accounts, you will want to investigate further and file consumer disputes on their behalf if necessary. This can be particularly important in the time period before your child graduates high school as they may be applying for student or other types of loans which is a bad time to find out they were the victims of identity theft with ruined credit.

• Utilizing credit monitoring services. There are some free services to do this such as certain credit card accounts that offer this as an included service, ¹Credit Karma, credit monitoring services offered by entities after they have been breached (Equifax is offering this), etc.

The Equifax data compromise was a large one, but they are certainly not the only one. Also remember that your information is on file with the federal government – several departments of which have experienced their own data compromises. The point being that you should assume your identity information is at risk and you should act accordingly over the long term while helping your children and older generations do the same. At the end of the day, if your credit becomes damaged from a fraudulent entry, you can file a dispute with the credit agency or agencies. Federal law requires the agencies to then take certain actions to verify with the reporting creditor or correct or remove the entry which should improve your credit rating situation.

So…who are you?



¹Wind River Financial does not endorse or promote any particular service. Those mentioned are for example purposes.

Do You Know Who’s On the Other End of That Line?

A certain type of scam has resurfaced recently – one that has been around for a long time in different iterations. We’ve blogged about this before, but perhaps it’s time for a reminder. What I refer to is a “fake authorization scam” and it works like this.

The fraud suspect is attempting to purchase a big ticket item or conduct a credit card cash advance in a financial institution. The card is declined and they have an excuse such as “it must be a transaction amount limit” or “a daily limit.”  They pretend to call the number on the back of their credit card or they have you call it. However, unbeknownst to you, the phone number has been changed on the back of this counterfeit card, and it rings to the cell phone of an accomplice of theirs.

Their accomplice is skilled at sounding like they work for the credit card issuer. They use common terms and professional sounding language. They indicate a reason that the transaction was declined, but that funds are available and they will walk you through a manual authorization.

They have you press certain keys on your credit card terminal and, unbeknownst to you once again, they have taken your terminal offline or into training mode. In this mode, any number entered as an approval code will appear as an approval even though the terminal is not communicating with the card issuer to obtain authorization.

The happy “customer” then goes on their way never to be heard from again. Then you receive a chargeback from the credit card issuer for “no valid authorization.” You call your credit card processor and insist that you spoke with the card issuer and they gave you an authorization code that approved on your terminal. Your credit card processor can only see that the card issuer has reported that the authorization code was not valid. Unless a valid code is provided, you’re going to lose the chargeback as the real cardholder wants their money back from this fraudulent transaction on their account.

You thought you were going to have a big sale and instead you’re sitting with a loss. The chargeback process does not seem fair. You did your best to “do it right” and you still got scammed. There are many frustrating things about this type of scam.

There are a few things you can do to help protect your business from this. First, never (and I mean NEVER), accept a customer’s cell phone if they say they’ve contacted their card issuer. Along with this, do not call the number on the back of their card since it may have been modified. The phone number on the back of a card is for the cardholder only.

In the very rare event that a cardholder needs to contact their card issuer to get special permission to run a larger transaction, they can do so on their own while you, as the merchant, run the transaction the way it was intended. That is to insert (if it’s a chip card) or swipe the magnetic strip and get an approval.

If the card declines, it’s a sign that something is wrong. Are there other signs present that this customer may not be who they purport to be? Was the sale too easy? Are they “buying” rather than “shopping?” Is the merchandise something they can easily resell on eBay?

We recommend asking for another form of payment at this point. If, at your discretion, you choose to attempt to run the card again, you’re increasing the chances of not getting paid for the transaction. We do not want this to happen which is why we recommend stopping at a first decline and asking for that second form of payment.

Better safe than sorry…

It’s not a matter of if, it’s a matter of when

As you may know, the battle between hackers, malicious software, and data security gurus is a continual game of cat and mouse. Some of you have heard the adage that “it’s not a matter of if, it’s a matter of when” you will experience a data breach.

In the data security arms race, bad guys are using very sophisticated means of exploiting computer networks around the world. These same tools are available for purchase or rental in criminal forums on the dark net. Although your first thought may be that they won’t come after you because you’re “not one of the biggies,” you should know that over 90% of data breaches are to small and medium businesses. The thought of much of this is scary and you may feel somewhat helpless. However, there are tools that can help with some effort.

First, we mention the importance of PCI compliance. Yes, the groans are audible as no one likes compliance – we don’t like to be told we have to do something that may distract us from running our business. However, about 1 in 5 businesses fail after a data breach due to related costs and reputation damage. It’s a very real risk. As a compliance framework, PCI’s goal is to be a tool that helps point out the weakest points in your network and data security so that they can be addressed.

As the first generation that has had to manage today’s technology, it’s important to understand that computer technology requires management. The “set it and forget it” approach will bring risks to your business. If we don’t have internal technical staff to manage it, we may have to contract with external IT resources to properly manage the systems that contain not only our business and employee information, but also the sensitive information on our customers – including credit card data.

A basic protection we should be using is an anti-virus/anti-malware solution which we’ll refer to simply as “a/v.” These solutions are changing a lot right now as they migrate from being signature based (has to recognize malicious software that has been added to a negative database) to next generation a/v which may use artificial intelligence, machine learning, or applied mathematics to do their job. The effectiveness of signature based a/v has come under fire as being too slow and having to rely on malicious software being added to a database before you are protected from it.

Some of the next generation a/v solutions can recognize malicious software in real-time. You can imagine the benefit.  We are linking a recent related article from the Wisconsin State Journal.

We should also mention that we are currently working with our PCI compliance partner, Trustwave, on developing a security tools bundle that will be available to our customers. The tools will include an a/v solution and other services to help our customers secure their computer networks. One of the best parts is that they will also help fulfill a number of PCI related requirements. Please watch for future communication on this.

Are your patients at risk?

Preventing card data breaches. 
Hospitals must meet numerous compliance requirements to ensure the security of patients’ financial and medical information, and for good reason – health care institutions are a major target for hackers and a frequent victim of data breaches. According to the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, 89% of organizations experienced data breaches. The damage inflicted by breaches can be far-reaching and costly. Ponemon’s study found that the cost of data breaches to the United States’ healthcare industry could be as much as $7 billion per year.

As these figures indicate, PCI compliance really isn’t an option – you simply cannot afford to risk your organization’s security with the ever-present threat of hackers and other cyber threats.

Is your organization PCI compliant? If the answer is “no” or if you are unsure, both your patients and your institution may be at risk. But not to fear, we’re here to help. Read on to find out how.

WRF has you covered.
Wind River Financial (WRF) can assess your environment for point-to-point encryption (P2PE) capability to help minimize PCI scope and risk. We will help you deploy P2PE to achieve PCI compliance. Better yet, we will establish a structure for P2PE in your organization that is sustainable and ensures your continued success after our work is done. After all, PCI compliance is a marathon, not a sprint.

The experience to get the job done.
At WRF, we have successfully partnered with several health care organizations in strategically deploying P2PE solutions. From assessment to implementation, education and training – we will work with you every step of the way. When it comes to PCI compliance and defense against breaches, we’re your one stop shop.

Don’t take our word for it.
We never get tired of compliments from clients. We take pride in serving our customers and stand behind our products and services. Exceptional customer service, seamless integration and the ultimate hospital “radar” system – these are just a few of the kind words our satisfied customers have shared in describing our services.

But don’t take our word for it – check out some of our testimonials to hear from the clients themselves and learn what the WRF advantage can mean for your organization.

What are you waiting for?
Contact us today to discuss your organization’s needs and find out how WRF can help you choose a P2PE solution that will prevent credit card breaches and ensure the security of your patients’ information.

The Lowdown on PCI Compliance for Hospitals

How to Keep Your Payment and Patient Data Safe and Secure

Medical centers and medical insurance providers are top hacking targets. Why? Because they are essentially “one stop shops” for full consumer profiles, allowing hackers to access a plethora of sensitive and confidential data.

The bad news
This data includes not only credit card information, but also consumer identifiers such as date of birth, social security number, address, telephone, email and more. This treasure trove of information can allow hackers to perform very extensive identity thefts, and it often carries some of the highest prices in online hacker markets.

PCI: protecting you
Payment Card Industry (PCI) requirements exist to protect credit card data, but may also help with HIPAA compliance by protecting sensitive patient information and safeguarding personally identifiable information (PII) and other sensitive details if implemented for these purposes.

The good news
While medical centers may be in hackers’ crosshairs, they also offer an ideal structure for protection against hackers. Allow us to explain. The fact that hospitals tend not to integrate credit card payment data with patient services, inventory or other data means they offer an excellent environment in which to deploy point-to-point encryption (P2PE).

What is P2PE? If you guessed a droid from Star Wars, you’d be wrong. P2PE is a state-of-the-art credit card security solution. A standard established by the PCI Security Standards Council, P2PE is delivered by a third party solution provider, and is a “combination of secure devices, applications and processes that encrypt data from the point of interaction (for example, at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.”

WRF has your back
At Wind River Financial (WRF), we know our P2PE. We have successfully partnered with several health care organizations in strategically deploying P2PE solutions. We’ve worked with these clients to understand and strategize payment industry compliance and risk to ensure that credit card data is protected from hackers. But don’t take our word for it, check out some of our testimonials to hear from the clients themselves.

Interested in learning more? Contact us to discuss your organization’s needs and find out how WRF can help you choose a P2PE solution that will keep your patient and payment information safe and secure.

1099-K’s in the mail on January 31st


As you may know, the IRS requires that all credit card processors report gross credit card sales for merchant customers on an annual basis. We are quickly coming upon the time of year that this happens and 1099-Ks will be mailed to customers by 01/31/2017.

1099-Ks are a statement of payment card gross sales that are reported to the IRS as required by federal law.  You may wish to provide the 1099-K to your tax preparer.

Coming soon: Wind River Financial is building a website where customers can download a copy of their 1099-K, opt in to electronic delivery in the future, and perform other functions. We will communicate when this feature is available.


E-commerce fraud protection tools can help you.

If your business is experiencing impactful e-commerce fraud and related chargebacks, you may want to consider a real-time fraud analytics solution.

Wind River Financial now partners with several solutions that use artificial intelligence to help identify fraudulent orders, decrease false positives, and even provide confidence in shipping internationally. Some solutions even cover fraud chargebacks if they did not detect the order as being potentially fraudulent. With chip card acceptance continuing to grow, online fraud is growing at a significant pace.

Contact us at 800 704-7253 or info@WindRiverFinancial.com and let us help you explore the options that might best fit your business needs and save you money and time.

Are criminals using your website’s shopping cart to test stolen credit card information?

Does your business participate in e-commerce? If so, it may only be a matter of time before criminals use your website to test stolen credit card information. They also like to use e-commerce websites to systematically test different credit card expiration dates until they find the right one.

Wind River Financial is aware of specific cases of our clients’ websites being used and it is definitely an increasing type of fraudulent activity.

Criminals often use “bots” or scripts that automatically input data so that they can test large numbers of credit cards in a short period of time.

We strongly recommend being proactive and putting protection in place to help avoid additional authorization or chargeback costs for the additional fraudulent transaction attempts.

Because Wind River Financial is seeing an increase in this type of activity, we recommend that customers consider options such as Google’s reCaptcha, a free solution detailed below. We also recommend that you contact your web developer to use this or another solution to help mitigate automated testing of stolen credit card numbers on your website. Doing so may help prevent excessive authorization fees and other risks to your business.

There are several ways that you can mitigate this type of activity including the following:

  • Ask your web developer to look at the IP address or addresses associated with the fraudulent activity. They can often be blocked individually, regionally, by country, etc. Doing something as simple as this often makes criminals go elsewhere.
  • Use a solution to help distinguish human from machine input such as reCaptcha (by Google). It’s a free product that helps stop bot or script activity on your website and is easy for legitimate customers to use. Your web developer should be able to help you use this solution.
  • Credit card gateways which all e-commerce merchants use often have anti-fraud solutions that may also help mitigate this risk.
  • If need be, you can take your website down for a short period of time to chase criminals elsewhere. However, criminals often return once your website is back up, so a more permanent solution is usually better. This option is not for all and should be considered a last resort.
  • Your web developer may be able to slow down authorizations per “X” amount of time if your website does not have high legitimate volume.

This is not meant to be an exhaustive list, but steps like this should help drive criminals off of your website.

Consider taking proactive steps to head this risk off before your business becomes a victim. Tools like reCaptcha can be effective on your website. Using anti-fraud tools from your credit card gateway may be an option, or potentially blocking foreign IP addresses if you do not conduct international business.

Your web developer may be familiar with other tools that may also be useful.
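One way a web developer might implement the "slow down authorizations per X amount of time" step and catch expiration-date guessing, shown as an added example (not Wind River Financial's code or any gateway's API). The class name, thresholds, key and sample traffic are assumptions constructed for illustration; state is held in memory for a single process and timestamps are assumed to arrive in order.

```python
import hashlib
import hmac
from collections import defaultdict, deque


class CardTestingGuard:
    """Sliding-window velocity checks to run before an authorization is
    sent to the payment gateway. All thresholds are illustrative."""

    def __init__(self, key, window_seconds=600, max_attempts_per_ip=5,
                 max_cards_per_ip=3, max_expiries_per_card=2):
        self.key = key
        self.window = window_seconds
        self.max_attempts_per_ip = max_attempts_per_ip
        self.max_cards_per_ip = max_cards_per_ip
        self.max_expiries_per_card = max_expiries_per_card
        self._by_ip = defaultdict(deque)    # ip -> (timestamp, card token)
        self._by_card = defaultdict(deque)  # card token -> (timestamp, expiry)

    def _token(self, pan):
        # Keyed hash so the guard never keeps card numbers in the clear.
        return hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()

    def _prune(self, queue, now):
        # Drop attempts that have aged out of the sliding window.
        while queue and queue[0][0] <= now - self.window:
            queue.popleft()

    def check(self, ip, pan, expiry, now):
        """Record one attempt and return (allowed, reason)."""
        token = self._token(pan)
        ip_q, card_q = self._by_ip[ip], self._by_card[token]
        self._prune(ip_q, now)
        self._prune(card_q, now)
        ip_q.append((now, token))
        card_q.append((now, expiry))

        if len(ip_q) > self.max_attempts_per_ip:
            return False, "ip_velocity"
        if len({t for _, t in ip_q}) > self.max_cards_per_ip:
            return False, "many_cards_from_ip"
        # Tracked per card, not per IP, so guessing spread across many
        # addresses is still counted against the same card.
        if len({e for _, e in card_q}) > self.max_expiries_per_card:
            return False, "expiry_guessing"
        return True, "ok"


# Constructed sample traffic: (seconds, client IP, card number, expiry).
# IPs are documentation ranges; card numbers are made-up test values.
SAMPLE = [
    (0,   "198.51.100.7", "4111111111111111", "01/27"),  # customer typo...
    (20,  "198.51.100.7", "4111111111111111", "01/28"),  # ...then corrected
    (30,  "203.0.113.9",  "4000000000000002", "01/26"),  # script stepping
    (31,  "203.0.113.9",  "4000000000000002", "02/26"),  # through expiry
    (32,  "203.0.113.9",  "4000000000000002", "03/26"),  # dates
    (40,  "203.0.113.50", "4000000000000010", "05/27"),
    (41,  "203.0.113.50", "4000000000000028", "05/27"),
    (42,  "203.0.113.50", "4000000000000036", "05/27"),
    (43,  "203.0.113.50", "4000000000000044", "05/27"),  # 4th card in 3 s
    (900, "203.0.113.50", "4000000000000051", "05/27"),  # window has passed
]


def screen(attempts, guard=None):
    """Run attempts through a guard and return the list of decisions."""
    guard = guard or CardTestingGuard(key=b"constructed-demo-key")
    return [guard.check(ip, pan, exp, now=ts) for ts, ip, pan, exp in attempts]


if __name__ == "__main__":
    for attempt, (allowed, reason) in zip(SAMPLE, screen(SAMPLE)):
        print(attempt[0], attempt[1], "ALLOW" if allowed else "BLOCK", reason)
```

A blocked attempt would be answered with a challenge such as reCaptcha or a generic decline rather than forwarded to the gateway, which is what avoids the per-authorization fee.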

Visa Alert: Micros Users – Please Take Action

Wind River Financial would like to notify customers using Micros POS systems about an alert transmitted by Visa related to a potential breach and possible ongoing security concerns for merchants such as food and beverage establishments, hotels, and retailers using Micros hardware, software, and/or POS systems.  The alert provided by Visa explains the potential breach in detail and provides various Indicators of Compromise (IOC) that can be used to help search computer networks for the presence of potentially related malicious POS software or network communications with known or suspected criminal controlled web servers. 

We recommend that this information be forwarded to any internal or external IT support your business may have due to its technical nature.  Other proactive steps that can be taken are to change and strengthen passwords that Micros remote support (including any 3rd party providers) may use to support your onsite Micros systems, and to change and strengthen any passwords your business may use if you access Micros support online.  As an additional precaution, we recommend that any communications supposedly coming from Micros (or 3rd party Micros provider) be assessed for authenticity – especially if they request any type of confidential information or direct your business to make network changes.

Please note that this is the extent of the information available at this time.   Wind River Financial will continue to monitor the situation and provide updated industry intelligence as it becomes available.  Customers using Micros systems should contact their dealer/reseller/POS hardware provider with any related questions.

Alert from Visa