Thursday, February 19, 2009

Time the Avenger (also a great Pretenders song)

I made several entries in recent weeks regarding the Heartland breach and just wanted to close out, what became a little blog series about protection, encryption, education and how F5 solutions might have have made these non-existent. There are a lot of people affected by the breach, including myself. This is the notice I get when I login to my banking website:

Important Message - For Visa Check Card Users.

Visa® has notified ** Bank that Heartland Payment Systems, an independent merchant card processor, experienced a security breach in their organization. As a result, Visa® has provided ** Bank with a list of card numbers that may have been affected by the compromise. ** Bank is taking every precaution, notifying those individual clients affected, informing them that their Visa® card will be closed, and a replacement card will be mailed within the next few days. Please carefully review your account activity and immediately report any discrepancies. Should you have questions concerning the compromise, please visit the Heartland Payment System site at www.2008breach.com. If you received ** Bank's notification that your card was compromised and you have questions, please call us.  (bank name removed for my protection)  :-)

Luckily, I never use my debit card as a Visa so, in theory, I should be fine.  I’m still diligently reviewing my daily transactions to make sure nothing has gone astray but I do feel a little better about this than I did the Checkfree breach, since that was a backend connection via partners and I have no control over that.  But, here’s the catch.  Even though I feel somewhat ok, it’s still a daily ‘check’ to calm my wonders.  That’s the other part of breaches – aftermath.  Not necessarily all the press, new cards, and credit checks – a lot of times it’s the wait and wonder.  If your institution is involved in a breach and nothing bad happens to you, you think you might be cool.  But sometimes these things take time.  It’s not uncommon for a breach to be announced with all the expert articles covering the story.  A common theme in these articles is the ever present, ‘we’re not sure just how many records were compromised.’  10 months later only a byline appears somewhere but the compromised/sensitive information is still being sold or used somewhere in the crime-sphere.  Even if you were in the early bunch and got a new card, your troubles might not be over since there might have more information about you leaked than just a 16 digit code.  Combine that with info scraped from a social media site and an impostor still has the means to cause personal havoc.  When all the press has faded you can’t forget that you might still be at risk.  Even now, that Checkfree breach doesn’t get much press & you might have already forgotten about it.

Some good news is that authorities have now arrested three people in Florida in connection to the Heartland breach.  The trio were arrested after trying to use stolen numbers tied to the Heartland breach at a local Wal-Mart…but after a 3 month investigation….and these were low level crooks.  They were using some of the numbers as early as last November ‘08 even though the breach wasn’t announced until January ‘09.  It’s entirely possible to even get hit during an investigation since the authorities almost have to ‘let’ the criminals commit fraud just to gather evidence.

So as the stories dwindle, new cards arrive and the next ‘Breaking News’ breach hits, don’t let your diligence fade as your comfort returns.  Oh, and if you like ‘time’ in songs, here’s a great list.

ps

Thursday, February 5, 2009

Regulation Roundup

Most of my rants recently have been about the need to encrypt sensitive data, even on private networks, especially since breaches are hitting the news regularly now.  In 2008, Regulatory Compliance was a hot topic and PCI, HIPAA, GLBA, SOX and others receiving plenty of coverage throughout the year.  While some companies are still struggling to abide by ‘08 deadlines, ‘09 has a few of it’s own.  The following are just a few compliance deadlines for 2009 that might affect your business.

New e-prescribing regulations take hold April 1, 2009: Under the new regulations, any physician who electronically prescribes drugs covered under a Part D plan must comply with new CMS standards for communication of information between providers and Part D plan sponsors.  By 2011, there's a goal of universal e-prescribing under Medicare.  This does not mean that all Rx will now have to be sent electronically, just that those Doctors who are using an electronic system for Medicaid/Medicare scripts must abide by these rules.  There are a whole range of security challenges here from data transmission, to doctors using mobile devices, to massive breaches of such sensitive info, to storage.

FTC extends ID-Theft compliance Deadline to May 1, 2009: This is the ‘Red Flag’ rule.  Initially slated for a November 1, 2008 deadline, Red Flag requires any entity (including health care) that maintains ‘accounts’ or is a ‘creditor’ to implement anti-identity theft measures.  It’s supposed to protect consumers from fraud that is gained by using another person’s identity without their knowledge.  Written procedures that identifies suspicious activity (red flag), mitigates damage if their is a breach and staff training are all part of the regulation.  HIPAA alone does not make a health care facility compliant.

PCI-PoS/PED deadline July 10, 2010:  PCI is extending their guidelines for DSS to cover unattended Point-of-sale PIN entry devices.  These are those ‘Pay for your parking’ machines, ‘tickets for event’ kiosks, vending machines and any other terminal where a PIN might be entered.  First, by July 1, 2009, Triple-DES will be mandated for all debit transaction processing.  A year later, all fuel pumps (and like terminals) will need to have encrypted PIN entry pad, be able to encrypt the PIN itself and process using TDES. 

Each of these will require infrastructure security, identity and access management, encryption, acceleration, availability, storage, and a host of other technologies.  You don’t have to look far however to find a solution since F5 can help you succeed this latest round of compliance deadlines.

ps