June 29, 2008

Not all QSAs are created equal!

The PCI landscape is pretty scary out there. If you are a merchant or service provider that is looking for assistance, there is a long line of companies that are ready to help. What should you expect from your QSA? What should your assessment look like to get the best results?

VeriSign reviewed our findings from our customers and wrote a white paper entitled "Not All QSAs Are Created Equal: What You Should Know Before You Buy" that talks about what you should expect. This paper is a FREE download! Go check it out!

June 27, 2008

Breach got you down?

Well, it has happened again. I received a rather menacing looking note in the mail today. You know, one of those heavy stock sealed letters that has the perforated edges? Yeah. That kind.

Inside, it looks like my information is on a lost tape from a bank. The funny thing is, I don't remember banking with this institution... ever. I have a feeling that one of the brokerage firms I use (or used) was backed by this institution, but nevertheless, I thought of an interesting type of phishing attack that I bet would work. When I looked through this notice, it did appear to have a corresponding breach on PrivacyRights.org. I have already placed my fraud alerts, so I should be good.

But what if it didn't? If I were to target specific individuals (i.e., spear phishing) and tell them that their information was compromised from a large bank, and provided a number for them to call for more info, would they readily give me enough information to steal their identity? I think people have started to be wary about clicking on things or giving out information over email, but what about through the mail? Sure, it won't have the same reach that electronic attacks will, but how much more lucrative could the loot get?

My thoughts are that it would work remarkably well against those individuals who don't have lawyers reading their mail, and especially some of the elderly population.

June 25, 2008

PIN Security finally catching up?

Wired reports that a Citibank hack may be responsible for a recent ATM crime spree. Edit: Looks like some arrests have been made! I've discussed issues around hacking ATMs and challenges with skimming in the past, but this one appeared to be pretty lucrative. While bank networks are not impenetrable, attacking endpoints is becoming much easier and more lucrative.

Anyone remember the old days when you had to make sure the ATM you were going to use was real? Speaking of that... Ladies, you should beware of this.

Something of interest to me... As a consumer, do you check your bank statement with all of your receipts? Would you know if money started disappearing from your account in $10-$30 increments? Does the state of your personal financial situation dictate your attention to your bank account? I may be a dying breed, but I have been known to spend twenty minutes poring over a bank statement to figure out where I missed a dime.

June 20, 2008

Listen to my PCI Podcast!

About a month ago an audio guy showed up to my house and pinned a tiny microphone to my shirt for a podcast on PCI. It is a joint podcast with John Pescatore of Gartner. The theme is on managing PCI Compliance.

Go check it out!

June 16, 2008

Where oh where has my little blogger gone?

I haven't written, called, emailed, faxed, or even sent you guys anything via carrier pigeon. For that, I grovel at your feet and request my penance (tee hee, I love the occasional translation error, especially when it reminds me of the most beautiful thing I have ever seen). What have I been up to?

Last week was fun. Boston & Cincinnati in two days. Was great seeing many of you out there! Especially when a coworker and I started eating at the wrong party! This week, so far, I have met with the Visa CISP and Incident Response teams over two days, and I am headed home to fly out to Atlanta for a couple of customer meetings. If you are in town, drop me a line!

Some PCI News for you...

The PCI Security Standards Council has announced their community meetings for 2008. We will be there! They have also announced training dates for PA-DSS assessors.

I'm off to DFW!

June 9, 2008

Are you in Cincinnati?

If so, shoot me an email! I will be there for the 5th 3rd Customer event tomorrow (if I can ever get out of Boston!).

June 5, 2008

June Edition of Herding Cats

The ISSA has posted the electronic version of the journal, so if you are itching to read what is coming to you via the post, go check it out! My column this month is titled "Don't Get Cyberjacked!"

It may be the first time that the phrase "This ain't your daddy's security incident" and the word "stripper" appear on the same page (or ever) in that fantastic publication. Go check it out!