Monthly Archives: March 2012

Fraud fears grow – “contactless” technology and your bank card

“Millions more British bank customers have been exposed to fraud through the latest credit and debit card technology, writes Channel 4 News technology producer Geoff White.” This is from an article on the Channel 4 website today (29th March).

I contacted one of our Senior Security Consultants for comment on this.

Will a lead lined wallet be the only solution?

This is nothing new, as it was reported 5 years ago, in late 2007. I recall reading that this new technology could put holders of such cards at risk from ‘contactless pickpocketing’.

The main difference is that other new technology, such as smartphones equipped with suitable, easily available software, is now available to the bad guys to intercept the holder’s non-encrypted Name, Primary Account Number (PAN) and Expiry Date transmitted by the contactless card to the payment reader.

Normally, such information by itself should not lead to a successful fraud transaction, as other details such as the holder’s address, PIN and/or the CVV number on the card are required to enable an approved card transaction to take place. So, whilst the contactless card and card reader providers look to make their end of the transaction more secure, e.g. by making the range from reader to card very small or zero – à la Oyster – they also make it difficult for the intercepting smartphone, as it too would have to be very close to the user to read the information. For example, if the reader range is limited to a 2.5cm / 1 inch radius then the interception technology typically has to be within 18cm / about 7 inches. Of course, they may just look at encrypting the data stream from the contactless card to the reader, just as online transactions are protected by SSL encryption.

Of course, if web sites such as Amazon have allowed card transactions to take place with only Name, PAN and Expiry Date details, that goes against VISA and other card provider rules, so they must review their practices as a matter of urgency. Meanwhile, whilst all this is going on, concerned users could go out and buy themselves a metal shielded wallet for their cards to stop the ‘contactless pickpocketing’ of information by the fraudsters!

PCI DSS states that the CVV must not be stored anywhere except briefly while the card is authorised for use as payment, after which it must be securely deleted. But the sellers of goods know they must use all the elements described, else it will be they who lose out, as they are not following the rules for using credit cards. It is the sellers who need to get their act together – I must admit I cannot remember any time when I have not been required to give all the details, whether over the phone, by post, email or Internet. Given that the Channel 4 article reported that lists of websites which do not require the CVV are shared by fraudsters, though, clearly a huge risk is being taken by the websites which allow this.

As for the contactless cards – like all new and emerging technologies – the initial security requirements will change in response to new and emerging threats, as has always been the case. Users are more savvy now than they ever were, so that helps as well in combating fraud. I take it you check your bank and credit card statements item by item on a monthly basis? If there has been fraud, typically your bank will refund you after an investigation, and if the seller has been negligent they will be liable to fines and penalties and the possible withdrawal of card payment services.
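The consultant’s point about the CVV is worth seeing in code. The following is an added illustration, not part of the consultant’s comment or of the original post: a merchant-side routine that uses the CVV only for the authorisation call and builds a record with no CVV field and a masked PAN, plus a small scan that flags stored records or log lines still holding a full card number or a CVV. The card number, CVV, log lines and the fake_authoriser are constructed for the example; nothing here is a real payment integration.

```python
# Added example (not from the original post): keep to the PCI DSS rule described
# above -- the CVV is used for the authorisation call only and is never written to
# disk -- and scan stored data for cardholder details that should not be there.
# The PAN, CVV, expiry, log lines and fake_authoriser are all constructed.
import re
from dataclasses import dataclass, asdict


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test used by card numbers; also filters out random digit runs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the masking PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class AuthRequest:
    name: str
    pan: str
    expiry: str   # MMYY
    cvv: str      # present only for the duration of the authorisation call


@dataclass(frozen=True)
class StoredTransaction:
    """What may persist after authorisation. There is deliberately no CVV field."""
    name: str
    masked_pan: str
    expiry: str
    auth_code: str


def fake_authoriser(pan: str, expiry: str, cvv: str) -> str:
    """Stand-in for the acquirer's authorisation service (constructed for the example)."""
    return "A1B2C3"


def authorise_and_record(req: AuthRequest, authoriser=fake_authoriser) -> StoredTransaction:
    """Validate, authorise, then build the record that may be stored, without the CVV."""
    if not luhn_valid(req.pan):
        raise ValueError("PAN fails Luhn check")
    if not re.fullmatch(r"\d{3,4}", req.cvv):
        raise ValueError("CVV must be 3 or 4 digits")
    if not re.fullmatch(r"(0[1-9]|1[0-2])\d{2}", req.expiry):
        raise ValueError("expiry must be MMYY")
    auth_code = authoriser(req.pan, req.expiry, req.cvv)
    # Only the masked PAN goes into the record; the CVV is discarded with the request.
    return StoredTransaction(req.name, mask_pan(req.pan), req.expiry, auth_code)


PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
CVV_FIELD = re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def find_cardholder_data(lines):
    """Flag lines holding a full (Luhn-valid) PAN or a CVV field: data that must not be kept."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if any(luhn_valid(m) for m in PAN_RUN.findall(line)):
            findings.append((n, "full PAN"))
        if CVV_FIELD.search(line):
            findings.append((n, "CVV"))
    return findings


# Constructed sample log: one correctly masked record, one debug line that leaked
# everything, and an order line whose digit run is not a card number.
SAMPLE_LOG = [
    "2012-03-29 10:02:11 auth ok pan=411111******1111 exp=0314 code=A1B2C3",
    "2012-03-29 10:02:12 DEBUG request pan=4111111111111111 exp=0314 cvv=123",
    "2012-03-29 10:02:13 order 20120329001 total=49.99",
]

if __name__ == "__main__":
    tx = authorise_and_record(AuthRequest("A N Other", "4111111111111111", "0314", "123"))
    print(asdict(tx))                        # no 'cvv' key, PAN masked
    print(find_cardholder_data(SAMPLE_LOG))  # [(2, 'full PAN'), (2, 'CVV')]
```

The scan is deliberately simple: a Luhn check on every 13 to 19 digit run keeps order numbers and timestamps out of the results, and it is the kind of check a merchant can run over its own databases and application logs to find where a debug statement or a badly designed table has kept data the standard says must go.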

If you or your business need support with PCI-DSS compliance or other security related issues, you can visit the website http://www.advent-im.co.uk/pci_compliance.aspx


ARE YOUR BUSINESS CONTINUITY PLANS MORE FAWLTY TOWERS THAN BURJ AL ARAB?

We all know hotels are good in a crisis.

Thanks to uktv.co.uk for the splendid picture of customer service excellence in action or is that inaction...?

Over-booked?  Syndicate out guests to other hotels.

Guest unhappy with room?  Move them.

Laundry, catering, or other supplier lets you down at short notice?  Mmmmmmm……

Hotel is unavailable during a period of peak national occupancy (e.g. the Olympics)?  Let me see……

OK.  So a ‘can do’ attitude and tried and tested crisis arrangements can only do so much.  But what can we do?

The Olympics and other major events are a fantastic opportunity for additional and much-needed revenue for hotels.  However with a little bit of effort – and very little expense – we can protect your business from the potential devastating reputational and financial effects of unforeseen disruptions.

Here are our top 5 tips for business continuity planning for hotels in 2012:

1.  If you don’t have one, get a business continuity plan now.  And if you do have one, make sure it is still fit for purpose.  If you are not sure how to do this, see our FUN 100 day Olympics Business Continuity Project Plan here.

2.  Make sure your plans factor in key suppliers that your business depends on.  And don’t assume that they have planned for the travel restrictions in place around Olympic venues – I can tell you now, a lot won’t have!

3.  Have a strategy for what to do with your guests if a hotel becomes unavailable for any reason.  Normally you would probably syndicate these out to other hotels, but what if there are no other hotels available and you have umpteen guests on the street and nowhere to put them?

  • Where are you going to move them to?  Are there unoccupied offices that you can access on a short-term lease that you can put day beds or similar into?
  • How are you going to move them?  Taxi and coach companies will also be enjoying a bumper time, so why not set up some strategic partnerships ‘just in case’?
  • What are you going to tell the rest of the world?  A well-managed incident can put column inches on your reputation.  A badly managed incident can have precisely the reverse effect.

4.  Don’t assume the impact of major events is localised.  Your business might not be in the vicinity of an Olympic venue but your suppliers might be – or their suppliers – or even their suppliers’ suppliers.  The impact on supply chain management was brought home to all of us in the tragic aftermath of the tsunami that struck Japan a year ago.

5.  Ensure your extant reporting processes (crime, utility failure and so on) feed into your business continuity risk management framework to help identify priority actions for mitigating the impact or likelihood of disruptive events occurring.

Mark Goddard – Advent IM Security Consultant

If you want assistance with your Business Continuity Plan, we can help.

We can also help with all aspects of hotel security from Information and physical, including secure card payments through PCI-DSS.

Visit our dedicated Hotel & conferencing webpage www.advent-im.co.uk/hotels.aspx

Is Your Business For The (Olympic) High Jump?


Terrible pun, I know. But if you saw something called ‘Business continuity planning for the Olympics’ you might stop reading.  But please don’t!  I am going to try something that no-one else has ever done before: make business continuity FUN!  I did think about trying something else that no one had ever done before and beating the Cuban Javier Sotomayor’s 1993 high jump world record of 2.45 metres (8 foot and half an inch in old money), but I have a gammy knee.  You can watch the amazing Señor Sotomayor strut his stuff here in a 10 second video (no sound):

It is fair to say that good, earnest BC professionals like myself have, to date, largely failed to capture the imagination of the man in the street, the man on the Clapham omnibus, or in fact any man, woman, child, dog, cat (apart from the one pictured) or mammal of any description.  And it is unlikely that any careers advisor has ever had their door beaten down by eager Year 11s desperate to know the best career path into BC management.  Which is a shame really, because, as Dara O’Briain (think ‘Mock The Week’) observed, “Business continuity is brilliant.” (Google it.  I can’t link you to it.  Too many naughty words, I am afraid.)  But as Mr O’Briain no doubt appreciates, BC is more than worrying about killer bees in the pick and mix and teaching HR how to dig latrines in the car park.

By the middle of April it will be less than 100 days until the Olympics start.  Think you don’t need a business continuity plan?  Think it is too late to get one in place before the Summer?  Think again!  This is your free, FUN 100 day Olympics Business Continuity Project Plan.

Day 1: Get management buy-in

Like our friend Javier, you’ll need some support.  He had Fidel Castro and you need your management.

As we know management have lots of people and projects vying for their attention so make your ‘pitch’ stand out to ensure it is successful:

– Identify the right management sponsor(s).  They should have an interest in the continuity of the company from a reputational, financial, or just practical point of view

– Sell, sell, sell!  What are your business’s BC ‘drivers’?  Is it financial?  BC planning can cost almost nothing, but can save you a lot of money in the event of disruption to your income.  Is it cultural?  If you have a strong welfare culture the first tenet of BC planning is always the preservation of life.  Is it practical?  Do your customers expect you to have BC plans in place and are you sure that your key suppliers will continue to be there for you during a disruption?  In a recent exercise one of our clients asked over 30 of their major suppliers to provide them with copies of their BC plans.  Only two could!

– Publicise the fact that you are doing this and why you are doing it to the rest of the organisation (or that part of the organisation your BC project covers)

FACT: In a 2011 survey 85% of respondent organisations had experienced supply chain disruption in the past year and you might not be in the South East, but your suppliers, or even their suppliers, might be (http://www.bcifiles.com/SupplyChainResilience2011PublicVersion.pdf)

Day 20: The groundwork

Javier had a team.  Dietitians, trainers, conditioning coaches and doctors.  And you’ll need a team as well.

This is where your BC project really starts getting ‘out there’ (scary).  Before day 20 you should identify representatives from key business functions (IT, HR, Finance, Facilities Management, Operations and so on) to talk to.  Ideally you will get them together all at the same time, but you could speak to them individually (or as a hybrid of the two).  You may choose to prepare a pro-forma for them to complete and this information will form the bedrock of your BC plans.  Generally the sorts of things you would ask for are:

– their key business activities (e.g. for HR this might be Recruitment, reward and employee engagement)

– the resources (people, technology, information, premises and so on) these activities are dependent on

– the impact on the business of not doing these activities

– how soon we would want these activities restored in a period of disruption; and

– how much electronic information they can tolerate losing in a disruption

Day 40: Bringing it all together

Most sportsmen and women have a strategy.  For Javier it would have been which heights to Pass or Attempt.  And you will need a strategy as well.

Obviously you can’t just stick all the information gathered into a folder, photocopy it umpteen times, and present it to the business as their BC Plan.  They would rightly think this a bit crummy.  The information gathered needs some kind of rationalisation, and this is where you start to develop your embryonic Plan.  You should be able to categorise the information from your representatives into thematic areas, e.g. Systems, People, Premises and Accommodation [some extra info for Hotels coming very soon], Suppliers and so on.  This can be rough bullet points or something more substantial.  You then need to find people to turn these thematic areas into chapters for your Plan.  This could be the same or different people from those who provided you with the information in the first place.  You shouldn’t write the Plan.  This is a BUSINESS Continuity Plan and the Business needs to take ownership of it.

Day 60: The Plan

Javier had plans for training, meals and competitions and all sorts of other things and now you have yours as well.

There is no set format for a BC Plan.  It could be electronic, hardcopy, or a combination of both.  Your business representatives can help decide this.  After all, it is their Plan!

Day 80: Practice makes perfect

Javier was the best at what he did (recording 17 of the highest 24 jumps ever recorded) because he practised, and so should you.

There are lots of ways to practise business continuity and ‘test’ your Plan: communication cascades, systems recoveries, desktop exercises and full simulation tests amongst them.  You will need to decide what is right for your organisation.  The important thing is that you capture feedback and lessons learned from your tests and incorporate them into revised Plans.

Day 100: The end of the road?

Unlike Javier, who retired in 2001, your business continuity plans are never ‘over’.

You will need to regularly remind people about the business continuity plan, make sure people are trained to operate it, and ensure it is regularly tested and updated.  But well done; you got there.  And you may not get lots of gold medals and acclaim like our high-jumping marvel but you will have the satisfaction of doing a good job well and after all, as Dara observed, “Business continuity is brilliant.”

Mark Goddard – Advent IM Security Consultant and Business Continuity Professional

http://www.advent-im.co.uk/business_continuity.aspx

Security for UK legal professionals

After reading a discussion on LinkedIn in the Lexcel group entitled “The Death of Lexcel”, and asking the legal brains on Deferolaw.com what they thought about this, I thought it might be interesting to have a look at Lexcel in the context of ISO 27001.

The reason for this is that we have noticed an increased interest and uptake in this accreditation in the legal professions and so the discussion topic intrigued me as I wondered if there was any correlation. Whilst they are not competing accreditations, I can see some areas where there is a definite relationship.

Incidentally, whilst I thought it was a great attention grabbing topic headline, the Death of Lexcel would appear to be somewhat exaggerated…

ISO 27001 potentially maps across some areas and a practice with Lexcel may have the ‘nucleus’ to build on for this accreditation.

The Lexcel standard is very practice and client-focussed and has…
