hints of the barnes & noble pos hack

My lunch routine is pretty standard and well-known. I go to a Barnes & Noble and pick up a latte over lunch and read magazines that I don’t purchase. I’ve literally done this for years. Clearly I’m a store member and carry a card which I swipe every day for 10% off.

A few weeks ago I took immediate note of the missing card swipe device on the counter and asked if someone had broken their swiper. I got the response that HQ had come in and pulled them all off. Being the savvy person that I am, bells went off, I tuned them down, and went about my business.

As I’m catching up with security news today, sure enough I see word that B&N suffered a POS security breach. Every day that went by without the POS device at the store(s) was further indication that something bad went down and it wasn’t just an upgrade/replacement or glitch.

(Of note, like a good security geek, I don’t use credit cards willy-nilly, especially for tiny purchases like a latte; I’m all about cash for anything but huge purchases, so I wasn’t even at high risk from this.)

These breaches always make me curious and I always have the same round of questions that will never be answered, because no one shares the information, not even in professional circles.

1. What did the attack consist of? Taking apart and adding something to the POS device? Skimmer over top? Code update?

2. Only 1 compromised device in each of 63 stores? Why only 1? Did the device/attack store up credit card info? Did it beam it out realtime via an Internet connection? Did it have access to penetrate the internal network/databases?

3. 63 stores affected in varied major metros. Sounds custom and targeted.

4. How did B&N find out about this? Someone else bring it to their attention? Monitoring? Why or why not?

These are questions not intended to cause legal issues or backpedaling or lay blame. They’re more about learning from mistakes so that I can be better informed and do a better job in my own security endeavors. PCI Guru has a nice follow-up piece.

the cyber insurance play

(Yes, the title makes me feel dirty as well, for using ‘cyber…’) I’ve been waiting on this case with PATCO Construction v Peoples United Bank to offer up some resolution for a while now, since I think it may set some important precedents. Alan Shimel weighed in earlier this month on it, particularly on the topic of individual accountability. (Disclaimer: I didn’t listen to the audio accompaniment.)

Toward the end, I was struck by:

Perhaps having breach insurance is the prudent, responsible business way to handle this? Does your organization even have breach insurance? Breach insurance is one way of managing your risk, but all it can do is replace money lost. Some breaches are hard to put a price tag on.

I can understand the PATCO situation, or maybe even the bank’s situation. But in the other example offered in the post, that of Wyndham Hotels and Resorts losing customer credit card information, how does insurance help those whose data is lost by a third party? Does it pay for credit monitoring (nearly useless)? Does it repay with gift cards that can be spent only with the negligent party (ridiculous)? I don’t think having a safety net is necessarily a solution for all parties involved. In fact, insurance may allow business to take less responsibility since it’ll just get a payout.

Ultimately, the idea of taking responsibility for security is a good one, but it cuts contrary to how the culture of America has evolved in the last 50 years to blame everyone else for anything that goes wrong.

the risks in such a connected world: naked pics

The Chief Monkey (honestly, I never know how to address him) has a great post up, How Your #Naked Pictures Ended Up on the Internet. The post illustrates a few key things.

1) Security question weaknesses.
2) You *are* sharing your information with others.
3) You *are not* just keeping files secret on only your phone.
4) You can’t trust other services/people, de facto. You have to put some thought into it.
5) What gets on the Internet and is tied to your name/identity, will haunt you.
6) Facebook is a great place to stalk people.
7) All of these weaknesses are born out of making things easier for you, the user.
8) Staying safe and secure and yet still using all these technologies and services *requires* work.

As a warm-blooded guy who has internet access, I can attest to the uptick in porn sites featuring what are obviously pilfered personal pics from phones.

At some point, digital picture facial recognition is going to both help (to find out who people are to warn them) and explode (tie bad pics to your name forever) this problem.