Tuesday, October 2, 2018
Verizon's 2018 Payment Security Report, published Sept. 25, 2018, identified widespread vulnerabilities in financial services. For the first time in six years, a majority of survey respondents had not fully implemented security best practices or complied with the Payment Card Industry Data Security Standard (PCI DSS), researchers found. While 87.3 percent of respondents are securely transferring cardholder data, only 71.8 percent comply with PCI DSS methods for storing store sensitive data, according to the report.
"While PCI DSS compliance has been going up year on year, our observations in the field gave us an early warning that this positive trend could be coming to an end," Verizon researchers wrote. "In fact, the drop is probably a little bit less than we expected, with full compliance dropping just under 3 percentage points (pp) to 52.5%."
Rodolphe Simonetti, global managing director for security consulting at Verizon, urged global enterprises to implement sustainable data protection practices to stop further degradation of global compliance. "Consumers and suppliers alike trust brands to secure their payment data, so we must act now to remedy this state of affairs," he stated.
Verizon's PCI DSS qualified security assessors (QSAs) attribute varying levels of compliance among global businesses to "timing of geographical compliance rollout strategies, cultural appreciation of awards/recognition, or the maturity of IT systems." But the biggest culprit is a tendency to just meet the standard and think all is well, they noted.
"You can only achieve real risk reduction by building a program that addresses all aspects of creating a secure environment," Verizon researchers wrote. "Putting in place a control that just meets the standard, assuming that it will retain effectiveness despite changes, and banking on it always being followed brings to mind a famous saying: 'To keep doing what you're doing and expecting different results is the definition of insanity.'"
Security analysts point to Facebook's recent data breach as a case in point. Satya Gupta, chief technology officer and co-founder of Virsec, said early analysis points to a flaw in Facebook's "View As" feature, which he said was clearly built without thinking through security.
"Instead of just seeing through someone else's eyes, Facebook essentially lets you borrow their identity," Gupta said. "Armed with someone else's access token you can get to lots of private and highly privileged information." Additionally, millions of people use Facebook IDs to connect to other services where they store files, make purchases and conduct other private activities that thieves can exploit, he noted.
Ameya Talwalkar, chief product officer and co-founder of Stealth Security, expects the Facebook breach, which may have exposed as many as 90 million user credentials, to have a long-term ripple effect on other large enterprises. "We expect a significant increase in credential checking or password list attacks at other large online properties in the coming days," he stated. "This will result in increased number of accounts compromised overall, which will ultimately lead to more fraud losses."
Pravin Kothari, CEO at CipherCloud, cited another security flaw: user tokens that enable users to stay logged in to a service without re-entering passwords, enabling hackers to access accounts. He expects authorities to assess damages and impose heavy fines and penalties in the wake of the Facebook breach. "The real $50-million-dollar question is who did this impact, exactly?" he said. "Do any of those 50 million customers impacted reside in the European Community? If so, will this fall under GDPR, and how will it be treated?"
Gupta said airlines, banks and hospitals automatically disconnect inactive users from secure sites. Had Facebook implemented a similar feature, it may have avoided the data breach, he noted, stating, "It's a bad idea to let users stay logged on indefinitely while there is no activity."
Many people open Facebook and keep a browser tab open for hours or days while doing other things, Gupta observed. If they remain inactive on a banking site for more than a few minutes, they would be automatically logged out and prompted to re-authenticate. "This is a small burden for users and a no-brainer for security," he said. "There are also solutions that provide continuous authentication requiring users to confirm their identity if there is any unusual behavior."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.