It would be funny if it weren’t so damn plausible.
18 Aug
8 Jan
The folks at Consumerist (excellent site, btw) just posted a copy of the disclosure letter Geeks.com (aka computergeeks.com) sent to customers informing them that their credit card data may have been compromised.
A few items that concerned me about the disclosure are…
Genica Corporation dba Geeks.com
1890 Ord Way Oceanside, CA 92056
January 4, 2008 [snip]
The purpose of this letter is to notify you that Genica dba Geeks.com ("Genica") recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised. In particular, it is possible that an unauthorized person may be in possession of your name, address, telephone number, email address, credit card number, expiration date, and card verification number.
Two things immediately jump out at me in this first chunk of text. The first is the date of the letter (January 4, 2008) compared to the stated date of discovery (December 5, 2007): a full month passed before customers were told.
Being a PCI-DSS guy, I know that most merchant gateway providers require disclosure within one day of "a suspected compromise". Granted, that is disclosure to the merchant gateway and not to customers. However, Geeks.com operates out of California, which is at the forefront of disclosure law. In fact, the California Security Breach Information Act (SB-1386) states…
Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery
The other troubling part was "and card verification number". This is the CVV2, which is NEVER to be stored after authorization (not even encrypted) under PCI DSS requirement 3.2.2; its only purpose is to show the card was in hand at the time of a card-not-present transaction, so a merchant has no business keeping it.
3.2.2 Do not store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions
I am troubled that vendors still remain clueless about the best practices and regulations that govern their actions. I am even more disturbed that, despite these regulations, implementing proper safeguards and demonstrating caution is in their customers' best interests, yet it is still not done.
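As an added example (not part of the original post, and not Geeks.com's or anyone else's code), here is what requirement 3.2.2 looks like in practice: a post-authorization record that drops the verification value entirely and truncates the PAN, alongside a scan over persisted records that flags any verification value or clear-text PAN that slipped through. The field names, the sample authorization request and the expected findings are constructed for illustration; the PAN is the public Visa test number.

```python
import re

# Field names under which a card-verification value commonly travels.
# These names are an assumption for the example, not anything from the letter.
CVV_FIELD_NAMES = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_verification",
                   "card_verification_number"}
PAN_FIELD_NAMES = {"pan", "card_number", "credit_card_number"}


def luhn_valid(candidate: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    parity = len(digits) % 2
    for i, d in enumerate(digits):
        if i % 2 == parity:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3/3.4 truncation)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:  # not PAN-shaped; mask it completely rather than guess
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def to_storable_record(authorized_txn: dict) -> dict:
    """Build the record that may be persisted once the transaction is authorized.

    The verification value is dropped entirely (3.2.2 forbids storing it, even
    encrypted); the PAN is truncated so the stored copy cannot be replayed.
    """
    record = {}
    for key, value in authorized_txn.items():
        lowered = key.lower()
        if lowered in CVV_FIELD_NAMES:
            continue
        if lowered in PAN_FIELD_NAMES:
            record[key] = truncate_pan(str(value))
        else:
            record[key] = value
    return record


def find_sensitive_data(records: list) -> list:
    """Scan persisted records for a stored verification value or a clear-text PAN.

    Returns (record_index, field, problem) tuples. A clear-text PAN is detected
    structurally (a 13-19 digit run that passes Luhn) so it is caught even when
    it sits under an unexpected field name.
    """
    findings = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            text = str(value)
            if key.lower() in CVV_FIELD_NAMES and re.fullmatch(r"\d{3,4}", text):
                findings.append((idx, key, "card_verification_value_stored"))
            for run in re.findall(r"\d[\d -]{11,21}\d", text):
                if luhn_valid(run):
                    findings.append((idx, key, "pan_in_clear"))
                    break
    return findings


# Constructed sample: what an authorization request carries on the wire.
AUTHORIZATION_REQUEST = {
    "order_id": "A-1001",
    "name": "Jane Example",
    "card_number": "4111 1111 1111 1111",  # public Visa test number
    "expiry": "12/09",
    "cvv2": "123",
    "amount": "49.95",
}

if __name__ == "__main__":
    stored = to_storable_record(AUTHORIZATION_REQUEST)
    print("storable:", stored)
    # Scanning the request as if it had been persisted verbatim, which is what
    # the letter's "card verification number" implies happened.
    print("findings:", find_sensitive_data([AUTHORIZATION_REQUEST, stored]))
```

Running the scanner over the request as received reports both a stored verification value and a clear-text PAN; running it over the storable record reports nothing, which is the state a merchant's database should be in after authorization.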
4 Jan
Best of 2007
Tech
Security
Privacy
Apple
27 Mar
I have seen “pretexting” in the news far too much without commenting on it.
What is pretexting? According to wikipedia it is “the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone”.
So in other words it's a specific type of social engineering. Or, as I like to call it: fraud.
Let's not beat around the bush on this one. If you contact a company and pretend to be me in order to get information about me, or to acquire a service or funds that you are not entitled to, you are committing fraud (and I will beat you down).
Having been the victim of both identity theft and credit theft, I take privacy very seriously. Yet even a thorough understanding of privacy, coupled with a healthy paranoia, is still not enough.
The first time it happened, someone forged my signature (convincingly, too) to have all of my mail forwarded to Texas. The motivation on this one is still unclear, but it took the post office months to straighten my mail out.
The second time I was a victim of credit card "double-swipe". While I was at a gas station in Ontario, CA, someone swiped my debit card through a modified card reader. This reader recorded the information stored on the strip on the back of my card. They also recorded my CVV (the 3-digit code on the back of the card) and used the information to print a new magnetic strip and clone my debit card. It was used for 'card in hand' transactions in Toronto.
Neither of these events could have been prevented… by me. However, with proper legislation our government could force private industry to implement effective safeguards against these sorts of attacks. Unfortunately, until these safeguards are mandated or become cost effective, they will never happen, and we as consumers will continue to suffer.
A prime example of this country moving in the wrong direction is the recent HP verdict. The top levels of the company condoned (nay, encouraged) pretexting and got off with no jail time.
And now we are seeing pretexting causing issues with Xbox Live.
We have to be clear with lawmakers that we will no longer sit by and let our personal data be stolen and sold.
Until we can convince lawmakers that this sort of thing will not be tolerated, all we can do is learn how to protect ourselves and support organizations that are trying to make things right.
Electronic Privacy Information Center (EPIC)
Identity Theft Resource Center
Privacy Rights Clearinghouse
Privacy Laws by State (source: Epic.org)
13 Mar
In case you haven't been following security and privacy related news, last week Texas Attorney General Greg Abbott ruled that exposing SSNs in public documents violates state and federal laws.
To me, this is common sense and good news for everyone in Texas. Why would you want anyone printing your social security number in a public document? It makes no sense and is outright dangerous.
Now we have this little gem (source: computerworld.com):
The Texas House of Representatives last week passed emergency legislation that would absolve county clerks of civil or criminal liability for exposing SSNs in public documents “in the ordinary course of business.” [...] The ruling would require that clerks check each document for SSNs and remove them before making the documents public. Daunted by the task and fearful of running afoul of the law, county clerks asked state legislators to come to their aid.
This sounds like a group of people so set in their ways and so fearful of change that they are unwilling (or too lazy?) to change operating procedures to comply with the law and serve the good of the general public.
I’m appalled that the Texas county clerks would ask legislators to exempt them from this law and I am even more disgusted with the fact that the legislators are considering it.
Apparently even the privacy concerns are bigger in Texas.
10 Aug
Well, not really. This time it was only my debit card.
I received word last Saturday evening from my bank (National City) that my debit card had been used for a 'card-in-hand' transaction at a gas station in Canada (they made a physical card containing my debit card information on the back strip). The woman from the bank asked if I had been in Canada earlier that day. After I told her that I was at home all day, she informed me that my card number had likely fallen prey to the recent rash of debit card information thefts.
From what I was able to gather from earlier reading about this, a number of merchants illegally retained debit card PIN information, and that information was subsequently stolen and used all over Canada and Europe.
The woman from the fraud department at National City informed me that the transaction had occurred about an hour earlier, that she saw no additional fraudulent transactions (I verified this in my online account view), that my card had been frozen to prevent further charges, and that the bank maintains a zero-liability policy. In other words, I was not responsible for the transaction in any way. She asked that I stop by a branch and fill out an 'Affidavit of Fraud', and said a new debit card would be mailed first thing Monday.
All in all, I was very impressed with the speed of detection and the fact that they took the initiative and corrected things. They turned what could have been a disaster into only a minor inconvenience.
I am, however, unimpressed that the government still has not passed any law that will hold the vendor(s) accountable for allowing the information to be compromised. I am certain that once a law of this sort passes, the frequency of these sorts of incidents will drop like a stone.
The number of articles about this whole debacle indicates that hundreds of thousands of others have also fallen victim. A couple from SecurityFocus are as follows:
Seven arrested in online fraud crackdown
Debit-card fraud underscores legal loopholes
Debit-card fraud continues
Citibank issues ATM fraud statement
19 May
Last week, revelation of yet another NSA surveillance effort against the American people has rekindled the privacy debate. Those in favor of these programs have trotted out the same rhetorical question we hear every time privacy advocates oppose ID checks, video cameras, massive databases, data mining, and other wholesale surveillance measures: “If you aren’t doing anything wrong, what do you have to hide?”
Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
Two proverbs say it best: Quis custodiet custodes ipsos? ("Who watches the watchers?") and "Absolute power corrupts absolutely."
From Bruce Schneier’s blog
12 Apr
Every time I pull up Google News I see a new example of our administration spying on its own citizens. Governmental domestic spying has infiltrated just about every facet of our communications. A few examples follow:
Government wants PayPal to help it find tax evaders
“Tax officials won permission from a federal court in San Jose to ask PayPal for account information for customers who have had money sent to financial institutions in 30 countries known to be tax havens”
EFF Has Evidence Of AT&T, NSA Spying [on us]
“The Electronic Frontier Foundation recently bolstered its class-action suit against AT&T by submitting evidence that the telecom provided the National Security Agency with open access to Internet traffic it handled.”
Google will have to turn over search data to the government
“The DoJ had subpoenaed search records from a one-week period covering 1 million random web addresses in an attempt to make its case for reviving the Child Online Protection Act, which was struck down in 2004.”
DOJ Subpoenaed Dozens of Companies in Addition to Google
“The Department of Justice has gone beyond Google in its quest for evidence to develop a case in preparation for an October trial in Philadelphia over the Child Online Protection Act (COPA).”
President Bush, NSA accused of wiretap abuse
"the National Security Agency (NSA) has and continues to engage in covert, extralegal domestic surveillance of American citizens and foreign nationals under a classified executive order signed by President Bush in 2002"
And if any negative word is uttered in the press or courts to combat these issues, you will see the administration pull the same trick every time: "Simply talking about these programs is aiding the terrorists." Then they refuse to release any details and continue doing these things as if everything is fine.
"We the people" are powerless to do anything about it. Look at large and well-funded organizations like the EFF, MoveOn and the ACLU. I admire the fact that they are pushing on and challenging these things, but it hasn't really made a bit of difference.
I'm not against Bush, and I'm not against conservatives or Republicans. I just think that these freedom-destroying policies are killing our "land of the free" irreparably.
