First, Apple. Today they released a patch for OS X to fix Bash; the question is how complete the patch is. Everything that I've heard thus far is that the patches for various *nix distros are partial and that a further patch will be required. So I don't know where that stands. I was not able to find the patch in Mac's Update service, but the direct links in the article worked fine. No computer restart required.
http://krebsonsecurity.com/2014/09/apple-releases-patches-for-shellshock-bug/
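A local self-check that goes with the question of whether a given Bash patch took, added here and not taken from the post or the linked article: it asks the local `bash` whether it still runs a command tacked onto a function definition passed in through an arbitrary environment variable, which is the behaviour the Shellshock patches remove. It assumes `bash` is on `PATH` and examines only the interpreter on the machine it runs on; passing it shows the original import path is closed, not that every follow-up fix has landed.

```shell
#!/bin/sh
# Added example (not from the post): report whether the local bash still
# executes a trailing command appended to a function definition that is
# imported from an arbitrary environment variable.
# Assumes `bash` is on PATH; only the local interpreter is inspected.

shellshock_status() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo "no-bash"; return 0; }

    # Constructed probe: a variable shaped like an exported function with a
    # command after it. A patched bash either ignores the variable outright
    # or imports only the function body, so "marker-ran" never reaches
    # stdout and only the -c command's output appears.
    out=$(env probe='() { :;}; echo marker-ran' "$bash_bin" -c 'echo probe-done' 2>/dev/null)

    case "$out" in
        *marker-ran*) echo "vulnerable" ;;
        *probe-done*) echo "patched" ;;
        *)            echo "unknown" ;;
    esac
}

# Non-zero exit when the interpreter is still vulnerable, so the check can
# gate a configuration-management run or feed a monitoring probe.
shellshock_check() {
    status=$(shellshock_status)
    echo "bash function-import check: $status"
    [ "$status" != "vulnerable" ]
}
```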
Now, the Jimmy John's sandwich shop hack. 216 JJ's were compromised; the number of cards stolen is not mentioned in the article. Here are the problems, and I'm using the plural purposely. First, it was a service vendor, Signature Systems, that was compromised, so another 100 mostly mom & pop operations were also affected. They're spread all over the USA, no significant geographic clumping.
But the fun doesn't end there, oh no! Anyone who processes credit cards has to be certified to be PCI-compliant, and there are different levels of certification depending on what your credit card volume is. The auditor company who certified Signature Systems is the only auditor to have their accreditation CANCELLED by the card processing industry.
But wait, there's more! In addition to the auditor losing their certification and going out of business, one model of cash register system installed by Signature Systems was not certified as of late October 2013, and many systems were installed after that date! Even though lawsuits would be flying around regardless, these are going to be interesting because clearly Signature Systems was grossly negligent.
http://krebsonsecurity.com/2014/09/signature-systems-breach-expands/
And finally, my wife and I had an interesting experience in Las Cruces last week. While we were in town, every time I used my card on my wife's account, it was declined. We called the bank and we had a very healthy balance in the account; unfortunately my wife left her wallet at home, so we had to use my cards. Fortunately my account's card worked fine. We thought maybe it was because we were 100 miles from home, but we're frequently in 'Cruces, so it was odd. When we got back to Alamogordo that night, it was declined yet again at a bookstore (three Eric Clapton CDs). As it happened, the clerk also worked at the issuing bank, and she said a whole bunch of cards had been cancelled because of the Home Depot breach. Checked my mail the next day and there was a brand new, bright shiny card. The old one met the shredder. I got my Amazon account reconfigured, received a text message from DirecTV and got them reconfigured, and I think I'm now good.
no subject
Date: 2014-09-30 07:51 pm (UTC)
I wonder what other PCI audit delights have escaped detection so far..
Last time I experienced card fraud, the bank caught it reasonably quickly, declining the larger amounts attempted, and were fine with reversing the small test they began with. Meant having to tweak the card details in various accounts, of course, but no great hassle, and no loss.
no subject
Date: 2014-10-02 01:17 am (UTC)
There's an interesting thing about PCI audits. Every company that's been hacked recently (Target, Home Depot, Michaels, etc.) had all recently passed audits before the hack. After the hack, they failed. So it seems to me that the audits prove that the systems are strong against casual attack but totally worthless against serious attacks using zero-day exploits.
I've suffered because of fraud twice. Once I'd traveled to Phoenix to continue on to Las Vegas in a few days, checked my account and found a charge for $85 at a truck stop in North Carolina, somewhere that I hadn't been in four years or so. The bank didn't catch it; I found it by looking at my account online. They investigated the charge and I got my money back, and they had to re-issue my card. More recently, as a preemptive move, my local bank cancelled my card because of the Home Depot hack. I don't know if any actual fraud was found. Twice I've had banks call me about suspicious transactions that I'd made: one was for buying my Eos 6D system, some $2600 in one swell foop, the other during a Phoenix trip when I spent $100 each at two camera stores, 15 miles apart, for darkroom supplies, as neither one had everything that I needed. With as much travel as I do to Phoenix, and the fact that the card was originally issued when I lived there, you'd think they'd know. I can understand the camera purchase looking strange as I'd never spent an amount like that on that card, but still. Likewise, you'd think they'd notice a charge in North Carolina as suspicious when I live in New Mexico and haven't had any charges indicating travel.
Financial institutions are doing better at detecting fraudulent charges, but they still have a way to go. They need to add a little more human moderation in them, such as the North Carolina charges.