Crowdsourcing Payment Security

30 06 2009

In my inaugural post to this blog, I wrote about many of the religious wars that break out today regarding payment security and specifically PCI. In the post I mentioned the OWASP PCI project, which is a solid step in the right direction, but to be clear, payment security encompasses a lot more than just PCI. PCI does a decent job at setting an audit bar for merchants and service providers, but now I’d like to focus on the broader topic of card not present security.

Recently, I was lucky enough to participate and contribute to a new O’Reilly book, Beautiful Security. While I’d love to tell you my chapter out-shined them all, in reality Mark Curphey’s contribution on Tomorrow’s Security Cogs and Levers was brilliant. Since the publishing, I have been speaking to a lot of people on the topic of payment card security and what I felt were some of its fundamental flaws that needed to be addressed. In my view, the root cause of many of the security pains around online payments is the reliance on a shared secret that is ultimately shared with hundreds or even thousands of parties within the life of a card. If there is a security crack in the armor within even a single organization of these thousands of handlers, the card account may become breached. Within my chapter, I laid out seven fundamental requirements for a new payment security model. They are:

1. The consumer must be authenticated
2. The merchant must be authenticated
3. The transaction must be authorized
4. Authentication data should not be shared outside of authenticator and authenticatee
5. The process must not rely solely on shared secrets
6. Authentication should be portable
7. The confidentiality and integrity of data and transactions must be maintained

OK, so none of these are a revelation, you knew this already. Well that’s why I am posting this here. I have since converted my Beautiful Security contribution into a wiki found here. My original writing is a high level design and we now want to take this to the next step. I am certainly not foolish enough to believe there are no flaws within it, nor is it detailed enough yet to implement. This is where the security and payments folks come in. This a call to action to read through the wiki, update it, and begin to flash out the details that could turn this into an actionable payment security system that could be implemented. There’s a quick summary of the goals on the wiki home page to address where we are heading. But hey, this is a wiki, so those can change too! If you have some expertise in online payments or information security (I know you do, that’s why you’re here), please take the time to help out and contribute.

Note: This post originally published on CSO Online.


Comments : Leave a Comment »
Tags: , , ,
Categories : PCI, compliance, security, standards

New Blog Up!

26 05 2009

Apologies for the cross-post, but here’s a quick link to my inaugural blog post on CSO Online, discussing issues around payment security and how you can help! You can subscribe to the new blog via RSS here. This won’t completely replace this blog but rather supplement it. :-)


Comments : Leave a Comment »
Tags: , ,
Categories : Blogroll, PCI, compliance, security management

Streaming Announcements

30 03 2009

Well March has been a BUSY month but I just wanted to post a bit of info out here about what’s been going on and what’s coming up.

First off thanks to David Campbell, Kathy Thaxton and Eric Duprey for inviting me out to SnowFROC in Denver! I had a great time and just like last year, there was a lot of interesting talks on Web Application Security. Also thanks, to Bill Brenner and Lafe Low at CxO Media, for getting me involved in their CSO Data Loss Prevention seminar in Chicago. You can find the lineup of presentations with video for SnowFROC posted here and the CSO Seminar presentations posted here. Bill Brenner wrote a good piece on my presentation here.

Today I had the pleasure of participating in a lunch time podcast for the Society of Payment Security Professionals (SPSP) with Michael Dahn and Anton Chuvakin. We talked about the current and possible future state of payment security, how or if risk management plays into this as well as the “security first” vs. “compliance first” mindset. Thanks to Michael Dahn for having me on. I will update this post with a link to the podcast once it’s up.

For those of you not aware, I also serve on the Board of Advisors to the SPSP and work with Trey Ford and others on their Application Security Working Group. You should check out more about them here and reach out to me if you’re interested in participating in the AppSec Working Group. The Working Group is currently working on a DRAFT Playbook for PCI 6.6 Requirements. Get involved.

Bill Brenner over at CSO online has also been so kind as to let me participate on the CSO Online blogs section of the site. That should give me more motivation to post more often. Warning – I may end up double posting at times here or linking directly to the new CSO blog.

Thanks to the guys over at Matasano Security for putting on a great TechTalk at Orbitz. Thomas Ptacek and Mike Tracey came on site to give their 7 Deadly Features of Web Applications to a good crowd. A good presentation covered by a couple of very smart guys. If I am able to get both internal and Matasano approval, I may post the video of the presentation here later.

I’m a little late on the news here but both the BSIMM (Building Security In Maturity Model) as well as OpenSAMM (Open Software Assurance Maturity Model) have been released. The latter is now an OWASP project. I am just now getting around to reading through these and hope to have some thoughts put around this topic soon.

Finally, I am scheduled to speak at the next OWASP Chicago chapter meeting, pulling out my SnowFROC presentation for those who were not able to come out. The Chicago OWASP meeting is tentatively scheduled for April 29th. You can subscribe to the OWASP Chicago mailing list here if you don’t already do so.


Comments : Leave a Comment »
Tags: , , , , , , , ,
Categories : PCI, application security, event, podcasts, speaking engagements

Beautiful Writing

23 01 2009

UPDATE: A decent round of commentary going on about this on the PCI Answers blog. I’ve added my two cents within the comments. You can read through the discussion here.

I have been lurking in a lot of the usual places lately listening and reading to all the commentary about payment security thanks to the Heartland Payment Systems incident. I’m not going to comment on the incident here, there’s already plenty of people offering up their opinions.

What do I want to mention about all this chatter? You are having the wrong debate! So many people in security are talking about what this means for PCI. Is PCI effective? Was their an issue with the assessment? To this I say “it doesn’t matter”. None of this is the root cause.

Jeremiah Grossman has a really good post on aligning incentives here. This is getting much closer to the real issues in payment security. Want to know more? Well this is where my shameless and disgusting self promotion comes in. :)

I have had the privilege of participating in writing a new book for O’Reilly, Beautiful Security. For those of you not familiar with the series, this is a follow-up to Beautiful Code and Beautiful Architecture. It’s a compilation where each author contributes a single chapter on a security topic, mine being securing ecommerce transactions. Below is the product description as found on Amazon:

Product Description
In this thought-provoking anthology, today’s security experts describe bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. Beautiful Security features a collection of essays and insightful analyses by leaders such as Ben Edelman, Grant Geyer, John McManus, and a dozen others who have found unusual solutions for writing secure code, designing secure applications, addressing modern challenges such as wireless security and Internet vulnerabilities, and much more.

Among the book’s wide-ranging topics, you’ll learn how new and more aggressive security measures work — and where they will lead us. Topics include:

  • Rewiring the expectations and assumptions of organizations regarding security
  • Security as a design requirement
  • Evolution and new projects in Web of Trust
  • Legal sanctions to enforce security precautions
  • An encryption/hash system for protecting user data
  • The criminal economy for stolen information
  • Detecting attacks through context

Go beyond the headlines, hype, and hearsay. With Beautiful Security, you’ll delve into the techniques, technology, ethics, and laws at the center of the biggest revolution in the history of network security. It’s a useful and far-reaching discussion you can’t afford to miss.”

Special thanks to Mark Curphey and John Viega for involving me in this project. Lots of other authors much smarter than I such as Anton Chuvakin, Mudge, and others. All author proceeds are being donated to charity (IETF), another fantastic reason to pickup a copy!

Let’s stop arguing about how to build a better band-aid. It’s time to start talking more about addressing the root cause issues, and spend less time on the religious churn and debate around specific compliance requirements.


Comments : 3 Comments »
Tags: , , ,
Categories : PCI, books, compliance, security

Introducing SPSP

2 07 2008

I was recently invited to participate on the advisory board for the Society of Payment Security Professionals which I happily accepted. The site explains the society best:

“The Society of Payment Security Professionals’ objective is to provide individuals and organizations involved in payment security with an online community to share information and access education and certification opportunities. Society members come from a variety of businesses including card brands, merchants, acquirers, issuers, ISOs, and more.  Though their organizations may vary, they all share one purpose:  to protect consumer data using the most current, viable technologies and processes.”

They also offer a certification, Certified Payment-Card Industry Security Manager (CPISM). Mike Dahn writes about the SPSP as well the certification on his blog here, here, and here.

We are now in the process of forming a working group on application security. If you have expertise on the topic and are interested in participating you can send me an email or leave a comment here. We’re open to any and all comers. It should be noted this is NOT about PCI but rather payment security in it’s entirety.

Looking forward to my new role on the AB as well as working with the Application Security Working Group.

AddThis Social Bookmark Button


Comments : Leave a Comment »
Tags: , , ,
Categories : PCI, security, security management, standards

Recent Readings (and listenings)

6 08 2007

I recently finished two books (OK one of them was audio), The Long Tail: Why the Future of Business is Selling More by Chris Anderson and Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michael Zalewski. While they are both very different, they were both good reads and very appropriate topics for this blog. I would recommend both to regular readers here.

Ever since I finished the long tail a couple of weeks ago, I had been meaning to post on it and what it means to information security. Well while I was busy with other things a couple of people went it did just that. Over the weekend Mark Curphey wrote a 2 part post which sums up the book and how it relates to our field at a high level. Part 1 is here and Part 2 is here. I encourage you to read his posts if you have an interest in the economics of information security.

Another area that came to mind while reading this book (sorry, listening to this book) was the ever present topic these days of compliance. Organizations today have a number of regulations and laws that they must comply with in a given industry or geographic region. Some of these requirements make economic sense for the business, others are their to control the negative externalities of security. After reading (argh! LISTENING) to The Long Tail, I spent some time wondering how could a set of tools, processes, etc. make compliance economically sound and a choice organizations would make regardless of outside requirements (laws, regulations, etc).

I would like to challenge readers of this post to come up with some new ideas that would make these requirements that traditionally go against the rules of risk management and make them more sound for YOUR organization. The key here is every organization is different. What may make economic sense within mine, makes little to no sense in yours. That’s what makes the “one size fits all” approach of several regulations difficult on most companies today.

Have an idea? Post it here in a comment or send me an email!


AddThis Social Bookmark Button


Comments : 1 Comment »

Categories : PCI, Risk Management, books, compliance, economics, security, standards

Out of Hiding

7 06 2007

Well it’s been a while since I posted anything here. I have a million excuses, but I’m sure everyone has heard them all.

I have decided to take a change of direction in the PCI standard review that I most recently blogged about. After having several conversations with Mark Curphey, I’ve decided the best approach to the issue is working with him and several others on a new OWASP project – The OWASP Web Security Certification Framework.

It is our hope that this will be adopted and used to meet web application security requirements for PCI compliance and any additional regulatory requirements associated with this topic. Look for more on this standard this summer.

For those of you who don’t know Mark, I would highly encourage you check out his blog. He has a great security background working at places like Foundstone and ISS, as well as the original founder of OWASP. He’s currently working on a new startup that is taking off rapidly. I spoke to him about his new company and the work they are taking on, it’s very ambitous and fills a big gap in information security management software today.

If taking on the OWASP project wasn’t enough, I am also collaborating with Mark and others on something for the ISM Community. We’re creating a list of Tip & Tricks from the Field for the ISM Community Top 10. This will give readers a quick jump start on implementing key concepts for their Information Security Program.

Watch for more frequent updates and publications on these new projects.


AddThis Social Bookmark Button


Comments : Leave a Comment »

Categories : PCI, Risk Management, security, security management, standards

Addressing Externalities with PCI

2 03 2007

This is part 1 of a multi-part series on the effectiveness of PCI compliance on addressing security externalities.

A purely economical definition of an externaility is “a cost or a benefit arising from an activity that affects people other than those who decide the scale of the activity“. In computing, there are often unintended security costs that affect those that are not involved in the decision making progress. A good example of an externality in application security would be the shrinking of time it takes to go from prototype to production in recent web application development. Programming languages used to force developers to think about things like input validation and defining what is legal input. As 4GL languages and later web application development came about, the languages no longer required programmers to define input up-front. This (albeit minor) along with many other enhancements shrunk development time dramatically. The obvious externality here is a lack of security born by the users of the application built.

Within information security, there have traditionally been two ways of offsetting externalities – regulation and liability. In this series I will try and cover the PCI DSS, and in my very humble opinion, how effective it is in dealing with security externalities.

PCI DSS (Payment Card Industry Data Security Standard) is regulated by the various credit card associations and is meant to protect card holder data. It is made up of 12 high level objectives within 6 different areas of security.

Section 1: Build and Maintain a Secure Network

This section is made up of 2 high level objectives around network security and access. Given that network security is probably the most mature space within electronic security, this section is likely the least controversial. That being said, the devil remains in the details. One consistent issue with most security regulations is a tendency in getting to deep into the implementation of controls. Given broad diverse audiences, this is not an effective approach. I have often said the best regulations will state objectives that must be met and let the participating organizations define how they meet those objections. It is then up to an ‘independent’ third party arbitrator to determine if indeed those objectives are being met.

While part 1 is primarily a no-brainer, the PCI council still murks the waters a bit by adding redundant requirements and attempting to dictate control activities at times. Take the following 2 requirements:

1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN)

1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented

Is there a difference between these? It appears the second requirement asks for security features implemented presumably to mitigate the issues with the risky protocol, but who defines risky protocol? I have to believe FTP isn’t the only one. And why don’t I have to justify HTTP, SSL, SSH and VPN? If there is no business need for those to be open, why shouldn’t I close them on the firewall?

Here’s another redundancy:

1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment

1.3.7 Denying all other inbound and outbound traffic not specifically allowed

OK, so technically we’re now discussing the cardholder data environment, but shouldn’t this be the case for any and all environments?

Next up:

1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

Not a bad rule, too bad it doesn’t mean anything. A simple requirement to install software does not buy us any extra security. This requirement would be better off to stick with allowing justified protocols that were covered in excess in earlier requirements. If a personal firewall is installed on a laptop but is configured to allow all, we’re not addressing the risk (but we are technically compliant with PCI).

Overall, nothing terribly controversial in section 1. Most organizations have been doing this stuff for a long time. To be clear, I think regulation is a good way to address externalities and it’s impossible to please everyone; I am just hoping we continue to refine this standard so it makes sense for all merchants and service providers. Stick to the objectives and avoid conflicts of interest.

Up next: Section 2


AddThis Social Bookmark Button


Comments : Leave a Comment »

Categories : PCI, economics, security

New Business Idea

22 01 2007

Yet another potentially massive breach of cardholder data has occurred. The latest involves TJX, a large retailer that owns brands such as T.J. Max, Marshalls and HomeGoods.

These seem to have become expected news, with large breaches being announced seemingly every couple of weeks. When chatting with an associate of mine who works in the PCI (Payment Card Industry) assessment field, it occurred to him that a very large number of these issues are occurring within offline traditional retailers. After thinking about this a bit it occurred to me, why couldn’t we take a ‘PayPal‘ payment model to the traditional retailers. This would allow the consumer to narrow down their points of trust to a single entity. We would establish this entity that would verify it’s security around cardholder data (through PCI or otherwise) where consumers could store their credit card information. The company would issue a form of a smart card that would authenticate the cardholder at the point of sale and conduct the cc transaction on the retailers behalf. In other words, the card is read in at the retail counter and transmitted to this company which verifies the identity of the cardholder. Once the cardholder is authenticated it must then conduct the credit card transaction on the store’s behalf and then submit a payment to the retailer. The credit card would never be handled by the retailer, thus limiting the sources of trust the consumer must maintain. Instead of a consumer having to worry about the security of the hundreds of retailers that handle their data, they would only need to be concerned about the one (or certainly a lot less). This doesn’t take the banks or card associations out of the equation, but does remove the biggest point of failure, the retailers.

Paypal seems to have done a pretty good job with this in the online transaction world. The logistics, I imagine, are a bit more difficult in traditional retail. There would be a significant cost in provisioning the cards, signing up retailers, and deploying the card reader devices. I imagine the service would be free to the consumer and initially free to the merchant. Ultimately it would be a combination of the card association business and the Paypal online model.

What do you think? Is this a feasible business? I’d love to see someone poke holes in the idea.

UPDATED 2/26: Updating this post to note the launching of G Cash by Globe Telecom in the Philippines. This appears to be the early stage of the service discussed in this post. It also removes some of the infrastructure requirements noted above. G Cash allows a mobile subscriber to pay bills, send cash to other subscribers, and make purchases at participating outlets and ties directly to your account. I hope this service catches on.


AddThis Social Bookmark Button


Comments : Leave a Comment »

Categories : PCI, security