Posts Tagged ‘data theft’

Interview with Struan Robertson, technology lawyer with Pinsent Masons.

Tuesday, September 30th, 2008
If you have sought expert legal advice pertaining to data and technology at corporate level, you may be familiar with Pinsent Masons. If you have searched Google, even at a cursory level, for data protection information, you will likely be very familiar with out-law.com, of which Struan Robertson is editor.
Our privilege in running this interview is very much to the advantage of our readers. For this we thank Struan.
Introductory detail.
 
Name : Struan Robertson
 
Company : Pinsent Masons
 
Position : Legal Director, Pinsent Masons and Editor, OUT-LAW.COM
Marital status, family members : Married
 
Education / Qualifications 
I did my law degree and diploma at Strathclyde University - then somehow scraped my way through a beginner’s class in Java programming.
 
Pastimes / Hobbies : Running, skiing, movies
 
Q : What type of car do you drive? 
A : Chrysler
 
Q : What area of law do you most enjoy? 
A : Internet law. It develops far faster than other areas of law, which keeps it interesting, and for a technology enthusiast there’s nowhere else to be.
 
Q : Given that out-law.com was first registered over ten years ago, why is it, do you think, that Pinsent Masons were so far ahead of their time in seeing the benefits of investing in a legal information and discussion site distinct from their own domain? 
 
A : We weren’t first to register the name; we bought it in 1999 for, I think, CAN$5,000. More recently we were able to buy Outlaw.com (no hyphen) for US$25,000, though we never had any plan to use it. We launched OUT-LAW in May 2000. We aimed to become the leading online legal brand and the leading brand for online legal services.
The legal profession moves forward at glacial speed, so it’s not hard to stand out from the crowd - it just takes a bit of courage. Ours is a more innovative firm than most, I think - I’ve always thought this firm has a strong entrepreneurial spirit. Working on OUT-LAW felt rather like working at a start-up, but we’d have canned it if it hadn’t worked. Fortunately, it works very well for us. We take the view that clients won’t pay for basic legal information but they will pay for legal advice. So we’re giving away the basic legal information. Clients really appreciate that and OUT-LAW helps us to win their work. We recognised that people will use Google for legal research before coming to any law firm website, including our own - so we make sure that our pages are easy to find through Google. I’m surprised that so few firms do that.
 
Q : What are the work achievements of which you are most proud? 
 
A : This year we became the first law firm ever to win a Webby. That was a great accolade for us. But I suppose the thing that matters most is that we have also helped a lot of businesses over the past 8 years and we have won a lot of work directly or indirectly through OUT-LAW. Companies recognise from OUT-LAW that we know what we’re talking about and that we can communicate in plain English, not legalese. All firms claim to have those skills; we prove it.
 
Q : Do you believe that data compliance has become overly complicated for small business, or that there is little excuse for non-compliance in an era when information on compliance requirements and readiness is pervasive throughout the Internet? 
 
A : Most businesses will experience data compliance challenges and occasional oversights. Sometimes a problem is resolved easily by following free guidance; sometimes specialist advice is needed. Businesses in the UK are covered by laws that are fairly general in nature, that can be re-interpreted as technology moves on. That’s better, in my view, than the US approach where the laws change frequently because they are technology-specific. There are also more laws to keep up with in the US, at state and federal level.
 
Q : What general advice would you give to business startups with regard to data protection and compliance? 
 
A : There’s a lot of useful free guidance out there, so read that first. Do get advice from a specialist with your data collection notices, though, because if you get that wrong at the start, you can build a business on a collection of data that was unlawfully obtained. We don’t hear much about enforcement action, so people may think they can run that risk. But if you come to sell your business in the future, you can bet that the lawyers for the purchaser will hammer you down on price if they can argue that your database was built illegally.
 
Q : Do you believe that the traditional high street general practice legal firm is equipped to deal with compliance issues, or that business owners and managers should seek specialist advice in this area? 
 
A : As you would expect, I’d recommend seeing the specialist. You’ll find that many high street lawyers will recommend the same thing - we often get referrals from other solicitors.
 
Q : Is there a compliance point beyond which a company can consider itself to have done all it can do, or is it possible for a company with good practice and intentions to suffer sanctions as a consequence of, say, a theft involving data? 
 
A : The sanctions for data thefts to date have generally focused on failings in systems and controls. If you follow best practice guidance, sanctions are less likely, though clearly a data theft can still be very damaging.
 
Q : With all the focus on cyber criminality and corporate responsibility, what responsibilities do you believe members of the public have on an individual level in protecting their personal data?
 
A : Very few. The current Banking Code, which is part of most consumers’ contracts with their banks, sets certain expectations for online banking. It says, in effect, that users must keep their anti-virus and firewall software up to date or they could be liable if their accounts are cleaned out by criminals. But if weak security on a consumer’s PC is to blame, it’s not reasonable to hold that individual liable for the loss for failing to install the latest patch. I suspect most banks would take the same view. But if one bank does try to hold a customer liable for his or her weak security, I can’t see a court upholding that requirement. The focus has to remain on effective layers of security. Consumers must be provided with identification and authentication systems that are secure and easy to use. We’re not there yet. For as long as websites continue to ask for your mother’s maiden name, there is work to be done.
 
Visitors, want to see more who’s who in data? Then watch for next week’s who’s who in data.


Dirty dozen card data theft variables.

Wednesday, August 20th, 2008

12 serious data theft breach areas you must take control of if you use card payment services.

  1. Wireless networks. As pointed out by Tom from databackupie in his comment on our post about the Irish card payment system scam on the weekend of 16th and 17th of August, wireless networks are rarely adequately secured and are very easily breached. The popularity of a small number of broadband providers can make hacking their clients an easily replicated job once a single overall hack method is successful. In the Eircom example which Tom referred to, there are Netopia decrypters available on the web. This type of hack is device specific and breaches at device rather than encryption level, making the hack quick and the method near uniform. If a business with a payment service system does not isolate that system (i.e. uses the same broadband for general use) or uses a wireless connection (even if it is encrypted) on the connection used for payment services, hacking it can be all too easy. Add to this that there are many businesses using unencrypted wireless systems and you can see that the pickings are rich. Intent is in many cases the only required ingredient, as the data is there to be breached without any significant know-how. Wireless networks are the biggest non social engineering risk a business will face when protecting card services data.
  2. Social engineering. This is simply a huge area. It involves a level of human contact. This can be by phone, post, directly at the store or to a staff member outside of work. The general aim is to gain trust by asking seemingly innocuous open questions which are intended to cause the subject to unwittingly part with information which will assist with a breach. A very good example is the card services scam about which Tom commented. In that case, people entered premises under the pretence of representing card services and fitted devices to the payment system thus giving themselves full access to the data required to defraud card holders.
  3. The enemy within. Earlier we discussed Netopia (a broadband device commonly used by Eircom) and now we enter the area of Utopia. In a perfect world all staff could be trusted. Unfortunately this perfect world just does not exist, so every data protection policy must assume that every manager and staff member is capable of playing a starring role or taking a bit part in fraud. This complicates security, as staff by the nature of their employment must have access to physical areas, communication devices and data stores. The enemy within was in years gone by a potential suspect for cash (and possibly goods) theft. That generally required cash or goods to leave a premises on the person. Data theft is far more complicated, as data can travel through phone line, cable, antenna and hand held device. The data enemy within can now acquire vast monies without carrying any when leaving the premises. This is a huge risk area, and while data transfer generally leaves a trace, it can be very difficult to follow. Protection in this area involves policy in staff selection, monitoring and reporting, and any weakness could end in considerable cost.
  4. Mail order. Any facility which allows persons to make purchases by card without ever having to meet the vendor is open to abuse. Your card services provider and bank will provide guidelines for dealing with mail order. If you are allowed to process mail order, you will likely, as a part of your procedure, have limits and requirements to send to the card address only. If you adhere strictly to all the requirements laid down, fraud will be less likely to succeed and you will be innocent of any wrong doing if it does. Any system is open to breach even if adhered to correctly. With mail order, any failure to adhere to procedures by any member of your organisation shifts the blame and possibly the financial burden. Mail order should be the domain of experienced staff.
  5. Stolen cards. An unreported stolen card may not be your responsibility, but suspicions should be acted on without infringing on the rights of the suspect. A good starting point is to contact law enforcement and relevant card services support while buying time with the suspect and noting any specific details or appearance points. Mark Sullivan pointed out the possibility of showing the suspect a product similar to the one they have which is positioned close to security cameras. He wasn’t sure about the ethics of guiding potentially innocent shoppers towards cameras and neither am I. If it is legitimate it sounds like a good idea. Stolen cards generally have a short life and it is common for users to make significant purchases while they are “fresh”. Card services will be alert to unusual spending patterns on a card if you communicate your suspicions.
  6. Improper procedure. Card services are a supplier of yours. They provide a service and earn a commission. You, however, have responsibilities in your part of any transaction. If you do everything by the book, card services (or a client who has failed to report a card as stolen in an acceptable time frame) will generally take the hit. If, however, you skip or fail to properly complete procedures (even if these errors are not the proximate cause of the security failure), you may be sanctioned. These sanctions can range from financial responsibility and complete removal of the facility to a limitation on the amount or type of card payments you can receive. This is only fair, as the co-operation of retailers (online and offline) is a critical part of the defence of card payment services and one without which a widely usable level of service could not be offered.
  7. PIN in sight. It is very common for consumers to fail to cover their PIN entry. Many PIN entry terminals have no collar, or a collar which blocks only a small part of the viewable window to the keypad. Staff must guide consumers (by verbal communication or by physically moving the entry device) to a position from which neither staff nor other shoppers can see the PIN entered. If an intended perpetrator gains a consumer’s PIN, all they then need is temporary access to the card or to steal the card. This makes the consumer a target and puts them in potential danger beyond fraud.
  8. In store card theft. This type of distraction theft commonly takes place after a criminal sees a purchaser’s PIN (see 7. above), and the combination of card and PIN gives the criminal a short period of time (if the shopper is aware of the theft) to acquire cash from an A.T.M.
  9. In store terminal theft. In the story which started this we discussed terminal replacement through social engineering. A less sophisticated example is terminal theft. This should be reportable in a busy environment on the next card purchase requirement but it is common for a store with more than one terminal to continue as if nothing happened until the mystery of the missing terminal is reported to a supervisor.
  10. Cancelled subscription commissions. If you pay commissions to sales agents based on sales, be careful about how you treat credit card sales. This type of scam is common in network marketing environments in which an online sales agent has great sales success which you reward. In time the sales are cancelled or the payments are found to be fraudulent, but there is no sign of the commissions you paid or the agent you paid them to. This has happened in environments with many agents. It is not likely that you would get into this position if you followed procedure, and failing to do so therefore increases your exposure.
  11. Terminal down card payments. Chip and PIN has been around for some time, so the incidence of manual payment is low. Every processor will have strict rules for terminal down situations. They could range from contacting card services for each sale to no sales being allowed at all. If you breach these rules, even with the best of intentions, you expose yourself to the risk, and during a very high risk period.
  12. Cash refunds. If a criminal acquires a card which can be used for purchases but not A.T.M. withdrawals, they could make a purchase from you (availing at the same time of cash-back) and later come back with the product for a refund based on any acceptable reason. If this refund is in the form of cash, the criminal has succeeded. Ensure your refunds policy is in accordance with card services requirements and involves detailed recording and claimant identification.
