Canada and the rest of the world have done what?





*ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>
*Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…*




On Wed, Dec 25, 2013 at 11:57 AM, Bourque Daniel <
[email protected]> wrote:

>  Canada and the rest of the world have done it. At some point, when
> customers are tired of paying for all the fraud (you pay for it, not the
> credit card companies), something will have to move...
>
> Daniel Bourque
>
>
>  *From *: Maglinger, Paul [mailto:[email protected]]
> *Sent *: Wednesday, December 25, 2013 08:41 AM
> *To *: '[email protected]' <[email protected]>
> *Subject *: RE: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
> Wal-mart is big enough that they might get away with it.  I seem to recall
> that Visa and Walmart got into a spat over fees and basically Walmart said
> they wouldn’t take the cards.  Visa backed down.
>
>
>
> The article did make a valid point – converting the card readers would be
> very expensive.
>
>
>
> -Paul
>
>
>
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Ken Schaefer
> *Sent:* Wednesday, December 25, 2013 3:48 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> Chipping is something that a bank needs to do – not something Target can
> enforce – unless one wants to mount the argument that Target should decline
> all business from customers that have non-chip cards. That seems like a
> recipe for corporate suicide, and doesn’t take into account online
> transactions.
>
>
>
> Cheers
>
> Ken
>
>
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Jon Harris
> *Sent:* Wednesday, 25 December 2013 2:07 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> I believe in the case of Target that cloning was thought to be what the
> attackers wanted to do or at least that was what appeared to be the target
> of their intrusion.  I believe one of the articles I read indicated
> that all the information to clone was what was taken.  Chipping has been a
> long-standing argument both pro and con by those in the financial industry
> here in the states for a couple of years I believe.  As Micheal has said
> (at one point) many companies here in the states do the minimum they have
> to until they have their ass bit by an attacker.  Unlike from my very
> short reading of news articles they don't face the same penalties that many
> companies do outside the country for lax security.
>
> Personally in an ideal world hackers once identified would be tried and
> executed by a very painful method by a third party (one with no axe to
> grind something similar to what the Hague is supposed to do but only for
> criminals).
>
> Jon
>
>  ------------------------------
>
> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] RE: 40 Million CC breach at Target....
> Date: Tue, 24 Dec 2013 08:40:16 +0000
>
> All credit cards have magnetic strips for backwards compatibility reasons
> (all of my CCs have chips – I have a dozen issued across three countries,
> and they all have both), but don’t chips merely prevent cloning? It doesn’t
> stop someone using them at a “card not present” sale (e.g. an online store).
>
>
>
> Is it going to be adequate security; or is it going to be financially
> feasible security?
>
>
>
> All security is risk management. You can avoid, accept, transfer or
> mitigate a risk – and which you choose comes down to a set of factors,
> including cost.
>
>
>
> What’s the difference between “adequate security” and “financially
> feasible security”? I’ve never heard this distinction being drawn before.
>
>
>
> Cheers
>
> Ken
>
>
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Micheal Espinola Jr
> *Sent:* Tuesday, 24 December 2013 2:42 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> Re-read the information about the Target breach, and reconsider what I
> have said.  This would not affect people outside of the US that do not use
> credit cards with magnetic strips.
>
>  It's not just a matter of reading the strip directly, but also the
> technology involved in how that information is further processed.
>
> Ken, please pick which point you are going to choose to argue against/for: Is
> it going to be adequate security; or is it going to be financially feasible
> security?
>
>
>   --
> Espi
>
>
>
>
>
> On Mon, Dec 23, 2013 at 7:27 PM, Ken Schaefer <[email protected]> wrote:
>
>  How do you know “they should not have happened”? Perfect security is,
> pretty much, impossible. So, statistically, there will always be some level
> of breaches occurring, including some level of severe breaches. How do you
> know we aren’t at a level that makes monetary sense? Would you be prepared
> to, say, halve your income (because prices are double), simply to have 5%
> or 10% fewer security breaches?
>
>
>
> I don’t see how any recent serious breach is related to the use of
> magnetic stripe media or re-use of stolen phones, so I don’t really
> understand what you’re saying there.
>
>
>
> Cheers
>
> ken
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Micheal Espinola Jr
> *Sent:* Tuesday, 24 December 2013 2:20 PM
> *To:* [email protected]
>
>
> *Subject:* Re: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> I can only assume they don't, since historically (generally speaking) there
> have been serious breaches that should not have happened.  I've been
> involved with POS systems, banking systems, as well as various wifi-devices
> - and for years, there's been a lot of foolishness.  Business rarely does
> what it should - and instead only does what it has to, or can financially
> bet against.
>
>    - Banking: We (the US) still allow a system that relies heavily on
>    magnetic strip media.
>    - Telco:  We (the US) still allow a system where cell phones can be
>    stolen and reused.
>
>
>   --
> Espi
>
>
>
>
>
> On Mon, Dec 23, 2013 at 6:31 PM, Ken Schaefer <[email protected]> wrote:
>
>  Your rant presupposes that there isn’t “decent security” already in
> place. What evidence do you have that there isn’t?
>
>
>
> Cheers
>
> Ken
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *J- P
> *Sent:* Tuesday, 24 December 2013 12:43 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: 40 Million CC breach at Target....
>
>
>
> /rant on
>
> I have one question that rings in the back of my mind, they (banks,
> creditors, merchants, etc.) charge all sorts of fees,
> sometimes I have heard of fees larger than a bill that's due -
> Why can't they take a piece of that to get some decent security into place?
>
> /rant off
>
> Happy holidays and a prosperous new year to all
>
>
>
>
>
>
>
>
>
>
> Jean-Paul Natola
>
>   ------------------------------
>
> From: [email protected]
>
>
> Date: Mon, 23 Dec 2013 08:10:19 -0500
>
> Subject: Re: [NTSysADM] RE: 40 Million CC breach at Target....
>
> To: [email protected]
>
>  *>>That's a pretty fair analogy - and both statements are true. On the
> other hand, banking is much better understood - experience with banking
> goes back hundreds of years, with concomitant expertise in many fields in
> dealing with the risks in banking. The experience around computing is much
> more shallow, and the risks are not as well known, nor has nearly as much
> thought and practice gone into mitigating them.*
>
>
>
>
> Okay, so how about when banking relies upon computing?  Which risk profile
> comes into play, then -- the hundreds of years, or the shallow
> years/decades?
>
> Whether or not YOU use online banking, it is almost assured that your bank
> provides it and that others are aware of its existence.  Do you think that
> your bank is providing such a service without any reliance upon 3rd
> parties?  Do you think that because you aren't using the online services
> from your bank that your data would be unimpacted?
>
> (Hint: I'm sure that some of the people impacted in the Target breach, as
> in the TJX breach before it, were *not* online users)
>
>
>
>
> *ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>
> *Providing Virtual CIO Services (IT Operations & Information Security) for
> the SMB market…*
>
>
>
>
>
>
>
> On Sun, Dec 22, 2013 at 10:31 PM, Kurt Buff <[email protected]> wrote:
>
>  On Sun, Dec 22, 2013 at 6:59 PM, Andrew S. Baker <[email protected]>
> wrote:
> >>>Amazon's cloud is external to its customers - Amazon's staff,
> > procedures and infrastructure are a risk to its customers.
> >
>
> > That's as illogical a statement as the following:
>
> > XYZ Bank's technology infrastructure is external to its customers - XYZ
> > Bank's staff, procedures and infrastructure are a risk to its customers...
>
> That's a pretty fair analogy - and both statements are true. On the
> other hand, banking is much better understood - experience with
> banking goes back hundreds of years, with concomitant expertise in
> many fields in dealing with the risks in banking. The experience
> around computing is much more shallow, and the risks are not as well
> known, nor has nearly as much thought and practice gone into
> mitigating them.
>
>
> >>>Except when suborned or perverted by money, patriotism or blackmail:
> >
> http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
> >
>
> > And how does you maintaining your infrastructure on-premises, but having to
> > rely on 3rd party telecommunications mitigate the above risk in any way?
>
> It's not just that specific incident - that's but one example, and in
> this specific instance, there was no remedy - trusted parties were
> subverted, and the same can happen in other fields. I'm not arguing
> for perfection here - just a recognition that complexity brings risk,
> and that keeping things simple and under more control is usually wise.
>
> Indeed, for some businesses, especially small ones with no IT staff,
> or very limited IT staff, going with a public cloud might make sense.
> But if a business has good IT staff, I'd venture that migrating most
> or all of their infrastructure to a public cloud isn't their best bet.
>
> Kurt
>
>
>
>
>
>
>
>
