
You never know when malware will bite. Even browsing an online restaurant menu can download malicious code, put there by hackers.

Much has been said that Target’s hackers accessed the giant’s records via its heating and cooling system. They’ve even infiltrated thermostats and printers among the “Internet of Things”.

It doesn’t help that swarms of third parties are routinely given access to corporate systems. A company relies upon software to control all sorts of things: A/C, heating, billing, graphics and health insurance providers, to name a few.

If just one of these systems can be busted into, the hacker can crack ‘em all. The extent of these leaky third parties is difficult to pinpoint, largely because of the confidential nature of the breach resolution process.

A New York Times online report points out that one security expert says that third party leaks may account for 70 percent of data breaches, and from the least suspected vendors, at that.

When the corporation’s software remotely connects to all those other things like the A/C, vending machines, etc., this is practically an invitation to hackers. Hackers love this “watering hole” type of crime, especially when corporations use older systems like Windows XP.

Plus, many of the additional technological systems (such as videoconference equipment) often come with switched-off security settings. Once a hacker gets in, they own the castle.

The New York Times online report adds that nobody thinks to look in these places. Who’d ever think a thermostat could be a portal to cyber crime?

Security researchers were even able to breach circuit breakers of the heating and cooling supplier for a sports arena—for the Sochi Olympics.

One way to strengthen security seems too simple: Keep the networks for vending machines, heating and cooling, printers, etc., separate from the networks leading to H.R. data, credit card information and other critical information. Access to sensitive data should require super strong passwords and be set up with a set of security protocols that can detect suspicious activity.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.

Law enforcement agencies detect data breaches before businesses do because the former seek evidence of the cyber crime, reports a networkworld.com article.

Unlike law enforcement agencies, businesses don’t go undercover in hacker forums. Nor do they get court permission to bust into enclaves of cyber thieves. Businesses don’t have moles. The article continues: law enforcement agencies interview imprisoned cyber crooks, and the FBI does a lot of undercover work.

Law enforcement may then approach a company and say, “You’re being victimized; we have the evidence.” But often, the company may be skeptical of such a claim. Admittance means facing government response and upset customers.

The law is always buffing up on its skills at fighting cybercrime to keep up with its evolution, such as a drastic decrease in solitary criminals and an increase in complex crime rings. These rings have all sorts of technical tricks up their sleeves, including hosting their own servers and changing up their communication methods to vex law enforcement. It doesn’t help that some foreign countries don’t place an emphasis on fighting cybercrime.

The evidence that the law presents to the business when that time comes is rock solid, though again, the company may lack aggression in its immediate response. The company’s legal counsel is commonly the first person to get the forensics report. Upper management usually gets involved before the IT department does. This is all part of keeping legal control over a potentially harmful situation.

 

If you feel like you are starting to get the flu, going to the doctor’s office can get you some medicine and get you on the road to recovery. But, there’s no pill or surgery that can protect you from medical identity theft—which can kill you. Literally. The thief who steals your identity doesn’t mean to kill you; he just wants to obtain free medical care on your dime.

If a thief has access to your personal information, he can pose as you and see doctors and have procedures done—for free or for a nominal copay. The crook uses fake IDs and phony insurance cards to pull off this scam.

The problem really starts kicking in when the imposter’s medical situation gets tacked onto your medical record—since they are posing as you. This can result in a number of harmful outcomes for you. Not only can it potentially cause misdiagnoses, you could be issued a prescription for a drug to which you have a fatal reaction.

Just think about it for a moment: Someone else’s medical condition getting integrated with yours. This can cause a lot of problems. You could be denied medical coverage or lose your current coverage because of false information in your medical records. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) protects your right of access to your medical records. If someone else is pretending to be you and accessing your records, you might not be able to access your own records. That’s a scary thought.

But even if you are lucky enough not to suffer any negative consequences to your health as a result of medical identity theft, cleaning up the mess can be enough to give anyone a heart attack.

So how can you prevent becoming a victim of medical identity theft?

  • Protect your mail: Install a locking mailbox so no one can access your mail.
  • Keep medical documents secure: Keep all of your hard copy medical documents in a file that locks. If it’s in cyberspace, make sure the files are encrypted and not in a folder on your desktop that says “Medical.”
  • Shred all medical documents: Make sure to properly dispose of your medical documents so you don’t become a victim of dumpster-diving thieves. This includes digital files as well. The McAfee LiveSafe service comes with a digital shredder that uses higher-than-government-standard file shredding—don’t rely on simply putting something in the “trash bin” on your computer and then emptying it.
  • Leave medical cards at home: Only take them when you are visiting the doctor. If you’re worried you might need them in the event you have an accident and need immediate medical treatment, memorize your health ID number. If you’re unconscious upon arriving at an ER, you’ll get treated anyway—it’s the law. Simply provide your medical card after the fact.
  • Don’t carry identity cards either: Identification cards or Social Security number cards should also be left at home in a safe place. Since many medical systems use these numbers as your identifier on the policy, you don’t want them falling into the wrong hands. And with access to these cards, a thief could easily create the fake credentials needed to commit medical identity theft.

How low can scammers go? The latest is phony Facebook profiles that use identities of deceased victims of Malaysia Airlines Flight MH17—claiming their credit cards were stolen from the crash debris.

“Death hunters,” says Ukrainian MP Anton Gerashchenko on his Facebook page, are collecting jewels, cash and credit cards off of the victims. His post urges victims’ relatives to “freeze their credit cards, so that they won’t lose their assets to terrorists!”

The Dutch Banking Association assured next-of-kin that they’d be compensated for the fallout of credit card theft.

Journalist Phil Williams was at the crash site and pointed out that it was obvious that wallets and handbags had been stolen. Just about all the handbags had been opened, he reports. Looting is apparent, he says.

Mark Rutte, the Dutch Prime Minister, used the term “utterly disgusting” to describe how the rebels had treated the corpses.

But beyond the site is even more alarming activity: fake Facebook accounts. At least five phony FB accounts have been set up in the names of deceased Australians—including three kids. Facebook has since shut down the pages.

The pages provided a link to a video claiming to reveal footage of the airliner’s crash. However, users instead were directed to a website full of pop-up ads for fishy-looking services. The lure to this site was a malicious link tagline: "Video Camera Caught the moment plane MH17 Crashed over Ukraine. Watch here the video of Crash."

You can imagine how many people—not necessarily next-of-kin—took the bait and made the click. Though these particular fraudulent pages were closed down, this doesn’t mean more won’t appear.

Is this common after a disaster?

It seems to be more common, as criminals are capitalizing on current events to perpetrate scams generally within a 24-48 hour period. 

Tips for spotting these scams for consumers in general:

Thinking before you click, doing research and not being so impulsive will keep consumers from being baited by scammy links, titles and stories. 

Tips for family members of the deceased:

They should cancel credit cards, create fraud alerts through their country’s credit bureaus, and once death certificates are obtained they need to submit them to the credit bureaus. Also, set up Google alerts with the decedents’ names to monitor any chatter on social sites that may turn up their likeness in a stolen social media identity theft case.

What is data synchronization? This technology synchronizes data between two or more computers and/or the cloud and automatically copies changes that are transacted between devices.

File synchronization is used for home or small business backups when the user copies files to a flash drive or external hard drive. The syncing prevents creating duplicate files.

For superior syncing, take a look at GoodSync with its 30-day free trial. After that, for $30 (or 33% off with discount code “rsici”), you can continue using its battleship of features. GoodSync provides remote service and also syncs with many online services.

Now let me tell you how well GoodSync works for me. Like most, my operating system resides on my C Drive. I keep my C Drive clear and free of all data so all it has to do is operate my system and contain updates, drivers and security patches. My D Drive is the DVD/CD Rom drive and My E: drive has all my data, taking up over 75 percent of the three-terabyte internal drive. My primary data is on Drive E, and this is backed up by a cloud service and then synced to my external three-terabyte F: drive.

Now, every two hours, GoodSync automatically syncs my external F: and internal E: drives. Even though all my data is in a cloud, what if my internal drive crashes? Downloading everything would be a pain. That’s where GoodSync comes in. Plus, though the cloud has its virtues, accessing data from it on a daily basis is surely not one of them.

You’ll be pleased with GoodSync’s efficient main window. Some of GoodSync’s offerings include file filtering, bidirectional/unidirectional syncing, syncing of deletions, and job scheduling.

Version 9 can include numerous sources and single files in one job. If you create files on your mobile, GoodSync will automatically download them. It supports SkyDrive, Windows Azure, Google Docs, Amazon Cloud Drive and Amazon S3.

Don’t let the lack of flamboyant design fool you; GoodSync is as good as they come, and for tech savvy users, is a breeze. In particular, not-so-tech-savvy users will be quite impressed with the many options but will need more time to catch on. Read more about that here.

GoodSync stands out from other syncing programs because it displays files from both destination and source on the right side of its main window, while the status shows on the left side. It’s best to use a dedicated destination folder for your sync.

As for connecting to online services, GoodSync supports SFTP, FTP and Webdav.

Another point is that for every PC that you wish to remotely sync, you will need a license.

There really isn’t any reason why you shouldn’t download GoodSync and take advantage of its 30-day free trial.

You have nothing to lose (literally!) with GoodSync. Get going on it.

Robert Siciliano is a digital life expert to GoodSync discussing identity theft prevention on YouTube. For Robert's FREE ebook, text SECURE Your@emailaddress to 411247.

Tapomoy Koley, Sr Associate - Projects at Cognizant Technology Solutions

Yes it seems so.

* In the countries where EMV adoption is high, the CNP fraud percentage share is increasing.

* The countries where EMV adoption is low have more POS and ATM fraud.

Check out the European Central Bank press release and report:

a) http://www.ecb.europa.eu/press/pr/date/2014/html/pr140225.en.html

b) http://www.ecb.europa.eu/pub/pdf/other/cardfraudreport201402en.pdf?e50b929264594aabb07bba92a0a26b3f


Alexandre Augusto, Incident Manager at Tata Consultancy Services 

Yes, I think so, but as for risk percentage and fraud, it depends on which country we are talking about. For example, in Brazil the levels of fraud are too high and, on the other hand, the security controls are also too high, with a high level of EMV adoption as well.

 

Paul Watson, Payments Solutions and Financial Services Consultant

As Mr. Koley points out, EMV is certainly plugging a security hole. Is it THE answer? Obviously not, as CNP transaction volume continues to grow. But, just because it doesn't plug every hole, doesn't mean it shouldn't be implemented. It is a very big hole!

 

Christian McMahon, Product Manager at Merchant Link

I don't believe EMV is a security solution, it's more of a fraud prevention solution (two different ideas). I think EMV will work very well in retail and somewhat in restaurant, but not so well in Hospitality/lodging since there are so many card not present transactions (reservations, back office, web payments, etc..) Further, I am unsure how fast EMV will be adopted without government fiat. My hospitality customers are largely waiting to see how much it will cost, what behavioral changes Americans must buy into, and whether the fraud risk benefits outweigh their internal network support and hardware costs. I still think that EMV + other technologies (such as tokenization, encrypted devices, and single use cards) combined are truer security.


Tom Beck, Product Manager at TD Merchant Services

If other countries are any indication, the answer is yes. But as others indicate, there are no "final" answers to payment security. It will always be a moving target.


Michael Hopewell, Senior Consultant, PCI QSA, PA-QSA

If based on statistics, I think EMV is useful technology to reduce the rate of fraud. With regards to information security then this revolves around people, process and technology. Because of this, I would say that EMV is not "THE" solution to payment security as often there is a vulnerability due to people and process.


Abraham Motana, Software Development

If applied and utilized in earnest, it is secure; however, the process to acquire a transaction is acted upon by people: the developer of the card acquiring device, an operator at a merchant, people involved in key management, etc. At any of those stages processes could be compromised, and then your payment security falls flat. I think the true value can be measured by the secure payments vs the fraudulent ones.


John Miglautsch, For 30 years, growing both sales and profits. Catalog and eCommerce companies are my sweet spot

Looking at adoption in other countries, fraud does move away from card-present situations. But eCommerce and Catalog companies should be working now to improve their encryption from end to end. Historically the fraud moves to internet attacks. Most of the merchants I talk with are not preparing for 2015.


Bill Poletti, Retired

As noted earlier, EMV does nothing to address fraud in the growing CNP channels. It only addresses the shrinking face2face transaction channels. Fraud WILL and IS migrating to CNP.

I recently read an article on the quiet development of quantum computing solutions. It does not seem very far off. Though this might seem a little off-topic, quantum computing will end encryption as we know it. That will render the estimated U$31 billion in infrastructure upgrades for EMV a total waste.

I might have a "glass half empty" view and attitude, but EMV has been sold as the complete security solution, which it clearly isn't. It will reduce fraud in a shrinking face2face acceptance market but meets no long term growth acceptance channels. It just gives a false sense of security to the average and sub-average cardholder.


Bill Poletti, Retired 

We will see more of this as EMV rolls out.

http://www.itproportal.com/2014/07/04/brazilian-hackers-steal-up-to-375b-in-what-could-be-the-biggest-electronic-theft-in-history/


Christian McMahon, Product Manager at Merchant Link

So I've heard that the thieves migrate to the lowest hanging fruit (i.e. from Europe, to Asia, to Canada and North America as each rolled out EMV), basically running to where EMV was not. I know they are not going to give up. They might focus more on card not present, or will they double their efforts to try to crack the EMV magic? I've been trying to figure out what's the next "thing" after EMV? Obviously any technology will have to support mobile as its growth in the payments space is on a tremendous upward track. Thoughts?


Parama Raj, at Planet Payment Inc 

There is enough to be earned by fraud now from the earlier technologies. When the focus shifts to EMV, in my opinion there are sufficient opportunities in EMV to result in significant losses. Advances in electronics since the introduction of EMV will enable fraud to effectively compromise EMV and then create havoc. Implementations of CHIP and PIN might not be as secure as it appears to be. Take the example of the photo card, very quickly it was shown that the fraud reductions reported were skewed.


Enkelejda BALLIU (POPA), MSc. Banking Professional, Bank Card Management, Risk and Fraud Subject Matter Expert

Simple, no. EMV is the secure way for card present transactions, always when it is implemented correctly and combined with other measurements for preventing and/or detecting fraud. Yes, it is true the thieves have migrated their activity to non-EMV countries. This is because a cloned EMV card will be used through magstripe in a non-EMV environment, which is a pure magstripe transaction as the CHIP will not be read (the cloned card will not have a chip, so it will be swiped or entered in an ATM). This is the traditional way for them to secure fast cash. The criminals today aim to steal big data through data breaches; this is the biggest fraud trend. They will try to use it mostly in non-EMV environments. So it is important for the industry to implement unified security measures globally, and implementing EMV in non-EMV countries now is a must. If we cut the source of usage of the stolen data, for me it is crucial to prevent the data breaches. EMV helps a lot.


Bill Poletti, Retired

And even AFTER the US implements EMV, there is still a huge non-EMV environment that will be exploited in CNP. EMV is ONLY effective in card present and only for a limited time. When quantum computing is developed, EMV will no longer be an effective tool against fraud. The Brazilian fraud case is an example of what will happen because cardholders will become complacent. After all, EMV has been sold as the complete security solution for bankcard.

Parama - For 18 years, almost to the day, I have been pointing out that EMV is not the total solution. By 2000, it was obvious that the industry should not pursue EMV because of the booming e-commerce CNP growth. Retail face2face is shrinking by comparison. Now, EMV is being implemented globally and card fraud is starting to migrate to the path of least resistance. Everybody is pushing EMV, but ignoring CNP exploding fraud.


Gary Smythe, President and Co-founder at Catalyst Card Company

It seems to me that the decision has already been made and that EMV migration has begun. The discussions regarding whether or not we should pursue this technology in the US are moot. Let's all work together to make the transition as successful and secure as possible, and let's tackle CNP to improve the entire environment. In other words, let's move on.


Bill Poletti, Retired

Oh, the decision has been made. The marketers, consultants and vendors have sold it to the world. The lawyers will take over when it doesn't work as predicted.


Tom Beck, Product Manager at TD Merchant Services

But for CNP scenarios, there is no reason to think EMV provides much security. It is card verification schemes that add a bit of security in that case. Maybe the day will come when every computer will have a scanner and allow fingerprint ID (like the iPhone). That adds the security of cardholder identification, but again, it is certainly not 100% secure.


John Miglautsch, For 30 years, growing both sales and profits. Catalog and eCommerce companies are my sweet spot

Heartland sent me two white papers on their CNP and especially reducing PCI risk profile. They seem to be working hard on CNP.


Bill Poletti, Retired

Just dust off SET and modernize it a little. It would work until quantum computing destroys cryptography as we know it today.


Tom Beck, Product Manager at TD Merchant Services

SET will encrypt everything (on top of existing encryption), but other than having your own digital signature, I don't see this as anything but another encryption scheme. Still, it would not hurt. :-)


Bill Poletti, Retired

A FULL implementation of SET (3KP) would require the cardholder to use their own asymmetric key pair and digital certificate. To get that certificate, the cardholder has to apply for it using credentials and authentication information supplied by the issuer. Not perfect but better than only supplying CVC2 / CVV2 (which can be intercepted).

The merchant would not "see" the card number until after the authorization is complete, then only if the acquirer allows it. The critical information is encrypted by the cardholder in an OAEP envelope directly with the public key of the payment gateway. It's all there to secure CNP. What would be needed mostly is an upgrade of RSA key lengths to RSA 4096 at the ROOT CA and RSA 2048 for the rest of the keys. Would also be nice to integrate ECC with equivalent crypto strengths. (I have a bit of familiarity with SET.)

BTW, though SET was studied extensively, there has never been a successful attack, academically or otherwise, against the protocol or protection scheme.

But quantum computing could take down any scheme based on crypto.

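The envelope step described in the comment above, as an added example that is not part of the thread or of the SET specification: the cardholder encrypts the payment instructions with RSA-OAEP directly to the payment gateway's public key, the merchant only forwards the opaque blob, and the gateway checks that the merchant-visible order matches what was sealed. Type and field names are constructed for this illustration; SET's certificates and dual signatures are left out.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentInstructions is the data only the payment gateway may see.
// Constructed field names, not taken from the SET specification.
type PaymentInstructions struct {
	PAN     string `json:"pan"`
	Expiry  string `json:"expiry"`
	Amount  string `json:"amount"`
	OrderID string `json:"order_id"`
}

// Order is what the merchant receives: commercial details in the clear
// plus an envelope it can forward to the gateway but cannot open.
type Order struct {
	OrderID  string
	Amount   string
	Envelope []byte // RSA-OAEP ciphertext under the gateway's public key
}

// NewGatewayKey generates the gateway key pair (RSA 2048, as suggested above).
func NewGatewayKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// CardholderSeal encrypts the instructions straight to the gateway. The OAEP
// label binds the envelope to one order ID, so it cannot be re-attached to a
// different order without decryption failing.
func CardholderSeal(gateway *rsa.PublicKey, pi PaymentInstructions) (Order, error) {
	plain, err := json.Marshal(pi)
	if err != nil {
		return Order{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gateway, plain, []byte(pi.OrderID))
	if err != nil {
		return Order{}, err
	}
	return Order{OrderID: pi.OrderID, Amount: pi.Amount, Envelope: ct}, nil
}

// MerchantSeesPAN reports whether the PAN appears anywhere in what the
// merchant holds; with a correct envelope it never does.
func MerchantSeesPAN(o Order, pan string) bool {
	return bytes.Contains(o.Envelope, []byte(pan)) || o.OrderID == pan || o.Amount == pan
}

// GatewayOpen decrypts the envelope and refuses the transaction if the
// cleartext order forwarded by the merchant disagrees with the sealed data.
func GatewayOpen(priv *rsa.PrivateKey, o Order) (PaymentInstructions, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, o.Envelope, []byte(o.OrderID))
	if err != nil {
		return PaymentInstructions{}, errors.New("envelope does not belong to this order")
	}
	var pi PaymentInstructions
	if err := json.Unmarshal(plain, &pi); err != nil {
		return PaymentInstructions{}, err
	}
	if pi.OrderID != o.OrderID || pi.Amount != o.Amount {
		return PaymentInstructions{}, errors.New("merchant-visible order does not match sealed instructions")
	}
	return pi, nil
}

func main() {
	priv, err := NewGatewayKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample card data for the demonstration.
	pi := PaymentInstructions{PAN: "4111111111111111", Expiry: "12/19", Amount: "42.00", OrderID: "ORD-1001"}
	order, _ := CardholderSeal(&priv.PublicKey, pi)
	fmt.Println("merchant can see PAN:", MerchantSeesPAN(order, pi.PAN))

	got, err := GatewayOpen(priv, order) // merchant forwarded the order untouched
	fmt.Println("gateway recovered PAN:", got.PAN, err)

	tampered := order // a merchant that inflates the amount is caught
	tampered.Amount = "4200.00"
	_, err = GatewayOpen(priv, tampered)
	fmt.Println("tampered amount:", err)
}
```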

 

Ira Chandler, CTO at Curbstone Corporation

@BillPoletti What's old is new again! SET was a great architecture. We need way more than EMV, obviously. Seems like my cards are constantly being replaced for CNP fraud. Have had two replaced in the last 4 months, Visa and Amex. We need a COMPREHENSIVE payments solution, and we are a decade away from that. I suspect the EMV will be delayed past the 10/2015 target anyway. As a Payment Service Provider who is PCI validated, we are always amazed at the level of ignorance and denial of the merchants for the PCI standards.


Ira Chandler, CTO at Curbstone Corporation

WE SEE THE IMMEDIATE SOLUTION to be educating the merchants, through their acquirers, as to the different SAQ flavors (A, B, C, D...) and forcing them to perform **effective** Self-Assessment Questionnaire completion/validation/submission. Only when a merchant actually works through an SAQ-D can they appreciate the vulnerabilities, the solutions, and the importance of real security in their systems. ONLY WHEN THE MERCHANTS become educated and fully implement the Industry Security Best Practices (PCI DSS) will we make a dent in the theft of cards and the resulting fraud.

No single acquirer we have worked with really has a pro-active education ability that they implement to get merchants more secure. The most they can do is insist on a quarterly scan. Big deal. Only when the acquirers take an active and effective role in forcing merchants to be DSS compliant will we see improvement.

No merchant we have engaged was ever aware of the Prioritized Implementation resources at PCI that help them get DSS compliant. This resource is excellent, and eases the overwhelming burden of compliance to a systematic, digestible process. But nobody is telling the merchants about it. We are NOT a consulting organization, but we spend huge blocks of time educating our licensees as to the requirements of PCI and the resources available. Why are the acquirers not doing this? They have the most to gain. Unless they are happy passing the costs of the fraud to the card-holders... If the acquirers had to pay for fraud out of THEIR pocket, we would have the most secure system in the World!


Christian McMahon, Product Manager at Merchant Link

Both Target and Neiman Marcus were deemed to be PCI compliant at the breach event. In my view, PCI is the bare minimum for security. 3.0 is better, but still, quoting Stan from Office Space: "What do you think of a person who only does the bare minimum?"


Bill Poletti, Retired

@ Christian - At what point does PCI-DSS vendor compliance attestation break down and merchant due diligence creates a distrust of that compliance attestation?


David True, Payments, Loyalty, and Mobile Advisor

I trust this is an ironic question. Is a >20 year-old technology, built before ecommerce to address questions, one of which (offline authorization) is irrelevant in the US, the answer to payment security? Of course not.... Is it even worth investing in for US merchants might be a better question.

And that the rest of the world is doing it doesn't, for better or worse, carry much weight in the US. Think metric system.

 

Bill Poletti, Retired

The issue in the states has always been the business case. Current estimates of U$31 billion to convert to EMV. How much will fraud be reduced by that investment? When one considers that a large percentage of card present fraud and card counterfeit fraud will migrate to other acceptance channels, the investment is a target for question.

The biggest issue I have is that EMV has been sold as the total card security solution. Careful analysis of authorization data and all acceptance channels would seem to indicate otherwise.


Christian McMahon, Product Manager at Merchant Link

@Bill. Agree totally.

 

David True, Payments, Loyalty, and Mobile Advisor

@Bill you need not be so circumspect; it is pretty damn clear that for many participants, the ROI would be better if spent on a solution that works for both card present and card not present transactions. Target's announcement of rapid EMV adoption is more PR, to repair their reputation, than anything else.


Tom Beck, Product Manager at TD Merchant Services

Bill, you clearly know more than me about SET. Thanks for the details.

 

Bill Poletti, Retired

Visa and MasterCard provided one person each to co-author SET. I was the one selected from MasterCard.


Uldis Berzins, Head of Business Development, Baltics at Oberthur Technologies

EMV is the answer for face2face and CNP environments if card schemes make a logical move.

A cheap reader (a few euros or $) turns an EMV card into a one-time-code generator which can be used to approve CNP transactions. CAP (Chip Authentication Programme) specs are out there. Schemes should extend the CVC2/CVV2 infrastructure to handle 6 digit OTCs, so that the issuer can verify the OTP. That would make it possible to drop the 3D-Secure protocol.

Total migration to EMV/EMV OTC would largely make PCI DSS obsolete as there would be no value in stealing PAN data as transactions can not be made without keys on card.

Disposing of PCI-DSS would be a huge saving for everyone from merchant to issuer.

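The proposal above, modelled as an added example that is not part of the thread and not the CAP specification: the card holds a key that never leaves it and a transaction counter, the reader asks it for a 6-digit code, and the issuer verifies that code in place of a static CVV2 check, rejecting replays and codes generated for a different amount. HMAC-SHA256 stands in for the card's EMV cryptogram, and all type and field names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Card models the chip: a per-card key that never leaves it, plus the
// Application Transaction Counter (ATC) that increases on every use.
type Card struct {
	key []byte
	atc uint16
}

// Issuer holds the same key per PAN and the last ATC it accepted; it would
// sit behind the existing CVV2 verification path.
type Issuer struct {
	keys    map[string][]byte
	lastATC map[string]uint16
}

// Enroll personalises one card and registers its key with the issuer.
func Enroll(pan string) (*Card, *Issuer, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	card := &Card{key: key}
	issuer := &Issuer{keys: map[string][]byte{pan: key}, lastATC: map[string]uint16{pan: 0}}
	return card, issuer, nil
}

// otc derives a 6-digit code from the card key, the counter and the amount.
// Constructed simplification: HMAC-SHA256 replaces the EMV cryptogram.
func otc(key []byte, atc uint16, amountCents uint64) string {
	mac := hmac.New(sha256.New, key)
	var msg [10]byte
	binary.BigEndian.PutUint16(msg[:2], atc)
	binary.BigEndian.PutUint64(msg[2:], amountCents)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1_000_000)
}

// Generate is what the cheap reader asks the card for: bump the ATC and
// return the code the cardholder types where CVV2 would otherwise go.
func (c *Card) Generate(amountCents uint64) string {
	c.atc++
	return otc(c.key, c.atc, amountCents)
}

// Verify replaces the static CVV2 comparison. The counter is not transmitted,
// so the issuer tries a small forward window; a code is accepted at most once
// and only for the amount it was generated for. A stolen PAN and expiry give
// an attacker nothing to compute the code with.
func (i *Issuer) Verify(pan string, amountCents uint64, code string) error {
	key, ok := i.keys[pan]
	if !ok {
		return errors.New("unknown card")
	}
	last := i.lastATC[pan]
	for atc := last + 1; atc <= last+10; atc++ {
		if hmac.Equal([]byte(code), []byte(otc(key, atc, amountCents))) {
			i.lastATC[pan] = atc // codes for this and older counters are now dead
			return nil
		}
	}
	return errors.New("code invalid, replayed, wrong amount or counter out of window")
}

func main() {
	pan := "4111111111111111" // constructed sample PAN
	card, issuer, err := Enroll(pan)
	if err != nil {
		panic(err)
	}
	code := card.Generate(1999)
	fmt.Println("first use:         ", issuer.Verify(pan, 1999, code))
	fmt.Println("replay:            ", issuer.Verify(pan, 1999, code))
	fmt.Println("stolen PAN, guess: ", issuer.Verify(pan, 1999, "000000"))
}
```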

 

Bill Poletti, Retired

A few dollars each in the US card environment can be many billions of dollars. Pretty much everyone in the US participates in e-commerce and has several cards against which they charge e-commerce purchases. Anything more expensive than free will not be accepted, particularly by consumers.

It is doubtful that the US card infrastructure will spend more over the already U$31 billion mark for EMV deployment. After all, basic EMV has been sold as THE COMPLETE SOLUTION for bankcard security.

Consider the massive loss of that entire investment when quantum computing becomes a reality. And it's not that far away if it isn't already working.

How will all the lawyers react when EMV cards start to get compromised via e-commerce?

 

Randy Smith, Founder and Chief Editor Mobile Wallet Media, Founder and CEO MobilePayUSA, a TechCrunch Disrupt Award Winner 

EMV is an answer, but is far from being the best answer. EMV does not solve CNP fraud. The answer lies in a technology I originated some 10-15 years back. Just this year OnDot Systems and TSYS announced mobile card-lock tech. Read my latest two articles on this very subject at MobileWalletMedia.com: 1) http://www.mobilewalletmedia.com/OnDots_Remote_Control_Card_App_May_Kill_Need_for_EMV_Transform_Security-140506.html and 2) http://www.mobilewalletmedia.com/The_Card_Fraud_Solutions_War_Has_Begun_Could_Lock_and_Key_Derail_EMV_140521.html.

But this is just the tip of the iceberg. I welcome providing my solutions to a single industry top player for compensation. Either that or I will be writing about them soon and sharing with the whole industry. If you want to lead and possibly avoid leakage of your innovation being exposed earlier than you would like, contact me soon to talk business.

 

Bo Lin, Service Leader & Principal Engineer, Transaction Security division, UL

@Bill re "... It would work until quantum computing destroys cryptography as we know it today."

Does the above apply to post-quantum cryptography, such as the newly proposed "Supersingular Elliptic Curve Isogeny Cryptography", the not too old NTRU, and the very old (1978) McEliece? Never mind the 10 and 15 year range of the possible feasibility of quantum computing.

- my personal opinion -

 

Bill Poletti, Retired

@ Bo Lin - I have not investigated post-quantum cryptography. I have read and heard that we might not have to wait 10 - 15 years before quantum computing is feasible. I did a quick lookup and have found some interesting reading.

 

Simoun Ung, Technopreneur

EMV is not the answer to Payment Security. It helps prevent fraud in a card-present environment but doesn't eliminate fraud in a card-present environment. I have yet to see a case made for EMV helping to mitigate fraud or enhancing security in a card-not-present environment, which is where the growth in processing volumes seems to be headed with e-commerce and m-commerce.


 

Chris Wilson, GAICD, Head of Information Security & Governance at Indue Limited

There is no one answer. Preventing fraud will always involve multiple controls. EMV is one control, but it won't succeed by itself. It's been successful in Europe, Canada and Australia in reducing counterfeit cards and skimming. As others have pointed out, it won't do much to prevent CNP, other than the knock-on effect from limiting card skimming (but that may be substantial).

The real question should be: what is the pay-off from an investment in EMV for latecomer countries such as the US? Cards will be around for a long time. Online transactions are still only 6% of total retail transactions. I suggest that implementing EMV with secure POS terminals will still reduce fraud significantly in the US (and wherever US tourists go).

Making PINs compulsory will also help significantly.

Meanwhile new payment methods have their own risks and will require new controls to prevent fraud. How will Host Card Emulation affect fraud rates? At first sight it looks like a big problem, but if implemented properly it could reduce the frequency and value of CNP. Time will tell!


 

Rob Nathan, Chief Technology Officer at CardConnect

EMV is definitely not THE Answer. Here is a white paper we recently released that might shed some additional light:

http://www.cardconnect.com/wp-content/uploads/Payment_Security_White_Paper.pdf

 

Armando Rivas, Manager of Administration and External Customer Development

Speaking of NO definitive solution, it is still a big step towards controlling fraud. In my country the use of EMV reduced credit and debit card fraud almost to zero. In these last years, non-face-to-face card fraud has increased (as in many countries). In my opinion, in this case of non-face-to-face card fraud, EDUCATING users plays a very important role. Customers should know that it is high risk to place their data on unsafe websites, and also to answer EMAILS requesting their account data. This subject is much discussed; one could spend days talking about it. Bottom line: NOT a definitive solution, but it is a breakthrough, and I think the figures so indicate. Best regards.

Armando Rivas

 

Douglas Braun, President & CEO at Internet Payment Exchange, Inc. and Owner, Internet Payment Exchange, Inc.

EMV is a valuable tool for verifying card credentials. It does NOT, however, address the breach problems that have received so much press lately, such as the Target breach. A multi-tier approach using EMV and card cloaking at the device level is a more responsible solution. Card cloaking frequently includes card fingerprinting (i.e. magnetic stripe clone detection) that can mitigate some of the risks EMV was designed to handle. Here's another White Paper explaining the issues and benefits of a multi-tier approach.

http://info.ipayx.com/overcoming-card-security-threats


 

Adrian Hope-Bailie, Product Development Manager at Stanchion Payment Solutions

EMV is required to patch up a broken system. EMV is ancient tech and so are cards. Instead of investing billions in EMV the US should be pushing for real-time push payments initiated by the payer via their financial institution of choice.

All you need to make a push payment is a phone with an internet connection and your FI's app (or wallet provider for the more savvy). Almost zero additional investment required by the merchants or acquiring institutions.

Problem is VISA and MasterCard have a lot invested in cards and card tech, so I imagine they won't take it lying down if the US Fed suddenly moved for push payments or even just real-time consumer ACH as a first step. I have been trying to standardise this idea at http://openpayee.org and would appreciate feedback.

 

Probir Sengupta, Product Manager at Opus Software Solutions 

Everyone knows that EMV will not resolve CNP fraud. But it WILL reduce card-present fraud. People living in the USA should look at the rest of the world to ascertain the positive impact of EMV. So we must use EMV, 3-D Secure, OWASP-compliant e-commerce systems, PCI DSS, etc. Each one will help in its own way.

 

Bill Poletti, Retired 

Solutions need to be invisible to the consumer. They will know to plug their card into a reader at the point of sale. Anything related to e-commerce must operate securely in the background. It's one of the reasons Amazon is so successful and PayPal is popular and other solutions have not been widely accepted.

 

Probir Sengupta, Product Manager at Opus Software Solutions

Mr. Uldis Berzins should not be dismissive of PCI DSS. The hundreds of controls of PCI DSS encompass all manner of threats and risks to cardholders, not just restricted to PAN numbers in transit.

If a stranger stopped you on the street and requested your e-mail address and birthdate, would you give it to that person? A rational person would never give up this information.


This is the same guard you should have when giving out your personal information to set up an online account, to set up a social account, or to get some bargain or great deal on a product or service. Most people will give up all their data for 10% off at a shoe store.

Many people blindly give out personal information online or in person to get that bargain. Sometimes, these choices are made by people who claim to value their privacy.

Those same people may not know that every time they log into free, unencrypted WiFi they are most likely revealing everything they communicate on a PC, laptop or mobile. This is why an encrypted connection, like the one provided by Hotspot Shield, is very necessary.

A study from Carnegie Mellon University, conducted by Alessandro Acquisti, turned up some very interesting results.

He sent some graduate students to a shopping mall near Pittsburgh. The students were instructed to offer a $10 discount card, with an extra $2 discount to shoppers in exchange for their shopping information. Half turned down the extra offer. The $2 wasn’t enough to get them to reveal their shopping cart items.

Another group of shoppers was offered a $12 discount and the choice to exchange it for $10 if they desired to keep their shopping data private. Ninety percent decided to keep the $12 discount, which meant they were willing to reveal their shopping data.

What gives?

It looks as though if people already have ownership of private data from the get-go, they’re more likely to value it. If it’s yet to be acquired, however, the value placed on it is less.

So, getting back to cyber space: have you ever wondered whether the data that the online advertising industry collects on you is truly scrambled so that it is not possible to identify individuals?

Acquisti conducted another experiment. With a webcam he took snapshots of about 100 campus students. It took only minutes for him to identify about 30 percent of these nameless students by using facial recognition software.

He then went a step further and gathered enough information on about a quarter of the identified students via Facebook to guess a portion of their Social Security numbers.

Acquisti showed how simple it is to identify people from scratch because they leave a data trail in cyber space—and this includes photos. This shows how easy it is for criminals to use Facebook to steal a person’s identity.

Though it would violate Facebook’s terms of service to register a fake birthdate, the user needs to be aware of the tradeoff: Identity thieves love to find birthdates.

Facebook says that the user can control who sees personal information. So you just have to weigh the pros and cons. Is receiving well wishes on your birthday worth the risk of a thief using your basic information to steal your identity?

And by the way, thieves can use your Facebook profile photo to help steal your identity. Maybe this is why some people use their baby’s or dog’s photo for their Facebook photo?

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America.

If you’ve ever seen a movie where the bad guys are using ongoing, invasive hacking to spy on their “enemy,” you have some familiarity with an advanced persistent threat (APT).

This term usually refers to an attack carried out by a group that targets a specific entity using malware and other sophisticated techniques to exploit vulnerabilities in the target’s systems. It is often done for intelligence gathering with political, financial or business motives.

For example, an APT aimed at a corporation could take the form of Internet-based malware that is used to access company systems, or a physical infection, such as malicious code uploaded to the system via a USB drive. These kinds of attacks often leverage trusted connections, such as employees or business partners, to gain access, and can happen when hackers use spear phishing techniques to target specific users at a company.

Remaining undetected for as long as possible is a main objective with these attacks. It is their goal to surreptitiously collect as much sensitive data as they can. The “persistent” element implies that there is a central command monitoring the information coming in and the scope of the cyberattack.

Even though APTs are not usually aimed at individuals, you could be affected if your bank or another provider you use is the target of an attack. For example, if attackers secretly gather intelligence from your bank, they could get access to your personal and financial information.

Since you could potentially be affected by an APT attack on an entity or company that you do business with, it’s important that you employ strong security measures.

  • Use a firewall to limit access to your network.
  • Install comprehensive security on all your devices, like McAfee LiveSafe™ service, since malware is a key component in successful APT attacks.
  • Don’t click on attachments or links you receive from people you don’t know.
  • Keep your personal information private. Be suspicious of anyone who asks for your home address, phone number, Social Security number, or other personal identifying information. And, remember that once you share personal information online it’s out of your control.
  • Check to see if the websites you share sensitive information with use two-factor authentication. This is a security technique that uses something that you know, such as your password, and something you possess, such as your phone, to verify your identity. For example, your bank may ask for your password online, as well as a code that it has sent via text message to your phone. This is a second layer of protection and should be enabled for sensitive information.
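The two-factor check described in the last bullet, written out as a server-side login flow. This is an added example for illustration, not code from the article, from McAfee, or from any bank: the password is the "something you know", and a short-lived, single-use code delivered out of band is the "something you possess". The account, the phone number, the five-minute code lifetime and the three-attempt limit are all constructed assumptions, and the SMS gateway is replaced by a stand-in that records what would have been sent.

```python
"""Two-factor login check: something you know (a password) plus something you
have (a one-time code sent out of band, e.g. by SMS to the user's phone).

Added example for illustration; not code from the original article or from
McAfee.  Every name, parameter and account below is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

CODE_TTL_SECONDS = 300   # a code is valid for five minutes (assumed policy)
MAX_CODE_ATTEMPTS = 3    # wrong guesses allowed before the code is discarded
PBKDF2_ROUNDS = 100_000  # illustrative work factor for the password hash

# Stand-in for the SMS gateway: records (phone, code) instead of sending it.
SENT_MESSAGES: List[Tuple[str, str]] = []


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    phone: str
    pending_code: Optional[str] = None   # code issued after the first factor
    code_issued_at: float = 0.0
    code_attempts: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value never reveals the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(password: str, phone: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, hash_password(password, salt), phone)


def first_factor(acct: Account, password: str, now: float) -> bool:
    """Verify the password (the 'something you know').

    On success a fresh six-digit code is drawn from a CSPRNG, stamped with
    the issue time and handed to the out-of-band channel (the SMS stand-in)."""
    candidate = hash_password(password, acct.salt)
    if not hmac.compare_digest(candidate, acct.password_hash):
        return False
    acct.pending_code = f"{secrets.randbelow(10 ** 6):06d}"
    acct.code_issued_at = now
    acct.code_attempts = 0
    SENT_MESSAGES.append((acct.phone, acct.pending_code))
    return True


def second_factor(acct: Account, code: str, now: float) -> bool:
    """Verify the one-time code (the 'something you possess').

    The code is single-use, expires after CODE_TTL_SECONDS and is discarded
    after MAX_CODE_ATTEMPTS wrong guesses, so a replayed or stale code is
    useless and guessing across the 10**6 code space is cut off early."""
    if acct.pending_code is None:
        return False                      # no password step, or code used up
    if now - acct.code_issued_at > CODE_TTL_SECONDS:
        acct.pending_code = None          # expired: user must start over
        return False
    # Constant-time comparison on bytes: no timing leak, and no TypeError
    # if the submitted string is not ASCII.
    matched = hmac.compare_digest(code.encode(), acct.pending_code.encode())
    if matched:
        acct.pending_code = None          # consumed: a replay will fail
        return True
    acct.code_attempts += 1
    if acct.code_attempts >= MAX_CODE_ATTEMPTS:
        acct.pending_code = None          # too many guesses: force a new code
    return False


if __name__ == "__main__":
    acct = create_account("correct horse battery", "+1-555-0100")  # constructed
    assert first_factor(acct, "correct horse battery", now=1000.0)
    _, delivered = SENT_MESSAGES[-1]      # what the user reads off the phone
    print("code accepted:", second_factor(acct, delivered, now=1010.0))
    print("replay accepted:", second_factor(acct, delivered, now=1011.0))
```

The design point is in `second_factor`: the password alone never gets past `first_factor`, and a code that is intercepted, reused or guessed slowly is rejected by the expiry, the single-use rule and the attempt cap, which is what makes the second layer worth more than a second password.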

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  
