It’s Shopping Season!

It’s definitely that time of year. Black Friday, then Cyber Monday… It’s Shopping Season!

I can practically hear the delivery drones buzzing overhead, bringing lots of toys for nice kids of all ages.

The naughty kids, however, are having even more fun. Cyber Monday shopping is like, well, Christmas for hackers. Pinging e-tailer servers and seeking vulnerabilities like unencrypted payment systems is even better than peeking inside advent calendars. The treasure inside is likely to be much more lucrative, you can bet on it.

The sheer number of transactions this time of year gives the advantage to the malicious, and the secretive nature of holiday presents is really just a gift to the criminals. How many times have you heard this: “Sweetie, don’t look at the credit card bill until January, I don’t want to spoil the surprise!” Well, I’ll tell you what the real surprise is - trying to identify and remember each of those umpteen line items on last month’s statement when you finally get around to reviewing it. How easy would it be to not notice a few relatively small purchases?

It’s just not reasonable to think that consumer-level audits are a reasonable level of protection. It is our responsibility to move up the stack and safeguard at the payment system level. The Payment Card Industry Data Security Standard (PCI-DSS) demands encryption for full compliance, but the program itself is not mandated by the US government and is voluntary for participation. The PCI Security Standards Council invests a lot of effort into the program and they’ve made a ton of progress, but there is still a great deal of work left to be done. For example, FIPS 140-2 completely satisfies the Data Security Standard, but is not an explicit requirement. As you well know, that leaves a lot of leeway for participants to cut corners and reach compliance while still containing vulnerabilities.

SafeLogic will be devoting resources to pursuing more accountability, higher participation, and an increase in FIPS-validated encryption in PCI-DSS in 2014, so stay tuned for more information. In the meantime, do your part as a consumer – shop with retailers who participate in PCI-DSS, review your own statements, and report any suspicious activity. The more information that you can provide to your bank or credit card provider, the better our chances will be to identify the holes in the system. We must all help fix the problem and expose potential vulnerabilities.

And if we succeed, our devious counterparts in the future will have to resort to low tech options to disrupt our holidays… like shooting down those delivery drones!