It’s Shopping Season!
December 4, 2013 •Ray Potter
It’s definitely that time of year. Black Friday, then Cyber Monday… It’s Shopping Season!
I can practically hear the delivery drones buzzing overhead, bringing lots of toys for nice kids of all ages.
The naughty kids, however, are having even more fun. Cyber Monday shopping is like, well, Christmas for hackers. Pinging e-tailer servers and seeking vulnerabilities like unencrypted payment systems is even better than peeking inside advent calendars. The treasure inside is likely to be much more lucrative, you can bet on it.
The sheer number of transactions this time of year gives the advantage to the malicious, and the secretive nature of holiday presents is really just a gift to the criminals. How many times have you heard this: “Sweetie, don’t look at the credit card bill until January, I don’t want to spoil the surprise!” Well, I’ll tell you what the real surprise is - trying to identify and remember each of those umpteen line items on last month’s statement when you finally get around to reviewing it. How easy would it be to not notice a few relatively small purchases?
It’s just not reasonable to think that consumer-level audits are a reasonable level of protection. It is our responsibility to move up the stack and safeguard at the payment system level. The Payment Card Industry Data Security Standard (PCI-DSS) demands encryption for full compliance, but the program itself is not mandated by the US government and is voluntary for participation. The PCI Security Standards Council invests a lot of effort into the program and they’ve made a ton of progress, but there is still a great deal of work left to be done. For example, FIPS 140-2 completely satisfies the Data Security Standard, but is not an explicit requirement. As you well know, that leaves a lot of leeway for participants to cut corners and reach compliance while still containing vulnerabilities.
SafeLogic will be devoting resources to pursuing more accountability, higher participation, and an increase in FIPS-validated encryption in PCI-DSS in 2014, so stay tuned for more information. In the meantime, do your part as a consumer – shop with retailers who participate in PCI-DSS, review your own statements, and report any suspicious activity. The more information that you can provide to your bank or credit card provider, the better our chances will be to identify the holes in the system. We must all help fix the problem and expose potential vulnerabilities.
And if we succeed, our devious counterparts in the future will have to resort to low tech options to disrupt our holidays… like shooting down those delivery drones!

Ray Potter
Ray Potter is the Founder of SafeLogic, which was spun off from his previous venture, the Apex Assurance Group consulting firm. He brings over 20 years of security and compliance experience, including leading teams at Cisco and Ernst & Young, to the operations team at SafeLogic. Ray loves playing guitar and flying airplanes.
Popular Posts
Search for posts
Tags
- FIPS 140 (102)
- FIPS validation (83)
- Encryption (68)
- cryptography (63)
- NIST (60)
- CryptoComply (58)
- SafeLogic (58)
- Industry News (54)
- cryptographic module (51)
- Conversations (49)
- CMVP (48)
- RapidCert (46)
- compliance (39)
- Ray Potter (33)
- SafeLogic News (33)
- Event (27)
- federal (27)
- CAVP (23)
- Cybersecurity (22)
- algorithm (22)
- #LoveOurCustomers (15)
- OpenSSL (14)
- government (14)
- CryptoCompact (13)
- Cryptology (12)
- DoD (12)
- FedRAMP (12)
- RSA (12)
- compatible (12)
- partners (12)
- NSA (11)
- healthcare (11)
- AES (9)
- Apple (9)
- Cloud (9)
- FIPS 140-3 (9)
- Wearable (9)
- award (9)
- health (9)
- security (9)
- time (9)
- HIPAA (8)
- Homeland Security (8)
- IoT (8)
- Suite B (8)
- hack (8)
- testing (8)
- whitepaper (8)
- CMMC (7)
- agency (7)
- client (7)
- constrained devices (7)
- Advisories (6)
- Approved Products List (APL) (6)
- HITECH (6)
- holiday (6)
- lab (6)
- vulnerability (6)
- Acumen (5)
- CEO (5)
- Dual EC DRBG (5)
- Google (5)
- Google Glass (5)
- ICMC (5)
- Microsoft (5)
- NIST 800-171 (5)
- NIST 800-53 (5)
- OpenSSL 3.0 (5)
- Safe Harbor (5)
- Wes Higaki (5)
- Whit Diffie (5)
- ePHI (5)
- healthIT (5)
- heartbleed (5)
- mHealth (5)
- procurement (5)
- vulnerable (5)
- C3PAO (4)
- HHS (4)
- HITECH Act (4)
- Mark Minnoch (4)
- Samsung (4)
- Vegas (4)
- archive (4)
- attack (4)
- blog (4)
- breach (4)
- breaches (4)
- deadline (4)
- encrypt (4)
- health IT (4)
- innovation (4)
- military (4)
- procure (4)
- AFCEA (3)
- Air Force (3)
- BSAFE (3)
- BouncyCastle (3)
- CSE (3)
- Common Criteria (3)
- DFARS (3)
- DISA (3)
- EMM (3)
- FIPS 186 (3)
- FIPS-approved (3)
- HIMSS (3)
- HIPAA Safe Harbor (3)
- HITECH Safe Harbor (3)
- Heartbleed Bug (3)
- Implementation Guidance (3)
- Implementation Under Testing (3)
- InfoSec (3)
- NVLAP (3)
- National Institute of Standards and Technology (3)
- New Year (3)
- OCR (3)
- OpenSSL 1.1.1 (3)
- PHI (3)
- POA&M (3)
- Snowden (3)
- advisor (3)
- blackberry (3)
- budget (3)
- bug (3)
- competition (3)
- connected (3)
- constrained (3)
- data at rest (3)
- editorial (3)
- forum (3)
- goals (3)
- healthcare IT (3)
- iPhone (3)
- liberty (3)
- magazine (3)
- open source (3)
- patriotic (3)
- privacy (3)
- public sector (3)
- queue (3)
- revalidation (3)
- software (3)
- speaking (3)
- transition (3)
- vulnerabilities (3)
- 3PAO (2)
- ACVP (2)
- BA (2)
- BAA (2)
- CIO (2)
- CSEC (2)
- CSP (2)
- CoIT (2)
- Coalfire (2)
- Cyber Defense Magazine (2)
- Cyberattack (2)
- DIY (2)
- Defense Industrial Base (2)
- Diffie-Hellman (2)
- ECDH (2)
- EHR (2)
- FBI (2)
- FIPS 197 (2)
- FIPS 199 (2)
- FIPS ready (2)
- Facebook (2)
- FinalCode (2)
- Firefox (2)
- Forbes (2)
- HIPAA security controls (2)
- Historical (2)
- Historical Status (2)
- IPsec (2)
- IPsec VPN (2)
- Java (2)
- Jawbone (2)
- Jawbone Up (2)
- Level 1 (2)
- Level 2 (2)
- Level 3 (2)
- Level 4 (2)
- MFA (2)
- MSFT (2)
- Maribel Lopez (2)
- Marine Corps (2)
- Marines (2)
- Mark (2)
- Marquess (2)
- Module in Process (2)
- Mozilla (2)
- NIST 800-111 (2)
- NIST 800-38 (2)
- NSS (2)
- Naughty List (2)
- Navy (2)
- Nest (2)
- Nest thermostat (2)
- Network Security Services (2)
- OpenSSL 1.0.2 (2)
- Pentagon (2)
- Poodle (2)
- President (2)
- RNG (2)
- RSA BSAFE (2)
- RSA Security (2)
- SHA (2)
- SPRS (2)
- SSL (2)
- SSL VPN (2)
- Samsung Galaxy Gear (2)
- San Francisco (2)
- Securonix (2)
- Silicon Valley (2)
- Smart Fridge (2)
- Steve Marquess (2)
- Suite A (2)
- TLS (2)
- TLS 1.3 (2)
- U.S. (2)
- U.S. Armed Forces (2)
- UK (2)
- US (2)
- US Armed Forces (2)
- USA (2)
- Up (2)
- VPN (2)
- Walt Paley (2)
- Webinar (2)
- Wired (2)
- accelerate (2)
- achieving safe harbor (2)
- achieving safe harbor in healthcare (2)
- acquisition (2)
- archive list (2)
- armed forces (2)
- article (2)
- backdoor (2)
- benchmark (2)
- breach notification (2)
- business associate (2)
- business associate agreement (2)
- case study (2)
- checkmark (2)
- code (2)
- competitor (2)
- constrained device (2)
- consultant (2)
- consultants (2)
- consulting (2)
- cost (2)
- cyber terrorism (2)
- data in motion (2)
- developer (2)
- doctor (2)
- entropy (2)
- excellence (2)
- fast (2)
- federal acquisition (2)
- federal procurement (2)
- federal shutdown (2)
- finance (2)
- firmware (2)
- founder (2)
- freedom (2)
- goal (2)
- gold (2)
- guest (2)
- hardware (2)
- hurdle (2)
- hybrid (2)
- iOS 6 (2)
- key management (2)
- leader (2)
- legacy (2)
- mandate (2)
- maturity (2)
- medal (2)
- overlap (2)
- patch (2)
- patches (2)
- patient (2)
- penalties (2)
- pilot (2)
- post-quantum cryptography (2)
- re-validation (2)
- regulated industry (2)
- research (2)
- rival (2)
- security breach (2)
- session (2)
- shutdown (2)
- solution (2)
- speed (2)
- sponsors (2)
- startup (2)
- sunset (2)
- support (2)
- team (2)
- technology (2)
- terrorism (2)
- terrorist (2)
- use case (2)
- vendor (2)
- year (2)
- year end (2)
- (ISC)2 (1)
- 21st Century Cures Act (1)
- Active Status (1)
- Alliance for Digital Innovation (1)
- Amazon (1)
- Android (1)
- Army (1)
- BYOD (1)
- Boeing (1)
- Brent Cook (1)
- Bruce Schneier (1)
- CCEVS (1)
- CES (1)
- CIO Prime Views (1)
- CIO Story (1)
- CIOstory (1)
- CNET (1)
- CNN (1)
- CNSA (1)
- CNSS (1)
- COTS (1)
- CSF (1)
- CTR_DRBG (1)
- CUI (1)
- Cameron (1)
- Chris Conlon (1)
- Columbia University (1)
- Commercial Solutions for Classified (1)
- Cryptographic Technology Group (1)
- Cryptsoft (1)
- CsfC (1)
- Cupertino (1)
- Cyber Monday (1)
- D-FLIP (1)
- DEA (1)
- DES (1)
- DHS (1)
- DIU (1)
- DIUx (1)
- DNA (1)
- DOJ (1)
- Daniel Franke (1)
- David Cameron (1)
- David Hook (1)
- EPCS (1)
- Erlich Bachman (1)
- Extended Support (1)
- FCA (1)
- FF1 (1)
- FF3 (1)
- FIPS Compliance (1)
- FISMA (1)
- FITARA (1)
- FOM (1)
- FOM 2.0 (1)
- FPE (1)
- FUD (1)
- False Claims Act (1)
- Fear and Loathing (1)
- Fed (1)
- Federal IT Sales Summit (1)
- Fitbit (1)
- Florida (1)
- Forbes Magazine (1)
- Fourth of July (1)
- Frank McDonough (1)
- G.18 (1)
- GCHQ (1)
- GNU (1)
- GNU Project (1)
- GSA (1)
- Galaxy (1)
- Galaxy Gear (1)
- Gartner (1)
- Gartner Symposium (1)
- Gavin Belson (1)
- Globo (1)
- GnuPG (1)
- GoBe (1)
- Golden Globes (1)
- Govie (1)
- Govies (1)
- Grammy (1)
- Grammys (1)
- HASH_DRBG (1)
- HBO (1)
- HIIPA (1)
- HIPPA (1)
- HIT (1)
- HITRUST (1)
- HITRUST CSF (1)
- HMAC (1)
- HMAC_DRBG (1)
- HUD (1)
- Healbe (1)
- Heartbeat (1)
- Hebdo (1)
- Hooli (1)
- Hummer (1)
- Humvee (1)
- Hunter S. Thompson (1)
- IBM (1)
- ICMC 2013 (1)
- ICS (1)
- ICS-ISAC (1)
- IPB (1)
- ISO (1)
- ISO 19790 (1)
- ISO 24759 (1)
- ITexpo (1)
- ITexpo West (1)
- ITexpo West 2014 (1)
- Immix (1)
- In Progress (1)
- In Progress List (1)
- Inauguration (1)
- Industrial Control System (1)
- Infogard (1)
- Intel (1)
- Investigatory Powers Bill (1)
- Iron Mountain (1)
- JAR (1)
- JCE (1)
- JITC (1)
- JLTV (1)
- JSSE (1)
- Jack Barker (1)
- Jawbone Up24 (1)
- Joint Light Tactical Vehicles (1)
- KAS (1)
- KBKDF (1)
- Kamala Harris (1)
- Katie Arrington (1)
- Kestler (1)
- Kris van Riper (1)
- LRSB (1)
- Lee (1)
- Lee Kestler (1)
- Legacy List (1)
- Legacy Validation List (1)
- Legion (1)
- LibreSSL (1)
- LinkedIn (1)
- Linux (1)
- Lockheed (1)
- Lockheed Martin (1)
- Lopez Research (1)
- MDMPP (1)
- MDPP (1)
- MIT (1)
- MWC (1)
- Macintosh (1)
- Marissa Mayer (1)
- Mark Amtower (1)
- Matt Caswell (1)
- Matt Cornelius (1)
- Matthew Cornelius (1)
- Matthew Green (1)
- Maturity Model (1)
- Memorial Day (1)
- Michael Leonard (1)
- MicroStrategy (1)
- Microsoft Surface (1)
- Miramar (1)
- Multifactor (1)
- NCSL (1)
- NSA Suite B (1)
- Nevada (1)
- Nike+ (1)
- Nobel (1)
- North Korea (1)
- Northrup (1)
- Northrup Grumman (1)
- OCS (1)
- OMB (1)
- ONC (1)
- OSL (1)
- OSSL 1.1 (1)
- OSSL Foundation (1)
- OVS (1)
- Office 365 (1)
- Oracle (1)
- Orlando (1)
- Oscars (1)
- Osh Kosh (1)
- Oshkosh (1)
- Outlook (1)
- Oval Office (1)
- P-256 (1)
- P-384 (1)
- PC Mag (1)
- PCI (1)
- PCI-DSS (1)
- PIN (1)
- PIN code (1)
- PIN number (1)
- PM (1)
- PQC (1)
- PRISM (1)
- Padding Oracle On Downgraded Legacy Encryption (1)
- Palazzo (1)
- Palo Alto (1)
- Paris (1)
- Pence (1)
- Pied Piper (1)
- Pilgrims (1)
- Poison (1)
- Poodlebleed (1)
- Presidency (1)
- Prime Minister (1)
- Prius (1)
- Protection Profiles (1)
- Pulse Secure (1)
- Q4 (1)
- Quantum Dawn (1)
- Quest (1)
- RAR (1)
- REDCOM (1)
- RFP (1)
- Ralph C. Jensen (1)
- Ralph Jensen (1)
- Raytheon (1)
- Readiness Assessment Report (1)
- Rebranding (1)
- Redmond (1)
- Richard Hendricks (1)
- Rijndael (1)
- Rohit Sethi (1)
- Ryan Thomas (1)
- SC Magazine (1)
- SC-13 (1)
- SC-28 (1)
- SC-8 (1)
- SLED (1)
- SP (1)
- SP 800-113 (1)
- SP 800-56 (1)
- SP 800-77 (1)
- SP800-131A (1)
- SP800-90A (1)
- SSLv3 (1)
- Samsung Galaxy (1)
- Sands (1)
- Sands Expo (1)
- Satcom (1)
- Schneier (1)
- Sean Kerner (1)
- SecureAuth (1)
- Security B-Sides (1)
- Security Compass (1)
- SecurityToday (1)
- September 22 (1)
- Sergey Brin (1)
- Seth Rosenblatt (1)
- Sethi (1)
- Signal Magazine (1)
- Simon (1)
- Skipjack (1)
- Skunk Works (1)
- Skunkworks (1)
- Skydrive (1)
- Snooper's Charter (1)
- Softshell (1)
- Sony (1)
- Speck (1)
- Squanto (1)
- St Regis (1)
- StateRAMP (1)
- Steve Jobs (1)
- Surface (1)
- Susan McAndrew (1)
- Sweet32 (1)
- Symantec (1)
- TLS 1.1 (1)
- TLS 1.2 (1)
- TSMC (1)
- Taming the Transition (1)
- Taming the Transition: Marketing & Sales Tacti (1)
- Tanuj Gulati (1)
- Target (1)
- Target breach (1)
- Tesla (1)
- Theresa May (1)
- Thomas (1)
- Tim Hudson (1)
- Tisquantum (1)
- Tizen (1)
- Tom Cruise (1)
- Toyota (1)
- Toyota Prius (1)
- Triple DES (1)
- Trump (1)
- U.K. (1)
- U.S. Air Force (1)
- U.S. Army (1)
- U.S. Marines (1)
- U.S. Military (1)
- U.S. Navy (1)
- US Air Force (1)
- US Army (1)
- US Marines (1)
- US Military (1)
- US Navy (1)
- USMC (1)
- United Kingdom (1)
- United States (1)
- United States of America (1)
- Up24 (1)
- Vectra (1)
- Vectra Networks (1)
- Venetian (1)
- Verify (1)
- WEST (1)
- WEST 2020 (1)
- Wall Street (1)
- Weaved (1)
- Websense (1)
- WhatsApp (1)
- White House (1)
- Wiebe (1)
- Wired.co.uk (1)
- Wireless U (1)
- WolfSSL (1)
- Yahoo (1)
- Yier Jin (1)
- Yoics (1)
- You're fired! (1)
- Yubico (1)
- abbreviation (1)
- abbreviations (1)
- achieve (1)
- acronym (1)
- acronyms (1)
- administration (1)
- advantage (1)
- appointee (1)
- archival (1)
- assurance (1)
- authentication (1)
- autumn (1)
- aviation (1)
- background (1)
- ban (1)
- banish (1)
- banished (1)
- banishment (1)
- banned (1)
- batterygate (1)
- benchmarks (1)
- best (1)
- bid (1)
- blue angel (1)
- blue angels (1)
- bold (1)
- browser (1)
- bugs (1)
- calendar (1)
- capitol (1)
- certicom (1)
- challenge (1)
- champ (1)
- champion (1)
- channel (1)
- checklist (1)
- checkmarks (1)
- chief (1)
- chip (1)
- chipgate (1)
- choice (1)
- choose (1)
- chosen (1)
- cipher (1)
- citizen (1)
- citizenship (1)
- co-founder (1)
- codebase (1)
- codies (1)
- comment period (1)
- comparison (1)
- compete (1)
- competitive (1)
- competitive advantage (1)
- complaint (1)
- complaints (1)
- complete (1)
- concurrent (1)
- confusion (1)
- congress (1)
- contract (1)
- crime (1)
- criminal (1)
- critical infrastructure (1)
- cryptographer (1)
- cybertech (1)
- data (1)
- data center (1)
- data centers (1)
- data security (1)
- dates (1)
- david hume (1)
- debt ceiling (1)
- decryption (1)
- deploy (1)
- deployment (1)
- development (1)
- dictionary (1)
- differentiator (1)
- disambiguate (1)
- download (1)
- drones (1)
- eBay (1)
- eBay breach (1)
- eHealth (1)
- eWeek (1)
- editor (1)
- editor-in-chief (1)
- effort (1)
- elliptic curve cryptography (1)
- embedded (1)
- emerging (1)
- engineer (1)
- engineering (1)
- enterprise security (1)
- executive (1)
- exhibit (1)
- exhibit hall (1)
- expectations (1)
- expert (1)
- expertise (1)
- experts (1)
- expiration (1)
- expire (1)
- extended (1)
- fall (1)
- faq (1)
- finalist (1)
- finalists (1)
- financial (1)
- fines (1)
- fintech (1)
- fips inside (1)
- fiscal (1)
- fiscal year (1)
- fitness tracker (1)
- fitness trackers (1)
- fix (1)
- fixes (1)
- flight (1)
- forecast (1)
- format-preserving (1)
- format-preserving encryption (1)
- fraud (1)
- frempetitor (1)
- frempetitors (1)
- frenemies (1)
- frenemy (1)
- furlough (1)
- future (1)
- global (1)
- globee (1)
- glossary (1)
- goose (1)
- gotcha (1)
- gov (1)
- gov't (1)
- guest blog (1)
- guest post (1)
- hashed (1)
- head-to-head (1)
- heads up displays (1)
- hill (1)
- hiring freeze (1)
- history (1)
- home automation (1)
- homeland (1)
- honor (1)
- honored (1)
- hospital (1)
- human rights (1)
- hume (1)
- humor (1)
- hurdles (1)
- iMessage (1)
- iOS (1)
- iOS 7 (1)
- iPad (1)
- iToilet (1)
- industry (1)
- intellectual property (1)
- interim final rule (1)
- international (1)
- interview (1)
- issues (1)
- kratos (1)
- launch (1)
- law enforcement (1)
- libgcrypt (1)
- malicious (1)
- maverick (1)
- medals (1)
- medical (1)
- medicine (1)
- meek (1)
- milestone (1)
- mobile security (1)
- mobility (1)
- mocana (1)
- money (1)
- multi-factor (1)
- multi-factor authentication (1)
- musings (1)
- national cybersecurity strategy (1)
- naval aviator (1)
- need for speed (1)
- neglect (1)
- network (1)
- new (1)
- new OSSL (1)
- news (1)
- nominate (1)
- nominated (1)
- nominee (1)
- nominees (1)
- offload (1)
- opportunities (1)
- opportunity (1)
- outsource (1)
- panel (1)
- parallel (1)
- passwords (1)
- past (1)
- patient data (1)
- philosopher (1)
- philosophy (1)
- physician (1)
- piece (1)
- pilots (1)
- plane (1)
- plans (1)
- platinum (1)
- post (1)
- presentation (1)
- press release (1)
- priorities (1)
- priority (1)
- prize (1)
- profile (1)
- proposal (1)
- proposed (1)
- proud (1)
- provider (1)
- public (1)
- public comment (1)
- public comment period (1)
- public list (1)
- quant (1)
- quant self (1)
- quantified (1)
- quantified self (1)
- queue length (1)
- quinquennial (1)
- re-validate (1)
- reflection (1)
- regulations (1)
- representatives (1)
- required (1)
- requirement (1)
- researchers (1)
- reseller (1)
- revalidate (1)
- revenue (1)
- revoke (1)
- revoked (1)
- rights (1)
- rivals (1)
- roadblock (1)
- roadmap (1)
- rsa conference (1)
- sales (1)
- salted (1)
- savings (1)
- scalability (1)
- season (1)
- security software (1)
- select (1)
- selected (1)
- selection (1)
- self-driving (1)
- self-driving car (1)
- senate (1)
- senators (1)
- server (1)
- servers (1)
- silver (1)
- simplify (1)
- smart cars (1)
- smart home (1)
- smart toilet (1)
- smartwatch (1)
- sole source provider (1)
- sole-source (1)
- speak (1)
- speaking session (1)
- specialization (1)
- stand for (1)
- standards (1)
- start-up (1)
- state (1)
- stealth mode (1)
- stigma (1)
- story (1)
- strategy (1)
- success (1)
- summer (1)
- sunet (1)
- sunset date (1)
- sunsetted (1)
- symposium (1)
- talk (1)
- tech (1)
- technical (1)
- term (1)
- terminology (1)
- terms (1)
- threat detection (1)
- threats (1)
- toilet (1)
- top gun (1)
- training (1)
- trophy (1)
- unicorn (1)
- use cases (1)
- value (1)
- vendors (1)
- website (1)
- whining (1)
- whistleblower (1)
- whistleblowing (1)
- wifi (1)
- wrap (1)
- wrap-up (1)