Heartland response – Minimizing the damage of breached data
Bruce Schneier often talks about the response to data breaches, like the recent Heartland incident. In a recent post, Bruce discussed how data breach notification laws encourage companies to improve their security.
While I’m all for encouraging companies to improve their security, and I can see how breach notification laws help with that, once a breach has occurred the next step should be to try to minimize the subsequent damage.
One method for minimizing data loss might be a bit controversial, but could also have a major impact on identifying the use of the stolen cards. Here’s the idea (try not to judge it until you read the rest of the post): The credit card companies that cancel the impacted cards should privately publish the canceled card numbers to merchants.
This probably needs more explanation. If the credit card companies had a certain set of merchants where they had very good working relationships – maybe some of the large online merchants, for example – they could give those merchants the list of card numbers that had been canceled. Then those merchants could look for the canceled cards being used and flag that activity – and anything associated with it – as suspicious. Since it is likely the bad actors will use the cards in batches and they won’t know which cards were canceled versus which were not, this is one way the credit card companies could help minimize the damage to the merchants.
Some people may be concerned about the privacy of credit card companies sending out credit card numbers. There are three things to keep in mind about this. First, the credit card numbers they would send out would not have any other information associated with them – they would just be card numbers. Second, since the cards themselves would have been canceled, they are no longer owned by any person but are, instead, owned by the credit card companies themselves. So there shouldn’t be any privacy concerns. Third, I am not advocating that the card numbers be published on the internet for everyone to see. Instead, they should be delivered via a secure mechanism only to merchants that are well known, trusted, and are interested in using them to take action.
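The sketch below is an added example, not code from the original post, showing what the merchant side of this collaboration could look like. It makes one assumption that the post does not: instead of raw card numbers, the card company shares keyed hashes (HMAC-SHA256 under a per-merchant key exchanged out of band), so the merchant can recognize a canceled card when it is presented but cannot read the list as card numbers. The merchant then flags direct hits and, following the batching observation above, any transaction that shares an account or source IP with a hit. All card numbers, keys and transactions are constructed test values.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed example key; in practice exchanged out of band per merchant.
SHARED_KEY = b"example-shared-key-distributed-out-of-band"

# Constructed canceled card numbers (well-known test PANs, owned by nobody).
CANCELED_PANS = ["4111111111111111", "4222222222222", "5555555555554444"]


def tokenize_pan(pan: str, key: bytes = SHARED_KEY) -> str:
    """Keyed hash of a card number so the shared list carries no raw PANs."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def build_watchlist(canceled_pans, key: bytes = SHARED_KEY) -> set:
    """What the card company would hand the merchant: tokens, not numbers."""
    return {tokenize_pan(p, key) for p in canceled_pans}


# Constructed merchant transaction batch: t1 and t4 use canceled cards,
# t2 shares account and IP with t1, t3 shares an IP with t4, t5 is clean.
TRANSACTIONS = [
    {"id": "t1", "pan": "4111111111111111", "account": "acct-9", "ip": "203.0.113.5"},
    {"id": "t2", "pan": "4000056655665556", "account": "acct-9", "ip": "203.0.113.5"},
    {"id": "t3", "pan": "5105105105105100", "account": "acct-2", "ip": "198.51.100.7"},
    {"id": "t4", "pan": "5555555555554444", "account": "acct-4", "ip": "198.51.100.7"},
    {"id": "t5", "pan": "378282246310005", "account": "acct-6", "ip": "192.0.2.1"},
]


def flag_transactions(transactions, watchlist, key: bytes = SHARED_KEY,
                      link_fields=("account", "ip")) -> dict:
    """Return {transaction_id: reason} for every transaction worth review.

    Direct hits are transactions whose tokenized PAN is on the watchlist.
    Linked hits are other transactions in the same batch that share any of
    link_fields with a direct hit; the reason names which fields matched.
    """
    flags = {}
    hit_values = defaultdict(set)  # field -> values seen on direct hits

    # Pass 1: direct hits against the canceled-card watchlist.
    for t in transactions:
        if tokenize_pan(t["pan"], key) in watchlist:
            flags[t["id"]] = "canceled-card"
            for field in link_fields:
                hit_values[field].add(t[field])

    # Pass 2: anything associated with a direct hit through a shared field.
    for t in transactions:
        if t["id"] in flags:
            continue
        shared = [f for f in link_fields if t[f] in hit_values[f]]
        if shared:
            flags[t["id"]] = "linked-via-" + "+".join(shared)
    return flags


if __name__ == "__main__":
    watchlist = build_watchlist(CANCELED_PANS)
    for txn_id, reason in sorted(flag_transactions(TRANSACTIONS, watchlist).items()):
        print(txn_id, reason)
```

Two design notes. Using an HMAC rather than a plain hash matters because the space of valid card numbers is small enough that an unkeyed hash list could be reversed by brute force; with a per-merchant key, a leaked list is useless to anyone without that key, and the card company can revoke a single merchant's key without affecting the others. Second, a direct hit and a linked hit deserve different handling: a canceled card being presented is strong evidence on its own, while a transaction linked only by a shared IP address (which may be a shared proxy) should raise review priority rather than trigger an automatic decline.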
What would be the right way to make this collaboration happen?