m: Well, all the small businesses would lie. Right? If you’re a small outfit, and the choice is “Either I say yes to everything or my business is destroyed…” What’s the choice?

s: When did you start taking PCI compliance seriously?

m: At some point just prior to fall of 2005, we concluded that PCI applied to us because we’re a merchant who accepts credit cards, and so we had Responsibilities. I don’t remember there being a good enough dialogue about it, or even any dialogue. Was there some point that I said, “Yes, I agree that if I would like to continue accepting credit cards as an Internet merchant I additionally agree to comply with this 100-point list?” I don’t remember ever doing that. I don’t remember ever saying, “Dear VISA, yes, I agree, I’ll do it!”

s: What is the impact of PCI/DSS on small businesses?

m: Well, if it continues to be generally ignored by the vast majority of small merchants and small hosting companies, then the impact will be slow and steady.

It’s a matter of how aggressive the credit card processors and the PCI SSC themselves decide to get on their customers. Sure, my payment processing company… could decide to demand from me an attestation of compliance. They could hold this over my head and say, “we will REVOKE your credit-card processing privileges if you do not submit your attestation of compliance.”

Imagine us asking thousands and thousands of customers who have previously been on auto-pay to “please, hand-write me a check from now on.” And customers in 40-something countries. Good luck.

s: It’s fair to say you would go out of business.

m: It might not kill us, but it would cripple us. But that credit card processor, in making that decision to revoke our privileges, would of course be cutting themselves out of thousands of dollars of revenue every month that we paid them. They would be killing one of their customers. So, they’re torn in two directions.

s: Do you feel that the PCI SSC took appropriate input from merchants?

m: In reality, 95% of the merchants would have not been capable of providing substantive technical feedback to the committee.

s: How come?

m: Because 95% of merchants are not technical operations. They are business that are selling coffee on the corner, or they’re selling widgets, and their cardholder data environment doesn’t consist of much but a plastic box with a phone line connected to it.

s: What do you think that implies for their ability to comply with PCI/DSS?

m: The jaw-dropping, gasp, oh-my-goodness implication of PCI/DSS is for all the “Laura’s Online Candle-Shop” and “Best-Fishing-Lures-in-Arkansas Dot Com” and the small Internet merchants with online shopping carts. These are my customers. I know a lot of them have shopping carts that are not million-dollar-a-month e-commerce operations. They are not Amazon. They are modestly successful online merchants.

Now these millions of small businesses, and the small-to medium-sized web hosting companies that are called upon by these small merchants, have a 100-point checklist of things that are not terribly understandable and are broadly interpretable and in many ways onerous to the point of absurdity for a small operation.

s: Do you think that PCI/DSS will cause consolidation in the web hosting industry, or that there will be fewer small businesses as a result?

m: I don’t think the American public or the international public is going to shed a tear if there is bloodletting consolidation of the web hosting industry. Where they would take up arms would be if Laura and Sam and Bob can’t open candle shops online. If that becomes impossible, or unrealistic, or incredibly expensive, there’s going to be pushback.

s: You think that people won’t miss the mom-and-pop web hosting companies?

m: Most web hosting companies are noticed by their customers when something breaks. The future of baseline web hosting is like the future of the electric company. Who gives a damn who you buy electricity from? You expect it to work 100% of the time. When it doesn’t, you’re annoyed and it’s disruptive. You don’t have a relationship with your electric company the way you do with your corner coffee shop or brewery.

s: Why is that?

m: The nature of commoditization, I guess.

s: Sounds like you’re suggesting that what will happen with the web hosting industry is similar to what happened in the telephone industry.

m: Sure, or any of the utilities that we all take for granted. Now, everyone assumes that cell phone service is going to work, your cable is going to work, there’s going to be water when you turn on the spigot. Web hosting companies will need to grapple with that commoditization and provide services that impress or delight or become more part of the daily workflow of the customer, rather than being part of some background thing that [you only notice when] something breaks.

s: Do you think there’s value for the public in having a variety of hosting options, or is it simpler to have it centralized?

m: The web hosting industry has got to be incredibly confusing for a customer right now. There are tens of thousands of hosting operations, many of which are 1, 2, 3, 4 dollars a month… Talk about a race for the bottom! How low can you go? It’s below the threshold of constituting commerce. A dollar a MONTH? I think the industry would benefit greatly from a culling.

I have in my mind that perhaps half of all “web hosting companies” are a one-man show with someone who has another job, whether a student or some sort of professional. Those folks are in no way equipped to ensure the security of credit card data or to fix a server when it breaks. There’s such a low barrier to entry in the web hosting industry right now.

s: What do your peers in the industry think of PCI/DSS?

m: People are flabbergasted at the absurb impossibility of the vast majority of web hosts from ever approaching PCI/DSS compliance. Laura’s Candle Company? She’s required by PCI/DSS to ONLY host her web site that accepts credit cards in an environment that is itself PCI/DSS compliant. The only hosting that she’s allowed to use under PCI/DSS [requires 8 separate devices]: hardware firewall, application firewall, log audit system, and all that business. However, the vast majority of companies load up customers onto one box, and then get a new box. Then they load up customers on that, and then get a new box. And so on.

I know someone who has a hosting account with one of the top ten hosting companies. When she wants to FTP or SSH into her server, she goes to server 192 dot domain name dot com, and that machine hosts FTP, SSH, web, database, DNS, SSL, POP3, etc. It hosts all services. Bang, right off the bat, that’s not a PCI/DSS compliant hosting environment. For these web hosting companies, it’s a shaking of the foundation.

s: Do you think it’s realistic to expect small business owners to comply with PCI/DSS in the near future?

m: As a small business owner myself, I’m both the operations guy and the people manager. We have always hired new staff as we identified a clear and defined role, and more importantly, had the revenue to pay that person a fair wage and benefits. We’ve got this daily pop and crackle of operations plus customer service. We do not have the extra thousands or tens of thousans of dollars a month to, oh, just staff up!

Stopping customer service is not a viable option. Stopping operations pop and crackle is not a viable option. So who do I pull off? Where do I find the right staff or the right expertise to start working through the things that are required of PCI/DSS? I don’t know.

If I ran a technical operation that had 1000 operations employees, I could say, “Hey! pull team B-13 off of their raised floor construction project. They are now the PCI/DSS regulation security team.” That sounds fine. That’s something that a big operation could pull off. If I was in a position to hire three new engineer sysadmins next week, then I’d surely put one or maybe two of them on PCI/DSS. “Hey, we’ve got to rewrite this code,” or “Hey, we’ve got to reconfigure this network,” We’ve got to do this, we’ve got to do that. But like many small businesses, we barely keep up with what’s going on right now.

s: This economy must be especially hard.

m: That’s right. We’re watching customers shut down their gardening blogs and their chess club web sites. These sites were important to them until they lost their jobs, and now they’ve got to figure out what the priorities are in terms of monthly expenses.

s: How much do you think this is going to cost you?

m: Well, of course if our credit card processor tells us it’s going to cost us an extra 1% of every transaction, that’s measurable. If they, like I’ve heard from other web hosts, decide that until we submit our attestation of compliance, we’ll have an extra $19.95 a month nuisance fee, then it’ll be $20 a month for the foreseeable future.

Another potential angle on cost: Will our customers begin demanding some sort of certification / attestation? “My credit card processor tells me that I’m only allowed to host with a PCI complant host so I really need to know.” If our only answer is “no,” we’ll lose customers. Our growth will be stifled, and we may shrink as an operation. So, we could wither, or be crippled or killed, or just be taxed by PCI/DSS.

s: Basically, you’re saying that PCI/DSS could cause small businesses to go under.

m: Yes, if it was enforced vigorously. I should go on record as saying that I support the general idea of having standards for how credit card data is handled on behalf of your customers. People should use secure best practices and due care to ensure that credit card data is not released to hackers in Des Moines or Denmark or Indonesia. We must avoid that. Good! Let’s have some standards.

s: What is the purpose of PCI/DSS?

m: To push cardholder data security downstream to the merchants who handle it first.

s: Do you think PCI/DSS is at all effectve?

m: Yes. I would say that PCI/DSS is effective in encouraging– let’s say urging or demanding– entities that handle personal information, including card holder data, card numbers and whatnot, to review the security procedures. It provides a not-valueless checklist of things to think about when handling this sensitive information.

s: What is the future of PCI/DSS?

m: First, I’ll say that no more than 20% credit card merchants will be PCI/DSS compliant, truly, in the next decade. It will be a slow and gradual process. At some point, a team of brilliant security engineers is going to come up with something that renders plaintext credit card numbers like telegraphs. There will no longer be a concept of entering some numbers that magically allow you to move money around.

s: You think our financial transaction system will evolve beyond credit cards into something different?

m: Yes, that is exactly what I mean. Even the biggest, most responsible badass security processors with awesome security practices keep getting compromised. The data at rest is inherently vulnerable, and so will continue to be a succulent target. We need to make the target less tasty. [We need] a transaction system that could– perhaps magically– ensure that the transation was legitimate, and it isn’t just a string of not very many magic numbers. When smart guys and gals invent that, we will begin forgetting about PCI/DSS compliance in its current form.

s: Do you think that the credit card companies should be focusing on changing the system?

m: For all I know they have teams of ten thousand in underground bunkers who are developing the next great payment transaction processing technology. If they are, that’s great. That’s awesome. I have no idea what they’re doing, but I hope they are. I hope they are not believing that a short string of numbers is the tool of the future.

The letter went on to state that BofA had reviewed her account and saw “no evidence that your account has been misused in any way. We will continue to monitor activity on your account, and if we detect suspicious transactions, we will notify you.” BofA also informed her that “we will close your existing account and issue you a new account number and credit card(s).”

Imagine if your doctor sent you a letter informing you that “you’ve contracted an undisclosed disease from an undisclosed third party. Take these pills and carry on as before. We’ll monitor your symptoms and notify you if you show signs of further infection.”

The underlying subtext here is that a) my friend’s information was probably compromised through a merchant that she has done business with; b) she does not have the right to know who that was; and therefore c) she must continue to do business as usual without the ability to change her behavior based on the fact that the merchant did not safeguard her information appropriately.

BofA referenced a web site where they talk about data compromise:

http://www.bankofamerica.com/compinfo

According to this site, “When a data compromise occurs Bank of America is notified by multiple sources, including Visa®, MasterCard®, American Express® and law enforcement agencies when our accounts have been included in a data compromise… Unless the merchant announces the breach to the public, we are unable to provide the name of the merchant or where the data breach has occurred.”

In other words, the credit industry is facilitating willful ignorance in order to protect their fundamentally broken system. If you or I found out where exactly the breach happened, we might not be so inclined to give our credit-card numbers to the end merchant or payment processors involved. Customers are not provided with the information we need to make educated decisions about who we trust with our information.

Truth be told, the fundamental problem isn’t with the end merchants, anyway. The problem is that our financial infrastructure rests on the broken concept that a short string of numbers can be used to move money from one person’s account to another. This string of numbers has to be kept “secret,” but it also has to be given to dozens of people throughout the course of a day in order to conduct routine transactions.

Here’s my favorite section of BofA’s data compromise FAQ:
“Is it safe to use my new card?
“We are confident that this was an isolated incident and that the steps we have taken will ensure the continued security of your account. Please continue to use your new account as you normally would.”

Yes… an “isolated incident,” just like the other 285 million records that were compromised last year. Take these pills and carry on.

When upper management is notified of a data breach, they have to choose between:

a) Announcing publicly and in a timely manner, which would result in major reputational damage, financial drain, loss of business, and potentially huge lawsuits.

b) Keeping quiet and hoping that no one ever finds out (in which case, nothing happens).

Of course, usually upper management doesn’t find out at all. There is little incentive for IT staff to report compromises all the way up the chain, since it just makes them look bad. System administrators fear that if they detect a compromise on their own servers, managers will accuse them of doing a bad job. Also, the breaches have to be detected in the first place– and often security staff are overworked and have limited resources for tuning IDS or following up on alerts.

The bottom line is that no one is motivated to do a good job detecting and publishing breaches– not corporations, not upper management, not IT staff, and in many cases not even security teams themselves. Ethics can hardly compete against real financial incentives and fears for job security.

Don’t Companies Have to Report Breaches?

Many states have data breach notification laws, but these tend to have major loopholes. Importantly, they don’t provide clear guidelines for deciding whether a “security breach” happened. As a result, if an attacker destroys important evidence or if the company does not retain records that would explicitly prove inappropriate access, then the company will probably decide that they are not required to report. Customers affected never even hear that there was concern about a breach in the first place.

The assumption is that the data is secure unless there is explicit evidence which proves otherwise. This is backwards! When log retention creates a liability, companies have reduced incentive to collect or retain detailed records. If we assume the data is secure unless there is proof otherwise, then there is no reason for companies to work to retain evidence.

The irony is that companies with the worst security practices, who do not keep logs or configure IDS systems effectively, are the ones who get off scot-free because they do not collect or retain the evidence of a breach.

What about the proposed federal Data Accountability and Trust Act?
The Data Accountability and Trust Act which passed the US House of Representatives last month does nothing to address this loophole. It requires that “Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data…notify each individual…”

OK, so what is a “breach of security”?

“(1) BREACH OF SECURITY- The term `breach of security’ means unauthorized access to or acquisition of data in electronic form containing personal information.”

How do you decide if there has been “unauthorized access to or acquisition of data”? The bill does not provide any guidance. As long as the organization does not keep records which would *prove* that confidential data was accessed or exported, their legal counsel may advise them that they do not have to report. I am not a lawyer, but I have seen this happen repeatedly with respect to existing data breach regulations.

How Can We Fix This Loophole?
Here are some ideas:

• Assume insecurity. Companies should be able to produce access logs and records which confirm that the data has been kept safe, rather than vice versa. This will motivate companies to collect and retain access logs in much greater detail than they do now.
• Proactively audit large organizations that retain lots of personal data.
• Publish yearly certificates based on audit results, the same way health inspectors publish certificates for restaurants. This way the public can decide which companies to give our information to, based on how well they secure it.

Today, the vast majority of security breaches are never reported. When you examine the incentives and the myriad of holes which exist in reporting regulations, it’s easy to understand why. Detailed logging and monitoring practices result in greater liability. Reporting incidents to the public can lead to financial ruin. There’s little incentive for organizations to do a genuinely good job tracking access to confidential data.

In this backward system, it’s a wonder we hear about any breaches at all. The fact that we do hear about data breaches frequently should make you stop and think about the number that are *really* occurring, but are never detected, let alone reported. Speaking from experience, I can tell you that the data breaches you hear about are just the tip of the iceberg.

The document reveals that the DHS is storing the reader’s:

• Credit card number and expiration (really)
• IP address used to make web travel reservations
• Hotel information and itinerary
• Full Name, birth date and passport number
• Full airline itinerary, including flight numbers and seat numbers
• Cruise ship itinerary
• Phone numbers, incl. business, home & cell
• Every frequent flyer and hotel number associated with the subject, even ones not used for the specific reservation

Again, here is the full record. The anonymous reader obtained his/her travel history using Edward Hasbrouck’s excellent guides. Check out his site for more info!

Thanks a ton for sending this in. If anybody else gets a copy of their ATS travel record, send it in! We’d love to see them and compare.

Reverse of the United States Great Seal Novus Ordo Seclorum “A New Order of the Ages”

“Death of Anonymous Travel”
DEFCON 2009 – PDF
MD5sum: c772681c37c9ad5d210c19c12eb43095

Thanks to everyone who sent in comments, suggestions, and encouragement. (Special thanks to the EFF lawyers for reviewing this beforehand– you guys rock!)

I’ll have the full list of references (vendor marketing materials, news articles, FOIA docs, etc) up in the next week, so check back!

Abstract:
Worldwide, people who use cars, buses, trains, and carry cell phones are tracked in increasingly centralized corporate and government databases. This capability is still in its infancy, and has been facilitated by communication and payment systems which are linked to identification and refer to centralized electronic databases.

* Collate and disseminate information about current known travel monitoring practices;
* Discuss technical and social solutions for maintaining personal privacy and the freedom to assemble;
* Encourage greater transparency and public control over data collection and use.

“Self-Service Check-In: You Will Need a Major Credit Card”
and then in small print:
“For Identification Only”

Yes, apparently American Airlines will only give boarding passes to individuals who have been thoroughly vetted according to the strict standards of American Express, Mastercard, or VISA (and perhaps Discover).

“A paper trail is an identity thief’s best friend. Sign up for paperless statements and you can rest easy knowing all your account information is locked away safely online.”

Ahahahahaha!…ha… ha… When’s the last time you heard about millions of credit card numbers being stolen from the mail? Somehow I don’t recall identity theft being such a big deal before online financial systems started taking off. In much the same way that the Bush administration linked Saddam Hussein to 9/11, credit card companies are now campaigning to link “identity theft” and… paper.

This brilliantly twisted marketing campaign:
1) Fuels the “identity theft” fear-mongering, increasing identity theft protection sales.
2) Reduces the number of individuals who will be able to independently verify and access statements down the road
3) Saves Citibank money on paper (which also benefits the environment, but that isn’t Citibank’s motivation)
4) Instills a false sense of security regarding the safety of web-based account management systems
5) Increases customers’ risk of identity theft by promoting the use of insecure, online web based account management systems (which will subsequently lead to more “identity theft protection” sales… yay!)

I’d feel a lot safer if all of my account information were locked away in my own fireproof filing cabinet. Unfortunately, it’s clearly not. Less than a month ago Citibank sent me a new card because one of their payment processors lost millions of people’s account information, including mine.

An identity thief’s friends are the vast legions of computers running Windows with Internet Explorer that people use to login to their online accounts (with re-used passwords such as “fluffy2009″). Identity thieves are also pretty chummy with payment processors such as Heartland, who recently lost over 100 million of credit card numbers.

Identity thieves’ best friends in the world are the credit card companies themselves, who have created a system rife with holes, and subsequently profit from their own systematic failures through scams such as “identity theft protection” services.

What chutzpah.

Sounds like a protection racket to me. “A protection racket is an extortion scheme whereby a powerful entity or individual coerces other less powerful entities or individuals to pay protection money which allegedly serves to purchase protection services against various external threats. Those who do not buy into the protection plan are often targeted by criminals…” (Wikipedia)

Equifax’s scare tactics include: “Don’t become a statistic. Every year, millions of people fall victim to identity theft.” Experian writes, “Specialized criminal gangs increasingly work outside of the United States to gain access to account information. They then perpetrate crimes online…” Discover advertises “Identity theft occurs every 79 seconds and affected 8.4 million people last year.”

Funny– at the same time, the Big Three lobbyists have been trying to convince Washington that “identity theft isn’t as big a threat as people think.” Represented by the Consumer Data Industry Association (CDIA), these very same companies lobbied intensely against laws “empowering consumers to freeze access to their credit histories to prevent identity theft.” (USA Today, 2007) Credit companies also routinely sell consumers’ financial and contact information, subjecting people to solicitations including bait-and-switch loan swindles or identity theft scams.

Credit bureaus have fought against widespread use of fraud alerts and similar techniques which require that they proactively verify consumer identities before, say, new accounts are opened in consumers’ names. Last year Experian sued identity theft protection firm, LifeLock, for activating fraud alerts on behalf of hundreds of thousands of clients. Experian “claimed that alerts should be entered only when people have already been victimized by identity theft or have legitimate reasons to believe that they are at imminent risk.” (Network World, 2008.) I’ve heard that “identity theft occurs every 79 seconds.” Does that count?

Having put himself through MIT on a credit card, Blake Brasher, author of “Infinity Day Weekend,” knows more than anyone I’ve ever met about how to wrangle with the credit industry. The roboticist-turned-painter writes, “I had an obnoxious encounter with Discover card a month ago. I called to negotiate a special APR and they tried to get me to sign up for their identity theft protection service. The guy wouldn’t take no for an answer, and very nearly tricked me into signing up.

“I finally said, ‘Actually, I want to close this account. You’ve convinced me that using this card is not safe and to protect myself from identity theft I want to close the account.’ So he transferred me to someone in the accounts department.

“The woman who answered… explained to me that actually, my Discover card account has built in, free fraud protection, and that if someone tried to commit a fraud with my account I would not be liable at all. They scare you into thinking you need this extra service, but if they scare you too much and you threaten to close your account to keep it safe they go ahead and let you know that you don’t actually need it.”

There are obvious steps that credit companies could take which really would reduce the risk of identity theft– such as taking further measures to verify identity, reducing sales of personal data, using PINs, etc. However, credit companies won’t support measures which reduce their own profits. “Identity theft could be made as obsolete a crime as cattle rustling or high-seas piracy,” reported MONEY Magazine several years ago. “…[It's] now possible to request a freeze on your credit report, stopping anyone from granting new credit without your approval. Why isn’t this brutally simple and effective solution more widespread? Simply put, it disrupts the free flow of credit information on which consumer lenders and data sellers depend.”

When credit companies play both sides of the game, there are reduced incentives for them to build secure systems. Rather, they have found a way to profit from crime. By fighting consumer protection measures and selling personal data, credit companies increase consumers’ risk of identity theft. As long as credit companies can scare enough people into paying them for “protection,” they can actually make money from the results of their own recklessness– thus passing the costs of identity theft on to consumers or merchants, and reducing or even eliminating financial incentives for genuine, systematic improvements.