Thursday, December 25, 2008

Countering Credit Card Fraud With a Cool Head and Common Sense

In March 2008, Maine-based supermarket chain Hannaford Bros. admitted that credit and debit card numbers were stolen from its systems during the authorization transmissions. In what the Massachusetts Bankers Association (MBA) called a "large retail data security breach," over 4 million credit and debit card numbers may have been taken. By the beginning of April, nearly 2,000 instances of fraud had been reported as a result of the breach.

"We sincerely regret this intrusion into our systems," Hannaford Bros. President and CEO Ronald Hodge said at the time, "which we believe are among the strongest in the industry." In a "customer Q&A" document posted on its website, the company insisted that its security measures were "above and beyond" industry standards.

For its part, the MBA released a statement assuring New England consumers "that this was not a problem caused by banks."

The security went "above and beyond." The banks were not at fault. So who, then, is responsible for protecting the customers' credit card information? And what exactly were these standards that Hannaford Bros. went "above and beyond"?

You are responsible, period

It's simple: If your firm handles a customer's credit card transaction, you are responsible for protecting the information. The standards to which Hannaford CEO Hodge was referring are embodied in the Payment Card Industry Data Security Standard (PCI DSS).

For small and medium-size businesses (SMBs), compliance costs are proportionately higher than for Fortune 500 firms, and "regulatory burden" is a familiar (and unpopular) concept. However, as a comprehensive standard designed to help businesses proactively protect consumers, the PCI DSS is a good investment. With over $3 trillion in credit card purchases in 2007, there is a lot of protecting to do.

Like other payment processing companies, SecureNet Payment Systems and Sage Payment Solutions both have very "safe" sounding programs, Credit Card Vault and Sage Vault, respectively. The programs allow you to store credit card, electronic check and other sensitive data in a secure, reliable, PCI-compliant environment without having to store this data on your local servers. The technology can be seamlessly integrated into your current applications. But the real solution involves "low-tech," too.

First line of defense: awareness

In this web-wild, computerized world, it is easy to fall into the trap of thinking that all the thieves' tools are high-tech, as are the precautions and defenses. Not so, according to Ricardo Harvin, website development manager for the U.S. Chamber of Commerce. "Despite the real threat of theft by outsiders," he writes in Uschambermagazine.com, "in most cases when company information is stolen, it involved either someone working for the victimized company or a nonemployee who has access [to] that data."

Protecting your customers and their credit card data is a multifaceted endeavor. Depending on the nature of your business, it can include analysis of Web assets, database design and administration, network access control and more. It may seem a daunting task, but you will go a long way toward safeguarding your customers and your business by

  • cultivating a company environment of alertness and care;
  • having strict, enforced policies for card processing;
  • storing only the data you need, only for as long as you need it, and offsite if possible;
  • providing access to customer data only as required to transact business; and
  • maintaining both high- and low-tech security measures.
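The third and fourth points above (keep only the data you need, for only as long as you need it) can be made concrete in code. The following is an added example, not code from the article or from any vault product it mentions; it assumes a hypothetical offsite vault that returns an opaque `vault_token` for the full card number, and the sample card number and dates are constructed test values. After authorization the merchant keeps only the token, the last four digits, the expiry and a purge date; the security code (CVV) is used for the authorization and never written anywhere.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn checksum (input sanity check)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the last four digits, which is all a receipt or report needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class StoredCard:
    vault_token: str   # opaque reference issued by the (assumed) offsite vault
    last4: str         # enough to identify the card to the customer
    exp_month: int
    exp_year: int
    retain_until: date  # the record must be purged after this date


def minimize_card_record(pan: str, exp_month: int, exp_year: int, cvv: str,
                         vault_token: str, today: date,
                         retention_days: int = 90) -> StoredCard:
    """Build the record a merchant keeps locally once the card has been authorized.

    The full PAN has already gone to the vault (which, by assumption, returned
    vault_token). The CVV is accepted only so the caller cannot forget to drop it:
    sensitive authentication data is never retained after authorization.
    """
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    del cvv  # deliberately discarded; nothing below can reference it
    return StoredCard(
        vault_token=vault_token,
        last4=pan[-4:],
        exp_month=exp_month,
        exp_year=exp_year,
        retain_until=today + timedelta(days=retention_days),
    )


def purge_expired(records: List[StoredCard], today: date) -> List[StoredCard]:
    """Return only the records still inside their retention window."""
    return [r for r in records if r.retain_until >= today]


if __name__ == "__main__":
    # Constructed sample: the classic 4111... test number, a made-up token, a fixed date.
    rec = minimize_card_record("4111111111111111", 12, 2010, "123",
                               "tok_constructed_001", date(2008, 12, 25))
    print(mask_pan("4111111111111111"), rec)
    print(purge_expired([rec], date(2009, 6, 1)))  # [] once the 90 days have passed
```

The `del cvv` line is the point of the function: the only place the security code exists is the authorization call, and the stored record has no field that could hold it. The retention window is a policy decision; 90 days is an arbitrary placeholder, not a PCI DSS figure.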

It is a combination of technology and common sense that will help your business avoid fraudulent transactions. The role of merchant today is more complicated, certainly, but you are not alone in this challenge. Small-business associations and industry trade groups can be a great source of information about what is working for other businesses like yours. And there is one more underutilized tool: pressure tactics.

MasterCard is now publishing the interchange tables, the byzantine formulas and rate structures that set merchant processing costs. According to "A New Business Model for Card Payments," a study by Amy Dawson and Carl Hugener of Diamond Management & Technology Consultants, "Once transparency comes to credit card pricing models ... merchants will use the information to force an unbundling of interchange fee structures. The interchange structure as we know it will disappear."

SMBs can use their aggregate strength to force some overdue revisions of the pricing structure of credit card processing. Once a candid, open negotiation on these matters can commence, savings in this area can be redirected to creating ever safer systems, onsite and off, for the protection of your customers' credit card accounts.

This article was provided by Scott McQuarrie, who has devoted a lifetime to developing his world-class expertise in electronic security, video surveillance and the myriad technologies involved in both fields. His firm has its major web presence at Video Surveillance Systems, although he maintains several other security-related websites.

Scott has a comprehensive knowledge of the design and installation of large commercial video surveillance, alarm and card access systems, which made him a top professional at Honeywell. Among his numerous accomplishments, then and since, are the complete system design and project management for various universities, prisons, airports and corporations. Top clients have included Lockheed, L3, ATK and 3M.

In 1990 Scott founded his first security company, going on to build several security-related firms into regional and national powerhouses over the years. In 2000 he turned his focus to the Internet, which opened up a national and international market for his talents. Scott has other security-related websites, including Security-Guy.com, which you can visit for more information.

Tuesday, December 16, 2008

Working Proxies and Why Free Proxies Break

If you want to obscure your identity and IP address from a particular web site you visit, then you'll need to find some reliable working proxies. There are lots of reasons people use proxies; they are surprisingly useful servers and have all sorts of cool uses.

The main difficulty with free working proxies is that generally the administrators of these servers don't even know their server is being used as a proxy server. Often these boxes are just misconfigured internet-facing servers which have been left open by mistake. It doesn't take long for people to find them, and they start getting added to the endless lists of free anonymous proxies on the internet.

It doesn't usually take long before they are completely overwhelmed with surfers bouncing off these proxies, and browsing via them becomes a painfully slow process until they either fall over or an embarrassed systems admin realises his mistake. But never fear, there will always be a new batch of proxies along very soon.

Whatever your reason for using a proxy server, whether you want to bypass your work's or school's proxy to access restricted sites or you simply believe in privacy and freedom of speech, you should be extremely careful what you use these servers for. Many, many free anonymous proxies are set up for the purposes of identity theft and stealing data. When you use a proxy, all your web browsing goes through that single point first, and as most HTTP traffic is in clear text, identity thieves, hackers and all sorts of spyware are usually found on, or installed on, these servers.

Unless you know all about who runs a particular free proxy server, then never, ever use it to pass any sort of personal or private information. Personally I would never go near a free anonymous proxy partly because I know exactly the sort of people who target these servers to steal information.

If your goal is protecting your identity and privacy on the internet, then a free anonymous proxy is about the worst thing you could use. Sure, it will likely hide your IP address from the web server you are visiting (if it's configured correctly), but all your data is in the clear before that point, and your ISP has a complete list of every server you are visiting anyway (unless you use end-to-end encryption). That's before you include the distinct possibility of Mr Identity Thief sitting on that proxy server with a sniffer capturing every single piece of data both ways!
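The two claims above (a plain-HTTP proxy sees everything, and only end-to-end encryption changes that) can be checked by looking at exactly what a forwarding proxy receives. The example below is added here and is not code from the post; the two sample requests are constructed, and `shop.example` is a made-up host. It parses a request the way a proxy would and reports what the proxy operator can read: for plain HTTP the full URL, the cookies and the form body; for HTTPS relayed with `CONNECT`, only the host and port, because after the tunnel is opened the proxy relays TLS bytes it cannot decrypt. That residual hostname is also what your ISP sees, which is the post's point about the server list.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: a login form submitted over plain HTTP through a proxy.
# Proxies receive the absolute URL in the request line, so the site is visible too.
HTTP_LOGIN = (
    "POST http://shop.example/login HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)

# Constructed sample: the same site over HTTPS. The browser asks the proxy for a
# raw TCP tunnel; the HTTP request itself travels inside TLS and never reaches
# the proxy in readable form.
HTTPS_LOGIN = (
    "CONNECT shop.example:443 HTTP/1.1\r\n"
    "Host: shop.example:443\r\n"
    "\r\n"
)

# Headers whose presence alone is worth flagging: they carry session or login secrets.
SENSITIVE_HEADERS = ("cookie", "authorization")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def visible_to_proxy(raw: str) -> Dict[str, Optional[object]]:
    """Summarise what the proxy operator can read from one relayed request."""
    method, target, headers, body = parse_request(raw)
    if method == "CONNECT":
        # HTTPS: the proxy learns the endpoint it must connect to and nothing else.
        return {
            "scheme": "https",
            "endpoint": target,
            "path": None,
            "sensitive_headers": [],
            "body": None,
        }
    # Plain HTTP: request line, every header and the body are all readable.
    exposed: List[str] = [h for h in SENSITIVE_HEADERS if h in headers]
    return {
        "scheme": "http",
        "endpoint": headers.get("host"),
        "path": target,
        "sensitive_headers": exposed,
        "body": body,
    }


if __name__ == "__main__":
    for name, req in (("plain HTTP", HTTP_LOGIN), ("HTTPS via CONNECT", HTTPS_LOGIN)):
        print(name, "->", visible_to_proxy(req))
```

Running it shows the asymmetry directly: the HTTP summary contains the session cookie and the password field, while the HTTPS summary contains only `shop.example:443`. This is the "end-to-end encryption" caveat in the post expressed as code; it also shows why "the proxy hides my IP from the site" says nothing about what the proxy itself can read.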

Free anonymous proxies are extremely costly to run and, let's face it, you never get anything for free. If you want real privacy, real anonymity and to surf at super fast speeds, you are either going to have to seduce a systems admin at your local University or use a paid service.

The good news is that it doesn't cost too much if you pick a professional product.

If you want to read about some of my thoughts on using anonymous proxies and how you can surf without being spied on, try the link below. You can also download an exclusive demo version of the most secure way of surfing the internet currently available.

Secure Proxy Surfing