Don’t Stand So Close To Me!

Here at Compliance3 we major on contact centres, and on compliance. Our founders set up some of Britain’s first contact centres, or ‘call centres’ as they were called back in the day. We now work closely with major contact centres to help them improve and manage their compliance with regulations such as PCI DSS and the new EU General Data Protection Regulation (GDPR) that will replace Britain’s Data Protection Act. We are also, as you may have noticed, passionate about data security, and we were recently warned about a disturbing new means of electronic pick-pocketing that exploits contactless or NFC (Near Field Communication) technology. I love technology – call me ‘Inspector Gadget’ – and I confess there’s something slightly cool and ‘James Bond’ about paying one’s bar bill with a swipe of an Apple Watch or iPhone – that is, assuming your bar bill is under thirty quid. But a policeman friend recently sent me this photo of an electronic pick-pocket, purportedly taken on a London bus. The theft is simple: the thief registers a ‘purchase’ on the NFC reader for a value under thirty pounds, then passes the reader over a trouser pocket that looks to hold a wallet, and if there’s a contactless card in that wallet – kerching! Portable NFC readers (and copiers) are available on a well known auction site for under fifty pounds. Note that a contactless ‘purchase’ still settles to a merchant account, so the thief needs one and the transaction leaves a trail, but the victim still has to spot it on a statement and dispute it. Given that sometimes it’s impossible to avoid standing close to people, particularly on public transport, men might want to consider putting their payment cards in an inside jacket pocket, or investing in a wallet that offers NFC or RFID...

Card Details going cheap

We’ve written here, over the past twelve months, about some pretty significant data breaches. Some, like last October’s Talk Talk data breach, triggered an almost instant wave of spam and social engineering telephone calls. Elsewhere, the ‘dark web’ has long been the place for criminals to trade stolen data. The Daily Mail – last November – reported that a fraudster who called himself ‘The Martian’ was selling data stolen from Talk Talk for as little as £1.62 a time. Now, worryingly, stolen data has gone ‘mainstream’. The Times reported, on Saturday February 13th, that card data is now available for purchase on an openly available, if still illegal, website. The Times reports claims that details of 100,000 Brits were available on the site priced from just £1.67 per record, and that the site has been updated regularly, with over 400,000 new records made available in the six weeks since the start of the year. The MP Keith Vaz, chairman of the home affairs select committee, described it as “deeply disturbing”, suggesting that the site could be funding terrorism and organised crime. He added that “The National Crime Agency must get this site closed.” and “I will be writing to the NCA to bring this to their attention.” One might hope that somebody at the NCA takes The Times. That said, at the time of writing the site in question was still freely accessible, and even if it is taken down, the stolen data will doubtless be made available elsewhere. Update – a full week later the site was still publicly accessible. Stephen Orfei – the General Manager of the PCI...

Gone Phishing

Brits targeted by 96,000 scams last year

The City of London Police, launching a new ‘Get Safe Online’ campaign (here), announced this week that the number of reported phishing scams has risen by over 20% (to 95,556) in the last 12 months. Those are reported scams, so the figure excludes potentially hundreds of thousands of Nigerian ‘inheritance’ scams, or the seven ‘Scan results’ I received last week from my non-existent network scanner. Over three quarters (77%) of reported incidents were targeted emails, often using stolen data and increasingly sophisticated ‘social engineering’ techniques; a further 12% were the telephone scams that we reported on last year. Text message, mobile phone and postal scams made up the remaining ten per cent or so. Unsurprisingly, the peak day last year for scams was October 21st, the day the Carphone Warehouse data breach was announced. According to research from ‘Get Safe Online’, the most popular phishing scams include pretending to be from BT, iTunes/Apple ID, HMRC, a lottery organiser, PayPal, a bank or Amazon, with BT, iTunes and tax refunds topping the list. Tony Neate, CEO of Get Safe Online, said “If you do have suspicions regarding an approach, it’s always better to be safe than sorry, so trust your instincts and double-check the person is who they say they are before handing over any information. This way, we can stay one step ahead and stop more people from falling prey to an online criminal.” Raj Samani, CTO for Intel Security, added “It’s extremely worrying that the number of phishing victims has risen by 21 per cent. Yet, sadly, it isn’t all too surprising. Cyber criminals are becoming increasingly...

Cybercrime is a threat

and British businesses can’t afford to ignore it

As I wrote here at the beginning of last December, 2015 will surely be seen as the year of the big data breach: high profile breaches at Ashley Madison, Carphone Warehouse, Talk Talk, Hilton Hotels and J D Wetherspoon made headlines, and rightly so, as the personal details of some thirteen million people were compromised in those few breaches. While some of those breaches were conducted by sophisticated ‘cyber pirates’, others were accomplished by disaffected teenagers. The breach at Morrisons, which compromised the personal details of some 100,000 Morrisons staff, was a deliberate act by an employee ‘with a grudge’. While the board of Talk Talk put the cost of remediating their attack at ‘no more than £35 million’, even the relatively small Morrisons breach cost around £2 million to resolve. Anthony Hilton, writing in the London Evening Standard (here), described cyber crime as a “threat that British businesses can’t afford to ignore”. Hilton cites a study by the Centre for Economic and Business Research (CEBR) which found that 60% of surveyed businesses were ‘confident that their security would keep an attacker at bay’ – brave words when you consider a PwC survey suggesting that ‘90% of large companies and 74% of small companies had experienced some kind of breach in the previous 12 months, and most had experienced more than one – the average was four’. The CEBR survey also suggests that 14% of companies have never had a board briefing on cyber security, and 32% have never prepared a formal risk assessment....

Devaluing Data

If they do hack you, make sure it’s not worth their while

2015 will doubtless be viewed by many as the year of the big data breach; through the year we’ve learned of massive data breaches that have compromised the data of hundreds of thousands of individuals. Most recently we’ve seen announcements of data breaches from the British pub chain ‘J D Wetherspoon’ and the hi-tech toy manufacturer ‘VTech’. The Wetherspoon hack, according to the email sent out by the company’s CEO – John Hutson – took place between 15th and 17th June against the company’s website, which has subsequently been replaced. While the personal data of some 650,000 customers may have been compromised – names, addresses, dates of birth and so on – only around 100 customers’ card details were compromised, those who had bought vouchers online. And Wetherspoon report that they stored only the final four digits of payment card numbers, so full card data could not have been compromised. Phew! So, no payment card data compromised, but potentially rich pickings for identity thieves, and I suspect that J D Wetherspoon will be getting a visit from the Information Commissioner’s Office. Similarly, the data breach at VTech’s ‘Learning Lodge’ app store compromised the personal details of five million customers: names, addresses, passwords, children’s birthdays and so on. As we’ve said here repeatedly through the year, if your company stores data, then it’s at risk of being stolen. Recent data breaches have been accomplished by teenagers, often using relatively unsophisticated hacking techniques. The important thing – other than doing your best to keep the hackers out...

Data breach hits Hilton Worldwide hotel chain

Point of Sale terminals may have compromised customers’ card details

Computer Weekly has today reported that Hilton Worldwide has identified malware on its Point of Sale (PoS) terminals that may have compromised customers’ card details. This isn’t unique to Hilton Hotels; similar compromises have recently been identified at the Mandarin Oriental Group, the Las Vegas Hard Rock Hotel & Casino, the Las Vegas Sands Casino and Trump Hotels. As a precautionary measure, the Hilton hotel group advised customers to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel between 18th November and 5th December 2014, or between 21st April and 27th July 2015. We at Compliance3 don’t often speak about Point of Sale (or ‘Customer Present’) fraud; according to the UK Cards Association, “Card Fraud losses in 2012 were down 75 per cent since the peak losses of £218.8 million in 2004, prior to the roll out of Chip & PIN in the UK.” But payment streams are inextricably linked – the criminals won’t be going away any time soon – and as ‘Chip & PIN’ is rolled out across the United States it is expected that ‘Customer Present’ fraud will follow the UK experience and fall significantly. However, as ‘Customer Present’ fraud falls, it is anticipated that ‘Customer Not Present’ fraud will increase – to an estimated $6.4bn in 2018 across the United States. And contact centres – payments by telephone – continue to be seen as a target for criminals. According to Detective Chief Inspector Derek Robertson of Strathclyde Police: “We know of organised crime groups...

The Future of Customer Data Security and Compliance – Seminar

London – 11th November 2015

Yesterday evening Compliance3 hosted their first seminar, ‘The Future of Customer Data Security & Compliance’, kindly hosted by Shepherd and Wedderburn in their prestigious offices overlooking St Paul’s Cathedral in London. Around eighty FinTech and data security professionals attended and enjoyed beer and pizza. Those present heard a fascinating mix of views and predictions from Ian Dowson of William Garrity Associates, Dr Nasir Hussain of Strategy Foresight Partners, David Nordell of New Global Markets, Iain Cameron – formerly of the Department of Trade and Industry – and John Greenwood, one of the founders of Compliance3. While the recent high profile data breach at Talk Talk was a hot topic of conversation, the presenters spoke at length about global data security challenges and the real threat of cyber warfare. The event was filmed, and the videos can be viewed here....

Talk Talk Data Breach – update

Now we know the size, scope and costs of the October data breach

Now that the dust has settled over October’s data breach at Talk Talk, we have ‘the facts’. Contrary to initial reports, it now transpires that the breach was not instigated by cyber-terrorists but by a bunch of disaffected teenagers. I’m not sure which prospect is more disconcerting. The facts as now reported are that the ‘significant and sustained’ breach compromised the details of nearly 157,000 customers, including 15,600 bank sort codes and account numbers. 28,000 credit card numbers were leaked, but these had been obscured and thus could not be used for payment transactions; they could, however, be used by fraudsters to add credibility when making calls to Talk Talk customers. Given that personal data was compromised, and that it’s not the first time that Talk Talk have been hacked, it’s likely that they will be penalised by the Information Commissioner’s Office. It’s now likely that 2015 will be seen as the year of the data breach; Theresa May, the Home Secretary, recently told Parliament of “90% of large organisations suffering an information security breach last year”. We help businesses to reduce their exposure by ensuring that payment card data never enters their data environment and, in simple terms, even if your company suffers a data breach, your customers’ payment card data can’t and won’t be compromised. Give us a call, let’s see how we can help...

Talk Talk hit by major data breach

Once again, a major data breach has hit the headlines; this time it’s Talk Talk. The company says that ‘there is a chance that… Credit card details and/or bank details’ of up to 4 million customers may have been compromised in a ‘significant and sustained cyber-attack’. I wrote here back in July that cyber terrorists were an emerging threat, and the cyber security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4’s Today programme that a Russian Islamist group had posted online to claim responsibility for the attacks. He said that hackers claiming to be a cyber-jihadi group had posted data that appeared to be TalkTalk customers’ private information – although he stressed that their claim was yet to be verified or investigated. As Daniel Dresner, a lecturer in information and cyber security and governance at Manchester University’s School of Computer Science, observed on BBC ‘Breakfast’ on October 23rd: “There’s four million customers, if they (the hackers) do four million one pound transactions, that’s not a bad haul.” Stephen Orfei, the General Manager of the PCI Security Standards Council, observed at the PCI Congress in Berlin in 2014 that payment card fraud is like a water filled balloon: you squeeze one place and it appears someplace else. And we all know that Chip & PIN has, since its introduction in 2004, greatly reduced ‘Customer Present’ fraud in the UK. As Stephen Orfei observed, the crime isn’t going away, and why steal a single credit card when you can potentially harvest four million? What does this mean to your business? While we acknowledge that the...

Compliance3 advises contact centres on ways to tackle fraud in 2015

Experts Compliance3 highlight the technologies and processes continuously overlooked by contact centres which ensure card payment security

By SLS Marketing – 22 Oct 15

London, 15th January 2015: Compliance3, a company that helps contact centres achieve and maintain PCI DSS compliance, has highlighted the technologies and processes contact centres should implement in 2015 to reduce the increasing risk of breaches, reputational damage and revenue loss.

Ensuring card data is not ‘captured’: allowing card data to enter the business environment when taking payments from trusting customers renders the merchant liable to extensive, expensive PCI DSS compliance obligations. Ideally, card data needn’t enter the business environment at all.

Legacy recordings: pause/resume technologies, which pause call recording at the point of payment, let the customer read card details to the advisor while preventing their storage; however, many of these technologies depend on the advisor pausing the recording and are notoriously unreliable, meaning that many merchants may be storing card data unnecessarily.

Implementing payment technologies such as DTMF or IVR: DTMF (Dual Tone Multi Frequency) uses the frequencies of the handset keypad tones to determine which numbers have been entered, so the customer can key the card number rather than read it out, and IVR (Interactive Voice Response) is a voice-response technology that achieves the same purpose. Both solutions remove the risk of the agent capturing card details.

Applying the full PCI DSS programme: version 3.0 became mandatory from January 2015 and enables a business to be fully compliant with all card scheme requirements.

Contact centres from small, niche operations to those representing major high street brands, despite a steep increase in “card not present” fraud, still need to embrace the...
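Both the ‘Devaluing Data’ post above, where Wetherspoon escaped a card data compromise because they stored only the last four digits, and the advice here about keeping card data out of the contact centre environment rely on the same control: never hold a full PAN where it does not need to be. As an added illustration, not Compliance3 code and not any product described on this page, the Python below finds card numbers in free text such as a call transcript, uses the Luhn check that every real PAN passes so that order references and phone numbers are left alone, and truncates what it finds to the last four digits. The transcript is constructed, and the card number in it is the well-known Visa test number, not a real account.

```python
"""Find, validate and truncate payment card numbers (PANs) in free text.

Added example for this page; it is not Compliance3 code. The transcript
below is constructed, and the card number in it is the well-known Visa
test number, not a real account.
"""
import re

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum, which every card scheme's PAN must pass."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit-only form of every Luhn-valid candidate in text."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, as the post says Wetherspoon did.

    PCI DSS truncation allows at most the first six and last four to be
    stored; keeping only the last four is the more conservative choice.
    """
    digits = re.sub(r"\D", "", pan)
    return digits[-4:]


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with asterisks plus its last four digits,
    leaving other long numbers (order references, phone numbers) untouched."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            return m.group()
        return "*" * (len(digits) - 4) + truncate_pan(digits)
    return _CANDIDATE.sub(_mask, text)


# Constructed sample: what an un-paused call recording transcript might hold.
TRANSCRIPT = (
    "Agent: can I take the long number across the front of the card?\n"
    "Caller: it's 4111 1111 1111 1111, expiry 12/19.\n"
    "Agent: thanks, and the order reference from the email?\n"
    "Caller: 1234567890123456, and my mobile is 07700 900123.\n"
)

if __name__ == "__main__":
    print(find_pans(TRANSCRIPT))        # ['4111111111111111']
    print(redact_pans(TRANSCRIPT))
```

Run as a script it prints the PANs found and the redacted transcript. The Luhn check is what keeps the 16-digit order reference intact, but it is a checksum, not proof that a number is a card, so a clean result means ‘nothing that looks like a card remained’, not ‘no card data was ever spoken’. That is why the safer control remains DTMF capture, where the digits never reach the recording in the first place.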