Today's news that 11 people were charged with allegedly stealing more than 40 million credit and debit card numbers from retailers puts the spotlight back on security. At our Collection Technology Summit last January, we talked much about preventive security and the operational protocols available. What more can be done? What are the new protocols available to the industry? What new authentication tools are out there? Let's share some ideas. We certainly don't need a TJ Maxx incident in our industry.
I took a brief 2-year break from First Data from 2004 - 2006 where I worked for a company called Solutionary based out of Omaha. They are a true MSSP and I firmly believe that one of the key things from a technology standpoint is to keep up on patches/updates when looking at customers' vulnerability assessments. That was the biggest gap and I know it could be one of the toughest things to do. I suggest regular external vulnerability tests done quarterly to a PCI standard will help most find their problems. It will give them insight into where their holes are so they can be addressed properly. By doing this it will also help agencies keep in compliance with their customers' requirements.
I find that the biggest problem to face with data security is the rules that regulate the people. No matter how fancy a firewall you may have, or what encryption schemes you use on your DB's backend, everything still can fall with the slip-up of one employee. The real threat is social engineering.
History keeps on repeating itself, but it doesn’t seem like we’re learning, at least not when it comes to data breaches.
The Bank of New York Mellon Corporation’s recent news reveals its security breach could be much more expansive than originally thought. Reuters reported it could affect about 12.5 million people, up from the original estimation of 4.5 million.
We are learning, but so are the would-be attackers and technology. Not to be the crazy scary guy, but as an example, the encryption that the world uses for web traffic (HTTPS, which is used by banks, merchants, insurance agencies, etc.) is developed off of computational complexity. Which means to break the encryption by brute-force methods, it takes a lot of time and math. But the problem is, as computers get faster the time to break those encryption schemes drops. It's just a big cat-and-mouse game, but the payback for the mouse is a heck of a lot higher than some cheese.
I agree, David. Security is really asking what is an acceptable level of risk. If I park my car and lock the doors I have an acceptable level of risk; others want an alarm and a steering wheel lock of some sort. For them that's an acceptable level of risk.
The online banking standards say SSL 128-bit encryption is secure enough for their acceptable level of risk. You have to ask yourself, what is my acceptable level of risk?
Because no system with humans involved is ever going to be perfect nor remove risk.
As an industry what is the acceptable level of risk?
I agree. As roughly quoted by some person whose name I forget: "The only computer I would deem safe is one that is locked in a bunker 100 feet below the earth with no internet connection, and even then I am not too sure about it."
My underlying point is people just need to be on top of their game. Something that might have been safe 2 months ago isn't safe anymore (I am reminded of the SSH key fiasco a month or two back where the PRNG that generates the key turned out to be predictable).
That's a good question though: as an industry, what is a good level of acceptable risk? Thankfully standards like PCI and whatnot exist.
In third-party collections, that standard needs to be set by the agency's client base -- and I know standards have been tightening for the last few years. The larger agencies have adopted a significant amount of security initiatives, particularly in regards to internal controls. Privacy standards in the debt-buying world, however, still need to be shored up. Although there is less debt buying today because of where the general economy and capital markets are ...
More interesting news today that addresses what one company is doing in the aftermath of a data breach.
The Los Angeles Times reports: "Countrywide Financial Corp. is offering two years of free credit monitoring to customers whose sensitive personal information, including Social Security numbers, allegedly was stolen from the home lender's computer files."
Will this appease consumers? I'm not sure. I can only say it wouldn't make me feel much better.
You're never really 100% protected, but it all depends on the level of ingenuity/skills of the people who are trying to steal your information. If it's an ex-NSA employee then good luck. However, in general people can employ some basic standards that will give them protection from most security risks.
- If deploying across the web, use SSL.
- If on a WAN or LAN, then encrypt your data in transit and at rest.
- Employ good password rules in your database -- force numerics, minimum lengths, force regular password changes (say every 30 days) and also log failed access attempts. If you detect failed attempts, lock out that account.
- Remove/block/disable staff accounts the second after they leave the company.
- Encrypt (like AES-128) your passwords.
However this can be useless, as David Justus pointed out, if your human interface is slack. No good protecting all that data if I can call up and fool a collector into giving me information that is not mine.
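As an added illustration of the password-rule and failed-attempt items in the list above (example code written for this page, not from any poster): the policy thresholds, the log line format and the sample log entries are all constructed assumptions.

```python
import re
from collections import defaultdict

# Policy thresholds are constructed for this example, not taken from the post.
MIN_LENGTH = 10
LOCKOUT_THRESHOLD = 3
LOG_LINE = re.compile(r"^\S+ \S+ (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=\S+$")

def password_violations(password: str) -> list[str]:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no numeric character")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    return problems

def replay_auth_log(lines):
    """Replay login events in order; lock an account at LOCKOUT_THRESHOLD consecutive
    failures. A success resets the counter; attempts on a locked account are refused."""
    failures = defaultdict(int)
    locked = set()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an authentication event (constructed log has other line types)
        user, event = m["user"], m["event"]
        if user in locked:
            continue  # refused: account already locked, so this attempt is not counted
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] >= LOCKOUT_THRESHOLD:
                locked.add(user)
        else:
            failures[user] = 0
    return {"locked": sorted(locked), "failures": dict(failures)}

# Constructed sample log: jsmith mistypes once and then succeeds; mlee's account
# takes three failures in a row and is locked, so the later LOGIN_OK is refused.
SAMPLE_LOG = [
    "2008-08-06 09:00:01 LOGIN_FAIL user=jsmith src=10.1.1.20",
    "2008-08-06 09:00:15 LOGIN_OK user=jsmith src=10.1.1.20",
    "2008-08-06 09:01:00 LOGIN_FAIL user=mlee src=10.1.1.77",
    "2008-08-06 09:01:02 LOGIN_FAIL user=mlee src=10.1.1.77",
    "2008-08-06 09:01:04 LOGIN_FAIL user=mlee src=10.1.1.77",
    "2008-08-06 09:01:10 LOGIN_OK user=mlee src=10.1.1.77",
    "2008-08-06 09:02:00 DB_BACKUP_COMPLETE",
]
```

Call `replay_auth_log(SAMPLE_LOG)` to see which accounts the replay locks and the per-account failure counts.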
ACA International is enhancing its Professional Practices Management System (PPMS) program by adding an 18th element focusing on physical and data security. The goal of the upgrade is "to enhance PPMS in such a way that it would serve as a cost-effective method of preparation for the SAS 70 audits."
Actually this is a very important subject... In some countries the bank supervisory bodies have already regulated this subject for all financial institutions and their outsourcing providers (e.g. collections agencies)... For example, in Colombia all banks and their outsourcers have to implement security controls based on the ISO 27001 standard... The standards exist; the question is most people don't implement them until the regulators oblige them to...