Two-Factor to Multi-Factor: Why This PCI DSS 3.2 Naming Change Is a Big Deal

If you run a business that deals with credit cards, the Payment Card Industry Data Security Standard (PCI DSS) is the security standard you need to concern yourself with.

Like most other security standards, the PCI DSS is an evolving one, advocating new safeguards or moving away from newly discovered vulnerabilities (such as SSL/early TLS).

But as I was reading a blog post from the PCI Council’s official blog, titled ‘Preparing for PCI DSS 3.2: Summary of Changes’, they listed the naming convention change from ‘two-factor authentication’ to ‘multi-factor authentication’ as being, and I quote: “one of the biggest changes coming in PCI 3.2”.

Why is that?

 

The Difference Between Two-Factor Authentication and Multi-Factor Authentication

To understand why this is a big deal, we have to understand what two-factor authentication (2FA) and multi-factor authentication (MFA) are, and how they differ.

2FA is the addition of a second safeguard to your authentication process. For example, logging into your Gmail account typically only requires you to enter your password: one round of authentication, or 1FA. This is generally considered unsafe, because anyone who manages to get hold of your password has full access to your account.

If you set up 2FA, logging into your Gmail account requires you not only to provide your password, but also an additional form of authentication, typically keying in a special code sent to your cell phone. In short, if you have 2FA activated on your account, hackers need not only your password but also access to your cell phone.

MFA differs from 2FA in that ‘multi’ is not capped at two: it means you are using two or more factors in your authentication process.
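The practical difference between "two credentials" and "two factors" is whether the credentials come from different categories (something you know, have, or are). The following check enforces a configurable minimum number of distinct factor categories, defaulting to the floor of two; it is an added example, not code from the page or the PCI Council, and the credential-to-factor mapping is an assumed illustration:

```python
from enum import Enum

# Factor categories: the distinction that separates "two credentials" from "two factors".
class Factor(Enum):
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # phone receiving a code, hardware token
    INHERENCE = "something you are"     # fingerprint, face

# Hypothetical mapping of credential types to factor categories (assumed for this example).
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_code": Factor.POSSESSION,
    "totp_app": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}

def distinct_factors(credentials):
    """Return the set of factor categories covered by the presented credential types."""
    unknown = [c for c in credentials if c not in CREDENTIAL_FACTOR]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    return {CREDENTIAL_FACTOR[c] for c in credentials}

def meets_mfa_policy(credentials, minimum_factors=2):
    """True if the login presents at least `minimum_factors` *different* factor categories.

    Two credentials from the same category (password + PIN) count as one factor.
    The default of 2 is the floor the PCI DSS 3.2 wording describes; raising it is how
    an organisation aims above the minimum.
    """
    return len(distinct_factors(credentials)) >= minimum_factors

if __name__ == "__main__":
    print(meets_mfa_policy(["password", "sms_code"]))   # two factors: True
    print(meets_mfa_policy(["password", "pin"]))        # two credentials, one factor: False
```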

 

Why Is This Name Change A Big Deal?

At first glance, it doesn’t look like a big change for many — since MFA requires the use of two or more levels of authentication, many companies will still opt for the same bare minimum of two levels they have been using under past versions of the PCI DSS.

Even the official blog post, which lists the change as being “one of the biggest in PCI DSS 3.2,” doesn’t really go into detail as to why this is a big deal; if anything, this paragraph extract seemingly implies the opposite:

“Previously in the PCI DSS, we required any untrusted, remote access into cardholder data environment to use “two-factor authentication” which is the equivalent of multi-factor authentication.  Changing the naming convention simply provides consistency that it must be at least two credentials at a minimum.”

Surely, looking at the equivalence being drawn between 2FA and MFA, you would think the name change is no big deal. However, the reason this change actually means something lies in the use of the word ‘minimum’.

Using the term 2FA implies that companies should stop at two factors of authentication, when in reality they should be shooting for more.

 

Minimal? In Data Security?

The thing about security standards is that they focus on providing a benchmark for security, which usually sits right on the line of the minimum you need to avoid, or mitigate, the risk of getting hacked, because proposing the maximum level of security would be asking us all to work out of cardboard boxes in secure underground bunkers, using abacuses to count and paper cups connected by string to communicate.

The PCI DSS, and other security standards, make it easy for organizations to understand what they need to do to lay a solid foundation for data security. So if they say you should be authenticating two credentials at minimum, what they actually mean is: two is great, but getting more would be most excellent.

It’s a good bit of clarification for anyone aiming for more than just a certification of compliance, which should really be everyone.

Data Breach of Verizon a Grim Reminder To Us All: No One’s Bulletproof

To your everyday man on the street, Verizon Communications is an American broadband and telecommunications company. But to those of us in the IT security line, Verizon is also one of the frontliners in the fight against cybercrime, responsible for helping many Fortune 500 companies respond to massive data breaches.

But in a tragic turn of events, Brian Krebs reported last week that Verizon has suffered a data breach, resulting in the theft of 1.5 million records of their customers’ information.

Auditing the Auditors: Why Is The FTC Going After QSAs?

When it comes to PCI assessments there are three main parties involved: the business, the QSAs, and the PCI Council. The audited, the auditors, and the standard setters.

And while there has been a lot of focus on companies failing to protect sensitive data, and also media attention focused on the PCI standard and its effectiveness, the FTC is now going after the third member of the data security trinity, ordering nine QSAs to provide details on their PCI DSS auditing processes.

In their press release, the FTC stated that they are “seeking details about the assessment process employed by the companies, including the ways assessors and companies they assess interact; copies of a limited set of example PCI DSS assessments, and information on additional services provided by the companies, including forensic audits.”

It’s not surprising to see the FTC taking action on this front, given the importance of privacy and data security today. It’s no exaggeration to say that our right to privacy is one of the critical pillars of society.

 

Paying by card

Imagine a world where consumers would feel afraid to swipe their credit cards, or enter their passwords online. If businesses can’t protect our private data, all trust will be lost.

 

Who’s to Blame For a Breach?

As mentioned above, for a long time the spotlight has been on businesses and the PCI standard. Organisations are expected to look after our data — after all, they are the ones storing it. When a data breach goes down, all the blame is assigned to the company. Some companies have attempted to sue their QSAs in the past, but none have succeeded.

The PCI Council has also been questioned numerous times, with people asking what good the PCI standard is if companies are still getting hacked and losing data.

What they fail to understand is that the PCI DSS is just that — a standard. It’s something you are meant to aspire to attain, and sustain. There is a big difference between aiming to be compliant and aiming to be secure, and sadly the distinction is lost on a lot of companies.

Which brings us back to the issue on QSAs, and their role in helping companies comply with the PCI DSS. It is their duty to uphold the standard, and to ensure that the companies they audit are meeting the standard effectively. They are essentially the driving instructors ensuring that poor drivers do not get the license to drive our roads and compromise our safety.

In the interest of fairness, it is also key that they do not use the audit process as a reason to sell their own PCI software tools, or even withhold on signing off on a business that does not purchase their wares. Returning to the car analogy, it would be akin to a driving instructor refusing to pass a student that doesn’t buy the teacher’s brand of windscreen wipers.

Which isn’t to say that they aren’t allowed to sell their PCI software solutions to their clients, just that they aren’t allowed to make it a prerequisite to passing their compliance test. Also, the PCI DSS dictates that when making recommendations for PCI tools, the client has to be presented with a choice of at least three different software products to perform the required task.

 

Good For Consumers

Overall, this move by the FTC is an encouraging one, because it tells us that the FTC is truly interested in protecting the private information of consumers. To be clear, it does not mean that the QSAs are guilty of any form of misdemeanor — just that if there is one, the FTC wants to know.

Ransomware Attacks On The Rise: What Are You Doing To Protect Your Business?

“We do not negotiate with terrorists”. Except, most of us have, or would.

A relatively new breed of malware, dubbed “Ransomware”, is holding computer systems hostage and demanding payment for their safe release.  

What’s surprising is that these underhanded tactics often see a payout for cybercriminals — according to one study, about 50% of ransomware victims paid their extortionists, and another 40% of people said that they would pay the ransom too if it happened to them.

It’s estimated that at least $5 million is extorted from ransomware victims each year.

Cybersecurity experts are encouraging ransomware victims not to pay the extortionists for two reasons: firstly, there’s no guarantee you’ll get your data back, and secondly, because it only further encourages cybercriminals to continue running ransomware attacks.

This, of course, includes repeat attacks on your environment, which they now know is not only easy to get into, but also likely to cave to their demands.

It’s a non-issue as long as no ransomware makes its way onto your systems, but the odds of that actually happening are ever increasing.

As far as we know, there are currently more than 4 million samples of ransomware in existence, where there were only 1.5 million samples in 2013. Hackers can’t get enough of the stuff.

Hackers are also finding new ways to bring ransomware to a system near you. It has been reported that a disproportionately large number of websites that run on the WordPress CMS are being hacked to deliver ransomware to end users.

All you need to do to catch the bug is visit one of these booby-trapped websites with an out-of-date version of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer, and you may be looking at a ransom amount of $500 (or a few bitcoins) in exchange for your computer back.

 


 

Beating Ransomware

There are basically two different types of defense strategies against ransomware attacks — making sure you don’t get infected in the first place, and limiting the damage once an infection has happened.

User and staff education is a key data security practice. Making sure that you and your staff are well aware of possible online hazards like phishing emails or insecure websites goes a long way toward making sure ransomware never reaches your systems.

Patching your systems and making sure that all your applications are up-to-date is also textbook good practice. Ransomware can find its way into your systems through vulnerabilities, so make sure that your network has no holes for cyberattacks to slip through.

Additionally, running anti-spam software that can detect malicious links in emails will definitely go a long way to helping you ensure that no one in your business will be opening any “uh-oh” links.

 

Hit me. Whatever. I’m over it.

Perhaps you won’t be nearly that stoic, but the best way to beat ransomware is to take away their leverage. This means making sure that there is no data on your systems that would be of value to hackers.

This works for two reasons. One, hackers are a lot less likely to demand a high ransom for your network if they search your systems and find little or nothing of value. Two, should they still try to hold your network hostage, starting over will be a significantly cheaper endeavor than paying the ransom (which doesn’t guarantee you will get anything back).

There are two basic ways to go about this. The first method is simple: back up your data. Using removable storage is a cheap and simple solution for small businesses, and a surefire way to make sure that all your eggs are not in the same basket.

The second way is simply removing sensitive data from your systems. Many companies store large amounts of sensitive data, like credit card numbers, healthcare information and personal information, without any real business-justified reason to do so. Often, they are not even aware that they are storing all that data that hackers are after.

Keeping your systems clean is a form of risk mitigation. It ensures that even if you do get hit by ransomware, you will be in a good position to recover from the attack as quickly and painlessly as possible.
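Finding card numbers you did not know you were storing is the first step of the "second way" above. The following scanner, an added example that is not Ground Labs’ code, pulls candidate digit runs out of a file and keeps only those that pass the Luhn check used by payment card numbers, reporting them masked so the scan output itself does not become another copy of the data. The sample export is constructed for the example.

```python
import re

# Candidate card-number pattern: 13-19 digits, optionally separated by spaces or dashes.
# Deliberately broad; the Luhn check below filters out most false positives.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str):
    """Return (masked_pan, line_number) for each Luhn-valid card number found in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                # Keep first six and last four; never write the full PAN to the report.
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((masked, lineno))
    return hits

# Constructed sample: a spreadsheet export line, a gateway log line using a well-known
# test PAN, and an order reference that looks like a card number but fails Luhn.
SAMPLE_EXPORT = """\
customer,card,amount
Alice Example,4111 1111 1111 1111,19.99
2016-04-01 10:02:13 payment gateway ok pan=5555555555554444
order_ref=1234567890123456 status=shipped
"""

if __name__ == "__main__":
    for masked, lineno in find_pans(SAMPLE_EXPORT):
        print(f"line {lineno}: {masked}")
```

Run it against real exports, logs and backups to locate data that has no business reason to be there; the order reference on line 4 shows why the Luhn filter matters.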

Removing sensitive data from your systems is easier than you think, using Ground Labs’ line of data discovery software. Regardless of the number of systems on your network, Ground Labs has a solution tailored to help you find and lock down your sensitive data. Visit our website to find out more, and sign up for a free trial today!