More credit card details stolen – Rosen Hotels have admitted that they’ve had active malware stealing credit cards inside their systems for 18 months. You’d think after all the other point-of-sale compromises in the last couple of years, retailers would have tried a bit harder to check if they were infected. Have you checked?
Blackmail up, zombies down – although I said that building botnets was the main driver for malware infections, it turns out that the explosive growth of ransomware like Cryptolocker means that extortion is now vying for the top slot. The main reason is that people are paying the ransoms – presumably because a) they don’t have good enough backups and b) it looks cheaper than losing a load of work. In general, though, policy in the real world has always been not to yield to extortion, for fear of encouraging it. Here’s what I wrote on ways to protect yourself against Cryptolocker.
The Dutch have ruled that you can’t use wearable tech to snoop on your staff; something that began with US companies handing out Fitbits in return for health cover. It’s all to do with consent – a topic that you know concerns me – and the impossibility of true consent in asymmetric relationships. As a precedent – and it’s the kind of ruling that ends up spreading into EU law – it suggests that other kinds of monitoring (like the earlier ECHR ruling that you can snoop on your staff) and the more general issues of consent under the GDPR will become really hot topics over the next couple of years.
In my standard talk on PCI-DSS (payment card security), one of the key points I make to my audience is “don’t lie”. PCI is self-certified; if you want to, you can certify in about 15 minutes by answering “yes” to all of the appropriate questions in the on-line form, whether you’ve done the underlying work or not. However, the penalties for fibbing are quite painful if you’re audited and found to have misrepresented your level of security. This goes beyond PCI – US payment platform Dwolla was recently fined $100k for being economical with the truth about its security; doubtless this penalty will be swiftly followed by civil suits with rather larger numbers attached. This is also a governance issue – how do you assure yourself that the people you employ – or contract with – are telling the truth when asked if they’ve done everything they could to secure your network?