Crowdsourcing Payment Security

In my inaugural post to this blog, I wrote about many of the religious wars that break out today regarding payment security and specifically PCI. In the post I mentioned the OWASP PCI project, which is a solid step in the right direction, but to be clear, payment security encompasses a lot more than just PCI. PCI does a decent job at setting an audit bar for merchants and service providers, but now I’d like to focus on the broader topic of card not present security.

Recently, I was lucky enough to participate and contribute to a new O’Reilly book, Beautiful Security. While I’d love to tell you my chapter out-shined them all, in reality Mark Curphey’s contribution on Tomorrow’s Security Cogs and Levers was brilliant. Since the publishing, I have been speaking to a lot of people on the topic of payment card security and what I felt were some of its fundamental flaws that needed to be addressed. In my view, the root cause of many of the security pains around online payments is the reliance on a shared secret that is ultimately shared with hundreds or even thousands of parties within the life of a card. If there is a security crack in the armor within even a single organization of these thousands of handlers, the card account may become breached. Within my chapter, I laid out seven fundamental requirements for a new payment security model. They are:

1. The consumer must be authenticated
2. The merchant must be authenticated
3. The transaction must be authorized
4. Authentication data should not be shared outside of authenticator and authenticatee
5. The process must not rely solely on shared secrets
6. Authentication should be portable
7. The confidentiality and integrity of data and transactions must be maintained

OK, so none of these are a revelation, you knew this already. Well that’s why I am posting this here. I have since converted my Beautiful Security contribution into a wiki found here. My original writing is a high level design and we now want to take this to the next step. I am certainly not foolish enough to believe there are no flaws within it, nor is it detailed enough yet to implement. This is where the security and payments folks come in. This a call to action to read through the wiki, update it, and begin to flash out the details that could turn this into an actionable payment security system that could be implemented. There’s a quick summary of the goals on the wiki home page to address where we are heading. But hey, this is a wiki, so those can change too! If you have some expertise in online payments or information security (I know you do, that’s why you’re here), please take the time to help out and contribute.

Note: This post originally published on CSO Online.

New Blog Up!

Apologies for the cross-post, but here’s a quick link to my inaugural blog post on CSO Online, discussing issues around payment security and how you can help! You can subscribe to the new blog via RSS here. This won’t completely replace this blog but rather supplement it. 🙂

Beautiful Writing

UPDATE: A decent round of commentary going on about this on the PCI Answers blog. I’ve added my two cents within the comments. You can read through the discussion here.

I have been lurking in a lot of the usual places lately listening and reading to all the commentary about payment security thanks to the Heartland Payment Systems incident. I’m not going to comment on the incident here, there’s already plenty of people offering up their opinions.

What do I want to mention about all this chatter? You are having the wrong debate! So many people in security are talking about what this means for PCI. Is PCI effective? Was their an issue with the assessment? To this I say “it doesn’t matter”. None of this is the root cause.

Jeremiah Grossman has a really good post on aligning incentives here. This is getting much closer to the real issues in payment security. Want to know more? Well this is where my shameless and disgusting self promotion comes in. 🙂

I have had the privilege of participating in writing a new book for O’Reilly, Beautiful Security. For those of you not familiar with the series, this is a follow-up to Beautiful Code and Beautiful Architecture. It’s a compilation where each author contributes a single chapter on a security topic, mine being securing ecommerce transactions. Below is the product description as found on Amazon:

“Product Description
In this thought-provoking anthology, today’s security experts describe bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. Beautiful Security features a collection of essays and insightful analyses by leaders such as Ben Edelman, Grant Geyer, John McManus, and a dozen others who have found unusual solutions for writing secure code, designing secure applications, addressing modern challenges such as wireless security and Internet vulnerabilities, and much more.

Among the book’s wide-ranging topics, you’ll learn how new and more aggressive security measures work — and where they will lead us. Topics include:

• Rewiring the expectations and assumptions of organizations regarding security
• Security as a design requirement
• Evolution and new projects in Web of Trust
• Legal sanctions to enforce security precautions
• An encryption/hash system for protecting user data
• The criminal economy for stolen information
• Detecting attacks through context

Go beyond the headlines, hype, and hearsay. With Beautiful Security, you’ll delve into the techniques, technology, ethics, and laws at the center of the biggest revolution in the history of network security. It’s a useful and far-reaching discussion you can’t afford to miss.”

Special thanks to Mark Curphey and John Viega for involving me in this project. Lots of other authors much smarter than I such as Anton Chuvakin, Mudge, and others. All author proceeds are being donated to charity (IETF), another fantastic reason to pickup a copy!

Let’s stop arguing about how to build a better band-aid. It’s time to start talking more about addressing the root cause issues, and spend less time on the religious churn and debate around specific compliance requirements.

The Security Evangelism Tour Continues

Fresh off the heels of speaking at the Security Trends event in Milwaukee, I will be participating in a keynote panel at the Technology Executives Club Risk Management event in Chicago.  

It was a pleasure meeting everyone in Milwaukee and wanted to thank my fellow speakers and moderator for putting on a good event. As I said before, these events tend to bring a wide array of backgrounds and I am always impressed by the “wisdom of the crowd”.  

The Risk Management event in Chicago will take place on November 15th. You can get more information on the event here and register here. If you find yourself in Chicago during this time, I’d love to meet you there and looking forward to some lively discussions and note comparison of the issues we’re facing.

UPDATE: The tour went through a bit of a shuffle this week. Due to some last minute commitments I was not able to make it to the Risk Management event this week, however; I have agreed to serve on a panel at the IT Security Best Practices event on January  24th. Hope to see you there. 

 

Recent Readings (and listenings)

I recently finished two books (OK one of them was audio), The Long Tail: Why the Future of Business is Selling More by Chris Anderson and Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michael Zalewski. While they are both very different, they were both good reads and very appropriate topics for this blog. I would recommend both to regular readers here.

Ever since I finished the long tail a couple of weeks ago, I had been meaning to post on it and what it means to information security. Well while I was busy with other things a couple of people went it did just that. Over the weekend Mark Curphey wrote a 2 part post which sums up the book and how it relates to our field at a high level. Part 1 is here and Part 2 is here. I encourage you to read his posts if you have an interest in the economics of information security.

Another area that came to mind while reading this book (sorry, listening to this book) was the ever present topic these days of compliance. Organizations today have a number of regulations and laws that they must comply with in a given industry or geographic region. Some of these requirements make economic sense for the business, others are their to control the negative externalities of security. After reading (argh! LISTENING) to The Long Tail, I spent some time wondering how could a set of tools, processes, etc. make compliance economically sound and a choice organizations would make regardless of outside requirements (laws, regulations, etc).

I would like to challenge readers of this post to come up with some new ideas that would make these requirements that traditionally go against the rules of risk management and make them more sound for YOUR organization. The key here is every organization is different. What may make economic sense within mine, makes little to no sense in yours. That’s what makes the “one size fits all” approach of several regulations difficult on most companies today.

Have an idea? Post it here in a comment or send me an email!