Nope - (crazy)
Give this a look (random googled checklist):
http://www.bbb.org/d...liant/checklists/

While many examples in the news are bricks and mortar, with cracked
point-of-sale systems as their current issue, almost all of them
have web stores as well. So let's use any online store as an example
for this thought exercise.

#1: If they do not charge your credit card before shipping, then they
MUST store it on disk. MUST! And if they partial ship, then they
must be allowed to do multiple transactions as well.

This means an automated system has to be able to read the database
entry that contains the card, decrypt it, and issue transactions.

So, anyone who managed to break into the system that either stores
the CCs, manages the process, or sniffs the wire can copy every CC
in the system. Also, since in-flight data does not need to be encrypted
(at least behind the corporate firewall), then EVERY system on
the network is a potential threat. Every zero day exploit could be
harvesting those CC numbers to forward along.

The checklist format allows a variety of "levels" of adherence, including
"working on it, please check on next review", which means CIOs can
cover their ass by assigning the task to an underling, and then
ignoring it for 6 months. There are people who are named on PCI docs
as the responsible individuals, but they have NO CLUE what the actual
responsibility is. But even when they do, they can point to an external
vendor and say: This is on the list of approved vendors and we have
it running here (but they didn't actually implement the functionality
that they needed) which lets them skate as well.

I've just scratched the bare surface. PCI is nothing more than a
method of allowing CC vendors to claim they care, and companies
to claim they are making an effort. It does NOTHING for actual
security, it just provides a method of passing the buck when the shit
hits the fan.
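
The flow the post describes, as an added example that is not code from the thread or from any store it mentions: an order is placed, the card is kept on disk, and an automated worker decrypts it and charges it once per shipment. Everything here is constructed for illustration (the cipher is a toy keyed XOR standing in for a real authenticated cipher, the PANs are the standard test numbers, and the classes and method names are the example's own). The post's point is the `pans_readable_with` call: whatever holds the capture worker's key and can reach the database recovers every card. The `TokenizedStore` variant is not something the post discusses; it is added as the comparison a defender would weigh, where the merchant keeps only a processor-issued token and no card number ever crosses its network.

```python
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from typing import Optional

# Toy reversible cipher, constructed for this example only (a real system would use an
# authenticated cipher such as AES-GCM). The property that matters for the post's argument
# is the same either way: whoever holds `key` turns every stored blob back into a card number.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class Order:
    order_id: str
    amount_cents: int
    captured_cents: int = 0
    card_blob: Optional[bytes] = None    # card-on-file design: encrypted PAN in the merchant DB
    payment_token: Optional[str] = None  # tokenized design: only a processor reference in the DB


class CardOnFileStore:
    """Charge-on-shipment with the PAN stored (encrypted) by the merchant. The capture
    worker must hold `key`, so key, ciphertexts and the process that uses them all sit
    inside the same network the post calls the threat surface."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.orders: dict[str, Order] = {}

    def place_order(self, order_id: str, pan: str, amount_cents: int) -> None:
        self.orders[order_id] = Order(order_id, amount_cents, card_blob=encrypt(self.key, pan.encode()))

    def capture(self, order_id: str, amount_cents: int) -> str:
        """Charge one shipment of an order; may run several times for partial shipments.
        Returns the masked PAN that went to the processor."""
        order = self.orders[order_id]
        if order.captured_cents + amount_cents > order.amount_cents:
            raise ValueError("capture exceeds the authorised amount")
        pan = decrypt(self.key, order.card_blob).decode()  # the worker needs the clear PAN here
        order.captured_cents += amount_cents
        return "*" * (len(pan) - 4) + pan[-4:]

    def pans_readable_with(self, key: bytes) -> list[str]:
        """Blast radius: every card that a process holding `key` plus database access can recover."""
        return [decrypt(key, o.card_blob).decode() for o in self.orders.values()]


class TokenizedStore:
    """Same business flow, but the PAN is handed once to the payment processor (simulated by
    `_processor_vault`, which would live outside the merchant) and the merchant keeps only a token."""

    def __init__(self) -> None:
        self.orders: dict[str, Order] = {}
        self._processor_vault: dict[str, str] = {}

    def place_order(self, order_id: str, pan: str, amount_cents: int) -> None:
        token = "tok_" + hashlib.sha256(os.urandom(16)).hexdigest()[:12]
        self._processor_vault[token] = pan
        self.orders[order_id] = Order(order_id, amount_cents, payment_token=token)

    def capture(self, order_id: str, amount_cents: int) -> str:
        """Charge one shipment by token; no card number crosses the merchant network."""
        order = self.orders[order_id]
        if order.captured_cents + amount_cents > order.amount_cents:
            raise ValueError("capture exceeds the authorised amount")
        order.captured_cents += amount_cents
        return order.payment_token

    def pan_fields_in_merchant_db(self) -> int:
        """How many rows in the merchant database hold card data (always 0 in this design)."""
        return sum(1 for o in self.orders.values() if o.card_blob is not None)


if __name__ == "__main__":
    # Constructed sample data: the PANs below are the standard test numbers, not real cards.
    key = os.urandom(32)
    cof = CardOnFileStore(key)
    cof.place_order("A1", "4111111111111111", 5000)
    cof.place_order("A2", "5555555555554444", 1200)
    print(cof.capture("A1", 2000), cof.capture("A1", 3000))  # two shipments, two charges
    print(len(cof.pans_readable_with(key)), "PANs recoverable by anything that holds the key")
    tok = TokenizedStore()
    tok.place_order("B1", "4111111111111111", 5000)
    print(tok.capture("B1", 5000), tok.pan_fields_in_merchant_db(), "card fields in merchant DB")
```

Running it shows the two designs side by side: the card-on-file store charges partial shipments fine but also hands back every stored PAN to anything holding the worker's key, while the tokenized store completes the same charges with zero card fields in the merchant database.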
Thanks. - (Another Scott)
Sorry for the delay. Our internet at home was down yesterday (apparently due to a not-tight-enough connection). I just fixed it...

Thanks for the reality-check.

As bad as it is, it seems worse if you believe the side comment on that page:

Only 10% of US small businesses have a formal Internet security policy.
Source: 2012 National Small Business Study, National Cyber Security Alliance, Symantec, & JZ Analytics.


:-/

It sounds like "chip and pin" cards aren't going to solve the issues you pointed out, either.

<sigh>

Cheers,
Scott.
There is NO security out there - (crazy)
It is merely a game of CYA.

So, here's what you need to do.

Have separate linked bank accounts.

You need a primary and a secondary checking, and another for savings. Each checking account has its own Visa/debit card. Put your paycheck in the primary and/or savings. Use the secondary for bill paying. The primary card can be used to access all accounts, the secondary can be used ONLY to access the secondary account.

Place money into the secondary account as needed to cover your bills and spending money. Use it for whatever. NEVER use the primary card except to control the money transfers at a MAC machine in your bank. If you are foolish enough to use online banking, and use a Windows box for that, all bets are off.

When your secondary account is nailed, get a new card for that, invalidating the previous card with minimal hassle. If you insist on setting up recurring payments, get an additional secondary account for those as well, but try to minimize the number of vendors you give it to since you will have to call them all and change it if that account gets nailed.
I throw PayPal's Bill Me Later service - (boxley)
in front of all of that as well. Anyplace that takes PayPal gets paid thru Bill Me Later; I see what is going on, and PayPal only gets close to my low-balance PayPal account.

Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep