Unfairness in Minnesota's Credit Card Security Legislation

Retailer Liability to Banks for Credit Card Data Breach


Minnesota's pioneering PCI legislation, HF 1758 (Plastic Card Security Act) requires payment card merchants to reimburse the costs of financial institutions when they replace compromised cards. A colleague of mine at the SANS Institute, Joshua Wright (wireless security instructor), sent me a question. Here's Joshua's question, and my reply:

[begin quote from Joshua]
[Concerning an essay published by SANS]: in the section "Altering the Ecosystem", you stated:

"H.F. 1758 bluntly states that a merchant may not retain certain card data, such as a card's security code and the full data from the card's magnetic stripe. It further provides that if a merchant does retain such credit card data, and that leads to a breach of a card's security, then the merchant must reimburse the financial institution that issued the card for the reasonable costs incurred to avoid damage."

My question is surrounding the wording "... and that leads to a breach of a card's security". Is it stated in H.F. 1758 that the storage of the data has to be a contributing factor that leads to the breach of the security of the system? I read this as stating that vulnerabilities in the organization's security are directly caused by the storage of this data, and that furthermore, it implies that the motive of the attacker compromising the resource was to retrieve this stored information.

IANAL, but I think this would give a defense attorney an easy-out for their customer, simply by showing that the attack was opportunistic, or that the attacker could not have known that the protected data was stored in the organization's network.

Consider the case of the Lowe's attack with Timmins and Botbyl.  They used a weak wireless configuration to access the Lowe's network, and eventually planted packet sniffers to collect CC information. This could be argued as being an opportunistic attack, and that Lowe's is not responsible for any bank charges since the storage of the credit card information did not directly lead to the breach in security.

I may be bending words here, but I'm hoping you can clarify your perspective. Note that I am not asking for legal advice, just your interpretation of the bill so I can communicate this to my students.
[end quote from Joshua]

[Ben's reply:]
Joshua:

Thanks for your good question. HF 1758 is poorly written, and my summary of it does not precisely reflect the ill-chosen words of the legislation.

Subdivision 2 of HF 1758 basically says a merchant is forbidden from retaining a credit card security code or credit card mag stripe data. Next, subdivision 3 says that if a merchant does retain the forbidden data, then, in essence, the merchant is in the class of what I'll call dis-favored merchants under the legislation. Further, subdivision 3 says that if a merchant in the dis-favored class suffers a breach of security that compromises personal info, then that merchant must reimburse the costs incurred by a bank to protect the information of its cardholders.

Notice that the legislation does not say the breach of security has to compromise the forbidden data (card security code or mag stripe data) in order to trigger the special obligation to reimburse banks. One might reasonably interpret the legislation as requiring the breach to affect the forbidden data, but the legislation does not explicitly so require.

Hence, the direct answer to your question is no, the storage of the forbidden data does not have to be a contributing factor to the breach in order for the bank to achieve extraordinary rights of reimbursement.

Here is why I think HF 1758 is poorly written. Suppose Wal-Mart has a single malfunctioning point of sale device in a store in Mexico that mistakenly stores the forbidden data from a single card. The implication is that, due to this single faux pas, Wal-Mart as an entire entity is a dis-favored merchant under HF 1758. Then, suppose Wal-Mart suffers a breach of security in a regional data center servicing the upper Mid-West (including Minnesota). The breach of security affects personal information of credit card holders. The result is that Wal-Mart (a member of the class of dis-favored merchants) must reimburse the costs of banks that cancel cards as a result of the breach -- even though reimbursement is not required under the contracts and standards negotiated among players in the credit card industry. And Wal-Mart's special requirement to reimburse arises because of a single, insignificant blunder in Mexico that has nothing to do with the breach of security in the Mid-West data center. Thus the punishment to Wal-Mart seems to be disconnected from and out of proportion to the mistake (storing forbidden data from a single card in Mexico).

--Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, a step beyond the shopworn thinking about electronic data records.

Update: HF 1758 was an over-reaction to the TJX break-in. See more of my analysis of that over-reaction.
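The exchange above turns on whether a merchant has retained the forbidden elements at all: the card security code and the full magnetic-stripe track data. A merchant that wants to know whether it sits in the "dis-favored" class can check its own stored records for those elements. The following is an added example, not part of the original post and not the author's code: a small scanner that looks for Track 1 and Track 2 stripe layouts and labelled security-code fields in log or database text. The log lines are constructed, the card numbers are industry test numbers (not real cards), and the field labels it looks for (cvv2, cvc2, cid, cav2) are assumptions about how such a field might be named.

```python
import re

# Added example: scan stored records for data that the Plastic Card Security
# Act and PCI DSS forbid a merchant to retain after authorization, i.e. full
# magnetic-stripe track data and the card security code. The track layouts
# are the standard Track 1 (%B...^NAME^...?) and Track 2 (;PAN=...?) formats.

TRACK1 = re.compile(r"%B(?P<pan>\d{13,19})\^[^^]{2,26}\^(?P<exp>\d{4})\d*\?")
TRACK2 = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\?")
# A 3-4 digit value stored under a security-code label is a violation on its own.
# The label names are assumptions about how such a field might be written.
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*(?P<code>\d{3,4})\b", re.I)


def luhn_ok(pan: str) -> bool:
    """Luhn check, to keep random digit runs from being reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report findings with first 6 / last 4 only, so the report itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_prohibited(record: str):
    """Return a list of (kind, masked_value) for each prohibited element found."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(record):
            if luhn_ok(m.group("pan")):
                findings.append((kind, mask(m.group("pan"))))
    for m in CVV.finditer(record):
        code = m.group("code")
        findings.append(("security_code", code[0] + "*" * (len(code) - 1)))
    return findings


def scan(lines):
    """Map 1-based line number -> findings, for lines that contain any."""
    report = {}
    for i, line in enumerate(lines, 1):
        hits = find_prohibited(line)
        if hits:
            report[i] = hits
    return report


# Constructed sample records: line 1 is what a compliant log should look like
# (PAN already masked, no security code); lines 2-4 each retain forbidden data.
SAMPLE_RECORDS = [
    "2007-06-01 12:00:01 POS-17 auth ok pan=411111******1111 exp=0910",
    "2007-06-01 12:00:02 POS-17 raw=;4111111111111111=09101011000012300000?",
    "2007-06-01 12:00:03 POS-18 raw=%B5555555555554444^DOE/JOHN^09101011000000000000?",
    "2007-06-01 12:00:04 POS-19 auth ok pan=5105********5100 cvv2=123",
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_RECORDS).items():
        print(lineno, hits)
```

Run against the constructed records, the scan flags lines 2, 3 and 4 and leaves line 1 alone. In practice the same patterns would be run over POS debug logs, crash dumps and database exports, since a malfunctioning device of the kind described above is exactly the sort of thing that writes raw track data into a log nobody reads.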

Subterfuge as a Data Security Tactic

Cyber-Espionage


I published an article under the SANS Institute examining the role that deception can play in information security. In the article I discuss the application of deception and trickery by IT security professionals. But just as human professionals can employ deception, so can robot or automated security systems.

The use of subterfuge as a security tactic raises ethical issues. I suspect that if properly controlled, the tactic is ethical in many circumstances.

Updates: 1. DarkMarket, a famous shopping mecca for identity thieves and cybercriminals, is now said to have been a sting operation run by the FBI.

2. As corporate computer networks become a larger target for cyber-industrial espionage, crafty businesses can gain an upper hand by feeding the crooks false trade secrets and product plans. Imagine the impact of bogus "intelligence" in the hands of a gullible competitor. The time and effort the competitor wastes could be devastating.

--Benjamin Wright

Mr. Wright is an advisor to Messaging Architects.
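One concrete form of the automated deception described above is the "canary" document: a bogus roadmap or price list that carries a unique, unforgeable link, so that when the document is opened by whoever stole it, the request for that link reveals the theft and the thief's network location. The following is an added example, not from the original post and not the author's code. The host name, the secret key, the decoy names and the web-server log lines are all constructed for the illustration; only the log format (Common Log Format) is real.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Added example: canary links embedded in decoy documents. The link path
# carries an HMAC of the decoy's name, so a request can only match a decoy
# if the requester actually had the document (a guessed or forged path fails
# the HMAC check and is ignored rather than raising a false alarm).

CANARY_KEY = b"assumed-canary-key"   # assumed secret; per deployment in practice
CANARY_HOST = "docs.example.com"     # assumed host under your control

# Decoys that have been planted, keyed by the id baked into their canary link.
DECOYS = {
    "roadmap-2008": "fake product roadmap left on the engineering file share",
    "pricing-model": "bogus pricing spreadsheet sent to a suspected leaker",
}


def canary_token(decoy_id: str) -> str:
    return hmac.new(CANARY_KEY, decoy_id.encode(), hashlib.sha256).hexdigest()[:20]


def canary_url(decoy_id: str) -> str:
    """URL to embed in the decoy (e.g. as a linked image or a footnote link)."""
    return f"https://{CANARY_HOST}/assets/{decoy_id}-{canary_token(decoy_id)}.png"


LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
PATH_RX = re.compile(r"^/assets/(?P<id>[a-z0-9-]+)-(?P<tok>[0-9a-f]{20})\.png$")


def match_canary(log_line: str):
    """Return a hit dict if the log line is a request for a genuine canary link."""
    m = LOG_RX.match(log_line)
    if not m:
        return None
    p = PATH_RX.match(m.group("path"))
    if not p or p.group("id") not in DECOYS:
        return None
    if not hmac.compare_digest(p.group("tok"), canary_token(p.group("id"))):
        return None  # right shape, wrong token: forged or mistyped, not a hit
    return {"ip": m.group("ip"), "when": m.group("ts"),
            "decoy": p.group("id"), "note": DECOYS[p.group("id")]}


def triage(log_lines):
    return [h for h in map(match_canary, log_lines) if h]


# Constructed web-server log: ordinary traffic, one real canary fetch from an
# outside address, and one forged attempt at the same path with a bad token.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2007:09:14:02 +0000] "GET /index.html HTTP/1.1" 200',
    f'198.51.100.23 - - [12/Sep/2007:09:15:44 +0000] '
    f'"GET {urlparse(canary_url("roadmap-2008")).path} HTTP/1.1" 200',
    '198.51.100.23 - - [12/Sep/2007:09:16:01 +0000] '
    '"GET /assets/roadmap-2008-0000000000000000dead.png HTTP/1.1" 404',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The triage of the constructed log yields exactly one hit, for the real canary fetch, and attributes it to the decoy that was planted on the file share. Which decoy fired tells you which channel leaked; where the request came from is the "upper hand" the post is talking about.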

Dispel Criminal Intent with Open Communication

White Hat Hacking


Responsible security professionals, pursuing legitimate goals, sometimes worry their actions will violate computer crime laws. Take for instance the Computer Fraud and Abuse Act. It is worded so broadly it could roughly be interpreted to punish unauthorized access to a computer which causes the computer owner a problem.

A recent study explores the potential that white hat security professionals could be prosecuted for probing a web resource without permission of the owner – such as running a vulnerability scanner like Nikto or otherwise testing a Web 2.0 application for security weaknesses. See the Inaugural Report of the CSI Working Group on Web Security Research Law, June 11, 2007.

Good Reason to Probe?

Sometimes reputable professionals have good reason to conduct these kinds of probes. They might be surveilling a phishing site that is stealing passwords from their client’s customers. Or they might be performing a public service to Internet users – in keeping with the time-honored practice by security researchers of testing popular desktop software for weaknesses.

Above-board security professionals can take a number of steps to minimize the risk of breaking the law. In order to commit a crime, a person must have intent to do something wrong. A powerful way to dispel “wrongful intent” is to openly communicate what you are doing and what the justification for it is.

One example: If you are aggressively probing a phishing site, then send or leave a message identifying yourself, saying you have reasons to believe the site is phishing and explaining you are running vulnerability tests, and so on.

Announce Yourself in Advance?

Another example: If you are researching a popular Web 2.0 application for the purpose of informing and protecting the public, then do it in the open. Send a message to the site owner identifying yourself, describing the scope and limits of your research, and explaining that you act in the public interest, consistent with the established practice of independent testing of software applications. Give the site owner time to respond. And then blog about what you do and let the public see.

These suggestions stem from the general notion that transparency and open communication are the best means to prevent a good person from being mistaken for a crook.

I grant you, these suggestions are not without controversy. There is more to this topic than I have space for here. And you should not take anything I say in a blog as legal advice or a substitute for counsel from an attorney. We discuss these and related issues in the series of SANS courses I teach on IT security law.


--Benjamin Wright

Mr. Wright teaches the law of cyber investigations at the SANS Institute.

Paying for loss of payment card data

This video describes the emerging conflict between merchants and banks over who should pay the cost of replacing credit cards after card data are stolen.

Recorded Behavior as Data Authentication

Taming Credit/Payment Card Fraud and Identity Theft

or

Why Not Text Me to Confirm Each of My Credit Card Transactions?


Back in the 90s, when e-commerce was in its infancy, one vision held that commerce would come to depend on everyone acquiring certificates and private keys under public key infrastructure (PKI). Under this vision, each actor in commerce would be identified by her unique private key. But she would have to protect her private key as though her life depended on it. If a criminal were to shanghai her private key, he could impersonate her (steal her identity).

The PKI school eventually fell out of favor. One reason is that it assumed ordinary people and corporations could prevent crooks from stealing the private keys.

Today we see that the stealing of data like private keys is not so uncommon.

Peter Huber offers an alternative vision in “Secure I.D.s and the Net,” Forbes, August 13, 2007, p. 64. Recognizing that criminals routinely swipe credit card and social security numbers, he argues that efforts to keep such data elements secret do little to authenticate legitimate users. Instead, what really confirms a person's identity is her recorded pattern of behavior over time.

As multiple, independent databases record the details of our day-to-day march through life, they create a unique profile for each of us. They record that you went through a toll booth here (at 7:15pm), you purchased a hamburger there (at 7:39pm), you scanned a thumbprint some other place and on and on. When it comes time to confirm you are you, a gatekeeper will pull details from these disparate databases and compare them against the person claiming to be you. For instance, when your credit card company wants to confirm it is really speaking to you on the phone (or responding to a cell-phone text message seeking confirmation of a transaction), it will ask you to reveal that you know where you purchased the hamburger the night before.

Here is an article I posted on the law of card data security.

--Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, thought leader in data records management.
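The question in the title, why not text me to confirm each transaction, has a straightforward mechanical answer on the issuer's side. The following is an added example, not from the original post and not any issuer's code. It binds the confirmation code to the particular transaction (amount, merchant, card) by computing it as an HMAC over those details, gives it a short lifetime, and compares the reply in constant time. The key, the field names, the message wording and the sample transaction are assumptions for the illustration. Note that the confirmation does not depend on keeping the card number secret, which is the post's point, but it does depend on the phone being in the cardholder's hands.

```python
import hashlib
import hmac
import secrets

# Added example: out-of-band confirmation of one card transaction by text.
# The code is derived from the transaction's own fields, so a reply can only
# confirm *that* transaction: the same code would not validate a different
# amount or merchant even within the time window.

ISSUER_KEY = secrets.token_bytes(32)  # assumed per-issuer key, generated fresh here
CODE_TTL = 300                        # seconds a code stays valid (assumed)

FIELDS = ("txn_id", "pan_last4", "merchant", "amount_cents", "currency")


def _canonical(txn: dict) -> bytes:
    # Fixed field order so the same transaction always yields the same bytes
    return "|".join(str(txn[k]) for k in FIELDS).encode()


def issue_code(txn: dict, issued_at: int, key: bytes = ISSUER_KEY):
    """Return (code, sms_text). issued_at is stored with the pending transaction."""
    mac = hmac.new(key, _canonical(txn) + b"|" + str(issued_at).encode(),
                   hashlib.sha256).digest()
    code = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
    sms = (f"Confirm {txn['amount_cents'] / 100:.2f} {txn['currency']} at "
           f"{txn['merchant']} on card ending {txn['pan_last4']}? "
           f"Reply YES {code}. Not you? Reply NO.")
    return code, sms


def verify_reply(txn: dict, issued_at: int, reply: str, now: int,
                 key: bytes = ISSUER_KEY) -> bool:
    """True only for 'YES <code>' with the right code, inside the time window."""
    if now - issued_at > CODE_TTL:
        return False
    parts = reply.strip().upper().split()
    if len(parts) != 2 or parts[0] != "YES":
        return False
    expected, _ = issue_code(txn, issued_at, key)
    return hmac.compare_digest(parts[1], expected)


# Constructed sample transaction (test card ending, fictional merchant).
SAMPLE_TXN = {"txn_id": "T1001", "pan_last4": "1111", "merchant": "Burger Barn",
              "amount_cents": 1299, "currency": "USD"}

if __name__ == "__main__":
    code, sms = issue_code(SAMPLE_TXN, issued_at=1_000_000)
    print(sms)
    print(verify_reply(SAMPLE_TXN, 1_000_000, f"yes {code}", now=1_000_100))
```

Recomputing the code from the transaction at verification time means the issuer stores nothing secret per pending transaction beyond the issue timestamp; the trade-off is that any change to the stored transaction fields after the text went out invalidates the code, which is the behaviour you want.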

Leveraging Law Enforcement Expertise

Information technology empowers law enforcement to investigate and interpret crime more efficiently. Take the example of Graffiti Tracker, which I highlighted at the Federation of Tax Administrators' recent tech conference. Street artists commit a crime when they deface public or private property with graffiti. But it is a crime that is hard to fight because to bust an artist police normally have to catch him in the act.

Enter Tim Kephart. He studied street graffiti and became an expert on it. He recognized that each artist has a unique style and often a signature or handle.

It would be too expensive for a municipality to have Kephart circulate physically around the city investigating graffiti crime. So he invented a way to perform his expert analysis of graffiti sites, without visiting each one individually. His Graffiti Tracker service equips municipal employees (such as police officers and sanitation workers) with digital cameras sporting GPS recorders. When a city worker spots fresh graffiti, she sends a snapshot of it to a database maintained by Kephart. Each photo is tagged with date and GPS coordinates.

Kephart then analyzes the photos according to their style, location, date and so on. He profiles the most prolific offenders, and the area of their probable residence, by virtue of their recorded behavior. This intelligence tips the police on whom to be looking for, when and where.

[Update: When I originally wrote this post in 2007 Graffiti Tracker used GPS-enabled digital cameras. Now, 2011, the Los Angeles police are using a similar method to fight graffiti. But rather than cameras, they rely on smart phones, which make more economic sense. Smart phones can perform many services that cameras cannot perform. So the cost of equipping city workers with smart phones can be justified by many purposes beyond just fighting graffiti.]

Graffiti Tracker is a specific instance of a larger idea. If law enforcement can gather good digital clues into a database, it can economically hire an expert investigator to sift and interpret them.

I dreamed up an example of this idea for the tax conference, although I stressed this was just an abstract example and not a suggestion for implementation. A state tax authority could use the Web to gather information about meetings, conventions and events, large and small, to be held within its borders. The Web is bursting with this information, and the detail swells larger every day. When these meetings attract out-of-state workers, the state could require the workers to pay income tax on the wages and salary they earned while in the state.

In order to make intelligent use of the “clues” available on the Web, the state could hire and train “experts” from a low-wage locale such as India or Bangladesh. These experts (analogs to Tim Kephart) could economically divine which out-of-state workers and employers should receive tax notices and audits.

Please don’t misunderstand. I’m not recommending a state do this! All I am doing is illustrating how technology can allow the talents of a law enforcement expert to be employed more economically.

P.S. If a business doesn't want tax authorities to gather intelligence from its web site, it might post terms of service that forbid such snooping. The terms would be like a form of end user license agreement (EULA) or no trespassing sign that advance the legal rights of the web site owner. This idea is not legal advice, but it is something to think about.

White Hats and Computer Crime Law

An issue of growing importance to the IT security community is that computer crime laws are written so broadly they arguably prohibit legitimate security activities. A law like the federal Computer Fraud and Abuse Act can roughly be interpreted to punish unauthorized access to a computer which causes the computer owner a problem. But sometimes responsible security professionals have good reason to do just that on the Internet.

Example: Security professionals researching applications for weaknesses produce valuable results for the computing community. They find vulnerabilities that application developers have overlooked. But historically these good researchers have performed their testing with examples of the applications loaded on their own computers. Now, under Web 2.0, applications reside on servers available on the Internet. So if an independent researcher tests the security of a Web 2.0 application via the Internet, some have argued she is accessing a computer (i.e., the server) without authority and therefore committing a crime.

I, however, believe criminal law is enlightened enough to distinguish between white hat hacking and black hat hacking. Criminal law has long recognized that someone suspected of a crime can raise defenses such as necessity and self-defense. And in practice the legal system generally declines to prosecute people who arguably cross a boundary, but with valid reason. See the CSI Working Group on Web Security Research Law, Inaugural Report, June 11, 2007. It suggests a Web 2.0 researcher can avoid prosecution if, among other things, she does not cover her tracks (such as with anti-forensics tools) or attempt to blackmail the developer of the application she researches.

--

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update: See what Facebook says on the subject of security research.

Electronic Business Records as Legal Evidence

What Happens in Litigation after e-Discovery

E-mail Record Admissibility


American courts have long accepted computer records as evidence, but under some conditions. Typical computer records are “hearsay,” which are not admissible as evidence into the courtroom. However, an exception to the hearsay rule is that business computer records, shown to be reliable, are admissible. In theory, that sounds good for institutions that keep database records of customers typing things or clicking on this or that.

But practice is another story. Showing that computer records are “reliable” grows ever more difficult as the years pass between the beginning of an electronic transaction and the date of trial. It is no easy task for an IT department to maintain thorough documentation about the configuration and reliability of its infrastructure or documentation on the exact appearance of web pages as of any given date. What is even more difficult is for the IT department to produce a credible witness to attest to all of this in a trial.

American Express learned this lesson recently. American Express was a creditor in a bankruptcy. To document a $40,000+ credit card debt, the company produced computer records, together with a witness to testify about the computer system from which the records came. But the court was dissatisfied with the witness and concluded the company had failed to establish the reliability of its computer records. Hence a big institution, which has a reputation for being well-managed, could not collect a debt. American Express Travel Related Services Co. v. Vee Vinhnee, 336 B.R. 437 (B.A.P. 9th Cir. Dec. 16, 2005).

The practical upshot of this case is not that business computer records are inadequate legal evidence. Rather, it is that when a company relies on computer records, the IT staff really has to be on the ball and capable of producing persuasive testimony when it is needed. Training in computer forensics could help.

As institutions initiate e-commerce contracts that will endure for years -- or as they rely on e-records to enable audit or investigation for misdeeds like misallocation of funds -- they must evaluate how they will preserve and vouch for their key records. An institution and its stakeholders (investors, regulators, auditors, partners, customers) cannot assume that the IT staff it has today will be around tomorrow to testify persuasively about the institution's records of a mouse-click or button-push that becomes the subject of a lawsuit.

P.S. Here's a technique to help a professional preserve electronic evidence of particular information, such as e-mail or text messages (or IM). The professional can authenticate a snapshot of the information with a voice signature.
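Part of vouching for a record years later is being able to show it has not been altered since it was written. The following is an added example, not from the original post and not the author's technique: a hash-chained record log in which each entry commits to the one before it, and the latest hash (the "head") is periodically copied somewhere outside the system, such as a signed monthly report or a third party. Edits to any stored entry, and deletions from the end of the log, then become detectable at verification time. The records, field names and values are constructed for the illustration. Integrity evidence of this kind supports, but does not replace, the witness testimony about the system that the court in Vinhnee wanted.

```python
import hashlib
import json

# Added example: tamper-evident record chain. verify() walks the chain from a
# fixed genesis value, recomputing every entry's hash; an optional witnessed
# head hash (recorded outside the system at the time) catches truncation.

GENESIS = "0" * 64


def _entry_hash(seq: int, prev: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{seq}\n{prev}\n{body}".encode()).hexdigest()


def append(chain: list, record: dict) -> str:
    """Append a record to the chain; returns the new head hash."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": seq, "prev": prev, "record": record,
                  "hash": _entry_hash(seq, prev, record)})
    return chain[-1]["hash"]


def verify(chain: list, witnessed_head: str = None):
    """Return (ok, index). index is the first bad entry, or len(chain) when the
    chain is intact but ends before the witnessed head (entries removed)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if (e["seq"] != i or e["prev"] != prev
                or e["hash"] != _entry_hash(i, prev, e["record"])):
            return False, i
        prev = e["hash"]
    if witnessed_head is not None and prev != witnessed_head:
        return False, len(chain)
    return True, None


def demo():
    """Build a chain of constructed customer-interaction records; return (chain, head)."""
    chain = []
    head = GENESIS
    for rec in [
        {"ts": "2005-03-01T10:02:11Z", "cust": "C-4471", "event": "accept_terms",
         "terms_version": "2005-02"},
        {"ts": "2005-03-01T10:02:40Z", "cust": "C-4471", "event": "purchase",
         "amount": "40250.00"},
        {"ts": "2005-03-02T08:15:03Z", "cust": "C-4471", "event": "statement_sent"},
    ]:
        head = append(chain, rec)
    return chain, head


if __name__ == "__main__":
    chain, head = demo()
    print("intact:", verify(chain, head))
    chain[1]["record"]["amount"] = "4025.00"   # someone "corrects" the amount later
    print("after edit:", verify(chain, head))  # -> (False, 1)
```

Changing the purchase amount in entry 1 makes verification fail at index 1; dropping the last entry leaves a self-consistent chain that fails only against the witnessed head, which is why the head has to leave the system to be useful.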

PCI Law: Should retailers pay when they lose card data?

Is PCI-DSS (Payment Card Industry Data Security Standard) a Sufficient Standard of Care to Support Retailer Liability to Banks?

Credit Card Number Security Incident Response



The mechanics and theory of credit cards are so jerry-built that it is legally unfair to make merchants pay damages to anyone when credit card data leaks to criminals. The credit card system was not designed with the idea that merchants would need Fort Knox-style security to protect electronic information. It was only after the system became wildly popular that financial institutions (acting through the PCI) articulated heavy data security burdens for merchants.

It remains an open question whether the johnny-come-lately PCI rules are effective at protecting the credit card system. Even after a merchant spends lots of money becoming "PCI compliant," hackers can still break into the merchant and steal the little units of data (name, account number, expiration date, security code) upon which the system so heavily relies. That's not because the merchant is negligent or guilty of privacy crime. It is because commercial information systems are inherently vulnerable to modern hackers in search of discrete units of data like names and numbers that are used over and over and over again.

The credit card industry needs to invent new ways to authenticate people and transactions, and to place less emphasis on maintaining the confidentiality of data elements like name plus account number plus security code.

I have published more analysis on the topic of merchant liability for a credit card data breach.

--

Mr. Wright teaches the Law of Data Security and Investigations at the SANS Institute.