Friday, February 27, 2009

The Daily Sandbox!: Dan Kaplan & SC Magazine Confirm Yet Another Bank Security Breach

Join the Contest! “What To Do With Bernie Madoff”

 by Kevin M Nixon, MSA, CISSP®, CISM®, CGEIT®

It's Friday.  We're all worried about the economic situation, the war, the budget, health care, etc.  So, simply to provide some much-needed stress relief, we are holding a contest on what to do with Bernie Madoff.

It is a way of taking our anger about everything we all are experiencing and “placing it on Bernie”.  Think of it as “Virtual Voodoo” or a punching bag or the arcade game “Whack-a-Mole”.

Contest participation is open to anyone.  Suggestions are to be submitted in the form of a Comment to my article http://www.dailykos.com/storyonly/2009/2/27/1334/03940/277/702472  Click on VIEW COMMENTS to open the current submissions. 

All suggestions must take into consideration that Madoff’s Crime is not death sentence qualified.  Bernie has to pay for his crimes in a survivable manner.  NOTE:  I said survive not “pain free” or “without slow and lingering suffering”.  Creativity in the imposition of your recommended sentence is important.  Pictures or illustrations can also be submitted.

Our discussion group will assist you with anger "re-management" and "re-direction."  We want true, long-lasting satisfaction, seasoned with anticipation and creatively embellished with perhaps some S&M techniques.  We are enhancing our skills at "Displacing Anger"!  This is not a Miss America practice group for a "How To Answer Questions" session; that is another Diary Page.

In this session we strive for perfect satisfaction by trading useful information such as:  "How Much Vaseline To Apply Before Entering A Flag Pole Sitting Contest"

Reading materials which may assist you prior to submitting your entry include:  

"Whips, Chains, and Alligator Clips for the Novice"

"Better Health Through Water-boarding"

"Margaret Cho's - Discovering Your Inner Ass-Master"

"Creative Humiliation Techniques - Yes Sir!"

"Spiritual Growth Via Electric Shock Treatments"

"Colonic Irrigation Via Fire-hose: Safe & Effective!"

I’ll keep this running on Bernie until some other form of “pond scum” emerges. 

This is only a way to take your mind off the situation of things around you and relieve some stress.  Go for it!

If you have suggestions for future contests send me an email.

Thanks,
Kevin


Talking about Laid-off Workers as Data Thieves?

by Kevin M Nixon, MSA, CISSP®, CISM®, CGEIT®

Bill Brenner is my favorite writer and Senior Editor for CSO Online.  Perhaps it's that we both share the same opinions about IT Security, Governance, Risk, Compliance and Data Privacy.  I highly recommend any of his articles, especially for their complete research, cross-checked facts, and willingness to state an honest opinion.  Bill doesn't "blow with the wind" like so many others.  You may not always agree with a person's comments; however, keeping an open mind and listening without "tuning out" is the way problems get solved.

I have 3 favorite quotes which everyone in the Data Protection field should print out, put on their office wall by their computer, and read each day.  Here they are:

  1. "Common Sense Ain't Common" - Will Rogers
  2. "When you're talkin' you ain't learnin'" - Lyndon B. Johnson
  3. "Pain makes man think.  Thought makes man wise.  Wisdom makes life endurable." - Marlon Brando, "The Teahouse of the August Moon" (1953 Tony Award, Best Play)

The quotes emphasize what I consider the 3 Phases of a Security Issue.  First, make no assumption that every system is operated using common sense and good judgment.  Second, continued education is the foundational corner-stone to any good security practice.  Third, when a security problem eventually does hit (and it will), learn from it!

Thanks for reading. 

Kevin M Nixon, MSA, CISSP, CISM, CGEIT


Thursday, February 26, 2009

Dan Kaplan & SC Magazine Confirm Yet Another Bank Security Breach

Background
by: Kevin M Nixon, MSA, CISSP, CISM, CGEIT

It has been the rumbling in the industry for at least the last 2 weeks, and our hat is off to Dan and SC Magazine for breaking the news.  This latest breach should make everyone sit up and take notice.  At this point, so many significant payment card industry systems have been compromised that all consumers should consider several things for protection.  Consumers should consider contacting their credit card and bank card issuers, requesting a new card, transferring activity to the new card, and closing the previous one.  Another suggestion is to consider placing a "Fraud Alert" on their profiles with each Credit Reporting Agency.

Visa confirms another payment processor breach - SC Magazine
http://www.scmagazineus.com/Visa-confirms-another-payment-processor-breach/article/127725/

Another payment processor has fallen victim to hackers, Visa confirmed on Monday.  Visa and MasterCard are notifying banks about accounts impacted by a "major compromise," unrelated to the massive Heartland Payment Systems incident announced last month, according to a number of credit unions and banking associations.

The hackers apparently breached the processor in the same way they infiltrated Heartland -- by placing malicious software on the network, according to an alert from the Pennsylvania Credit Union Association.  Visa hosted a conference call on Feb. 12 to notify member banks about the breach, which affected transactions made from February to August 2008, the association said. The incident involves account numbers and expiration dates, but no track data was compromised; therefore the attackers would be unable to make counterfeit cards.  The size of the breach appears significant but fewer cards were affected than in the Heartland case, the Community Bankers Association of Illinois said in its own announcement. That breach potentially exposed as many as 100 million accounts.

The victim in this case appears to be a provider that processes online transactions, said David Shettler, vice president and CTO of Open Security Foundation, a nonprofit that researches data breaches.  He told SCMagazineUS.com on Monday that the group has been receiving tips about the breach since Feb. 12, but few details have been confirmed.

"What concerns me is that Visa and MasterCard, they clearly know who it is," Shettler said. "They just won't say anything because the processor hasn't come clean. The sort of feel it gives people is that Visa and MasterCard are covering for some unnamed organization."

Visa and MasterCard began notifying card issuers about affected accounts on Feb. 9 and 13, respectively.  It is unclear whether this processor was compliant with payment industry guidelines, the association said. Heartland was deemed Payment Card Industry Data Security Standard-certified (PCI DSS) when it announced its breach.  This marks the third data-loss incident to impact payment processors in the past three months. In December, RBS WorldPay disclosed a breach that affected some 1.5 million card users. Shettler said cybercriminals are zoning in on these entities because they deal with the most information.

"You can crack into merchants, but that's a limited scope," he said. "If I were the payment card industry, namely Visa and MasterCard, I'd be concerned."

Visa said it was working with business and financial institutions to improve security measures.  "Visa Inc. is aware that a processor has experienced a compromise of payment card account information from its systems," the company said in a statement on Monday. "It's essential that every business that handles payment card information adhere to the highest data protection standards to protect the security and privacy of their customers' financial information."

A representative from MasterCard could not be reached for comment.

Tuesday, February 24, 2009

The Daily Sandbox!: Stimulus Bill COBRA Amendments Require Immediate Action

Stimulus Bill COBRA Amendments Require Immediate Action

by Cynthia M. Stamer 

About the writer: 

Cynthia Marcotte Stamer is nationally and internationally recognized for her work assisting businesses, governments, and other entities to develop creative strategies for dealing with employee benefit and related human resources, insurance, health care and finance concerns. Ms. Stamer helps businesses design, administer and defend cost-effective employee benefit and other human resources programs, policies and procedures to meet their budgetary and other business objectives.

The American Recovery and Reinvestment Act of 2009 (the "Stimulus Bill") immediately expanded the group health plan coverage continuation obligations applicable to group health plans covered by the Consolidated Omnibus Budget Reconciliation Act (COBRA) through a series of complicated temporary COBRA mandates that became effective when President Obama signed the Stimulus Bill into law on February 17, 2009.

The COBRA amendments in the Stimulus Bill are the latest in a series of new laws and regulations requiring changes in health plan eligibility rules, notices, administrative forms and practices. Employers, group health plan administrators and insurers must act quickly to review and update their COBRA and other health plan eligibility practices in response to these developments.

The COBRA Amendments enacted under the Stimulus Bill require that employers sponsoring group health plans and group health plan administrators take immediate steps to comply with a series of special temporary mandates applicable to certain individuals experiencing a loss of group health plan coverage due to the involuntary termination of an employee between September 1, 2008 and December 31, 2009 ("assistance-eligible individuals").

Highlights of the new COBRA mandates affecting group health plans enacted as part of the Stimulus Bill include the following:

  • Group health plans must notify assistance eligible individuals of the special COBRA rights granted under the Stimulus Bill. Although regulators are required to publish a model notice for this purpose by April 15, 2009, many group health plan sponsors and administrators will not want to delay providing required notifications until that time, as delay in notification extends the period that assistance-eligible individuals have to elect COBRA coverage.
  • The COBRA premium that a group health plan can charge an assistance-eligible individual for COBRA coverage is limited to 35 percent of the otherwise applicable COBRA premium for a period of up to 9 months.
  • Group health plans must offer assistance eligible individuals who previously did not elect COBRA coverage before February 17, 2009 a second chance to enroll in COBRA coverage within the 60-day period beginning on the date the group health plan provides the required notice of the Stimulus Bill COBRA rights. COBRA coverage for assistance eligible individuals making these second chance elections must begin with the first period of coverage beginning after February 16, 2009 (March 1, 2009 for most plans) and ends when COBRA coverage.
  • Group health plans offering participants different coverage options are required to allow assistance eligible individuals the opportunity to change their coverage elections under certain circumstances.
  • Employers may seek to recoup COBRA premiums paid by the employer to maintain COBRA coverage for assistance-eligible individuals, in excess of the reduced COBRA premium amounts paid by those individuals, by filing the necessary claims and reports to qualify to claim a payroll tax credit equal to those additional amounts. This payroll tax credit is the mechanism through which Congress sought under the Stimulus Bill to subsidize temporarily 65% of the COBRA premiums of assistance-eligible individuals.

In addition to these special COBRA rules for assistance-eligible individuals, the Stimulus Bill also extends COBRA benefits for certain employees and dependents whose qualifying event is a reduction in hours or termination of employment where either:

  • The employee is eligible for certain Trade Adjustment Assistance; or
  • The covered employee had a non-forfeitable right to a benefit under a defined benefit plan which will be paid by the Pension Benefit Guaranty Corporation (PBGC).

For assistance in evaluating and responding to these and other employee benefit or human resources developments under the Stimulus Bill, contact Cynthia Marcotte Stamer at cstamer@solutionslawyer.net.

FTC – The Federal Trade Commission Obtains Court Order Halting Internet Payday Lenders Who Failed to Disclose Key Loan Terms and Used Abusive and Deceptive Collection Tactics

by Kevin M Nixon, MSA, CISSP®, CISM®, CGEIT® 

SUMMARY

The FTC and the State of Nevada are investigating 7 US-based companies and 1 international individual operating Internet Payday Lending sites.  The FTC charges the companies with violating the FTC Act by using unfair and deceptive collection tactics, including falsely threatening consumers with arrest or imprisonment, falsely claiming that consumers are legally obligated to pay the debts, threatening to take legal action they cannot take, repeatedly calling consumers at work and using abusive and profane language, and disclosing consumers' purported debts to co-workers, employers, and other third parties.

News Item:  From The Federal Trade Commission (02/23/2009)

In a case filed by the Federal Trade Commission and the State of Nevada, a federal court has ordered a halt to certain practices by seven U.S.-based companies and an individual operating as part of an international Internet payday lending operation. They were charged with failing to disclose key loan terms and using abusive and deceptive collection tactics in violation of federal and state laws. The U.S.-based companies and their principal agreed to the court order, which will remain in effect pending trial. The FTC and Nevada seek to permanently bar the defendants from future violations and make them give up the money they obtained using the allegedly illegal collection tactics.

According to the FTC’s complaint, the companies offered loans of $500 or less within 24 hours without requiring a credit check, proof of income, or documentation. Consumers were told that they qualified for a loan that had to be repaid by their next payday with a fee ranging from $35 to $80, and that if the loan was not repaid by then, it would be extended automatically for an extra fee that would be debited from the consumer’s bank account “until the loan is repaid.”

The FTC charges the companies with violating the FTC Act by using unfair and deceptive collection tactics, including falsely threatening consumers with arrest or imprisonment, falsely claiming that consumers are legally obligated to pay the debts, threatening to take legal action they cannot take, repeatedly calling consumers at work and using abusive and profane language, and disclosing consumers’ purported debts to co-workers, employers, and other third parties. They also allegedly violated the Truth in Lending Act and Regulation Z by failing to make required written disclosures, clearly and conspicuously, before consummating a consumer credit transaction, including the amount financed, itemization of the amount financed, the finance charge, the annual percentage rate, the payment schedule, the total number of payments, and any late payment fees.

Pending trial, the court order bars the U.S.-based companies and their principal from deceptive debt collection practices such as misrepresenting that consumers can be arrested or imprisoned for failing to pay debts, that consumers are legally obligated to pay the full amount of a debt claimed as owed, and that for nonpayment consumers may or will be subject to legal action, such as a lawsuit, seizure of property, or garnishment of wages. The preliminary injunction also prohibits unfair collection practices such as continuously and repeatedly calling consumers and third parties at consumers’ work places, using obscene or threatening language toward consumers and third parties, and disclosing the existence of consumers’ purported debts to third parties.

The U.S.-based companies and their principal also are barred from violating the Truth in Lending Act and Regulation Z, in the extension of closed-end credit, by failing to make the required TILA disclosures as provided by law, and by failing in any other manner to comply with TILA and Regulation Z. They also are prohibited from violating the laws of the State of Nevada by making loans from Nevada or identifying Nevada as the source of a loan or as their principal place of business, unless properly licensed; and by failing to provide notice and disclosure of all material facts as required by state law, including failing to disclose the location, physical address, and non-toll-free telephone number of all of their locations. In addition, the U.S.-based companies and their principal are prohibited from violating any state or federal law regarding the sale or lease of goods or services, including using coercion, duress, or intimidation in any kind of transaction.

The injunction also bars the U.S.-based companies and their principal from disclosing or benefitting from customers’ personally identifiable or financial information, and it contains record-keeping provisions to allow the FTC to monitor compliance with the order.

The defendants named in the court order are Leads Global, Inc., Waterfront Investments, Inc., ACH Cash, Inc., HBS Services, Inc., Lotus Leads, Inc., First4Leads, Inc., and Rovinge International, Inc., and Jim Harris. Also charged in the complaint but not named in the order are four United Kingdom-based companies operating in the U.S. as Cash Today, Route 66 Funding, Global Financial Services International, Ltd., and Interim Cash, Ltd., and their principals, Aaron Gershfield and Ivor Gershfield.

NOTE: The Commission issues a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. These complaints are not a finding or ruling that the respondents have actually violated the law.

© Copyright 2009 – Kevin M. Nixon – All Rights Reserved – See: Information Security Resources
(This article may be reprinted in whole or in part only with proper attribution to the author.)