<html>
<body>
<font size=3><br>
I think what we're seeing is the affected companies being told by their
law-vultures to release as little as possible to minimize exposure. This,
in its essence, also limits the ability of independent verification
and investigation to assist others in prevention and to bring guilty parties
to justice.<br>
This is a trend that should be stopped ASAP. I believe they, as well as we,
understand the time to "walk the walk" is upon us, and some
serious lawsuits are in the offing in lieu of actually securing our data.
The only model they will accept is one like HIPAA, where the fox guards
the hen house.<br><br>
One more notable side effect I'm seeing is the taking on blind faith that
a missing data set has been recovered and has not been tampered with.
<br>
Says WHO? The FBI? They're ankle deep in these cases, and in case you
don't remember recent history, they have been less than honest in
evidentiary cases in the past. A company like MC or Visa certainly has
the political and monetary clout to buy the results they're seeking.<br>
Don't make me laugh. Hasn't been accessed? Copied to another hard drive
for eventual compromise, maybe yes, but not tampered with? The
professional thieves have access to the same tools we do. Compromising
even an encrypted set of data is not an IF proposition, but merely a WHEN
one. Anyone who understands distributed computing knows the power of a
supercomputer is well within the budget of almost anyone who puts their
mind to it.<br>
Does the old cops-and-robbers line "let's lay low till the heat goes
down" ring a bell?<br>
When data's gone, it's GOT to be presumed compromised, period. Extend the
meager protections, mail the letters, and by all means, DO NOT allow a
weak data protection statute at the Federal level to preempt stronger State
statutes.<br>
The bottom line is all about minimizing exposure, and the clients who
were compromised be damned.<br>
We need some serious introspection of what we believe, and who we trust
after the fact IMHO.<br>
Marc<br><br>
At 16:43 10/19/2006, you wrote:<br>
</font><blockquote type=cite class=cite cite="">
<font face="Arial, Helvetica" size=2>The way I read the notification, it
didn't sound like the processor was affiliated with 1st Bank:<br>
</font><font size=3> <br>
</font><font face="Arial, Helvetica" size=2>"We would also like to
reassure you that the compromise of information occurred at a merchant
card processor's location, not FirstBank and therefore your account
information at FirstBank has not been obtained by these unauthorized
indivuduals(SIC)." <br>
</font><font size=3> <br>
</font><font face="Arial, Helvetica" size=2>Perhaps they are just
notifying customers affected by another company's gaffe? Must be a bad day
if they didn't even spell-check the notification before it went
out.<br>
</font><font size=3> <br>
</font><font face="Arial, Helvetica" size=2>-Dennis<br>
</font><font size=3> <br><br>
<hr>
</font><font face="Tahoma" size=2><b>From:</b> B.K. DeLong<br>
<b>Sent:</b> Thu 10/19/2006 1:21 PM<br>
<b>To:</b> Chris Walsh<br>
<b>Cc:</b> dataloss@attrition.org<br>
<b>Subject:</b> Re: [Dataloss] VISA / 1ST BANK<br>
</font><font size=3><br>
Is it that hard to find out who did the card processing for 1st
Bank?<br><br>
On 10/19/06, <b>Chris Walsh</b>
<<a href="mailto:cwalsh@cwalsh.org">cwalsh@cwalsh.org</a></font> >
wrote: <br>
<dl>
<dd>On Thu, Oct 19, 2006 at 10:41:37AM -0400, B.K. DeLong wrote:<br>
<dd>> Well, whomever it was will probably get whacked with a HUGE fine
for <br>
<dd>> violating PCI Security standards. I'm guessing it won't take
long to<br>
<dd>> determine who falls under approved card processors for
Visa.<br><br>
<br>
<dd>They might get fined, but not by Visa. Too much butter on that
bread <br>
<dd>to throw it in the bin.<br><br>
<dd>The FTC, OTOH, may do some enforcement:<br>
<dd>
<a href="http://www.emergentchaos.com/archives/2006/06/prediction.html">
http://www.emergentchaos.com/archives/2006/06/prediction.html</a><br><br>
<dd>Visa has been zealously guarding the "privacy" of these
processors since<br>
<dd>at least December of 2005, when the Sam's Club stuff started to hit
the<br>
<dd>fan. Even Gartner called MC and Visa out on it:<br>
<dd>
<a href="http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html">
http://www.emergentchaos.com/archives/2005/12/gartner_to_visa.html</a><br>
<br>
<dd>Chris<br><br>
</dl><br><br>
<br>
-- <br>
B.K. DeLong (K3GRN)<br>
<a href="mailto:bkdelong@pobox.com">bkdelong@pobox.com</a> <br>
+1.617.797.8471<br><br>
<a href="http://www.wkdelong.org/" eudora="autourl">
http://www.wkdelong.org/</a> Son.<br>
<a href="http://www.ianetsec.com/">http://www.ianetsec.com/</a>
Work.<br>
<a href="http://www.bostonredcross.org/">
http://www.bostonredcross.org/</a>
Volunteer.<br>
<a href="http://www.carolingia.eastkingdom.org/">
http://www.carolingia.eastkingdom.org/</a> Service.<br>
<a href="http://bkdelong.livejournal.com/">
http://bkdelong.livejournal.com/</a>
Play.<br><br>
<br>
PGP Fingerprint:<br>
38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE<br><br>
FOAF:<br>
<a href="http://foaf.brain-stream.org/">http://foaf.brain-stream.org/</a>
<br>
_______________________________________________<br>
Dataloss Mailing List (dataloss@attrition.org)<br>
<a href="http://attrition.org/dataloss" eudora="autourl">
http://attrition.org/dataloss</a><br>
Tracking more than 137 million compromised records in 430 incidents over
6 years.</blockquote></body>
</html>