cases. This likely ties into the increasing underground marketplace for “malware-as-a-service.” This continues to be a trend of interest to our investigative team as the use of anti-forensics plays a significant role in daily activities. We will continue to monitor and report on the evolution of anti-forensics.

You Down With CPP?

CPP is a method that banks employ to limit their financial losses due to fraudulent transactions. Let’s say 200 cardholders all experienced fraudulent purchases on their credit cards. CPP analysis would look at the purchasing history of these cardholders and try to find a common point of sale (e.g., stores) which they all shared. This is essentially crunching data in such a way that the algorithm determines that all cards in question were used at StoreX in a given period of time. Timeframing, history, geographic location, and many other data points are then used to determine if a particular common point of purchase could be considered to have a high probability of incident. CPP has the advantage of seeing through the fog within an organization by highlighting the glaringly obvious issues from without. A scary thought about CPP is that this detection method is so successful because there is a mechanism (fraud) for correlating the data together. Other types of valuable data such as personal information, health records, e-mail addresses, and authentication credentials can often be harvested from many places, but they do not have the same protective mechanisms as payment cards to detect the data breach. Thus, we believe the numbers around non-payment card breaches are far worse than reported since there is no CPP-like mechanism to detect their loss.

The fact of the matter is that for the entire period that we have been studying breaches, we have seen consistent signs of anti-forensics. Based on the most recent evidence, anti-forensics was used in approximately one-third of 2010 breaches worked by Verizon. That represents neither a significant increase nor decrease over the prior year.
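The CPP analysis described in the sidebar above, as an added example that is not part of the original report: it ranks merchants by the share of fraud-reported cards used there within a time window and drops merchants that other cards visit just as often. The function name, the thresholds, and all transaction data are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

def common_points(transactions, fraud_cards, start, end, min_share=0.8):
    """Rank merchants by the share of fraud-reported cards seen in [start, end].

    transactions: iterable of (card_id, merchant, date) tuples.
    Returns (merchant, fraud_share, other_share) tuples, highest fraud_share
    first, keeping merchants where fraud_share >= min_share and where
    fraud-reported cards are over-represented relative to all other cards.
    """
    fraud_cards = set(fraud_cards)
    seen = defaultdict(set)   # merchant -> cards used there inside the window
    all_cards = set()
    for card, merchant, day in transactions:
        all_cards.add(card)
        if start <= day <= end:
            seen[merchant].add(card)
    other_cards = all_cards - fraud_cards
    results = []
    for merchant, cards in seen.items():
        fraud_share = len(cards & fraud_cards) / len(fraud_cards) if fraud_cards else 0.0
        other_share = len(cards & other_cards) / len(other_cards) if other_cards else 0.0
        # A merchant that every cardholder uses is "common" but not suspicious.
        if fraud_share >= min_share and fraud_share > other_share:
            results.append((merchant, fraud_share, other_share))
    return sorted(results, key=lambda r: (-r[1], r[2]))

# Constructed sample data: F* cards reported fraud, C* cards did not.
WINDOW = (date(2010, 3, 1), date(2010, 3, 31))
FRAUD = {"F1", "F2", "F3", "F4"}
EVERYONE = ("F1", "F2", "F3", "F4", "C1", "C2", "C3", "C4")
TXNS = (
    [(c, "StoreX", date(2010, 3, 10)) for c in ("F1", "F2", "F3", "F4", "C1")]
    + [("C3", "StoreX", date(2010, 1, 5))]            # outside the window
    + [(c, "BigGrocer", date(2010, 3, 15)) for c in EVERYONE]
    + [(c, "CafeY", date(2010, 3, 20)) for c in ("F1", "F2", "C2")]
)

if __name__ == "__main__":
    for merchant, fraud_share, other_share in common_points(TXNS, FRAUD, *WINDOW):
        print(f"{merchant}: {fraud_share:.0%} of fraud cards, {other_share:.0%} of others")
```

BigGrocer is shared by every fraud-reported card yet is filtered out because the other cards use it at the same rate, which is why the baseline comparison matters alongside the simple intersection.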
PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of control requirements created to help protect cardholder information. Every year Verizon’s caseload contains a number of organizations that are required to adhere to the PCI DSS. Because these are confirmed data breach victims, obvious questions arise with respect to the compliance status of these organizations. This section examines this important topic from several perspectives.

In Verizon’s Payment Card Industry Compliance Report (PCIR) from 2010, we made the distinction between “validation” and “compliance.” In that report, we said that, “Compliance is a continuous process of adhering to the regulatory standard,” and “Validation . . . is a point-in-time event . . . that attempts to measure and describe the level of adherence to the standard.”