What if Your Payment Processor Shuts Down?

What would happen to your business if your credit card processor shut down?  If you do online bill pay, what would happen if it shut down?

Millions of people and businesses got to figure that one out this month when Paypal’s TIO Networks unit suddenly shut down.  TIO does payment processing, both for merchants and for consumers who use it to pay bills at kiosks in malls, at grocery stores and other locations.

Paypal paid over $230 million for the company earlier this year.

Whether Paypal was aware of the breach at the time it bought the company is not clear.

In fact, all that is clear is that over a million and a half users had their information compromised.

On November 10th, Paypal decided to shut the unit down until it could fix the problems.

The impact of this shutdown varied from group to group.

If you are using the bill pay service at the grocery store, you are likely to go to another location.  Unfortunately, for TIO Networks, many of those customers won’t come back.  While this may be annoying for customers, the annoyance was likely manageable.

For merchants who use the vendor as their payment processor, having the service shut down, magically and with no notice, could be a big problem.

This is especially a problem for organizations that depend on credit cards such as retail or healthcare or many other consumer services.

We often talk about business continuity and disaster recovery plans, but if you operate a business and credit cards are important to you, then your plan needs to deal with how you would handle an outage of your credit card processing service.

In the case of TIO, after about a week they started bringing the service back online for a few people who were most dependent on it.

Things get a bit complicated here.  Most of the time merchant payment processors require businesses to sign a contract for some number of years.  Since the contract was written by lawyers who work for the credit card processor, it likely says that they aren’t responsible if they shut down for a week or two without notice.  It probably even says that they aren’t liable for your losses and you are still required to pay on your contract.

If you switch to a new processor, you may have two contracts.  Now what do you do?

To make things more complicated, if your payment processor is integrated with other office systems or point of sale systems, switching to a new provider is even more difficult.

I don’t have a magic answer for you – unfortunately – but the problem is solvable.  It just requires some work.  Don’t wait until you have an outage – figure it out NOW!

This is why you need to have a written and tested business continuity and disaster recovery program.

Information for this post came from USAToday.

A New Form of Ransomware

The British shipping company Clarksons was hacked and decided not to pay the ransom.  So far, nothing new.  No ransom, no data.

Well, maybe, they had backups that they could restore – and thumb their nose at the hackers.

I think this is becoming a bigger problem for hackers.  As a result, hackers are changing tactics.

There are still plenty of vanilla ransomware attacks that want your money in exchange for the encryption key.

But now there are many that say that if you don’t pay up we are going to publish what we hacked.

There is a very important distinction between these two types of attacks.  In the traditional attack, it is presumed (but not known) that the hackers did not steal your data – that they did not make a copy of it and upload it somewhere.  In this attack, in order for it to work, the hacker had to steal the data.  ONE THING THIS MEANS IS THAT, UNLESS YOU CAN PROVE THE HACKERS ARE LYING, YOU LIKELY HAD A REPORTABLE BREACH IF YOU ARE IN AN INDUSTRY OR STATE THAT REQUIRES YOU TO REPORT BREACHES.  I don’t even play a lawyer on the Internet, but I think you are going to be hard-pressed to convince regulators that your data was not compromised.

This concept is not far-fetched;  in fact, hackers have done this (recently) before.  For this type of attack, whether you have backups or not doesn’t really matter.  What matters is the consequences of this data being made public.

In this case, Clarksons has said that they are not paying the ransom and expect the data to be made public.

Of course, we have no way of knowing IF the attackers will really expose the data (I guess we could call that a revenge-release), and Clarksons has been very tight-lipped about what was taken and how much was taken.

What they have said is be prepared for stuff to be released.

So, I guess, we wait.  And see.  Stay tuned.

For the rest of us, we have a new cyber security worry.  Making backups and having a disaster recovery plan won’t help with this one.  The only way to protect yourself from this one is to keep the bad guys out.

One other thought.  Data that doesn’t exist can’t be hacked, so it is worth weighing the value of keeping data that might, some day, maybe be useful to someone against the risk that the same data can be hacked.  This is not always an easy decision, but it is one that needs to be made.

A corollary to this is that you may need to keep this data for legal or archival reasons, but does it need to be available, online, to all employees?  An example of this might be a mortgage company.  They may need to keep the loan package for all closed and declined loans for seven years, but what if those loans are stored on a disk?  In a bank vault?  That would be difficult to hack.  Just saying.

Information for this post came from The Register.

Senators Propose Bill Providing up to Five Years in Prison For Failing to Report Breaches

Senator Bill Nelson of Florida has introduced a bill in response to the Uber disclosure that they forgot, for a year, to tell 57 million people that their data was breached.  The bill allows for penalties of up to five years in prison for anyone, such as company executives, who willfully conceals a breach for more than thirty days.

That is a serious incentive to disclose breaches quickly.

Now before anyone cheers or panics, Nelson is a Democrat, so the Republicans will likely kill the bill.

And, even if they don’t, there is a VERRRRY long path between a bill being introduced and the President signing it.

Still, in the light of Uber, it is POSSIBLE that Congress could get off its rear end and actually pass some sort of Federal data breach law.  The challenge has always been getting something that enough people can agree on.

Over the last several years there have been a couple of attempts to do that, but lobbyists have always gotten bills like this watered down to effectively mean nothing.  And the goal of those same lobbyists has always been to preempt strong state laws like California’s and Massachusetts’ with much weaker laws.  From the states’ point of view, this is a states’ rights issue, and Federal preemption of states’ rights in this Congress is tricky.

The bill also directs the FTC to develop mandatory security standards for businesses and provide incentives for adopting new security technologies.  Color me confused, but five years in prison is a pretty strong motivator for most people.

Still, I presume that the odds of this getting passed are pretty low – but we can be hopeful.

Anyone who thinks that the Uber situation is unusual is being a bit naive.  The fact that a breach OF THAT SIZE was concealed for a year is unusual (or at least we think it is), but a breach being concealed for a year or forever is likely way more common than we would like to believe.  Yahoo did not disclose its breach of 3 billion accounts for several years.  Equifax did not disclose its breach for 7 months.  On the other side of the coin, over 2,200 breaches were disclosed this year.

For publicly traded companies like Yahoo and Uber, the SEC can fine companies for failing to disclose a breach, but I cannot recall any times that they have done that.  They may do that in the case of Uber since they have a bad boy reputation and some folks may feel that they need to be taught a lesson – stay tuned on that one.

There is one thing working in favor of a Federal breach law and that is the European Union.  You may remember that the U.S. had a law called Safe Harbor which allowed U.S. companies to implement a few controls and say that they were compliant with European privacy laws.  The CJEU, the EU’s highest court, struck down that law several years ago saying that it did not effectively protect E.U. residents’ rights.  The law was replaced a year ago with something called Privacy Shield.  Some say that Privacy Shield is like putting lipstick on a pig, meaning that it is a slightly worked over Safe Harbor, but it just passed an annual review and the E.U. narrowly approved it, saying that the law was effective at protecting E.U. residents.

But come next May, a new E.U. law, the General Data Protection Regulation comes into force and that places very strict rules on companies – like a requirement to notify people within 72 hours of discovering a breach.

In addition, some folks have taken the Privacy Shield law to court, so it is possible that this new law could get thrown out (technically, the E.U. can’t throw out a U.S. law but they can say that companies that comply with it do not qualify for protecting E.U. residents’ data, which is effectively the same thing).

It is possible that all of the privacy and legal activities in the E.U. could force the U.S. to enact stricter privacy laws.  The last thing that U.S. businesses want is to have their ability to move data between the U.S. and the E.U. blocked.  If it comes down to that, U.S. businesses may, reluctantly, lobby for a stricter security bill rather than lose their ability to move data between the U.S. and E.U.  We should find out in 2018.

Information for this post came from the Washington Times.


Cheapest Way to Mine Cryptocurrency – Use YOUR Computer

The basis of all cryptocurrency is a really hard math problem.  The idea is that because the math is so hard, it takes a lot of CPU cycles to create the next cryptocurrency coin.  It used to be that people, who are called miners, could use their computers to mine the next coin and they would get a fee for it, earning them a profit.

One of the design goals of most if not all cryptocurrencies is that the more coins that are mined, the harder it is to create the next coin.  This is actually on purpose.

People have gotten very creative trying to earn money.  First they bought faster computers.  Then the software was modified to use super fast graphics processors called GPUs.  After that, it was custom hardware called ASICs.  And the race goes on.

One of the most important factors in whether mining cryptocurrency is profitable is the cost of electricity.  If it costs you more to make it than you earn for doing it, that’s not such a good thing.

Now some unscrupulous miners have come up with the best way to mine coins yet.  They run a script in the background in your browser when you visit an infected webpage.  While one user running the script in the background won’t be very effective, if a million users do it, then they will probably earn some money.

But there was a problem – the mining operation stops when you close the browser.

So some even more nefarious miners came up with a better idea.  What if they created a new browser window when you visited the infected web site?  Then when you close the window for the site that you went to visit, the mining will continue in this other window.

But the user will see that window when they close the window that they asked for and question what the heck this other “pop-under” window is.

They have a solution for that too.  Let’s make the window TINY.  Let’s hide it under the task bar.  In fact under the clock in the task bar.

In fairness, there are some telltale signs of this scam, but lots of people won’t see them.  The Ars Technica link below has a video to show how the process works.

It’s actually pretty creative.  Use a bunch of other people’s computers; it doesn’t cost you anything after you write the software and you get the fee for creating new coins.

It turns out that most anti-virus products won’t detect this;  it is pretty easy to morph the process for each computer to make it virtually undetectable.

One researcher recently detected 2,500 web sites using your computer to mine cryptocurrency.

Of course, some folks had to ruin a good thing and tell people about it.  Now many more people will detect it and totally ruin the scam.

But until that happens, some folks will be slowing your computer down to make them some money.

Information for this post came from Ars Technica.