For many companies looking for PCI compliance, or even just to improve their security footprint as a whole, multi-factor authentication has often become that unattainable unicorn. Security professionals face the same challenge when it comes to meeting this requirement. What exactly is it, and what options are out there to fulfill that security requirement? These questions come up often. In this article, I will go into what the security authentication factors are, and give some basic examples to help you understand the requirement. Hopefully this will help you understand not only what multifactor authentication is, but also why it’s required.
The principle behind multifactor authentication is that you are authenticating yourself to some system via different, independent factors. The factors available are as follows:
- Something you know
- Something you are
- Something you have
Most people are aware of “Something you know”. This is typically something that only the true user would know, like a username and password for their account. Seems secure, and would only be known by the “true” user, right? Well, not exactly. How many people out there have given their password to someone else for some sort of use, or, for that matter, have it saved somewhere for future reference? You may have a password stored somewhere on your computer, which would seem secure. But if that gets compromised, then that “true” identity is no longer guaranteed to be you. I bet most people have done this, and that is what compliance certifications like PCI are looking to correct. By incorporating an additional security authentication factor from a different category, they can better guarantee you are who you say you are. Of course, it gets very hard to guarantee 100%, but as you add factors, it gets pretty darn close.
Read the full post »
Our third speaker at the ITX Data Security Summit was Gerry Elman from Elman Technology Law, who asked the question: “Are You Legally Prepared for the Coming Cyber War?” He also chose a sub-topic even more relevant to the audience: “Preparing Your Legal Playbook In Anticipation of Data Security Breaches.”
Here’s a clip from the beginning of Gerry Elman’s presentation:
Read the full post »
Compliance is a hot topic in the IT industry, and for good reason. By following the rules and guidelines set forth by these compliance standards, not only do you avoid potential fines and penalties, but you also provide your users and clients the peace of mind of knowing that their data is secured. Whereas PCI compliance is relatively straightforward (12 requirements which are easily measurable and testable), HIPAA compliance is a bit less friendly and much more vague.
Read the full post »
On May 3rd, 2011, the INetU IT Expert Series presented the PCI DSS Self Defense webinar: How Hackers Hack and How To Protect Yourself. Our speakers, Dr. Anton Chuvakin and Nicholas Percoco, held a live question and answer session. But not everyone’s questions were answered! Dr. Chuvakin answered the remaining questions. Take a look at some of the questions below!
Q: Another crystal ball question. Do you think the day will come when merchants are not permitted to store credit card information in order to be PCI compliant?
- A: Well, merchants are not permitted to store CVV data today, merchants are not permitted to store PAN in cleartext, and they are strongly discouraged from storing PANs at all today (example) – all as per PCI DSS. I do not foresee a complete ban on PAN storage, but these rules might well become stronger.
Q: How can a criminal use stolen card data for themselves?
- A: Charge cards themselves, resell them in bulk, manufacture cards for resale and use (if Track2 data is available), buy and resell goods, buy software and then pirate it, etc, etc, etc. Think what you’d do if you were given a “free credit card”.

Q: How about some websites/books for learning web security?
For the remaining question and answers please visit Dr. Chuvakin’s blog post.
Thank you so much for your participation in the PCI DSS Self Defense webinar!
