Chaordic Mind

Cory Doctorow signing books, originally uploaded by SFview.

Cory Doctorow – acclaimed sci-fi author, BoingBoing blogger, former EFF staffer, and watch aficionado – did a reading from his book For The Win in San Francisco. It was an event to raise money for the EFF, an organization that defends your legal rights online and in digital media.

I’ve followed his life and admire his never ending work ethic to achieve his goals. His self-styled life includes a wide collection of obscure watches, a wedding wing with custom crypto key, and his constant quest against DRM and those platforms that support them.

I met a nice guy, Al, from openbuddha.org who recorded the session. Check out his writeup and audio recording.

Cory Doctorow signing books, originally uploaded by SFview.

Scouts, originally uploaded by SFview.

Furries, originally uploaded by SFview.

Bay 2 Breakers is a “race” across the 7 miles (11.3 km) that is San Francisco. There are some serious racers up front by the majority of participants show their true San Francisco pride by breaking out the costumes and dressed up for a long, and mostly drunken, trot across the city.

Many of the “racers” group up into theme teams and make a day of it. Here are some photos I took of various team enjoying the sun as part of their run.

See more photos of the event here.

As many of you know EMV, or more commonly referred to as Chip and PIN (Chip/PIN), have been a long time structure in areas such as Europe and most of the Asia-Pacific region.  Europe made the transition between 2001 to 2006.  Canada has a mandate of October 2010 for implementation and the intra-region liability shift.  The US it seems is now entering the came with a few very small but significant moves.

• Wal-Mart has asked for Chip-and-PIN saying that now is the time to roll it out.
• In May 2010, the United Nations Federal Credit Union (UNFCU) became the first financial institution to begin issuing Chip/PIN cards.
• It should be noted that although AmEx is not technically a “financial institution” in the US, it did issue its “Blue” card with a chip for such transactions in Europe.

So will this bring us all the safety and security we want?  What will this change mean for cardholders and retailers?  Those are more complicated answers and the answer really varies from one region/country/bank to the next.  Here’s a few things that Chip/PIN changes do mean.

Liability Shift

If you read the Visa OpRegs you’ll see three different listings for liability shift.  Merchants that accept Chip/PIN transactions are not always liable for fraudulent transactions since the understanding is that they are asking for both a card and the PIN (something allegedly only the cardholder knows.)

These shifts in liability can be either domestic, intra-region or bilateral shifts (according to Visa).  MasterCard says of domestic liability shifts, “A shift in liability to the non-EMV compliant party, fraud liability is born by non-EMV complaint party for all regional transactions.  Bilateral shifts existed previously between the various Visa Regions, “Visa EU and CEMEA signed a bi-lateral agreement in order for the liability shift rule to apply for international transactions between both regions as soon as the CEMEA rule went into effect on January 2006.”

This shift takes the liability off the merchant, but who does it go to?  Well according to the Financial Ombudsman Service (FOS) in the UK that handles consumer complaint disputes, it is the bank that is responsible for the fraud unless customers acted “without reasonable care”. This could include writing down a PIN or allowing someone else to use a card.  What does this really mean?  Well, banks around the world are struggling as consumers claim fraud and the banks claim “without reasonable care.”

Risky Business

In a ComputerWorld article, analyst Avivah Litan, says that “companies such as Visa and MasterCard should consider easing some of their security requirements for U.S. merchants willing to make their payment systems EMV-ready. Visa has reduced the scope of its security audits in cases where organizations have implemented EMV technologies, and the same could be done in the U.S”

Pardon? (Fallacy alert!)

Let’s remember that Chip/PIN only helps reduce fraud at a singular merchant, it does not reduce the instance of payment card data theft.  In fact Chip/PIN transactions can be just as risky as magnetic stripe transactions from a data theft and skimming perspective.  Chip/PIN cards used as a payment terminal may leave “track equivalent data” which cannot be used to recreate the Chip but could be used to re-encode the magnetic strip on the back of traditional cards.  I mentioned this in 2008 and Gartner is still saying the same thing.

Conclusion

The US moving to Chip/PIN is a good thing and something that will drive down card-present fraud.  It may not directly impact payment card data theft and thus will not detract from PCI DSS compliance. I remember teaching a PCI DSS class of QSAs (back then CISP assessors) in the UK back in 2006.  They struggled with the problem that merchants in the UK thought they didn’t need PCI DSS compliance because they already had adopted Chip/PIN, something they already equated with “credit card security”.  I blogged about this from 2006 – 2007 to explain the differences between Chip/PIN and PCI DSS compliance and risks.

Companies that adopt Chip/PIN will still need to comply with the PCI DSS.  That being said, there are some benefits:

• Reduced interchange (in some instances)
• Reduced fraud (as measured in the UK by APACS)
• Liability shift for Chip/PIN transactions

Links

• Visa International OpRegs on Chip/PIN global mandates (2007)
• Visa Regional OpRegs for Canada (2008)
• Visa Smart Debit/Credit Certification Authority Service Description (2008)
• RBSWorldPay talks about liability shifts

After swing dancing and playing mahjong (poorly) one of my favorite non-computer pastimes is hanging out with photographers. I fell in with the Friday Night Drinking and Shooting group and have met a number of great photographers.

It’s like traveling with my own paparazzi entourage!

Here’s a few of my favorite:

• Chipmonkey
• angryf
• Generik11
• bats1234
• JMSF415
• KayVee
• Nick.Fischer
• underthewaves

Although you may know me more for my musings on traffic theory and becoming immortal, this post focuses on the increasing ease of exchanging money within our daily lives.

In the Beginning

You see, in the beginning was the bank and the bank stored all the gold.  Accessing the gold required going to the bank and withdrawing it for use in the market place.  As new modes of communication evolved the methods of exchanging money became easier and easier.  You now have ATMs replacing banks for dispensing cash, e-commerce replacing brick-and-morter, and PayPal replacing Western Union.  (Ok, so perhaps replaced is a strong term, instead these services supplemented the older forms of exchanging funds.)

Throughout time one thing that held true was the relationship between the merchant and the consumer.  The merchant was typically a company and the consumer an individual.  Common area market places such as eBay helped break down the walls and enabled individuals to sell items to other individuals, but still these required a virtual store front.

New Merchant Class

The term merchant is slowly being democratized in the open market place as individuals accept and exchange digital funds through fluid, simple, and inexpensive methods.  There are a number of factors that influence this new merchant class, so let’s go into a few.

1. Increasing number of Payment Service Providers: The affect of Web 2.0 and social media applications have catalyzed the marketplace for new methods of exchanging money in both a virtual environment (Facebook, Second Life, Zynga) and via emerging payment methods (Spreedly, PayPal PayFlowPro, iPhone applications).  The lines between the individual and the merchant are blurring to the point that exchanging funds can be done more fluidly than ever before.
2. Increasing number of payment integrators: With this increase in the number of payment service providers comes a wave of new businesses that aim to support the new merchant population.  With new merchants come new point of sale third parties who wish to sell them services and support.  More and more service providers are appearing with an ever greater list of services they are offering to the new merchant class.  Each of these new services providers may act as a vector or path through which an attacker can access payment data.
3. Becoming a merchant is easier than ever: In addition to the new methods of accepting payments, merchants can go mobile faster than ever.  Instead of accepting cash only at the local farmers market, the new merchant class will gladly accept major payment cards via their Square or VeriFone PAYware enabled iPhone.  This level of service, once reserved for more established merchants, is now being disseminated into the hands of the masses.
4. Chip and PIN increasing: Chip and PIN or EMV has seen great successes in reducing card present fraud in Europe and Asia.  This technology recently jumped-the-pond and was adopted for implementation in Canada.  It’s only a matter of time before merchants in the US begin to see Chip and PIN technology rolled out to their personal cards and then to their retail locations.
5. Cost cutting is key: Previous approaches to compliance were via the mass adoption of security technology.  These days merchants are more cost conscious and agile in their approach towards compliance and security.  The new merchant class calls for reduced costs through new technology such as point-to-point encryption and “tokenization”.  They are happy to exchange the flexible use of payment data for the security and cost savings of scope reduction.  They are looking for overlapping regulatory controls to kill multiple birds with one stone.  They don’t want point solutions but instead comprehensive approaches towards security.  They want strategy, flexibility, and mobility instead of “solutions”.
6. Training and education needed: In order to achieve these goals: adopt new technology, reduce scope, and leverage internal employees there is a great demand for education and how they can achieve all this.  The need is stronger than ever for an educated merchant class who understand the tradeoffs and can make strategic decisions that balance not just compliance but also business directions.

Future of Electronic Money

Today we see the break down from traditional models and democratization of technology that equips and enables mobile merchants.  Taking this to its natural evolution we will next see the seamless move towards person-to-person transactions where exchanging money is as simple as taping your mobile phone against that of another.

• Want to split the dinner bill five ways? Put all your cell phones back to back and shake them in unison and the bill plus tip is split five ways and paid!
  
• Do you owe your friend $10? Pay them via email!

The barriers of exchanging proverbial gold are dissolving and those that enable this new future will be the ones who survive and rise to the top.

I manage and mentor a number of people and always want them to get the most out of their career.  I’m a realist and know they will not be at their job forever.  Either they will find greener pastures elsewhere or their employer will replace or downsize them due to one reason or another.  In that period that they are in their job, however long it is, I want them to maximize both their and the company’s value.

When I talk with people about their jobs, many times I hear the same complaints:

“There is no career development.”

“I’m bored. I do the same thing over and over.”

“I’m too good to be promoted.”

“My boss doesn’t value my skills.”

Most of these statements reflect a common mistake when approaching your job.  The mistake is thinking that your job is there to make you happy.  You are dead wrong.  Your job exists to benefit the company and in doing so may benefit the employees with employment.  If your position is not seen as a benefit to the company you are in for a long disappointment.

3 Tools to Jumpstart Your Job

So how can we turn what we like to do and are good at into something that is seen as a benefit to the company.  I recommend that people approach their boss with the following three pillars:

1. Inform them about what you are working on. You may assume your boss knows what you spend your time on but in many instances you would be wrong.  You boss may know the core events but they may not know that you are working on a side project that will benefit the entire team.  You need to be your own cheerleader and in doing so you will get feedback on if you should continue these projects or realign them to something that better matches the direction of your team or company.
2. Suggestion new ideas for how you can improve the company. Suggest a new service, a new approach, a way to cut costs, a way to remove bottlenecks.  Suggesting new ideas both shows initiative and puts you on the radar of your boss as an active member of the team.  When new opportunities arise or questions need answering your boss is more likely to go to you if they feel you share their desire to act beyond your role as an individual contributor.
3. Ask how you can help. I have a million projects I am working on or being pulled into and would love for someone to volunteer to help me out.  In doing so I begin to see them doing my job so when it’s time for me to move on it’s easier for me to recommend them for my position.  Most people who are promoted are already doing the roles and responsibilities of their new position, so why not get started on your next promotion by asking for that work now.

Communication

Do not execute any of these items via email.  If TV killed the radio star then email killed the telephone.  Most people think email creates efficiency but the only thing it begets is more email.  If I receive an email over one page I usually won’t read it.  If an email takes more than a short paragraph to reply to I usually won’t reply via email.  I pick up the phone and connect with that person verbally.  Invariably it saves me valuable time and I often time solve other problems in the process.

Your boss is busy and does not want to carry on an email conversation with you to help advance your career.  Call them to get immediate feedback on your ideas.  If they don’t offer feedback then ask for it.

“Do you feel I’m moving in the right direction?”

“Will this project have a broad impact on the organization?”

“What can I do to help you advance?”

Be Decisive

One last bit of advice, be decisive.  It’s OK to tell your boss that you want their job.  In fact it may very well make it happen faster.  Be up front and honest with others while maintaining a professional tone.

So that’s it.  Inform others.  Suggest new ideas.  Ask to help.  In doing so make sure you communicate clearly and decisively.  Welcome to your new old job.  Make the most of it while you’re there!

Another device, another application ported to it for processing payments.  This is the natural evolution of any technology and like any new deployment there are advocates on either side yelling ‘tastes great’ or ‘less filling’.  So I decided to weigh in on the conversation, let you know who feels what and what the real risks are.  I actually wrote about this back in January 2009 which you can read here (and check out other posts while you’re at it.)

One on side we have Forrester researchers yelling, “Stop the Madness! Payment Apps Are On The iPad Too Soon”.

On the other hand you have the payment processors who are rolling out payment apps for the iPhone/iPad as fast as their customers demand them.  Although there are a plethora of payment apps for your iPhone/iPad there are only two, that I know of, that accept swiped credit cards magnetic stripe or track data.

• VeriFone’s PAYware Mobile (PA-DSS validated)
• Square’s Square

I’m happy to see VeriFone having their application undergo PA-DSS validation and I’m sure Square will do the same, if not for security then for marketing power.  It is these situations that I feel the naysayers are most concerned – applications that accept sensitive authentication data (ala. track data, CVV2, or PIN block data).  The reasoning is that theft or compromise of this data is what leads to the highest instance of credit card fraud in the industry.  The reason for this is that it is hard to perpetrate high-dollar credit card fraud with only the PAN and expiration data.  This is directly reflected in the resale value of PAN information which is sometimes 10-100 times less than that of the lucrative sensitive authentication data.

But let’s get real here.  The vast majority of payment applications for the iPhone/iPad only accept PAN and expiration date.  What is the real risk here?  I’m not as much worried about one of these applications being compromised as I am about the potential for iSkimming.  That’s right, did I just coin a term?

iSkimming: The sale of an altered or fradulent mobile phone payment application that sends credit card details to an attacker before routing them to an authorized payment vendor.  The attacker is able to collect or harvest the payment card details, and potentially collect a fee for the payment application itself.

Much like the physical credit card skimming in the physical world, we could see iSkimming in the virtual world.  The best way to protect against this is to NOT download an off-brand payment application.  I mean, would you use your credit card at a white-label ATM? I try not to.

If I wanted to accept mobile payments and reduce the risk of fraud, I would research the available market space and only use payment applications from vendors with a current good stranding in the industry.

Let’s not slow innovation, just be smart about it.