<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Kashif Sohail&#039;s Blog</title>
	<atom:link href="http://kashifsohail.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://kashifsohail.wordpress.com</link>
	<description>A blog from a &#039;TechnoHolic&#039;</description>
	<lastBuildDate>Mon, 14 Jun 2010 10:39:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='kashifsohail.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Kashif Sohail&#039;s Blog</title>
		<link>http://kashifsohail.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://kashifsohail.wordpress.com/osd.xml" title="Kashif Sohail&#039;s Blog" />
	<atom:link rel='hub' href='http://kashifsohail.wordpress.com/?pushpress=hub'/>
		<item>
		<title>VISA CodeSure— Chip and Pin for online or Card not present transactions</title>
		<link>http://kashifsohail.wordpress.com/2010/06/14/visa-codesure%e2%80%94-chip-and-pin-for-online-or-card-not-present-transactions/</link>
		<comments>http://kashifsohail.wordpress.com/2010/06/14/visa-codesure%e2%80%94-chip-and-pin-for-online-or-card-not-present-transactions/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 03:12:32 +0000</pubDate>
		<dc:creator>Kashif Sohail</dc:creator>
				<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Card not present]]></category>
		<category><![CDATA[CodeSure]]></category>
		<category><![CDATA[VISA]]></category>

		<guid isPermaLink="false">http://kashifsohail.wordpress.com/?p=63</guid>
		<description><![CDATA[VISA CodeSure— Chip and Pin for online or Card not present transactions]]></description>
			<content:encoded><![CDATA[<p>To effectively address the risks threatening the security of online or ‘card not present’ (CnP) transactions, VISA Europe has launched an innovative solution named VISA CodeSure. CodeSure is a technology that fuses a traditional credit card with a one-time password (OTP) generating device. VISA Europe developed this technology by partnering with an Australian company called Emue Technologies (www.emue.com).</p>
<p>Cards produced under CodeSure technology have a similar look and feel to an ordinary credit/debit card, albeit with a few differences such as an embedded e-ink display and a 12-digit keypad on the back of the card. <a href="http://kashifsohail.files.wordpress.com/2010/06/emue-card.jpg"><img class="alignnone size-full wp-image-66" title="Emue Card" src="http://kashifsohail.files.wordpress.com/2010/06/emue-card.jpg?w=248&#038;h=181" alt=" Visa CodeSure Cards" width="248" height="181" /></a></p>
<p>While chip and PIN (EMV) cards have provided reasonable assurance of security for face-to-face transactions, they are about as vulnerable as a mag-stripe card during a CnP transaction. CodeSure promises to provide an EMV-like level of security for online or CnP transactions.</p>
<p>While contemporary cards depend upon the CVV (a three-digit number printed on the back of the card, which is not stored in the track data) or static passwords (used by 3D Secure), CodeSure requires the cardholder to enter their PIN on the 12-digit keypad and obtain a one-time key to be used for the online or CnP transaction. The transaction validation process is carried out in the following order:</p>
<ol>
<li>During online shopping, the cardholder activates the authentication process by pressing the “Verified by Visa” button on the card’s keypad</li>
<li>When prompted, the cardholder enters the PIN on the keypad embedded in the card</li>
<li>A unique one-time passcode appears on the card’s display, which the cardholder then uses to authenticate a normal Verified by Visa transaction.</li>
</ol>
<p>According to VISA Europe (http://www.visaeurope.com/en/newsroom/news/articles/2010/visa_codesure_gets_green_light.aspx), CodeSure has been approved for use in the following services:</p>
<ul>
<li>PIN-generated one-time passcode for Verified by Visa payments at participating merchants globally – without changes to merchant software or cardholders having to register and remember passwords</li>
<li>PIN-generated one-time passcode for online banking access</li>
<li>PIN-generated one-time passcode for telephone banking services</li>
<li>Transaction signing for online banking services, using specific elements such as Account Reference Number or amount of transaction</li>
<li>Access to third party services such as corporate virtual private networks (VPN) for commercial card users, or frequent flyer programmes and other online services</li>
</ul>
<p>CodeSure also enables mutual authentication of both parties, i.e. the bank and the cardholder. Such mutual authentication will allow cardholders to stay safe from phishing and related identity theft attacks. CodeSure is capable of providing such mutual authentication for transactions conducted via phone as well.</p>
<p>While CodeSure is a promising technology and a step in the right direction, it seems that such technologies will take some time to be adopted, as institutions will be weighing the benefits against the cost. Issuing new cards might not be that complicated, but migrating existing customers might be a daunting task. Nevertheless, CodeSure is definitely a futuristic step and hopefully is here to stay.</p>
]]></content:encoded>
			<wfw:commentRss>http://kashifsohail.wordpress.com/2010/06/14/visa-codesure%e2%80%94-chip-and-pin-for-online-or-card-not-present-transactions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/142c6486f125cba7d4c44c58b84fe0f0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Kashif Sohail</media:title>
		</media:content>

		<media:content url="http://kashifsohail.files.wordpress.com/2010/06/emue-card.jpg" medium="image">
			<media:title type="html">Emue Card</media:title>
		</media:content>
	</item>
		<item>
		<title>Time to say good-bye to CAs?</title>
		<link>http://kashifsohail.wordpress.com/2010/04/09/time-to-say-good-bye-to-cas/</link>
		<comments>http://kashifsohail.wordpress.com/2010/04/09/time-to-say-good-bye-to-cas/#comments</comments>
		<pubDate>Fri, 09 Apr 2010 13:04:23 +0000</pubDate>
		<dc:creator>Kashif Sohail</dc:creator>
				<category><![CDATA[Information Warfare]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Protection]]></category>
		<category><![CDATA[tools]]></category>

		<guid isPermaLink="false">http://kashifsohail.wordpress.com/?p=52</guid>
		<description><![CDATA[Thoughts on CA model and its alternative.]]></description>
			<content:encoded><![CDATA[<p>I have a long history of being uncomfortable with bodies that present themselves as self-proclaimed authorities, like a ‘Certification Authority’ (CA). Even for my email communications I always favored PGP rather than trusting a so-called trusted third party to tell me whether I am talking to the right people. Such a trusted third party was never able to win over the suspicions I have regarding its legitimacy, the transparency of its operations and the measures it takes to protect its CIA (confidentiality, integrity and availability), unless they allow me to audit them.</p>
<p>Two recent posts, one regarding a ghost root CA in Firefox ( http://blogs.zdnet.com/security/?p=6016 ), and a second about the presence of a commercially available SSL-subverting appliance ( http://www.wired.com/threatlevel/2010/03/packet-forensics/ ), were viewed by me as the final straw on the back of the trust such CAs offer.</p>
<p>To me, when read together, the above-mentioned posts, coupled with a little imagination, paint a rather scary and privacy-hostile picture, where powerful bodies—state or non-state&#8211;can (or already are) able to exploit the inherent weaknesses in such a trust model for eavesdropping and monitoring our moves. Traditionally, this CA model is considered to provide reasonable protection against man-in-the-middle (MITM) attacks. The business model is straightforward: you pay those self-declared CAs a sum of money to tell your e-visitors that they are indeed visiting your website and not some rogue website. On the other hand, such assurance itself requires somewhat blind trust in the operation and motives of such CAs.</p>
<p>A worthy competitor of this centralized CA model is ‘Perspectives’, presented by the folks from Carnegie Mellon University. Details about Perspectives can be seen at http://www.cs.cmu.edu/~perspectives/index.html. Perspectives uses an interesting but simple vantage-point technique to detect MITM attacks. After installing its extension, currently available for Firefox, upon visiting a webpage that presents a self-signed certificate it will establish contact with geographically distributed servers called ‘network notary servers’ to verify whether the public key (certificate) you obtained from the visited site is the same as the key seen by those notary servers. In this simple way it can detect and notify you about the presence of a MITM while eliminating the need for investing money and trust in so-called CAs.</p>
<p>Currently, only Carnegie Mellon is operating such notary servers, but I expect other bodies and universities to provide such services soon and keep the Internet an open platform, as per its intended spirit.</p>
<p>In a nutshell, though no single solution is fool-proof, &#8216;Perspectives&#8217; gives hope to users who want to use self-signed certificates. However, when used in addition to the CA model, &#8216;Perspectives&#8217; can definitely provide better protection and peace of mind&#8212;at least to me.</p>
]]></content:encoded>
			<wfw:commentRss>http://kashifsohail.wordpress.com/2010/04/09/time-to-say-good-bye-to-cas/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/142c6486f125cba7d4c44c58b84fe0f0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Kashif Sohail</media:title>
		</media:content>
	</item>
		<item>
		<title>Compensating Controls for section 11.3 of PCI DSS (Penetration Testing)</title>
		<link>http://kashifsohail.wordpress.com/2010/03/25/compensating-controls-for-penetration-testing-section-11-3-of-pci-dss/</link>
		<comments>http://kashifsohail.wordpress.com/2010/03/25/compensating-controls-for-penetration-testing-section-11-3-of-pci-dss/#comments</comments>
		<pubDate>Thu, 25 Mar 2010 08:15:57 +0000</pubDate>
		<dc:creator>Kashif Sohail</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[compensating controls]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://kashifsohail.wordpress.com/?p=38</guid>
		<description><![CDATA[Compensating Controls for section 11.3 of PCI DSS (Penetration Testing)]]></description>
			<content:encoded><![CDATA[<p>As highlighted by a recent survey conducted by Ponemon for Thales (discussed in my previous post as well), compensating controls have emerged as an important tool that helped 41% of non-compliant businesses achieve compliance. In my opinion, the provision for compensating controls is a good option in rigid and prescriptive regulations like PCI. The business world is very dynamic and faces numerous tactical and operational challenges, hence a one-size-fits-all approach is bound to fail.</p>
<p>There are a few controls (out of around 242 controls in PCI DSS ver. 1.2.1) for which there can be no compensating control. A quick example: not using vendor-supplied defaults, as required by section 2. On the other hand, there are many controls in ver. 1.2.1 where a well thought out compensating control (CC) demonstrating a valid business need may be acceptable to the QSA, providing the basis for a business to claim its compliance.</p>
<p>The idea of compensating controls looks more promising than it actually is. CCs make more sense for legacy applications and other scenarios where businesses find themselves constrained, by valid needs, from adopting the prescribed original control. CCs help them become compliant provided they achieve the spirit of the original controls via custom-made controls. Appendix B of PCI DSS spells out the following criteria for a compensating control to be acceptable:</p>
<ol>
<li>It should meet the intent and rigor of the PCI DSS</li>
<li>It should provide a similar level of defense as the PCI DSS</li>
<li>It should be “above and beyond” other PCI DSS requirements</li>
<li>It should balance the risk of not adhering to the PCI DSS</li>
</ol>
<p>While businesses may be quick to identify the areas and highlight the business needs where a compensating control might be needed, defining controls that meet the above criteria is not always an easy task. It is rightly considered an art-cum-science, requiring a clear understanding of the intent of PCI DSS and the skills to transform it into an appropriate control, one that is not only in line with specific business needs but can also secure the certificate of approval from the QSA.</p>
<p>A few days ago, I came across a query from a client asking “why does PCI DSS require penetration testing (section 11.3), while it also mandates quarterly internal and external vulnerability scanning” (section 11.2). The enquirer went further by saying, “You do not hire a thief to prove it to you by stealing your car using some vulnerability found in the locking mechanism, as indicated in an alert issued by your car manufacturer&#8211;obviously an exaggerated analogy. If you own that model and receive the timely alerts, you will take it to the workshop and patch it. You will not ask the thief to prove that the patch is working, will you?”</p>
<p>While at first this exaggerated analogy might seem plausible to a few, let us analyze it. Real-world businesses are not that simple, where a single person owns the business, receives the alerts himself, analyzes their applicability, and decides to take appropriate action. Over time, modern businesses have evolved from a one-man show into an intricate mechanism of specialized functions with complex interdependencies. In the modern world, while some service function may deem something a high risk requiring urgent attention and resources, a person sitting at the top of the hierarchy, more concerned with business challenges like growth and competition, may deem it an expense that can be avoided or at least delayed. In addition, we also need to understand what additional benefits ‘penetration testing’ offers that vulnerability scanning or other controls cannot. Here is what PCI says about penetration testing:</p>
<p>“<em>Network and application penetration tests are different from vulnerability scans in that penetration tests are more manual, attempt to actually exploit some of the vulnerabilities identified in scans, and include techniques used by malicious individuals to take advantage of weak security systems or processes.</em></p>
<p><em>Before applications, network devices, and systems are released into production, they should be hardened and secured using security best practices (per Requirement 2.2). Vulnerability scans and penetration tests will expose any remaining vulnerabilities that could later be found and exploited by an attacker.</em>”</p>
<p>The first paragraph differentiates between vulnerability scans and penetration tests by stating that a penetration test is ‘more manual’. It further adds that penetration testers “… attempt to <em>actually</em> exploit some of the vulnerabilities identified in scans”. Therefore, a penetration test actually exploits the vulnerability to compromise the machine, mimicking the so-called ‘bad guys’. That is not all; let’s not forget the last line: “… and include techniques used by malicious individuals to take advantage of weak security systems or processes.”</p>
<p>So penetration testing is not only an exercise in exploiting systems using the vulnerabilities popped up by a vulnerability scanner, by hitting the ‘exploit’ button available in the fancier commercial exploit toolkits, and sending the auto-generated report to the client with an invoice carrying a big dollar value; it also employs other techniques. What could those other techniques be? Well, do not forget Kevin Mitnick and the 8<sup>th</sup> layer. Yes, ‘humans’. What about testing the security awareness of staff by using techniques like social engineering to gain access to the systems? And what about the inability of automated tools to correlate multiple, apparently distinct vulnerabilities in systems, procedures and/or implementation, which can be exploited once stacked and executed intuitively? In addition, the results of vulnerability scans are usually visible only within IT departments, i.e. they rarely get the attention of the top executives who own the budgets. On the contrary, results of penetration tests gain much broader visibility and hence might help IT build a better case for adequate budgets and executive support, required to duly address the looming risks. In a nutshell, vulnerability scans are concerned with the smaller part of the problem, while a significant part remains outside the scope of such scans.</p>
<p>Now to another question: what could be the compensating control for a ‘penetration test’ if a business cannot have its systems penetrated as required by 11.3? Reasons for opting for a CC could be performance issues, fear of unavailability of a critical application, or any other valid justification. We have already seen what extra mile penetration tests go compared to vulnerability scans. So the intent of PCI 11.3, as it appears to me, is to:</p>
<ul>
<li>Make the business’ security posture and practices more visible to top management and make them realize that the threat is real and IT security is not crying wolf</li>
<li>Test the patch management practices of the business</li>
<li>Test the whole IT fabric, including people, procedures and implementation, from the point of view of a duly knowledgeable and motivated attacker</li>
<li>Test the effectiveness of the business’ incident response plan—do you still think that the incident response team will not act as they “normally do” when their IDS, IPS or logs are alerting them to suspicious activities?</li>
<li>Test the security awareness of personnel.</li>
</ul>
<p>So here are some suggested compensating controls to achieve the above benefits of a penetration test without actually going through it as required by 11.3.</p>
<ul>
<li>Strengthen patch management by ensuring patches are installed within a 15-day window, to lessen the exposure of vulnerable systems</li>
<li>Test the incident response plan quarterly, and update it frequently with the lessons learned</li>
<li>Conduct the employee security awareness program continually and validate their awareness periodically (every six months) by means such as scenario-based multiple-choice questionnaires&#8211;weaknesses identified through such questionnaires should be used to strengthen the awareness program.</li>
<li>Design and conduct appropriate war-game scenarios quarterly, based on the results of the latest vulnerability scans. Such scenarios would work like desktop penetration tests, trying to exploit the vulnerabilities, firewall rules, procedures and configurations obtained from the live environment—surely, such desktop tests should be carried out by someone duly knowledgeable and experienced. Reports of such desktop penetration tests would be shared with executive management. Moreover, lessons learned would be used to further strengthen the security practices.</li>
</ul>
<p>Implementing such compensating controls may cost more than the prescribed control itself, which highlights an important point: compensating controls are not a shortcut to compliance.</p>
<p>I am thankful to the many people who shared their thoughts on various forums regarding CC. I am especially thankful to Mr. Jeff Hall for his valuable comments, in his usual lucid and logical style.</p>
<p>I welcome all logical comments on this post.</p>
]]></content:encoded>
			<wfw:commentRss>http://kashifsohail.wordpress.com/2010/03/25/compensating-controls-for-penetration-testing-section-11-3-of-pci-dss/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/142c6486f125cba7d4c44c58b84fe0f0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Kashif Sohail</media:title>
		</media:content>
	</item>
		<item>
		<title>PCI DSS Trends as seen by QSA- Survey published</title>
		<link>http://kashifsohail.wordpress.com/2010/03/21/pci-dss-trends-as-seen-by-qsa-survey-publised/</link>
		<comments>http://kashifsohail.wordpress.com/2010/03/21/pci-dss-trends-as-seen-by-qsa-survey-publised/#comments</comments>
		<pubDate>Sun, 21 Mar 2010 17:18:42 +0000</pubDate>
		<dc:creator>Kashif Sohail</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://kashifsohail.wordpress.com/?p=22</guid>
		<description><![CDATA[PCI DSS Trends 2010: QSA Insights Report published]]></description>
			<content:encoded><![CDATA[<p>A recently released survey conducted by Ponemon and Thales reveals some interesting insights into the world of PCI DSS compliance from the point of view of an important player, the QSA itself. This is the first attempt of its kind, and the findings are rather thought-provoking.</p>
<p>The survey shows that, according to QSAs, more than half of businesses (actually 51%) are not found to be proactively managing the data. It further showed that 54% of companies consider the cost of compliance overwhelming, and around 44% are of the view that PCI DSS does not improve data security.</p>
<p>Though generally considered more expensive and difficult to maintain, compensating controls have emerged as an important tool for becoming compliant. The survey suggested that 41% of businesses would fail if compensating controls were not allowed.</p>
<p>Businesses may skip most of section 3 of PCI DSS if they don’t store Cardholder Data (CHD), especially the primary account number (PAN). The survey touted chargebacks as the number one reason (83%) to store CHD. Customer service was the runner-up, with 68% of QSAs on its side.</p>
<p>Besides the above-mentioned points, the report also sheds light on QSAs’ views on other issues like the use of encryption, access controls and key management. The complete report can be downloaded from the Thales website after registration from <a title="PCI DSS Trends 2010: QSA Insight Report" href="http://iss.thalesgroup.com/l/program/pcitrendsreport.aspx?sf_id=70120000000Yan1" target="_blank">http://iss.thalesgroup.com/l/program/pcitrendsreport.aspx?sf_id=70120000000Yan1</a></p>
<p>It is also available here, without registration: <a href="http://kashifsohail.files.wordpress.com/2010/03/pci-dss-trends-qsa-insights.pdf">PCI DSS Trends &#8211; QSA Insights Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://kashifsohail.wordpress.com/2010/03/21/pci-dss-trends-as-seen-by-qsa-survey-publised/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/142c6486f125cba7d4c44c58b84fe0f0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Kashif Sohail</media:title>
		</media:content>
	</item>
		<item>
		<title>Auditing Business Continuity Plan (BCP)-part 1</title>
		<link>http://kashifsohail.wordpress.com/2010/03/19/auditing-business-continuity-plan-bcp-part-1/</link>
		<comments>http://kashifsohail.wordpress.com/2010/03/19/auditing-business-continuity-plan-bcp-part-1/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 13:47:09 +0000</pubDate>
		<dc:creator>Kashif Sohail</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Business Continuity Plan]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://kashifsohail.wordpress.com/?p=18</guid>
		<description><![CDATA[Auditing Business Continuity Plan. Spotting common mistakes]]></description>
			<content:encoded><![CDATA[<p>There are, no doubt, a number of academic and professional definitions of Business Continuity Planning (BCP), each describing this science-cum-art of safeguarding a business in the wake of a significant disruption to its critical operations. Some of these competing definitions merely use different wording for the same concept; others present an entirely different approach or paradigm for understanding and solving the problem at hand. Modern businesses have evolved into a complex collaboration of specialized corporate functions, each providing input to and receiving output from the others, and this includes functions performed by external entities. Such collaboration offers flexibility and specialization along with obvious benefits like economies of scale, but it is not without a price, and here the price is dependency. A modern business depends on various functions (internal or external) to supply its inputs, enabling it to produce its output, i.e. the products or services it offers. These dependencies are easily satisfied in the normal course of operations, but in a time of emergency (local or global) they will break. A business has to evaluate in advance which dependencies lie on the critical path (somewhat like the critical path in PERT), the imaginary path that contributes directly to the products and/or services offered, and there are different BCP models to help achieve this.</p>
<p>Once it is decided that a BCP is needed, regardless of which methodology is chosen (that discussion is out of the scope of this article), businesses set about implementing one. While endeavoring to implement BC practices in their organization with the goal of reaping the intended benefits, some companies fall into common pitfalls. There may be more, but the following are the most common ones I observed while auditing various organizations, ranging from medium to large ones.</p>
<ol>
<li>Canned BCPs</li>
<li>Overlaid BCP</li>
<li>BCP never tested</li>
<li>Ignoring human resource element</li>
</ol>
<p>Normally, when companies decide to have a BCP, owing to internal realization or regulatory requirements, the first thing they do is hire a consultant. Hiring one is a good idea, especially when the company lacks the requisite knowledge and experience with BCP, yet unfortunately this is where a good number of companies become victims of the canned BCP. A canned BCP is a pre-built, one-size-fits-all template designed by busy consulting companies, mostly in the name of standardization. After a few fields are updated (name, location, key personnel and the participants of the so-called groups and committees), such a canned template gives birth to a ‘Customized BCP’, ready to neutralize, for the time being, the objections raised by the audit committee or an external auditor. Though such a canned BCP looks like a BCP, smells like a BCP and might even taste like a BCP (which is why looks are said to be deceiving), unfortunately it does not work like a BCP. The biggest problem with a canned BCP is its acceptance within the organization. Although it apparently mandates BCP teams, suggests what is critical and proposes how to recover, its generic nature means it usually fails to cater for the specific operational uniqueness of the organization, and hence it never earns respect, even from the very team for whom it is written. Technical personnel always deem it just another document to appease the wrath of auditors or the board, while they devise parallel, mostly shaky, controls of their own to respond to a disaster.</p>
<p>It is not very difficult to spot such canned BCPs. Besides the familiar templates and language, one can also identify them by finding undocumented parallel controls actually adopted by the relevant departments, mostly the technical ones. Technical teams mostly do not trust such a BCP and treat it as a document meant for the corporate bookshelf, not for practice. Canned BCPs miss an understanding of how the corporation really works: they treat the organization’s critical functions at an abstract level and hence solve them at that level. Such a solution might work on paper but is clearly devoid of the operational details required to practice a real BCP.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p>
<p>To be concluded in subsequent posts.</p>
]]></content:encoded>
			<wfw:commentRss>http://kashifsohail.wordpress.com/2010/03/19/auditing-business-continuity-plan-bcp-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/142c6486f125cba7d4c44c58b84fe0f0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Kashif Sohail</media:title>
		</media:content>
	</item>
		<item>
		<title>Online-gambling regulatory control objectives overview</title>
		<link>http://kashifsohail.wordpress.com/2010/03/19/online-gambling-regulatory-control-objectives-overview/</link>
		<comments>http://kashifsohail.wordpress.com/2010/03/19/online-gambling-regulatory-control-objectives-overview/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 10:38:23 +0000</pubDate>
		<dc:creator>Kashif Sohail</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Online Gaming]]></category>

		<guid isPermaLink="false">http://kashifsohail.wordpress.com/?p=7</guid>
		<description><![CDATA[Analysis of regulatory principles of online gambling.]]></description>
			<content:encoded><![CDATA[<p>Dictionary.com defines gambling as “to stake or risk money, or anything of value, on the outcome of something involving chance”. The history of gambling can be traced back thousands of years. The ancient Greeks considered gambling to have been invented by the gods, and it was the pleasure of the socially privileged. In Greek mythology the universe was divided by casting an astragal (a sort of dice made of ankle bones): Zeus won the heavens, Hades the underworld and Poseidon the sea<a href="#_edn1">[i]</a>. The Romans were among the first known governments to impose laws banning gambling: all gambling except betting on sports (circus and races) was forbidden by law, although enforcement of those laws remained rather shaky, and gambling, especially dice games, was very popular among Romans. Many Roman emperors were also fond of gambling: Augustus, Nero and Claudius, to name a few<a href="#_edn2">[ii]</a>.</p>
<p>Online gambling, online gaming or eGambling is gambling played over the Internet. The history of eGambling is older than Google itself; yes, it is true. The early adopters of online gambling were established sports-betting companies, already in the business of sports betting through betting shops or telephone betting. Regulated online gambling is considered to have been born with the “Free Trade and Processing Zone Act” of 1994 issued by the government of Antigua &amp; Barbuda<a href="#_edn3">[iii]</a>, an island nation in the Caribbean Sea. That law opened the door to legal online gambling and paved the way for a regulated online gambling industry. After the successful introduction of the first online casino software from a company called Microgaming, and later an online transaction processing system from Cryptologic (WagerLogic), InterCasino became the first online casino to start operations, in 1996<a href="#_edn4">[iv]</a>.</p>
<p>Online gambling is divided into three basic categories: casino-style games, event betting, and player-to-player games. Casino-style games are replicas of the typical games found in land-based casinos, such as roulette or blackjack. Random Number Generators (RNGs) are an integral part of such games, introducing the element of chance. Event betting is betting on various events such as the outcome of football matches or horse or dog races. Poker falls into the category of skill-based games played between multiple players; large eGambling companies often also organize poker tournaments electronically over the Internet.</p>
<p>The success story of the Internet fueled the very idea of online casinos and betting shops and thus gave impetus to the mushrooming growth of the online gambling industry. Unfortunately, as in the dotcom bubble, lots of technology-minded people, rather than seasoned brick-and-mortar companies, jumped on the bandwagon and hence gave rise to a number of horrible stories. A major blow came from the US when President Bush signed the “Internet Gambling Enforcement Act” in 2006, banning online gambling in the United States. On the contrary, a number of countries, especially in Europe, decided to legalize online gambling by regulating it. According to the British Gambling Commission, it currently regulates over 3,000 operators<a href="#_edn5">[v]</a>, while the Alderney Gambling Control Commission claims to regulate over 2,000 websites<a href="#_edn6">[vi]</a>. Some major online gambling regulators include:</p>
<ul>
<li>Alderney Gambling Control Commission</li>
<li>Antigua &amp; Barbuda Directorate of Offshore Gaming</li>
<li>British Gambling Commission</li>
<li>Malta Lotteries and Gaming Authority</li>
<li>Kahnawake Gaming Commission</li>
</ul>
<h1>Regulatory Control Objectives</h1>
<p>Far from the common misconception that ‘Regulators’ are show-stoppers, in reality they are the actual ‘enablers’. They enable specific trades and practices by promulgating rules and regulations that stem from the jurisdiction’s enabling act<a href="#_edn7">[vii]</a>. In the same fashion, online gaming regulators authorize, define, dictate and monitor gaming/gambling activities in the light of their respective ‘enabling act’ to make sure that licensees comply with the jurisdiction’s applicable rules and regulations.</p>
<p>Although different online gambling jurisdictions use different terminology, in essence the following control objectives are shared among the regulators:</p>
<ul>
<li>Crime Free gambling</li>
<li>Fair gaming</li>
<li>Protecting minors</li>
<li>Protecting vulnerable people</li>
<li>Social responsibility</li>
<li>Protecting players’ rights</li>
</ul>
<p>Except for ‘Fair gaming’, all the other control objectives are considered technically less challenging, yet their continued assurance has often proved a nightmare for regulators. The majority of regulators lack suitable technical means to ascertain the actual state of a licensee’s compliance with these control objectives at a given point in time. They often depend upon rather passive means, e.g. statements made by the licensee, a report issued by an external system reviewer, or the absence of any relevant complaint. It should be kept in mind that a report issued by an external system reviewer is a statement of the licensee’s compliance or non-compliance at the point in time when the review was conducted, and hence by no means represents compliance to date or the equivalent of a continued-assurance program.</p>
<p>In pursuit of the goal of crime-free games, further sub-controls are introduced; examples of such controls are:</p>
<ul>
<li>Screening of key officials prior to approving a license</li>
<li>Introduction of anti-money laundering and counter-terrorist financing (AML/CFT) controls</li>
</ul>
<p>Controls like pre-screening of a prospective licensee’s key officials, directors, etc. are examples of “ingress” controls. While such a control might serve the purpose of screening out, at entry, persons of questionable character or with a criminal record, it usually fails to guarantee anything about their future involvement in such activities. Intimidated by the sheer volume of licensees and their key officials vis-à-vis the time, effort and means required, regulators are generally found lagging behind in verifying the overall effectiveness of, and compliance with, such controls. Furthermore, regulators are mostly concerned about directors, majority shareholders or owners of the licensee, while neglecting the CTO, CIO, DBA or other technical staff. Such staff, having practical access to the game control system, are often better placed to introduce criminal influence into the games. On the other hand, though there is insufficient data about the number of AML/CFT instances in which online gambling was used to launder money, owing to its nature online gambling is prone to AML and particularly CFT-related threats. Player-to-player games like poker in particular can easily be used as a medium for terrorist financing activities by disbursing small amounts of money in the shape of apparently legitimate-looking transactions, defeating the conventional rule-based AML controls generally suggested by regulators.</p>
<p>Protecting minors and vulnerable people are obviously desirable objectives. They mostly require controls like age verification for minors and the provision of self-exclusion or self-limiting screens for vulnerable people. Once duly in place, the above-mentioned controls are usually found to be reasonably effective; however, the practical usefulness of such self-exclusion and self-limiting screens demands further study. For social responsibility, direct advertisement and endorsement by socially prominent and influential people such as celebrities are discouraged and banned by regulators.</p>
<p>Fair gaming is a very broad objective, a kind of motherhood objective which gives rise to a whole set of child objectives. Owing to the online nature of the gambling, i.e. it is played with the help of computers over the Internet, the majority of regulators did not reinvent the wheel and rather aptly adopted customized versions of ISO 17799. ISO 17799 is a universally accepted set of best-practice recommendations for initiating, implementing or maintaining an Information Security Management System (ISMS)<a href="#_edn8">[viii]</a>.</p>
<p>Game fairness is typically verified by reviewing the Internal Control System (ICS) or control system (CS) of the licensee. The Alderney Gambling Control Commission has defined an ICS as “a system of controls and administrative and accounting procedures used by an eGambling licensee for the conduct of eGambling.”<a href="#_edn9">[ix]</a> An ICS is the product of administrative and technical controls. Administrative controls include a suitable corporate structure ensuring appropriate checks and balances, and a formal accounting approach to handling the gaming funds. On the other hand, the list of technical controls derived from ISO 17799 is further augmented with controls such as the use of suitable Random Number Generators (RNGs).</p>
<p>While the other ISO 17799-based controls may be more familiar to IS auditors, RNGs are a relatively less known control. RNGs are used to introduce the element of chance into online casino games, e.g. the roll of dice. Words of wisdom like &#8220;Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin&#8221; by John von Neumann, or comics like Dilbert (Figure 1), have highlighted the practical issues with true random numbers; hence pseudo-random number generators (PRNGs) are the norm of the trade. A PRNG produces numbers that approximate the properties of random numbers.<a href="#_edn10">[x]</a></p>
<p>Figure 1 (Dilbert comic on random numbers, referenced above)</p>
<p>The use of software-based pseudo-random number generators (PRNGs), especially closed-source ones using proprietary algorithms, poses another significant threat to game fairness, i.e. the presence of a potential backdoor allowing a malicious wrongdoer to tamper with the results. Although statistical testing of the output produced by such a PRNG under normal conditions might fall near the definition of acceptable random numbers, in the absence of rigorous source code review its results cannot be trusted completely.</p>
<p>Other controls suggested by ISO 17799, especially controls affecting the integrity and confidentiality of the ICS, players and game data, are also adopted by regulators in their respective compliance verification programs. Such generally accepted controls, if implemented successfully, definitely lend credibility to the ICS and to the games offered through it.</p>
<p>This brief overview of the control objectives of the recently regulated online gaming industry, which has an expected growth rate of 10.3 percent per annum until 2012, reaching a total market volume of $24.4 billion<a href="#_edn11">[xi]</a>, surely demands further research. Considering such growth prospects, there is now more need than ever not only to evaluate, define and refine the existing control objectives governing this industry, but also to introduce further controls to address the challenges posed by the ever-changing and volatile world of online gambling. This piece of writing is meant to start a whole new debate regarding this emerging area of the “Regulatory Compliance” universe.</p>
<hr size="1" /><p><a href="#_ednref1">[i]</a> The Encyclopedia of Gambling by Peter Arnold</p>
<p><a href="#_ednref2">[ii]</a> <a href="http://www.mariamilani.com/ancient_rome/ancient_roman_games_entertainment.htm">http://www.mariamilani.com/ancient_rome/ancient_roman_games_entertainment.htm</a></p>
<p><a href="#_ednref3">[iii]</a> <a href="http://www.gamblingplanet.org/history_main.php">http://www.gamblingplanet.org/history_main.php</a>; <a href="http://www.nobluff.com/online-gambling-history.html">http://www.nobluff.com/online-gambling-history.html</a></p>
<p><a href="#_ednref4">[iv]</a> <a href="http://www.onlinecasinoreports.com/school/industrytimeline/">http://www.onlinecasinoreports.com/school/industrytimeline/</a></p>
<p><a href="#_ednref5">[v]</a> <a href="http://www.gamblingcommission.gov.uk/pdf/Licensing,%20compliance%20and%20enforcement%20-%20licensing%20-%20final%20regulatory%20impact%20assessment%20-%20Feb%202007.pdf">http://www.gamblingcommission.gov.uk/pdf/Licensing,%20compliance%20and%20enforcement%20-%20licensing%20-%20final%20regulatory%20impact%20assessment%20-%20Feb%202007.pdf</a></p>
<p><a href="#_ednref6">[vi]</a> <a href="http://www.gamblingcontrol.org/about_us2.php">http://www.gamblingcontrol.org/about_us2.php</a></p>
<p><a href="#_ednref7">[vii]</a> <a href="http://en.wikipedia.org/wiki/Gaming_Control_Board">http://en.wikipedia.org/wiki/Gaming_Control_Board</a></p>
<p><a href="#_ednref8">[viii]</a> <a href="http://en.wikipedia.org/wiki/ISO/IEC_27002">http://en.wikipedia.org/wiki/ISO/IEC_27002</a></p>
<p><a href="#_ednref9">[ix]</a> Alderney Gambling Control Commission &#8211; Technical Standards and Guidelines for Internal Control Systems and Internet Gambling Systems</p>
<p><a href="#_ednref10">[x]</a> <a href="http://en.wikipedia.org/wiki/Pseudorandom_number_generator">http://en.wikipedia.org/wiki/Pseudorandom_number_generator</a></p>
<p><a href="#_ednref11">[xi]</a> <a href="http://www.online-casinos.com/news/news7950.asp">http://www.online-casinos.com/news/news7950.asp</a>; <a href="http://www.recentpoker.com/news/online-gambling-growth-1412.html">http://www.recentpoker.com/news/online-gambling-growth-1412.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://kashifsohail.wordpress.com/2010/03/19/online-gambling-regulatory-control-objectives-overview/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/142c6486f125cba7d4c44c58b84fe0f0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Kashif Sohail</media:title>
		</media:content>
	</item>
		<item>
		<title>Disclaimer</title>
		<link>http://kashifsohail.wordpress.com/2010/03/19/disclaimer/</link>
		<comments>http://kashifsohail.wordpress.com/2010/03/19/disclaimer/#comments</comments>
		<pubDate>Fri, 19 Mar 2010 10:36:51 +0000</pubDate>
		<dc:creator>Kashif Sohail</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://kashifsohail.wordpress.com/?p=9</guid>
		<description><![CDATA[Disclaimer, applicable to all subsequent blogs/posts.]]></description>
			<content:encoded><![CDATA[<p>Views shared on this blog are my own and are not necessarily those of any company, client, etc. for which I work or have worked.</p>
]]></content:encoded>
			<wfw:commentRss>http://kashifsohail.wordpress.com/2010/03/19/disclaimer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/142c6486f125cba7d4c44c58b84fe0f0?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Kashif Sohail</media:title>
		</media:content>
	</item>
	</channel>
</rss>
