Only 27.9% of organizations able to maintain compliance with the PCI DSS

Global organizations continue to put their customers’ cardholder data at risk due to a lack of long term payment security strategy and execution, flags the Verizon report.


With many companies struggling to retain qualified CISOs or security managers, the lack of long-term security thinking is severely impacting sustained compliance within the Payment Card Industry Data Security Standard (PCI DSS).

Cybercriminals still mostly targeting payment data

Payment data remains one of the most sought after and lucrative targets by cybercriminals with 9 out of 10 data breaches being financially motivated, as highlighted by the report. Within the retail sector alone, 99 percent of security incidents were focused on acquiring payment data for criminal use.

On average only 27.9 percent of global organizations maintained full compliance with the PCI DSS, which was developed to help businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.

More concerning, this is the third successive year that a decline in compliance has occurred with a 27.5 percentage point drop since compliance peaked in 2016.

“Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business.

“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information.

“Payment security has to be seen as an on-going business priority by all companies that handle any payment data, they have a fundamental responsibility to their customers, suppliers and consumers.”

Few organizations successfully test security systems

Additional findings shine a spotlight on security testing and access monitoring: only 51.9 percent of organizations successfully test their security systems and processes, and only approximately two-thirds of all businesses adequately track and monitor access to business-critical systems.

In addition, only 70.6 percent of financial institutions maintain essential perimeter security controls.

“This report is a welcome wake-up call to organizations that strong leadership is required to address failures to adequately manage payment security. The Verizon Business report aligns well with Omdia’s view that the alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, in this case with PCI DSS 3.2.1 to provide appropriate levels of payment security.

“It makes clear that long-term data security and compliance combines the responsibilities of a number of roles, including the Chief Information Security Officer, the Chief Risk Officer, and Chief Compliance Officer, which Omdia concurs with,” comments Maxine Holt, senior research director at Omdia.


Difficulty to maintain PCI DSS compliance impacts all businesses

SMBs were flagged as having their own unique struggles with securing payment data. While smaller businesses generally have less card data to process and store than larger businesses, they have fewer resources and smaller budgets for security, impacting the resources available to maintain compliance with PCI DSS.

Often the measures needed to protect sensitive payment card data are perceived as too time-consuming and costly by these smaller organizations, but as the likelihood of a data breach for SMBs remains high it is imperative that PCI DSS compliance is maintained.

The on-going CISO challenge: Security strategy and compliance

The report also explores the challenges CISOs face in designing, implementing and maintaining an effective and sustainable security strategy, and how these can ultimately contribute to the breakdown of compliance and data security management.

These problems were found to be organizational rather than technological: weaknesses that could be resolved by more mature management skills, including creating formalized processes, building a business model for security, and defining a sound security strategy with operating models and frameworks.

Money is still the root of most breaches

Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened in, or were discovered in, the past year.

Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals and parts of the world face.

2019 cyber attack trends: the “WHO”

The researchers analyzed 32,002 security incidents that resulted in the compromise of an information asset. Of those, 3,950 were data breaches, i.e., incidents that resulted in the confirmed disclosure of data to an unauthorized party.

The report is massive, so we’ll highlight some interesting tidbits and findings:

  • 70% of breaches perpetrated by external actors (except in the healthcare vertical, where it’s 51% external, 48% internal)
  • 86% of breaches were financially motivated
  • Organized criminal groups were behind 55% of breaches
  • 72% of breaches involved large business victims


“This year’s DBIR has once again highlighted the principal motive for the vast majority of malicious data breaches: the pursuit of profit. This is surprising to some, given the extensive media coverage of national security-related breaches. However, it should not be. Most malicious cyber actors are not motivated by national security or geopolitical objectives, but rather by simple greed,” the data scientists who compiled the report noted.

“Financially motivated breaches are more common than Espionage by a wide margin, which itself is more common than all other motives (including Fun, Ideology and Grudge, the traditional ‘go to’ motives for movie hackers).”

2019 cyber attack trends: the “HOW”

The majority of data breaches (67% or more) are caused by credential theft, social attacks (phishing, business email compromise, pretexting) and errors (mostly misconfiguration and misdelivery of documents and email).

“These tactics prove effective for attackers, so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts,” they advised.

Another interesting finding is that attacks on web apps were a part of 43% of breaches, which is more than double the results from last year. The researchers put this down to more workflows moving to cloud services and attackers adjusting to the shift.

“The most common methods of attacking web apps are using stolen or brute-forced credentials (over 80%) or exploiting vulnerabilities (less than 20%) in the web application to gain access to sensitive information,” they shared.
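The "stolen or brute-forced credentials" finding is only useful if you can see it in your own logs. The following is an added example, not code from the DBIR or from Verizon: detection logic for two of the patterns behind that figure, a single account hammered from one address and a credential-stuffing run that walks a stolen list through many accounts, run over constructed web-application login events. The JSON-lines format, the field names `ts`/`src_ip`/`user`/`result`, the thresholds and the documentation-range IP addresses are all assumptions made for the illustration; map them onto whatever your application, gateway or identity provider actually emits.

```python
"""Flag brute-force and credential-stuffing patterns in web login logs.

Added example; the log format (one JSON object per line with ts, src_ip,
user, result) and the thresholds are assumptions, not a real product's schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _line(ts, ip, user, result):
    return json.dumps({"ts": ts, "src_ip": ip, "user": user, "result": result})


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_LOG = "\n".join(
    # one account hammered from one address: classic brute force
    [_line(f"2020-05-19T10:00:0{i}Z", "203.0.113.5", "alice", "fail") for i in range(1, 7)]
    # one address walking through a stolen credential list, then a hit
    + [_line(f"2020-05-19T11:00:{i:02d}Z", "198.51.100.7", f"user{i:02d}", "fail") for i in range(10)]
    + [_line("2020-05-19T11:00:15Z", "198.51.100.7", "dave", "success")]
    # an ordinary user mistyping once, then logging in
    + [_line("2020-05-19T12:00:00Z", "192.0.2.10", "bob", "fail"),
       _line("2020-05-19T12:00:05Z", "192.0.2.10", "bob", "success")]
)


def parse_lines(text):
    """Parse JSON-lines auth events and return them ordered by timestamp."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect(events, window=timedelta(minutes=10), bf_threshold=5, stuffing_threshold=8):
    """Return findings for two patterns over a sliding time window.

    brute_force: >= bf_threshold failed logins for one (src_ip, user) pair.
    credential_stuffing: >= stuffing_threshold distinct usernames tried from
    one src_ip; a success from that address inside the window is additionally
    reported as possible_compromise, because a stuffing run that logs in has
    found a reused password, not a typo-prone user.
    """
    findings = []
    pair_failures = defaultdict(deque)   # (src_ip, user) -> failure timestamps
    ip_attempts = defaultdict(deque)     # src_ip -> (ts, user, result)
    flagged_pairs, flagged_ips = set(), set()

    for ev in events:
        ts, ip, user, result = ev["ts"], ev["src_ip"], ev["user"], ev["result"]

        if result == "fail":
            q = pair_failures[(ip, user)]
            q.append(ts)
            while ts - q[0] > window:          # drop failures older than the window
                q.popleft()
            if len(q) >= bf_threshold and (ip, user) not in flagged_pairs:
                flagged_pairs.add((ip, user))
                findings.append({"type": "brute_force", "src_ip": ip, "user": user,
                                 "failures": len(q), "at": ts.isoformat()})

        q = ip_attempts[ip]
        q.append((ts, user, result))
        while ts - q[0][0] > window:
            q.popleft()
        distinct_users = {u for _, u, _ in q}
        if len(distinct_users) >= stuffing_threshold:
            if ip not in flagged_ips:
                flagged_ips.add(ip)
                findings.append({"type": "credential_stuffing", "src_ip": ip,
                                 "distinct_users": len(distinct_users), "at": ts.isoformat()})
            if result == "success":
                findings.append({"type": "possible_compromise", "src_ip": ip,
                                 "user": user, "at": ts.isoformat()})
    return findings


def run_sample():
    """Run both rules over the constructed sample and return the findings."""
    return detect(parse_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed input the brute-force rule fires on the fifth failure against `alice`, the stuffing rule fires once eight distinct usernames have been tried from one address, and the later success for `dave` from that same address is surfaced as a possible compromise rather than buried among ordinary logins. Real stuffing campaigns are usually spread across many source addresses, so in production you would also key on user agent, ASN or the global rate of first-seen usernames failing; the thresholds here are deliberately low so the sample triggers.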

Less than 5% of breaches involved exploitation of a vulnerability, and it seems that most organizations are doing a good job at patching – at least at patching the assets they know about.

“Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defenses,” the authors pointed out.

Most malware is still delivered by email and the rest via web services. Attackers have mostly given up on cryptocurrency mining malware, RAM scrapers and malware with vulnerability exploits, but love password dumpers, malware that captures app data, ransomware and downloaders.

Even though it is a small percentage of all incidents, financially motivated social engineering is on the rise – and attackers have largely stopped asking for W-2 data of employees and switched to asking for the cash directly.

Cloud assets were involved in about 22% of breaches this year, while the rest were on-premises assets.

“Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials. This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims,” they noted.

Use the information to improve defenses

An interesting finding that can be used by defenders to their advantage is that attackers prefer short paths to a data breach. Throwing things in their way to increase the number of actions they have to take is likely to decrease their chance of making off with the data.

Knowing which actions happen at the beginning, middle and end of incidents and breaches can also help defenders react quickly and with purpose.


“Malware is rarely the first action in a breach because it obviously has to come from somewhere. Conversely, Social actions almost never end an attack. In the middle, we can see Hacking and Malware providing the glue that holds the breach together. And so, [another] defensive opportunity is to guess what you haven’t seen based on what you have,” the authors noted.

“For example, if you see malware, you need to look back in time for what you may have missed, but if you see a social action, look for where the attacker is going, not where they are. All in all, paths can be hard to wrap your head around, but once you do, they offer a valuable opportunity not just for understanding the attackers, but for planning your own defenses.”

What should organizations do to bolster their cyber security posture?

DBIR report author and Information Security Data Scientist Gabe Bassett advises organizations to keep doing what they are doing: anti-virus at the host, network, and proxy level plus patching and filtering (e.g., with firewalls) will help push the attackers towards other attacks.

“Address the human element. The top actions (phishing, use of stolen credentials, misconfiguration, misdelivery, and misuse) all involve people. No-one is perfect so find ways to set people up for success and be prepared to handle their mistakes,” he noted, and added that all organizations should have some level of security operations.

“You can’t make the defenses high enough, wide enough, deep enough, or long enough to keep an attacker out if you don’t have someone watching the wall. For large organizations this means having a dedicated security operations center. For smaller ones it may mean taking advantage of economies of scale, either by acquiring managed security services directly, or by using services (payment systems, cloud services, and other managed services that have security operations incorporated).”

Finally, to add extra steps to the attackers’ path and to deter all but the most persistent ones, organizations should use two-factor authentication whenever possible.

Orgs that sacrifice mobile security are twice as likely to suffer a compromise

The percentage of companies admitting to having suffered a mobile-related compromise has grown (39%, compared to last year’s 33%), even though a higher percentage of organizations decided not to sacrifice the security of mobile and IoT devices to meet business targets, Verizon has revealed in its third annual Mobile Security Index report. The report is based on a survey of 876 professionals responsible for buying, managing and securing mobile and IoT devices, as well as input from security and management companies such as Lookout, VMware and Wandera.

The report also shows that attackers hit businesses big and small, and operating in diverse industries, and that those that had sacrificed mobile security in the past year were 2x as likely to suffer a compromise.

66% of those that suffered a mobile-related compromise said that the impact was major, and 55% of those companies said that they suffered lasting repercussions.


“Among those in our survey that had experienced a compromise, downtime was even more common as a consequence than loss of data. Financial services companies were particularly concerned about this – 95% said that their customers expect a reliable service and that even a few minutes of unplanned downtime could have an adverse impact on the company’s reputation,” Verizon pointed out.

Mobile threats

Phishing continues to be the most common attack type leveraged against all users and it’s getting ever more sophisticated and targeted.

Mobile users are at a disadvantage because red flags are more difficult to spot in emails rendered on mobile devices, but also because phishers are taking advantage of other communication mediums – such as messaging, gaming, social media apps – for which many organizations don’t have filtering in place.

When attendees of a mobile security event were sent a phishing email that purported to be from the hotel they were staying in, offering a free drink at the bar, a whopping 70% opened it and clicked on the link, according to VMware. Similarly, in a test carried out by a Lookout customer, 54% of executives tapped on a malicious link included in an SMS that looked like it was from a hotel they were due to check into.

Hackers keep devising new and effective pretexts to get targets to click on malicious links, and new ways to disguise those links.

They are also finding new ways to hide malicious links and text from spam and phishing filters used by email/SaaS providers (one of the most recent is using customized fonts and a simple substitution cipher).
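The font trick mentioned above is worth seeing end to end, because it defeats any filter that matches keywords against the stored text. The following is an added example, not from the Verizon report or any vendor: the attacker stores the message as the image of a simple substitution cipher and ships a custom web font whose glyph for each stored letter draws the original letter, so the recipient reads "password" while the mail server sees "kzhhdliw". Two things are assumptions of this example rather than a real artifact: the font bytes are a placeholder (a real attack embeds a genuine WOFF whose outlines perform the swap, which is why the mapping cannot be read off the font's character map alone), and the `deobfuscate` step presumes the mapping has already been recovered, for instance by rendering the font. The detector does not need the mapping: it keys on the combination of an embedded web font and visible text that scores as gibberish before rendering.

```python
"""Custom-font phishing obfuscation and a detector for it.

Added example, not from the Verizon report. A real attack ships a WOFF font
whose glyph outlines draw each stored letter as a different letter; here the
font bytes are a placeholder and the glyph swap is modelled as a dict, which
is an assumption of this example.
"""
import base64
import html
import re
import string

# Words a filter might look for, and a small "dictionary" for scoring text.
KEYWORDS = {"password", "verify", "account", "login", "bank"}
COMMON_WORDS = {"please", "verify", "your", "account", "password", "to", "keep",
                "login", "active", "the", "and", "click", "here", "dear", "customer"}

# What the victim should read once the browser applies the attacker's font.
PLAINTEXT = "please verify your account password to keep your login active"


def reversal_cipher():
    """A simple substitution: a<->z, b<->y, ... (plaintext letter -> stored letter)."""
    letters = string.ascii_lowercase
    return dict(zip(letters, reversed(letters)))


def obfuscate(text, enc):
    """Store each letter as its cipher image; the font undoes this visually."""
    return "".join(enc.get(ch, ch) for ch in text)


def deobfuscate(text, enc):
    """Invert the mapping (assumes it has been recovered, e.g. by rendering the font)."""
    inv = {v: k for k, v in enc.items()}
    return "".join(inv.get(ch, ch) for ch in text)


def build_email(plaintext, enc=None):
    """Return an HTML body; with enc, embed a custom font and the ciphered text."""
    if enc is None:
        return f"<html><body><p>{html.escape(plaintext)}</p></body></html>"
    fake_font = base64.b64encode(b"wOFF placeholder bytes, not a real font").decode()
    body = html.escape(obfuscate(plaintext, enc))
    return (
        "<html><head><style>"
        f"@font-face {{ font-family: 'x'; src: url(data:font/woff;base64,{fake_font}); }}"
        " body { font-family: 'x'; }"
        f"</style></head><body><p>{body}</p></body></html>"
    )


def visible_text(doc):
    """Text a keyword filter sees: markup and stylesheet stripped, entities decoded."""
    doc = re.sub(r"<style.*?</style>", " ", doc, flags=re.S)
    return html.unescape(re.sub(r"<[^>]+>", " ", doc)).strip()


def naive_keyword_filter(doc):
    """The filter the attacker is evading: substring match on the stored text."""
    text = visible_text(doc).lower()
    return sorted(k for k in KEYWORDS if k in text)


def gibberish_ratio(text):
    """Fraction of alphabetic tokens that are not dictionary words."""
    tokens = re.findall(r"[a-z]+", text.lower())
    if not tokens:
        return 0.0
    return sum(t not in COMMON_WORDS for t in tokens) / len(tokens)


def has_embedded_font(doc):
    return re.search(r"@font-face[^}]*data:font", doc) is not None


def suspicious(doc, threshold=0.5):
    """Heuristic: an embedded web font plus text that reads as gibberish before
    rendering is the signature of this trick, whatever the mapping is."""
    return has_embedded_font(doc) and gibberish_ratio(visible_text(doc)) >= threshold


if __name__ == "__main__":
    enc = reversal_cipher()
    evil = build_email(PLAINTEXT, enc)
    print("stored text:", visible_text(evil))
    print("keyword hits:", naive_keyword_filter(evil))
    print("suspicious:", suspicious(evil))
    print("recovered:", deobfuscate(visible_text(evil), enc))
```

The keyword filter finds all four lure words in the plain version of the message and none in the obfuscated one, while the heuristic flags only the obfuscated one. In production the dictionary would be a real word list and the font check would also cover external `src: url(...)` fonts and `unicode-range` tricks; rendering the mail to an image and running OCR over it is the heavier but mapping-independent alternative.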

Downloading and installing apps that ask for permission to access all kinds of (potentially sensitive) data represents a risk, but malware posing as legitimate apps presents a more immediate danger.

“Of organizations that were compromised, 21% said that a rogue or unapproved application had contributed to the incident,” Verizon noted.

Other risks come from insecurely coded apps by reputable companies, mobile cryptojacking apps and the general user inconsistency when it comes to regularly updating their many apps.

For example: six months after WhatsApp announced that users had been subject to a spate of attacks where hackers exploited a buffer overflow vulnerability to run malicious code on victims’ devices (without requiring user interaction), more than 1 in 15 users hadn’t updated and remained susceptible to attack.

Then there are the threats involving the devices: device loss and theft, SIM swapping, juice jacking, unsecured devices open to compromise by physically present attackers (e.g., office colleagues, abusive partners, etc.).

Finally, the network threats: insecure networks, MitM attacks (through rogue access points), etc. Some companies ban employees from using public Wi-Fi for work-related tasks, but 55% of those who know that public Wi-Fi is prohibited use it anyway, Verizon found.

IoT threats

49% of organizations are now using IoT devices – to enhance productivity, physical security, products and services, and measure the wellness of people – and most adopters consider them critical or very important to the smooth running of their organization.

Almost half of those that Verizon surveyed that were using IoT had at least one full-scale deployment and 33% said they have over 1,000 IoT devices in use. Nearly a third (31%) of those with IoT deployments admitted to having suffered a compromise involving an IoT device.

While the biggest concern at the moment is IoT devices getting conscripted into a botnet, organizations should also be concerned about data tampering and IoT devices being used as a stepping stone to more sensitive data and wider business systems.

The good news regarding IoT is that new regulations are slowly coming into force to help protect businesses, consumers and citizens from IoT-related attacks, and they are expected to push manufacturers into implementing more security in their products, but also organizations into using these features.

“Even though IoT-specific regulations are yet to come into force in most jurisdictions, we’re already seeing a shift in the mindset of organizations. Seventy-four percent of IoT respondents said they have reassessed the risk associated with IoT devices in light of regulatory changes,” Verizon pointed out.

Verizon lays off more Yahoo/AOL employees after another drop in revenue

[Image: A monitor seen on the floor of the New York Stock Exchange on Tuesday, Sept. 4, 2018.]

Verizon this week is laying off another 150 staffers from the Verizon Media division that includes the Yahoo and AOL subsidiaries, according to a CNN report.

“Verizon Media employs around 10,500 people, so these cuts will amount to 1.4 percent of its work force. It’s unclear which brands will be affected,” CNN wrote.

A Verizon spokesperson confirmed the layoffs, according to the CNN article. We contacted Verizon today and will update this article if we get any more information.

The latest layoffs are less extensive than a major round of job cuts in January 2019. Verizon at that time laid off about 800 people, or about seven percent of the 11,385 workers then employed by Verizon Media.

Verizon purchased Yahoo for $4.48 billion in June 2017 and AOL for $4.4 billion in June 2015. But Verizon’s strategy of acquiring declining online media brands hasn’t been successful in challenging Google and Facebook in the advertising market.

In December 2018, Verizon said in a Securities and Exchange Commission filing that it had “experienced increased competitive and market pressures throughout 2018 that have resulted in lower-than-expected revenues and earnings,” and that “[t]hese pressures are expected to continue.” Verizon at the time recorded a non-cash goodwill impairment charge of about $4.6 billion, wiping out nearly all of the Yahoo/AOL division’s goodwill value.

In Q3 2019, the most recent quarter, Verizon reported media-division revenue of $1.8 billion, down two percent year over year. The two-percent decline represented an “improvement in revenue trends,” Verizon said. “Gains in native and mobile advertising continue to be offset by declines in desktop advertising, though the business is building momentum in key areas.”

“We are migrating customers to our recently integrated native and demand-side advertising platforms with double-digit growth year over year,” Verizon CFO Matt Ellis said in an earnings call on October 25. “For the first time, we are seeing mobile traffic increases outpace desktop traffic declines in our core owned and operated products, including sports, finance, news, entertainment, home and mail.”

Verizon Media CEO Guru Gowrappan said last month that the company is focused on growing the division’s advertising, subscriptions, and e-commerce businesses, according to the CNN report.

“Today we are investing in premium content, connections, and commerce experiences that connect people to their passions and continue to align our resources to opportunities where we feel we can differentiate ourselves and scale faster,” Verizon said in a statement about this week’s layoffs.

Verizon reportedly blocks archivists from Yahoo Groups days before deletion

[Image: The Yahoo Groups home page (for now).]

An ad-hoc group scrambling to archive as much content as possible from Yahoo Groups ahead of the site’s final demise next week is running into trouble as more than a hundred volunteer archivists say Yahoo’s parent company, Verizon, has banned their accounts.

Yahoo Groups has been on the wane for years, but Verizon announced its official date of death two months ago. Users were blocked from uploading or posting new content to the site as of October 28, and all content currently on the site is slated to be deleted on December 14—less than one week from now.

Members of the Archive Team have been working rapidly to preserve content from as many groups as possible in that six-week time frame. The volunteers have been using “semi-automated” scripts to join groups rapidly and are using a third-party tool known as PGOffline to access messages, photos, and files not captured by Verizon/Yahoo’s data download or export tool. They estimate that as a result of this weekend’s blocks, they have now lost access to 80 percent of the material they were attempting to preserve.

One volunteer working on the effort shared a response she received from Verizon in a blog post yesterday. The Verizon representative said the 128 volunteers from Archiveteam.org, who joined groups with the intent of archiving them, were banned for violating the Verizon Media terms of service and would not be able to have their accounts reinstated.

“I understand your usage of groups is different from the majority of our users, and we understand your frustration,” the Verizon employee added. “However, the resources needed to maintain historical content from Yahoo Groups pages is cost-prohibitive, as they’re largely unused.”

This is not the first time Verizon and the Archive Team have butted heads. Almost exactly a year ago, members of the Archive Team working to preserve Tumblr content had their accounts banned. In that case, however, volunteers found their way around Verizon’s block and continued their work within a day.

The Organization for Transformative Works—the nonprofit best known for running the decade-old, Hugo-winning fanfiction site Archive of Our Own—has joined the chorus calling on Verizon to postpone the deletion date by six months, until May 14, 2020, in order to allow volunteers to archive more material.

Ars has asked Verizon for comment and will update this story if we hear back.

FCC tries to bury finding that Verizon and T-Mobile exaggerated 4G coverage

[Image: Ajit Pai, chairman of the Federal Communications Commission, during an interview in New York, on Tuesday, Nov. 5, 2019. Credit: Getty Images | Bloomberg]

Verizon, T-Mobile, and US Cellular exaggerated their 4G coverage in official filings to the Federal Communications Commission, an FCC investigation found. But FCC officials confirmed that Chairman Ajit Pai does not plan to punish the three carriers in any way. Instead, the FCC intends to issue an enforcement advisory to the broader industry, reminding carriers “of the penalties associated with filings that violate federal law.”

“Overstating mobile broadband coverage misleads the public and can misallocate our limited universal service funds, and thus it must be met with meaningful consequences,” FCC staff said in an investigative report released today.

But there won’t be any meaningful consequences for Verizon, T-Mobile, and US Cellular. “Based upon the totality of the circumstances, the investigation did not find a sufficiently clear violation of the MF-II [Mobility Fund Phase II] data collection requirements that warranted enforcement action,” an FCC spokesperson told Ars via email.


5G won’t change everything, or at least probably not your things

[Image: Artist’s impression of millimeter-wave 5G speeds. Credit: Aurich Lawson / Getty]

The long-touted fifth generation of wireless communications is not magic. We’re sorry if unending hype over the world-changing possibilities of 5G has led you to expect otherwise. But the next generation in mobile broadband will still have to obey the current generation of the laws of physics that govern how far a signal can travel when sent in particular wavelengths of the radio spectrum and how much data it can carry.

For some of us, the results will yield the billions of bits per second in throughput that figure in many 5G sales pitches, going back to early specifications for this standard. For everybody else, 5G will more likely deliver a pleasant and appreciated upgrade rather than a bandwidth renaissance.

That doesn’t mean 5G won’t open up interesting possibilities in areas like home broadband and machine-to-machine connectivity. But in the form of wireless mobile device connectivity we know best, 5G marketing has been writing checks that actual 5G technology will have a lot of trouble cashing.

A feuding family of frequencies

The first thing to know about 5G is that it’s a family affair—and a sometimes-dysfunctional one.

Wireless carriers can deploy 5G over any of three different ranges of wireless frequencies, and one of them doesn’t work anything like today’s 4G frequencies. That’s also the one behind the most wild-eyed 5G forecasts.

Millimeter-wave 5G occupies bands much higher than any used for 4G LTE today—24 gigahertz and up, far above the 2.5 GHz frequency of Sprint, hitherto the highest-frequency band in use by the major US carriers.

At those frequencies, 5G can send data with fiber optic speeds and latency—1.2 Gbps of bandwidth and latency from 9 to 12 milliseconds, to cite figures from an early test by AT&T. But it can’t send them very far. That same 2018 demonstration involved a direct line of sight and only 900 feet of distance from the transmitter to the test site.
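As an added illustration that is not part of the article, the distance penalty it describes is already visible in the free-space path loss formula. For a link of distance $d$ at carrier frequency $f$, with $c$ the speed of light and isotropic antennas at both ends,

$$\mathrm{FSPL}(d, f) = 20\log_{10}\!\left(\frac{4\pi d f}{c}\right)\ \text{dB}.$$

Holding $d$ fixed, moving from Sprint’s 2.5 GHz band to a 28 GHz millimeter-wave band (an illustrative choice inside the 24 GHz-and-up range; the article does not say which band AT&T’s test used) costs

$$\Delta = 20\log_{10}\!\left(\frac{28}{2.5}\right) = 20\log_{10}(11.2) \approx 21\ \text{dB},$$

roughly a factor of 125 in received power. Equivalently, for the same free-space loss the 28 GHz link must be about 11 times shorter than the 2.5 GHz one. Real deployments depart from this idealised number in both directions: high-gain beamforming arrays recover part of the loss, while the walls and foliage discussed below add attenuation the formula does not model at all.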

Those distance and line-of-sight hangups still persist, although the US carriers that have pioneered millimeter-wave 5G say they’re making progress in pushing them outward.

“Once you get enough density of cell sites, this is a very strong value proposition,” said Ashish Sharma, executive vice president for IoT and mobile solutions at the wireless-infrastructure firm Inseego. He pointed in particular to recent advances in solving longstanding issues with multipath reception, when signals bounce off buildings.

[Image: There are a lot of “5G” stock images available. Some of them are more optimistic than others. This is one of the more optimistic ones. Credit: Photographer is my life / Getty]

Reception inside those buildings, however, remains problematic. So does intervening foliage. That’s why fixed-wireless Internet providers using millimeter-wave technology like Starry have opted for externally placed antennas at customer sites. Verizon is also selling home broadband via 5G in a handful of cities.

Below millimeter-wave, wireless carriers can also serve up 5G on mid- and low-band frequencies that aren’t as fast or responsive but reach much farther. So far, 5G deployments outside the US have largely stuck to those slower, lower-frequency bands, although the industry expects millimeter-wave adoption overseas to accelerate in the next few years.

“5G is a little more spectrally efficient than 4G, but not dramatically so,” Phil Kendall, director of the service provider group at Strategy Analytics, said by email. He added that these limits will be most profound on existing LTE spectrum turned over to 5G use: “You are not going to be able to suddenly give everyone 100Mbps by re-farming that spectrum to 5G.”

And even the American carriers preaching millimeter-wave 5G today also say they’ll rely on these lower bands to cover much of the States.

For example, T-Mobile and Verizon stated early this year that millimeter-wave won’t work outside of dense urban areas. And AT&T waited until it could launch low-band 5G in late November to start selling service to consumers at all; the low-resolution maps it posted then show that coverage reaching into the suburbs.

Sprint, meanwhile, elected to launch its 5G service on the same 2.5GHz frequencies as its LTE, with coverage far broader than that of millimeter-wave 5G. Kendall suggested that this mid-band spectrum will offer a better compromise between speed and coverage: “Not the 1Gbps millimeter-wave experience but certainly something sustainable well in excess of 100Mbps.”

The Federal Communications Commission is working to make more mid-band spectrum available, but that won’t be lighting up any US smartphones for some time.

(Disclosure: I’ve done a lot of writing for Yahoo Finance, a news site Verizon owns.) 

Mobile industry has stifled eSIM—and the DOJ is demanding change


The US Department of Justice has given its tentative approval to a wireless-industry plan to revise eSIM standards, saying that new safeguards should prevent carriers from colluding against competitors in the standards-setting process. But the DOJ warned the industry that it must eliminate anti-competitive provisions from the current eSIM standard or face possible antitrust enforcement.

The DOJ last year began investigating AT&T, Verizon, and the GSMA, a trade group that represents mobile carriers worldwide. The antitrust enforcer found that incumbent carriers stacked the deck against competitors while developing an industry standard for eSIM, the embedded SIM technology that is used instead of removable SIM cards in new smartphones and other devices.

In theory, eSIM technology should make it easier to switch carriers or use multiple carriers because the technology doesn’t require swapping between physical SIM cards. But how it works in practice depends heavily on whether big carriers dominate the standard-setting process.

The DOJ investigation found that “the GSMA and its mobile network operator members used an unbalanced standard-setting process, with procedures that stacked the deck in their favor, to enact an RSP (Remote SIM Provisioning) Specification that included provisions designed to limit competition among networks,” the agency said last week.

That flawed process resulted in RSPv2, which makes it easy for a carrier to lock eSIM-equipped smartphones to its network, the DOJ said. The standard has so-called “profile policy rules” that require smartphones to “contain the capability for operator-controlled locking in order to be considered compliant with the RSP Specification,” the DOJ said. These provisions “may restrict the pro-competitive potential of eSIMs without being necessary to achieve remote provisioning or to solve an interoperability problem,” the DOJ said.

The current standard also has provisions that make it harder for phones to automatically switch between networks when the phone “detects stronger network coverage or a lower-cost network,” the DOJ said. The standard also “prevents an eSIM from actively using profiles from multiple carriers simultaneously.”

DOJ will watch and wait

Despite that, the DOJ said it won’t file an antitrust lawsuit. That’s because the GSMA agreed to a new standard-setting process that addressed DOJ concerns and will use that process to develop a new standard that will replace RSPv2. The DOJ said it is satisfied by the GSMA’s process changes but that it will monitor the implementation of the new standard and may take action if the GSMA doesn’t remove anti-competitive provisions in the next version of RSP.

The GSMA described its new process—called AA.35—in a letter to the DOJ in July, and DOJ antitrust chief Makan Delrahim provided an update on the agency’s “present enforcement intentions regarding GSMA’s proposal” in a letter to the GSMA last week. The DOJ said it “presently has no intention to challenge AA.35, if it goes into effect,” because the new process “includes sufficient protections to minimize the chances of anticompetitive self-dealing inside the GSMA if it is applied as contemplated.”

However, the DOJ said it “will closely observe how AA.35 is applied and whether it succeeds in promoting interoperability.” The DOJ also warned the GSMA that if carriers form separate agreements to limit competition, “such agreements are always subject to independent antitrust scrutiny.”

What the industry agreed to

Originally, the GSMA let non-carriers such as smartphone manufacturers participate in the standard-development process but made sure that all final decisions were controlled by mobile carriers. The DOJ said it was “concerned that the GSMA’s operator-dominated process was used with the purpose and effect of altering what would otherwise have been competitive negotiations between the operators and smartphone manufacturers (‘OEMs’) over the design and implementation of eSIMs.”

But after the DOJ began investigating, the GSMA came up with the alternative AA.35 process. As the DOJ noted, “AA.35 creates a two-stage process, with an Industry Specification Issuing Group (‘ISIG’) that creates the standards and an Industry Specification Approving Group (‘ISAG’) that approves the standards.”

ISIG membership is open “to all members, ensuring that there will not be operator-exclusive committees driving the process,” the DOJ continued. Non-carriers can become members of the ISAG, which “eliminates the complete control that operators previously had and instead gives all parts of the industry an opportunity to be represented,” the DOJ said.

Another safeguard prevents standards from being approved without the consent of smartphone makers. “At the ISAG level, [AA.35] requires approval of standards by separate majorities of the ISAG operator- and non-operator members,” the DOJ said. “Both bodies require an explanation of negative votes, another improvement that increases transparency and indicates meaningful attempts to reach consensus.”

Another new provision allows for appeals to be heard by an independent panel. Finally, operators can’t bypass or change this process “without the support of non-operator members” because the dual-majority voting structure requires consent of both groups, the DOJ said.

Getting rid of anti-competitive provisions

The current version of the eSIM standard, which was passed under the old, flawed process, has “several key features that have restricted the disruptive potential of eSIMs to date,” the DOJ said. That’s a reference to the phone-locking provision described earlier in this article and “provisions that restrict the number of active profiles on an eSIM or impede the user’s ability to consent to dynamic profile switching,” the DOJ said.

For example, RSPv2 requires consumers to give their approval each time an eSIM “toggles between profiles or networks,” preventing the scenario where a phone automatically switches between networks “if it detects stronger network coverage or a lower-cost network,” the DOJ said.

An RSPv2 prohibition on using profiles from multiple carriers simultaneously could prevent scenarios where users have their phone divided into work-related and personal profiles or multiple “profiles optimized for different coverage areas or for international travel,” the DOJ said. Incumbent carriers apparently wanted that restriction to undercut “a potential competitive threat [that] would allow a user to divide usage across operators,” the DOJ said.

When the GSMA uses its new AA.35 process to create a new standard, the DOJ said it expects the group to reconsider those anti-competitive rules.

“The Department will take a special interest in whether RSPv3 includes provisions that are motivated only by the incumbent operators’ interest in gaining a competitive advantage or stifling new sources of competition,” Delrahim warned the GSMA. The DOJ “reserves the right to bring an enforcement action in the future” if the GSMA’s implementation of AA.35 “proves to be anticompetitive in purpose or effect,” he wrote.

Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the Midwest and eastern United States.

An advertisement on the cybercrime store Joker’s Stash for a new batch of ~4 million credit/debit cards stolen from four different restaurant chains across the Midwest and eastern United States.

Two financial industry sources who track payment card fraud and asked to remain anonymous for this story said the four million cards were taken in breaches recently disclosed by restaurant chains Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s. Krystal announced a card breach last month. The other three restaurants are all part of the same parent company and disclosed breaches in August 2019.

KrebsOnSecurity heard the same conclusion from Gemini Advisory, a New York-based fraud intelligence company.

“Gemini found that the four breached restaurants, ranked from most to least affected, were Krystal, Moe’s, McAlister’s and Schlotzsky’s,” Gemini wrote in an analysis of the New World Order batch shared with this author. “Of the 1,750+ locations belonging to these restaurants, nearly 50% were breached and had customer payment card data exposed. These breached locations were concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.”

McAlister’s (green), Schlotzsky’s (blue), Moe’s (gray), and Krystal (orange) locations across the United States. There is an additional Moe’s location in Hawaii that is not depicted. Image: Gemini Advisory.

Focus Brands (which owns Moe’s, McAlister’s, and Schlotzsky’s) was breached between April and July 2019, and publicly disclosed this on August 23. Krystal claims to have been breached between July and September 2019, and disclosed this in late October.

The stolen cards went up for sale at the infamous Joker’s Stash carding bazaar. The most recent big breach marketed on Joker’s Stash was dubbed “Solar Energy,” and included more than five million cards stolen from restaurants, fuel pumps and drive-through coffee shops operated by Hy-Vee, a supermarket chain based in Iowa.

According to Gemini, Joker’s Stash likely delayed the debut of the New World Order cards to keep from flooding the market with too much stolen card data all at once, which can have the effect of lowering prices for stolen cards across the board.

“Joker’s Stash first announced their breach on November 11, 2019 and published the data on November 22,” Gemini found. “This delay between breaches occurring as early as July and data being offered in the dark web in November appears to be an effort to avoid oversaturating the dark web market with an excess of stolen payment records.”

Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems, often by compromising third-party firms that help manage these systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals, and that data can then be used to create counterfeit copies of the cards.
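The magnetic-stripe data described above has a fixed layout (ISO/IEC 7813 Track 1 and Track 2), which is what lets a defender recognise it when it turns up where it should not: in a memory image during incident response, in a POS host’s outbound traffic, or in application logs. The following is an added illustration, not code from the article or from any of the companies named in it; it scans constructed sample lines for track-formatted records, uses a Luhn check to discard digit runs that are not card numbers, and masks anything it reports so the triage output itself does not become cardholder data. The sample lines and the 4111111111111111 PAN are constructed test values, not real accounts.

```python
"""Defensive triage: flag magnetic-stripe track data (Track 1 / Track 2)
in captured text such as forensic `strings` output or traffic logs.

Added example for illustration; not code from the article. Sample lines
and PANs below are constructed (4111111111111111 is a well-known
Luhn-valid test number, not a real account).
"""
import re

# Track 2 (ISO/IEC 7813): ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>\d{0,30})\?")
# Track 1 format B: %B<PAN>^<NAME>^<YYMM>...?
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only first six and last four digits (the PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one dict per Luhn-valid track record found, with the PAN masked."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for track, rx in ((2, TRACK2_RE), (1, TRACK1_RE)):
            for m in rx.finditer(line):
                pan = m.group("pan")
                if not luhn_ok(pan):
                    continue    # format matched but not a card number: drop it
                hits.append({
                    "line": line_no,
                    "track": track,
                    "pan": mask(pan),
                    "exp": m.group("exp"),
                })
    return hits


# Constructed sample: two genuine-looking track records, one decoy that
# has the right shape but fails Luhn, and two unrelated log lines.
SAMPLE = "\n".join([
    "2019-11-22 03:14:07 POST /upload.php size=1284",
    ";4111111111111111=25121011234567890?",
    "%B4111111111111111^DOE/JOHN^2512101000000000000?",
    ";4111111111111112=2512101?",        # fails Luhn, must be ignored
    "session=abcdef123456 user=cashier01",
])

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```

The Luhn filter matters in practice: memory images and logs are full of digit runs, and a bare regex over them produces far more noise than signal. Reporting masked PANs keeps the triage output outside PCI DSS scope for the analyst handling it.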

Companies that accept, store, process and transmit credit and debit card payments are required to implement so-called Payment Card Industry (PCI) security standards, but not all entities are required to prove that they have met them. While the PCI standards are widely considered a baseline for merchants that accept payment cards, many security experts advise companies to put in place protections that go well beyond these standards.

Even so, the 2019 Payment Security Report from Verizon indicates the number of companies that maintain full compliance with PCI standards decreased for the second year in a row to just 36.7 percent worldwide.

As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).

It’s really not worth worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that while consumers are not liable for fraudulent charges, it may still fall to you, the consumer, to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.