Wyndham Settlement: No Fine, But More Power To the FTC (csoonline.com)
itwbennett writes: Earlier this month, Wyndham settled a lawsuit with the FTC over weak security practices that resulted in 3 major data breaches in 2008 and 2009 that compromised the credit card information of more than 619,000 customers and led to more than $10.6 million in fraudulent charges. But all the settlement requires Wyndham to do 'is what any company that handles credit card data is supposed to have been doing for more than a decade, under the Payment Card Industry Data Security Standard (PCI DSS),' writes Taylor Armerding. There was no fine and it seemed as though Wyndham had 'dodged a bullet', says Armerding. But things are not always as they seem. Because the PCI DSS is not a government standard and is not a law, 'the case was not about fines for noncompliance, which the FTC doesn't even have the authority to impose,' says Armerding. 'It was instead about power – the authority of the FTC to charge Wyndham with 'unfair and deceptive' practices because of its security flaws.'
Nuisance Suit (Score:1)
The FTC's case is simply a nuisance suit for Wyndham. While I'm annoyed at Wyndham for their lax practices, I'm also annoyed, perhaps more annoyed, by the recent efforts of government agencies to exceed their authority and essentially establish laws of their own where they have no such power.
Re:Nuisance Suit (Score:4, Insightful)
More government regulation of credit bureaus and credit card companies so that no piece of data that can potentially be compromised qualifies as "potentially life-ruining". The problem is not that your SSN can be stolen. The problem is that it actually matters whether your SSN gets stolen, which is entirely an artificial problem caused by credit bureaus treating a non-secret number as though it were some sort of password, allowing people to take out credit using entirely different addresses and phone numbers than they've ever used before without doing due diligence to determine whether that person moved, and fraudulently and libelously report nonpayment of those bogus debts as though they were real.
The credit bureaus are the problem, period. There is no such thing as "identity theft". There is only widespread conspiracy to commit libel resulting from gross criminal negligence on the part of credit bureaus. The only way to fix the problem is to fix the lax regulation that has allowed these companies to libel creditors with near impunity for decades.
On the credit card side:
That's quite literally the only way that has even a prayer of eliminating the risk of compromised payment terminals being used maliciously. The device that authorizes the transaction must be an inexpensive and normally disconnected device, such as a thick credit card, as opposed to a cellular phone, because otherwise you're just moving the attack target around. And the button to authorize the transaction must be part of that device so that it cannot be easily compromised. Otherwise, a compromised reader could potentially show the transaction on the screen, authorize it, and then very quickly show and authorize a second transaction before the customer notices.
And if it isn't mandated by law, the card companies won't implement this, because it is relatively expensive, and they would rather just force merchants to eat the cost of fraud rather than take steps to actually prevent fraud.
On the credit card bureau side:
And more generally:
If government did these things, so-called "identity theft" would just about cease to exist. But they won't, because politicians can win votes by paying lip service to "identity theft" while not actually f
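The "authorize on an isolated device" argument in the comment above, as an added example that is not the commenter's code, the page's, or any card network's. It models two card designs against the two-charges-in-a-row reader described there: a card that renders the prompt from the very struct it signs and requires its own button press per signature, versus a card that trusts the reader's word that the customer confirmed. HMAC-SHA256 stands in for whatever MAC or signature a real card would use; the key, the `Transaction` fields, the merchant, the amounts and the cardholder policy are all constructed for this example.

```python
# Added illustration (not from the page, the commenter, or any card network)
# of why the display and the approve button must live on the device that
# signs. Key, transaction format, merchant and amounts are constructed.
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Transaction:
    merchant: str
    amount_cents: int
    nonce: str  # fresh per attempt; assumed to be supplied by the terminal

    def canonical(self) -> bytes:
        # Deterministic encoding so the device and the issuer MAC the same bytes.
        return json.dumps(asdict(self), sort_keys=True).encode()


def mac(key: bytes, tx: Transaction) -> bytes:
    return hmac.new(key, tx.canonical(), hashlib.sha256).digest()


def issuer_accepts(key: bytes, tx: Transaction, sig: Optional[bytes]) -> bool:
    """The issuer honours a transaction only if it carries a valid MAC over
    exactly the merchant, amount and nonce it is being asked to settle."""
    return sig is not None and hmac.compare_digest(mac(key, tx), sig)


class IsolatedCard:
    """Design argued for above: the key never leaves the card, the prompt is
    rendered from the same struct that gets signed, and every signature needs
    its own button press (modelled by the cardholder callback)."""

    def __init__(self, key: bytes, holder_approves: Callable[[str, int], bool]):
        self._key = key
        self._holder_approves = holder_approves
        self._used_nonces = set()

    def authorize(self, tx: Transaction) -> Optional[bytes]:
        if tx.nonce in self._used_nonces:
            return None  # a replayed request does not get a second signature
        if not self._holder_approves(tx.merchant, tx.amount_cents):
            return None  # button not pressed for what the display showed
        self._used_nonces.add(tx.nonce)
        return mac(self._key, tx)


class ReaderTrustingCard:
    """Weaker design: the approve button is on the reader, so the card only
    learns that 'the reader says the customer confirmed'."""

    def __init__(self, key: bytes, reader_claims_confirmed: Callable[[Transaction], bool]):
        self._key = key
        self._reader_claims_confirmed = reader_claims_confirmed

    def authorize(self, tx: Transaction) -> Optional[bytes]:
        if not self._reader_claims_confirmed(tx):
            return None
        return mac(self._key, tx)


def cardholder_expecting(merchant: str, amount_cents: int) -> Callable[[str, int], bool]:
    """A customer who presses the on-card button only for the purchase they
    actually intended (constructed policy for this example)."""
    return lambda m, a: m == merchant and a == amount_cents


def compromised_reader_attack(key: bytes, card) -> List[bool]:
    """The scenario from the comment: the reader shows and submits the real
    $12.50 sale, then immediately submits a $900.00 charge. Returns, per
    transaction, whether the issuer ends up accepting it."""
    attempts = [
        Transaction("Coffee Shop", 1250, "n-001"),
        Transaction("Coffee Shop", 90000, "n-002"),
    ]
    return [issuer_accepts(key, tx, card.authorize(tx)) for tx in attempts]


if __name__ == "__main__":
    key = b"constructed-example-key"
    holder = cardholder_expecting("Coffee Shop", 1250)
    # Button on the card: only the charge the customer saw and approved settles.
    print(compromised_reader_attack(key, IsolatedCard(key, holder)))
    # Button on the reader: a compromised reader simply claims both were confirmed.
    print(compromised_reader_attack(key, ReaderTrustingCard(key, lambda tx: True)))
```

The MAC is computed over the same canonical bytes the card displayed from, so a reader that obtains a signature for $12.50 cannot resubmit it for $900.00, and the per-nonce check stops it from asking the card to sign the same request twice; what the isolated design cannot stop is the customer approving a wrong amount they did see, which is why the display and button have to be on the card rather than the reader.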
Re: Nuisance Suit (Score:1)
No. Ohhhhh no. Nonononono. This case was about piercing the corporate veil / common enterprise. It was about a firm seeking to transfer security responsibilities to another firm, thereby avoiding the costs and responsibilities of IT.
This case sets very interesting precedent, and in the past courts have said you can only pierce the corporate veil as a result of fiscal malfeasance. But this case raised IT / infosec to the same level. Corporate America should be crapping their pants.
Everyone violates PCI (Score:2)
PCI sets many standards; very, very few businesses obey them all, and there is essentially zero penalty for non-compliance. For instance: while Christmas shopping, did every store you visited require the use of a card with a chip? The cutoff date for requiring that at any retailer was back in October.
Re: Everyone violates PCI (Score:2)
Many issuers will impose fines against merchants if the merchant suffered data breaches and was not PCI compliant. These are not always minimal. Some issuers put this into merchant contracts.
It is not always without costs to the merchant.