Lame PR Responses #34,223(b)

When independent blogger Mary Jo Foley, who knows more about Microsoft than Microsoft does, interviewed the company’s new Corporate VP of its Searching and Advertising Group recently, she was told that Microsoft had recently launched an ad-funded version of Microsoft Works, the application suite you think will be a cheap alternative to Office but turns out not to be.

She couldn’t find it online anywhere, so she asked Microsoft PR. Which is always a mistake:

I’ve asked Microsoft for more information on the new ad-funded Works suite. No word back yet. Update: Even though Microsoft’s own vice president discussed the product, no one will talk. The official comment, via a Microsoft spokeswoman: “We’re always looking at innovative ways to provide the best productivity tools to our customers, but have nothing to announce at this time.”

Agh. These kinds of mealy-mouthed, knee-jerk-and-yet-probably-took-all-day-to-form, smug, self-promoting-and-yet-information-free responses drive me nuts. How many people had input on that particular phrase? Thirty? How many emails had to exchange hands in the crafting? Forty? And how, exactly, does this help the journalist? Or, for that matter, the reader?

And don’t get me started on how a VP statement (“Microsoft Works has already been released as an ad-funded product”) is then throttled into submission as a slab of slippery PR perch, flailing on the floor of the meaningless drivel wet-market. How dysfunctional is that?

Poor Ms. Foley. Spare a thought for someone who has dedicated themselves to trying to make some sense of Redmond’s utterances. I only have to sit through the occasional PowerPoint barrage of buzzwords, cliches and tautologies spewing from the mouths of identikit Microsoft promoters wearing Joe 90 glasses. She has to do it on a regular basis.

» Microsoft Works to become a free, ad-funded product | All about Microsoft | ZDNet.com

How Long Did The ‘Biggest Data Theft In History’ Go Unreported?

I continue to be intrigued, but somewhat perplexed, by the CardSystems security breach that happened nearly two months ago now. Who knew it first, and who told who, and when? And why did it take so long to tell the rest of us?

A U.S. company claimed it was its software that first spotted the breach last year, in a press release issued July 13:

ACI Worldwide (Nasdaq: TSAI), a leading international provider of enterprise payment solutions, today announced that its ACI Proactive Risk Manager™ software helped National Australia Bank (NAB) detect the recently revealed security breach at CardSystems Solution before any other bank or financial institution.

But did it? The press release from ACI quotes Australian Treasurer Peter Costello as having “recently told Parliament that National Australia Bank was actually the first bank in the world to uncover the fraud”:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world and reported it to MasterCard and Visa in September 2004,” said Costello.

Wow. That’s eight months before anyone else, since CardSystems didn’t announce the fraud until May 22 2005. So what did the Australian media say about this?

An AAP report on June 22 (sorry, no links for these; they’re from Factiva) quoted Costello as saying:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world, and reported it to Mastercard and Visa in Sept 2004,” he said. Mr Costello said the US Federal Bureau of Investigations began investigations soon after the fraud came to the attention of Visa and Mastercard.

He said the FBI declared the issue a crime scene only on June 1 this year. “During this investigation organisations were told by the FBI not to say anything publicly, and the FBI only allowed public comment on Thursday or Friday last week,” he said.

A Reuters report, covering the same press conference (or whatever it was; neither wire is clear on where Costello was speaking) quoted Costello as saying December, not September. An updated report from Reuters the same day adds comments from MasterCard and Visa that shed further light on this:

MasterCard spokeswoman Sharon Gamsin said, “We said from the beginning that it was reports of fraud from issuers that enabled us to do the analysis that led to CardSystems and led to the scope of this incident. One report of fraud would not necessarily have gotten us to that point.”

Visa spokeswoman Rosetta Jones said that when her company detects fraud, “banks are notified and accounts are closed. In this case, the National Australia Bank may have detected fraud late last year, but there was no clear indication that this fraud was part of a larger data compromise at that time.”

Finance Minister Nick Minchin said in an address to Australia’s parliament that Australia & New Zealand Bank Ltd., Commonwealth Bank Ltd. and NAB had each been monitoring the fraud since December and had canceled and reissued cards where transactions were suspect.

An AAP story two days later adds further detail:

As long ago as December last year, round-the-clock fraud squads at the four big banks had picked up on a pattern of unauthorised transactions on their customers’ credit cards, originating out of the United States.

Treasurer Peter Costello told parliament this week that National Australia Bank was actually the first bank in the world to uncover the fraud, which has been traced to a security breach at a US company that processes transactions.

The Australian banks contacted about 2,000 affected customers and issued them with replacement cards months before MasterCard’s announcement this week.

This raises a host of issues that I’ve not seen addressed elsewhere. If the Australian banks saw this fraud so early, why did it take so long? The Australian Financial Review (subscription required) today pointed out these inconsistencies and the fact that California credit card holders have filed suit in San Francisco against CardSystems, Merrick Bank, Visa and MasterCard, claiming “the companies should take responsibility for the security data breach”:

CardSystems has claimed it did not discover the security breach until May 22, 2005. But it is now known MasterCard and Visa were alerted to fraud resulting from the data breach as early as January. The complaint also alleges Visa and MasterCard failed to take “prompt remedial action” or take steps to notify affected consumers.

“Defendants, by failing to timely disclose the security compromise or data theft to affected consumers and merchants, are attempting to shift the burden of discovering resultant fraud away from themselves, even though they are responsible and are in a better position to discover and prevent fraud to consumers and merchants.”

Visa and MasterCard have defended their handling of the incident, saying they had to be sure CardSystems was the source of the data spill before going public.

So, as far as we can deduce from this, NAB, via its fancy software, spotted some kind of fraud taking place. That information was passed on to Visa and MasterCard sometime between September 2004 and January 2005. The FBI passed this information on to CardSystems at some point, although why everyone decided to sit on the information is unclear. Their initial statements, which I illustrated in the original post, will probably require some finessing at some point as the suit passes through the legal system.

The Big Credit Card Theft

Trying to make sense of the massive theft of credit card numbers at CardSystems, ‘a leading provider of end-to-end payment processing solutions focused exclusively on meeting the needs of small to mid-sized merchants’, in which information on more than 40 million credit cards may have been stolen.

CardSystems itself has issued only a brief statement on its website (no permalink available) saying it had identified

a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security.

Notice the careful language: It talks only of ensuring all ‘systems were secure’ — in the security industry this is like checking all the locks work while watching all the horses bolting off down the street. (And don’t the FBI work on Sundays? Why wait a day to let them know?)

Then there’s the question: Why wait almost a month to let us know? A separate story by AP quotes CardSystems as saying that

it was told by the FBI not to release any information to the public. The company says it’s surprised by MasterCard’s decision to go public.

Actually, not so, say the FBI: Another AP story quotes an FBI spokeswoman, Deb McCarley, as denying

that the agency told CardSystems not to disclose the existence of the intrusion. McCarley says the FBI told CardSystems to follow its corporate policies without disclosing details that might compromise the ongoing investigation.

In fact, a MasterCard statement suggests that it was they, not CardSystems, who first identified the breach:

MasterCard International’s team of security experts identified that the breach occurred at Tucson-based CardSystems Solutions, Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.

Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached. Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor’s systems.

In the meantime CardSystems was pretending it was business as usual, including an announcement on June 14 of a move into check processing, and posting job-ads for a ‘Software Quality Assurance Analyst’ to cover, among other things, ‘troubleshooting from operations, production, and outside vendors’ who can work ‘in a very fast-paced, high-visibility organization where priorities often change’. Indeed.

Anyway, the scale of the thing is pretty awesome: Softpedia quotes experts as saying

that this is the worst case of data theft in IT history. “In sheer numbers, this is probably one of the largest data security breaches,” said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

And just how did the theft happen? Details are sketchy, probably because no one yet knows (the MasterCard software which identified the fraud did so by monitoring transactions, not the actual breach. In other words, they observed the stolen goods being peddled, not the actual break-in). According to another AP story, MasterCard has identified CardSystems as being ‘hit by a viruslike computer script that captured customer data for the purpose of fraud’, but hasn’t given any more details. CardSystems itself is not talking:

CardSystems’ chief financial officer, Michael A. Brady, refused to answer questions and referred calls to the company’s chief executive, John M. Perry, and its senior vice president of marketing, Bill N. Reeves. A message left for Perry and Reeves at the company’s Atlanta offices was not returned.

Both Perry and Brady have been with CardSystems a little over a year.

Phishers Force UK Banks To Delay Transfers

Another sign that phishing is taking its toll on the quality of service banks can offer online customers: The Times reports that UK banks are introducing delays in intra-bank payments to try to combat fraudulent transfers caused by phishing attacks:

This week Barclays introduced a one-day delay for transfers. A spokeswoman said: “This delay enables us to carry out checks that seek to prevent fraud.” Halifax also introduced delays in the processing of payments this week, as have Royal Bank of Scotland and NatWest, The Times reports today.

Interesting. Inevitable, perhaps, but this degradation in service can only force some customers back to the physical banks, or to less appealing and less cost-effective services like phone-banking. Running checks on every Internet transfer is going to be time-consuming and expensive for banks. What does this do to banks’ hopes that online banking would effectively replace the high street bricks-and-mortar model?

Update From The IM Wars Front

Seems like the IM wars aren’t over yet. Further to my postings about Yahoo and Microsoft Messenger apparently blocking third-party chat aggregators like Trillian, it seems the latter’s patches aren’t enough to keep folk connected. CNET reports that Yahoo has begun blocking Cerulean Studios’ Trillian software from communicating with its own instant messaging software as part of its plan to limit third parties from piggybacking on its service.
 
On Thursday, some Trillian users began reporting an inability to communicate with their Yahoo Messenger contacts. A Yahoo spokeswoman on Friday morning confirmed that Trillian users’ inability to access Yahoo Messenger was the result of recent policies put in place by the Web giant. A day after last week’s Yahoo announcement, Trillian released software patches that were aimed at allowing it to continue accessing Yahoo and MSN buddy lists. But as of this week, CNET says, those patches do not appear to be working.

News: Another Shot In The Foot For The RIAA

The RIAA PR dept may not like this, but then again, they must have been pretty busy the past coupla months: The New York Post reports that the Recording Industry Association of America is suing a 12-year-old New York City girl.
 
Brianna LaHara was among 261 people sued for copying thousands of songs via popular Internet file-sharing software — and thousands more suits could be on the way. They could face penalties of up to $150,000 per song, but the RIAA has already settled some cases for as little as $3,000. The Post quoted RIAA spokeswoman Amy Weiss as saying, when asked if the association knew Brianna was 12 when it decided to sue her: “We don’t have any personal information on any of the individuals.”