Avivah Litan

A member of the Gartner Blog Network

Entries Categorized as 'Uncategorized'


Open SSL Heartbleed vulnerability affects much more than just websites

by Avivah Litan  |  April 9, 2014  |  6 Comments

As we all know by now, this is mega-serious and affects all users of Open SSL 1.0.1 through 1.0.1f – so those who kept their Open SSL code up to date were in effect penalized. For information on the vulnerability, see kb.cert.org. I’m just trying to understand why all the news reports are focused on [...]

Class Action Suit against Target Assessor is a wake up call for PCI

by Avivah Litan  |  March 26, 2014  |  15 Comments

Two U.S. banks are suing Target’s Qualified Security Assessor, Trustwave, for damages incurred during the holiday season breach at Target, accusing the company of failing to identify security issues. The suit also claims that Trustwave’s round-the-clock monitoring services for Target failed to detect the intrusion into Target’s network for a full three weeks. [...]

Reflections on RSA and the need for Retailer Information Sharing

by Avivah Litan  |  March 4, 2014  |  3 Comments

Just got back from the 2014 RSA Security conference where I had lots of stimulating conversations with colleagues in the security industry. What stood out the most to me was the dearth of information sharing in the retail payment card industry. You’d think that the PCI Security Council would promote information sharing on threats and [...]

Target and the EMV aftermath

by Avivah Litan  |  February 11, 2014  |  4 Comments

Target boldly told Congress and the world that it was escalating its $100 million EMV upgrade program and would implement it before the October 2015 deadline. Target is absolutely correct when it says that payment system security is a responsibility that needs to be shared across all players in the payment ecosystem – i.e. issuing [...]

Chip and PIN is alive and well in Europe

by Avivah Litan  |  January 30, 2014  |  3 Comments

I’m just finishing a trip overseas, now in Holland where I’ve been meeting with banks and other Gartner clients. The verdict is in – Chip cards are in fact working to substantially reduce losses from counterfeit cards. Some of the banks I met also instituted geo-blocking to stop the cards’ magnetic stripe from being accepted [...]

How PCI failed Target and U.S. Consumers

by Avivah Litan  |  January 20, 2014  |  17 Comments

The PCI (Payment Card Industry) security standard has largely been a failure when you consider its initial purpose and history. Target and other breached entities before it, such as Heartland Payment Systems, were all PCI compliant at the time of their breach. These companies spent untold sums of money annually certifying compliance to the payment [...]

Target Saga continues – too much for Fraud Detection systems?

by Avivah Litan  |  December 23, 2013  |  1 Comment

Chase’s and Citi’s action of setting thresholds on cash withdrawals on debit cards as a result of the Target breach is unprecedented, at least as far as I remember. It’s a little frightening that the fraudsters can cause such havoc. How is the Target Breach affecting Card Issuers’ Fraud Detection operations? a) PIN Codes Stolen [...]

What can we learn from the Target Breach

by Avivah Litan  |  December 19, 2013  |  37 Comments

UPDATE: Shortly after this blog post was published, I received comments that questioned the veracity of one of the claims in it. I have looked into the points raised and agree that what I heard from two secret service agents specifically concerning the 2009 security breach at Heartland Payment Systems is not independently verifiable. In [...]

How secure is healthcare.gov?

by Avivah Litan  |  October 31, 2013  |  2 Comments

A posting by blogger Ben Simo, a highly-experienced software tester, brings up many important and valid security issues with healthcare.gov. Ben has done a good job documenting some of the most egregious issues with healthcare.gov that are definitive proof of the fact that security will continue to be a major issue for the Obamacare website. [...]

The Death of KBA; Secret life questions fluster Obamacare applicants

by Avivah Litan  |  October 23, 2013  |  2 Comments

Just as we predicted (actually it didn’t take a rocket scientist to predict this), KBA (knowledge-based authentication, or secret questions based on life history to validate an identity) has been a flop on the Obamacare exchange websites, adding insult to injury. The topic even made its way to the human interest story on the [...]
