SPARTA News

June 2016
SPARTA President’s Corner
contributed by Randy Springs
Plan to come at 6:15 for chicken and dessert at LabCorp on Tuesday, June 7.
Randy Springs
BB&T
Future Speakers
(subject to change)
June 7, 2016 - Phoenix Software Products by Ed Jaffe of Phoenix Software
July 12, 2016 (Special Date) - TBD
August 2, 2016 - TBD
We need ideas and volunteers for future speakers. Presentations don’t have to be fancy, just informative and interesting. Even a 5 or 10 minute talk can start an interesting interaction. Contact Ron Pimblett by phone as noted below.
2015-2016 SPARTA Board of Directors
Randy Springs - President
BB&T (919) 745-5241
3200 Beechleaf Court, Suite 300
Raleigh, NC 27604
Ron Pimblett - Vice President
MDI Data Systems 919-426-6518
866-634-3282
Raleigh, NC 27609
Mike Lockey - Secretary
Guilford Co. Information Services 336-641-6235
201 N. Eugene St.
Greensboro, NC 27401
Tommy Thomas - Treasurer
LabCorp 336-436-4178
3060 S. Church St.
Burlington, NC 27215
Ed Webb - Communications Director
SAS Institute Inc. 919-531-4162
SAS Campus Drive
Cary, NC 27513
Meetings
Meetings are scheduled for the first Tuesday evening of each month (except no meeting in January), with optional dinner at 6:15 p.m. and the meeting beginning at 7:00 p.m.
These monthly meetings usually are held at LabCorp’s Center for Molecular Biology and Pathology (CMBP) near the Research Triangle Park (see last page). Take I-40 to Miami Boulevard and go north. Turn right onto T.W. Alexander Drive. Go about a mile or so. Then turn right into LabCorp complex and turn Left to the CMBP Building (1912 T.W. Alexander Drive). In the lobby, sign in as a visitor to see Tommy Thomas. Tommy will escort you to the conference room.
Call for Articles
If you have any ideas for speakers, presentations, newsletter articles, or are interested in taking part in a presentation, PLEASE contact one of the Board of Directors with your suggestions.
Newsletter e-Mailings
The SPARTA policy is to e-mail a monthly notice to our SPARTA-RTP Group. The newsletter is posted to the website about five (5) days before each meeting so you can prepare. The SPARTA-RTP Group is maintained by Chris Blackshire; if you have corrections or problems receiving your meeting notice, contact Chris at chrisbl@nc.rr.com.
October 2015 “CBT Tape” Shareware Online
The directory and files from the latest CBT tape V490 (dated October 26, 2015) are available from www.cbttape.org.
If you need help obtaining one or more files, contact Ed Webb at SAS (see Board of Director’s list for contact info).
Minutes of the May 3, 2016 Meeting
• Meeting was called to order at 7:00 PM by Chris Blackshire, sitting in for Randy Springs, the SPARTA President.
• The meeting was held at a LabCorp conference room in RTP, N.C.
• Nine (9) people were present, of which seven (7) are 2016 members.
• The presentation was given by Phil Smith of HPE Security on The Payments Ecosystem (see notes below).
• The Phil Smith webinar presentation ended at 8:40 PM and Phil was excused.
• Everyone in the room introduced themselves, told where they worked, and briefly described their job functions or their job-hunting challenges.
• The minutes for the April meeting were approved as published in the May 2016 newsletter.
• The Treasurer's report was read by Tommy Thomas. The current balance of $572.42, as it appeared in the May newsletter, was approved as read.
OLD BUSINESS
• Articles are needed for this newsletter. If you want to write an article, please contact Ed Webb. Keep in mind that you don't really need to write the article; it can be an article that you read and would like to share with the membership.
• The SPARTA Web site is available at http://www.spartanc.org. Please send any comments or suggestions about the Web page to Mike Lockey. Be sure to check the Web site every once in a while to see any new or changed information.
• Tommy reminded everyone to leave the LabCorp conference room clean.
• Future Speakers and Topics (subject to change based on internal politics, budget, the weather):
| Date | Company | Speaker | Topic |
| June 7, 2016 | Rocket Software | Paul Pendle | DB2 Logs and all |
| July 12, 2016 | SZS | David Wilson | 4HRA Peak |
| August 2, 2016 | EMC | Mike Fishman | Architecting Data Protection |
| August 30, 2016 | Baseball night | Tommy’s Spit Ball | Fun at the Park |
| Oct 4, 2016 | Various | SHARE Attendees | Share Atlanta Information |
| November 1, 2016 | TBD | | |
| December 6, 2016 | TBD | | |
If you have suggestions about speakers and topics, contact Ron Pimblett (919-833-8426).
• The next SPARTA monthly meeting will be on Tuesday, June 7, 2016 at LabCorp in RTP.
• Food for the June 7 meeting will be Bojangles Chicken.
• The 2016 dues ($30) are due starting in March 2016. Please pay Tommy Thomas.
• Thanks to LabCorp and Tommy Thomas for hosting the meeting.
• There are currently 66 people on the SPARTA-RTP email list (no change from April).
• Send any e-mail address changes to Chris Blackshire so he can update the SPARTA-RTP Listserv. You will be added by the moderator (Chris = SPARTA-RTP-owner@yahoogroups.com) sending you an invitation to join the list.
• We need to start planning for a new meeting place when Tommy retires in 2017.
NEW BUSINESS
• We need to think about getting more corporate sponsors for 2016.
• A motion was made and approved to postpone the election of 2016 officers until the June meeting.
• The business portion of the meeting ended about 8:04 p.m.
PRESENTATION
• The Payments Ecosystem: Security Challenges in the 21st Century by Phil Smith III of HPE Enterprise Security - Data Security.
• Agenda
- A Short History of Payments
- Modern Payments Systems
- Anatomy of a Card Swipe
- Card Fraud: How It Happens
- Protecting Yourself and Your Company
- Payments Evolution
• A Short History of Payments
- In the Beginning - Large Purchases, Small Purchases, Purchases on Yap (using stones)
- Evolution - Cheque invented: Persia, 550–330 BC
- More Modern Uses
- - Cheques revived in 17th century England
- - Soon after: preprinted, numbered, etc.
- - Magnetic Ink Character Recognition added in 1960s
• Modern Payments Systems
- Many Alternatives to Checks
- - Not the only game in town any more…
- - Online payment services (PayPal, WorldPay…)
- - Electronic bill payments (Internet banking et sim.)
- - Wire transfer (local or international)
- - Direct credit, initiated by payer: ACH in U.S., giro in Europe
- - Direct debit, initiated by payee
- - Debit cards
- - Credit cards (We'll focus on these)
- - …and of course good ol’ cash!
- Charge Cards vs Credit Cards
- - Terms often interchanged, but quite different
- - - Charge cards must be paid off that month
- - - Credit cards offer “revolving credit”
- - Credit card actually “invented” back in 1888
- Charge cards came first
- - Most through stores, as loyalty/service improvements
- - Early 1900s: department stores, oil companies
- - 1936: Universal Air Travel Plan (air, rail, cruise travel)
- - 1946: First “bank card” (Charg-It, local to Brooklyn and a single bank)
- - 1950: Diner’s Club
- - 1958: American Express
- Closed and Open Loop Systems
- - Early cards were closed loop
- - - Only entities involved: buyer, seller, bank/issuer (AmEx)
- - Most/all modern cards are open loop
- - - One or more intermediaries involved in each transaction
- - - Topology varies wildly depending on merchant size, etc.
- - Even closed loop systems may touch open loop
- - - E.g., store-specific gift cards verify or are handled entirely via open loop
- Credit Cards
- - 1958: BankAmericard
- - First true credit card, originally California only
- - 1966: started licensing to other banks
- - 1976: Spun off as Visa
- - 1966: MasterCharge (now MasterCard) created
- - 1985: Discover; was closed loop (Sears!), now open
- - 1987: Even AmEx now offers revolving credit cards
- Debit vs. Credit vs. Gift Cards
- - Debit cards are tied directly to a bank account
- - - Many are usable for both signature and PIN debit
- - - Signature debit “feels” like but is not a true credit transaction
- - - Debit cards also let you get cash back when making purchases
- - “Gift cards” are essentially debit cards
- - - Many hourly employees are paid with prepaid debit cards
- - - Your Starbucks card is a refillable gift card
- - Credit card “rewards” try to lure folks away from debit
- - - Banks see credit users who don’t carry balances as “freeloaders”
- - - No-fee cards may be eliminated (we’ve heard that before…)
• Anatomy of a Card Swipe
- Anatomy of a Card Swipe
- - A man walks into a bar…
- - - …and eventually “swipes” a Visa card to pay the tab
- - Simple, right?
- - - Wrong…so wrong…
- Payments Jargon
- - Acquirers are the banks who the merchant deals with
- - - Eventually pay the merchant the money you charge
- - Processors do what it sounds like: process transactions
- - - Acquirer and processor distinction unimportant to the consumer
- - Brands are the cards: Visa, American Express, et al.
- - - The central clearing house for transactions
- - Issuers are the banks the consumer deals with
- - - Your credit card came from an issuer
- The Simple Case: Small Merchant
- - Card swipe (at the merchant’s)
- - Processor / acquirer (First Data, Chase, Heartland, WorldPay, Vantiv, TSYS)
- - Card Brand (VISA)
- - Issuer (TBTF BANK, INC.)
- More Complex Case
- - Card swipe (various types of “swiping devices” at a typical large store)
- - POS Terminal
- - Controller (CPU of some sort)
- - Switch / Gateway
- - Processor / acquirer (First Data, Chase, Heartland, WorldPay, Vantiv, TSYS)
- - Card Brand (VISA)
- - Issuer (TBTF BANK, INC.)
- Card Not Present
- - Call Center / Mobile Wallet (usually over the phone)
- - Virtual POS Terminal
- - Controller (CPU of some sort)
- - Switch / Gateway
- - Processor / acquirer (First Data, Chase, Heartland, WorldPay, Vantiv, TSYS)
- - Card Brand (VISA)
- - Issuer (TBTF BANK, INC.)
- And Then There's the Web
- - Browser (on the internet store)
- - Payment Page
- - Controller (CPU of some sort)
- - Switch / Gateway
- - Processor / acquirer (First Data, Chase, Heartland, WorldPay, Vantiv, TSYS)
- - Card Brand (VISA)
- - Issuer (TBTF BANK, INC.)
- Details: Authorization vs. Settlement
- - Card brand does authorization at purchase time
- - - Contacts issuing bank with card and charge details
- - - Checks status of account, allows or declines
- - Merchant does settlement at end-of-day (or thereabouts)
- - - At settlement, charges are processed, sent to issuing bank
- Anatomy of a PAN (Primary Account Number)
- - A Costco AmEx: 371513 12345100 8
- - A Chase Visa: 430587 123456789 7
- Major Industry Identifier (MII)
- MII indicates card type:
- - 1: Airlines
- - 2: Future use
- - 3: Travel & Entertainment (DC, AX)
- - 4: Visa
- - 5: MasterCard, banking
- - 6: Discover, merchandising, banking
- - 7: Gasoline cards
- - 8: Telecom
- - 9: For use by national standards bodies; digits 2–4 are ISO country code
- First six digits are the Issuer Identification Number (IIN, formerly BIN)
- Examples of Card Sub-Formats
- - 371514123451002, read left to right:
- - - 3 = AmEx card
- - - 3rd position = type (Business or Personal); 1 = Personal card
- - - 5 = U.S. Dollars
- - - 14 = varies
- - - 12345 = actual account number (5 digits; =PAN, Primary Account Number)
- - - 1 = replacement card code (card version)
- - - 00 = card number within account
- - - 2 = Luhn checksum (to catch data entry errors, not for security)
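The PAN anatomy above (MII in the first digit, IIN/BIN in the first six, Luhn check digit last) and the later advice to tokenize or mask stored card numbers, as an added worked example that is not part of the presentation or the newsletter. It decomposes a PAN using the MII table from the slide, implements the Luhn mod-10 check, applies the first-six/last-four masking rule, and runs a Luhn-filtered scan over a few constructed log lines, the way a DLP or incident-response script looks for leaked card data while discarding order and phone numbers. The two card numbers in the sample log are well-known public test numbers, not real accounts; the log lines themselves are constructed.

```python
"""Added example: PAN decomposition, Luhn check, masking and log scanning.
Not code from the SPARTA newsletter or the HPE presentation it summarizes."""
import re

# MII table as listed on the "Major Industry Identifier" slide above
MII = {
    "1": "Airlines",
    "2": "Future use",
    "3": "Travel & Entertainment",
    "4": "Visa",
    "5": "MasterCard, banking",
    "6": "Discover, merchandising, banking",
    "7": "Gasoline cards",
    "8": "Telecom",
    "9": "National standards bodies",
}

# Card-like run of 12-19 digits, optionally separated by spaces or dashes,
# not glued to other digits. Candidates still have to pass Luhn below.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check over a digit string. Catches single mistyped digits
    and most adjacent transpositions; it is a data-entry check, not a
    security control (anyone can generate numbers that pass)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9          # same as adding the two digits of d
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid; exactly one of the
    ten candidates satisfies the mod-10 condition."""
    return next(d for d in "0123456789" if luhn_valid(partial + d))


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def describe_pan(pan: str) -> dict:
    """Split a PAN into the fields the slide names: MII (digit 1),
    IIN/BIN (digits 1-6), account number, Luhn check digit."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    return {
        "mii": MII.get(digits[0], "Unknown"),
        "iin": digits[:6],
        "account": digits[6:-1],
        "check_digit": digits[-1],
        "luhn_ok": luhn_valid(digits),
        "masked": mask_pan(digits),
    }


def find_pans(text: str) -> list:
    """Luhn-filtered PAN scan over free text (application logs, a memory
    dump from a suspected scraper, a stray .TXT file). The Luhn filter
    drops most order numbers, phone numbers and IDs that the regex alone
    would flag."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample log; the two card numbers are public test numbers.
SAMPLE_LOG = """\
2016-05-03 19:12:44 pos01 sale ok card=4111 1111 1111 1111 amt=12.50
2016-05-03 19:12:45 pos01 order=1234567890123456 shipped
2016-05-03 19:13:01 pos02 sale ok card=378282246310005 amt=41.00
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        info = describe_pan(hit)
        print(info["masked"], info["mii"], "IIN", info["iin"])
```

Run stand-alone it prints the two masked test numbers with their MII and IIN and skips the 16-digit order number, which fails Luhn. In a real deployment the same scan is what tells you whether an application log or a crash dump is in PCI DSS scope because it contains clear-text PANs.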
- What’s On the Magnetic Strip (or chip)?
- - Three tracks of data
- - - PAN (Primary Account Number), name, expiration, etc.
- - - Data often duplicated across tracks
- - - Many format variations, controlled by flag bits
- - Not a lot of data storage capacity
- - - Lowest common denominator: dialup POS terminals!
- Cui bono? Who Pays For All This?
- - Merchants are divided into four tiers based on processing volume
- - - 1 = largest/highest; higher tier=more security requirements, including annual audits
- - Merchants pay per transaction, typically either
- - - Transaction charge+percentage of transaction (e.g., $0.40+2.3%)
- - - Fixed percentage of total transactions
- - Credit cards higher; PIN debit often cheapest
- - The Big Money: interest and late fees
- - - But transaction fees add up: $billions each year!
- Credit Card Economics
- Customer Pays Full Amount (example $100.00)
- Merchant Fee Total ($2.20)
- - Interchange Fee ($1.70)
- - Acquirer Fee ($0.50)
- Merchant Paid ($97.80)
- Fees and More Fees: Debit Cards
- - Checks are rapidly dying (you knew that)
- - - PIN debit most popular payment method
- - - Cheapest for merchants, too
- - Ironic, considering banks’ fears about lost fees with debit
- - - No credit card overdraft/late payment fees! We’ll go broke!
- - - Brainstorm: Allow debit overdrafts!
- - - Second brainstorm: Process signature transactions largest to smallest
- - - Legislation, lawsuits, settlements have mostly straightened this out
• Card Fraud: How It Happens
- Types of Card Fraud
- - Lost/stolen cards, or new cards intercepted from mail
- - Unauthorized card-not-present use (thieves, clerks)
- - Counterfeit cards (stolen/skimmed card information)
- - Identity theft/identity creation
- - “Bust Out” and “Friendly Fraud”
- - Skimmer Camera
- - - Installing a Skimmer (video)
- Fraud and the Payments Industry
- - “The Payments industry doesn’t care about fraud”
- - - Total U.S. credit card charges: $1.5T
- - - Industry revenues: $150B
- - - Fraud: $1.5B (estimated)
- - - Losses due to default/bankruptcy: $20B (estimated)
- - What they care most about is consumer confidence, coupled with ease of use
- - - Fighting fraud worth their while, but for PR more than $$$
- - - U.S. card fraud has been dropping for the last decade (but wait…)
- Who Pays for Fraud?
- - Usually not you (at least, not directly)
- - - Issuers push as much as possible onto merchants, but issuers still often eat it
- - - Laws often provide consumer protection
- - - The consumer confidence/ease-of-use thing plays here, too
- - Merchants often have no recourse
- - - E.g., “Friendly Fraud”: claimed to be more than 2x “real” fraud
- - - You pay in higher prices, of course
- - Debit cards have fewer protections than credit cards
- - - Consumer usually pays for PIN debit fraud
• Protecting Yourself and Your Company
- Credit Card Threat and Risk View
- - Secure Payment Card Readers
- - - Pre-card read skimming
- - - Fake readers
- - Point of Sale (POS)
- - - POS & server malware
- - - Memory scrapers
- - - Insiders
- - - Outsourced operations
- - Retail store IT
- - Authorization gateway
- - - Server malware
- - - Insiders
- - Merchant acquirer
- - - Server malware
- - - Insiders
- - Issuing and merchant banks
- - - Server malware
- - - Insiders
- - Global credit card brands
- Industry Anti-Fraud Measures
- - Artificial intelligence/heuristics
- - - (Try to) detect buying patterns that look fraudulent
- - - Used by data thieves, too!
- - Restrictions on high-risk items
- - - E.g., electronics shipped to addresses other than cardholder’s
- - AVS (Address Verification Service)
- - - Validates parts of address with card brand
- - Manually entering “last four”
- - - Matches physical numbers to magstripe values
- - Physical card features to reduce card-present fraud
- - - CSC/CVD/CVV/CVVC/CVC/CCV/V-Code
- - - Cardholder’s photo on card
- - - Holograms
- - Encryption at point-of-sale—in POS and browser
- - - PCI DSS requires encryption at various levels for some tiers
- Visa Card Security Features
- - PAN: Primary Account Number
- - - The Signature Panel must appear on the back of the card
- - - Card Verification Value (CVV) is unique
- - - Card Verification Value 2 (CVV2) is a 3 digit code
- - - The Magnetic Stripe is encoded with the card identifying information
- - - The Mini-Dove Design Hologram may appear on the back
- - - Endorsed/Unembossed or Printed Account number
- - - Four-Digit Bank Identification number must be printed
- - - Expiration or Good Thru Date must appear
- - - VISA Brand Mark must appear in Blue and Gold
- - - Cardholder Name may be embossed or printed on the card
- - - The Mini-Dove Design Hologram must appear on the front
- - - The card must be signed (See Photo Id is not valid)
- More Industry Anti-Fraud Measures: EMV
- - EMV: cross-brand “smart” card standard (aka “Chip” cards)
- - - Computer on card stores keys, data
- - U.S. has been slow to adopt EMV
- - - Expensive (replace all cards, all terminals), “PINs are inconvenient”
- - U.S. “Liability shift” happened October 1, 2015 (except gas pumps, one year later):
- - - If more than 75% of transactions use EMV-enabled terminals, issuer absorbs fraud
- - - Also means merchant can apply for relief from PCI audits
- - Note that EMV helps only for card-present
- - - Card-not-present unchanged; fraud moves to e-commerce
- - - One prediction: “U.S. CNP fraud will double by 2020”
- - AND most U.S. issuers are only doing Chip & sig, not Chip & PIN
- - - Prevents card cloning, but useless against lost/stolen card use (or CNP)
- What About RFID and NFC Cards?
- - RFID and NFC (Near-Field Communications) spreading
- - - Allow waving card, touching SmartPhone instead of swiping, for small transactions
- - - Visa payWave, MasterCard PayPass, American Express ExpressPay, SoftCard (formerly ISIS)
- - In theory, black hats can read these from afar
- - - Clone the card info, use it (perhaps only once)
- - In fact, no reported cases of this kind of fraud
- - - Can also wrap card in foil, or use sleeves sold/given as swag
- - - Bigger problem: accidental reading of wrong card in wallet
- - Some interesting security challenges/exploit opportunities
- - - E.g., setting SmartPhone payment terminal to foreign currency may allow huge transactions
- - - Or wave that phone across someone’s purse/wallet and transaction happens
- Protecting Yourself: Common Sense
- - You’ve heard the usual warnings…
- - - 1. Don’t give your card number out casually
- - - 2. Avoid writing down your card number
- - - 3. Consider virtual credit card numbers for web transactions
- - - 4. Consider Apple Pay, Google Wallet, et al.
- - - 5. Keep your card in sight as much as possible
- - - 6. Keep a list of the numbers in a secure place
- - - 7. Check your statements carefully
- - - 8. If suspicious activity, place fraud alert
- - - 9. Don’t send money to Nigerian courtiers
- Protecting Yourself: International Travel
- - Get chip & pin cards
- - Sign all cards
- - Enable PIN for cash advances, and memorize it
- - Print card contact numbers, including non-toll-free
- - Set up cell phone for international call/text use
- - Notify card company of overseas travel, authorize cards for international use
- - Have all card numbers documented (securely, not in a .TXT file on your laptop!)
- - Enable alerts for purchases—all amounts, or some reasonable threshold
- - Check account spend online frequently (from a secure device!)
- - Install card provider's mobile app for checking spend and receiving alerts
- - Avoid allowing card out of your sight—follow waiter if necessary/possible
- - If called about alleged fraud, hang up and call contact number you have for the card
- Risk to Your Business
- - Data theft = big business, big businesses = targets
- - 630 million++ computer records containing sensitive personal information breached in U.S. since 2005
- - James Clapper, Director of National Intelligence, told Congress “Cyber attack is now a greater threat than terrorism”
- - - Top 10 Countries Attacked 2013
- - - U.S. 39%
- - - U.K. 5%
- - - India 3%
- - - Turkey 2%
- - - Pakistan 2%
- - - Australia 2%
- - - Czech Republic 2%
- - - Japan 2%
- - - France 2%
- - - All Others 40%
http://hackmageddon.com/category/security/cyber-attacks-statistics/
- Significant Corporate Breach Impact
- - Direct costs are significant
- - - Fines/penalties, legal fees, reissuing costs
- - - Termination of ability to accept payment cards
- - - Higher subsequent compliance costs
- - The public is aware there’s a problem, is worried
- - - Hold companies liable for security breaches
- - - Lost confidence means business lost to competitors
- Protecting Your Company’s Systems
- - Encrypt/tokenize stored credit card numbers, per PCI DSS
- - - PCI DSS offers good guidance on how to reduce data breach risk
- - - Lots of options; I happen to think HPE SecureData is best
- - POS end-to-end encryption
- - - Merchant or processor: encrypt in the payment terminal
- - - Leading payments processors use HPE SecureData for this purpose
- - Web end-to-end encryption
- - - Encrypt in the browser, using FPE in JavaScript
- - - Even with TLS, waypoints may be insecure, are in PCI DSS scope
- - - Surprise, HPE Data Security has a solution for that too
- - Unified protection strategy must include SOC, SIEM, etc.
- - - Target ignored warnings—results were suboptimal
- Beyond System Security
- - Think beyond the mundane—don’t assume!
- - - Recent story: “Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords”
- - Talk to local police, RCMP, FBI, National Guard, Secret Service now
- - - Learn contacts, build trust
- - - Get legalities under control
- - Build response team now
- - - Do desktop exercises
- - - Expect it to happen!
- What About Target? (and Neiman, OPM, Sony …)
- - Target: 19-day breach, 40M++ cards exposed by POS malware
- - - Credit, debit (including CVV1)
- - - Red Cards closed loop, not credit—Target does ACH; PIN security not at risk (uses 3DES)
- - More: OPM, Neiman Marcus…
- - - Neiman: 8 months, 350K cards, 60K alerts ignored!
- - - eBay: Salted and hashed customer passwords stolen—no real risk!
- - - OPM: Big, bad, and possibly from China; enough content for a whole presentation!
- - Sony hacked by “Guardians of Peace” (#GOP), may be from North Korea (debatable)
- - - Email, employee data, etc. stolen over 12+ months—100TB, 33K files, almost 5K directories!
- - - “The big one” in terms of impact: embarrassed executives/movie stars (important people!)
- Fallout from Target et al.
- - As with every high-profile breach, public went nuts
- - - Man-on-the-street interviews with panicked consumers
- - - Vows to “never shop at Target again”, etc.
- - Note: Not everything is the victim’s fault
- - - Poor timing/wording of disclosure doesn’t help
- - - But sometimes not up to victim (eBay, for example)
- - - Business usually rebounds if managed appropriately
- - Good news: public started saying “We need chip cards”
- - - Not that EMV would have helped (HPE SecureData would!)
• Payments Evolution
- Payments is a Competitive Space
- - 154 Processors listed
- Physical Evolution: Beyond the POS
- - Various ways to take payments through smart phones
- - - There are phones with built-in cardswipe slots
- - Smartphone + hardware = easy mobile payments
- - - MasterCard experimenting with “selfie” authentication
- - - Square, SparkPay, GoPayment, PayPal Here, PayAnywhere…
- - - mPowa, iZettle also do Chip & PIN
- Physical Evolution: Beyond the Card
- - LevelUp, Boku
- - - Payments through your phone without a device, using QR code
- - DipJar
- - - Simplify tipping for credit card transactions (Starbucks!)
- - Dwolla, Venmo
- - - Person-to-person payments—“Debit card PayPal” (sorta)
- - Twitter
- - - AmEx Sync lets you buy things via Tweet!
- - Swyp, Plastc, Clinkle, Coin
- - - Replace all your cards and cash (?!) with device/smartphone app
- - MasterCard experimenting with “selfie” validation
- - - You have to blink to verify that it’s not a photo (is that enough??)
- Logical Evolution
- - Cash to checks to credit cards to…ecash!
- - - Big in 1999–2001 Internet “bubble”: DigiCash, eCash, Flooz, Beenz, InternetCash, Dexit (all defunct)
- - - Survivors and newcomers, mostly overseas: Chipknip, Geldkarte, Itex, Klickex, MintChip, Mon€o, Ukash, cashU
- - Digital gold currency providers also came and went
- - - Included e-gold, EvoCash, INTGold…(now all defunct)
- - - Most failed due to fraud by founders
- Bitcoin and Friends
- - Bitcoin, LiteCoin, Namecoin, Devcoin, IXCoin, PPCoin, Terracoin, Freicoin, Dogecoin, Primecoin, Ven, Ripple:
- - - Faith- (crypto-) backed currencies
- - - Offer apparent anonymity; not tied to any government
- - (Apparent) anonymity desirable to some folks
- - - Especially if what you’re into is illegal!
- - Volatility not so good
- - - How do you price?? (1923 Germany, 1992 Peru et al.)
- - JustCoin and other services exist
- - - Buy and sell Bitcoins (and the rest), using real money
- Virtual Currencies, Interesting Crimes
- - Silk Road (2011–2013)
- - - A Deep Web “eBay for illegal stuff”, accessed via TOR
- - - Owner arrested fall 2013 in San Francisco, convicted on seven counts (February 2015)
- - - Former Secret Service/DEA accused of stealing $800,000 in Bitcoins during investigation!
- - Sheep Marketplace (2013)
- - - Another online drug bazaar, competitor to Silk Road
- - - Closed, claimed Bitcoins stolen; Google “sheep market scam”
- - Evolution (2014–2015)
- - - Yet Another Silk Road clone
- - - “Exit scam” shutdown: $12M of escrowed Bitcoins stolen
- Virtual Currencies Themselves Not Theft-Proof!
- - Bitcoin not regulated, no FDIC equivalent! (BDIC?)
- - - “Gone is gone”
- - Mt. Gox was handling 70% of Bitcoin trades
- - - Closed abruptly after $450M of Bitcoins (allegedly) stolen
- - Flexcoin: $600K of Bitcoins stolen
- - - Shut down overnight!
- - MyBitcoin
- - - Bitcoin “wallet” service, $1M in Bitcoins vanished
- - Bitcoin Savings & Trust (2011–2012)
- - - Pyramid scheme, owner stole $4.5 million in Bitcoins (and was fined $40M)
- - Poloniex: 12.3% of its Bitcoins stolen
- - - Managed to survive, repay customers
- Feds Are Fighting Back
- - Besides Silk Road and Sheep, several currency exchanges were closed in May 2013
- - - Liberty Reserve, Asiana Gold, Money Central Market, Exchange Zone, Milenia Finance, Swift Exchanger
- - - Liberty Reserve-ists same guys as Gold Age (2006, $30M)
- - - DOJ, GIFT (IRS), Treasury, Secret Service, DHS involved
- Infrastructure Evolution
- - Payments landscape is constantly evolving
- - - Layers (processors, networks) are sold or spun off
- - - Mergers, consolidations, partnerships (JCB+MC, Discover+JCB…)
- - Threat landscape also evolving
- - - “Carder sites”, international fraud rings growing
- - - Chip cards (EMV) finally here should help some for card-present
- - Protection (via encryption) is spreading
- - - Makes data breaches (almost) meaningless
- - - HPE SecureData helps a lot here
- Threat Evolution
- - Some EMV devices use weak random number generator
- - - Enables “pre-play” attacks: cards cloned from POS data
- - $10M stolen by cracking Subway stores’ POS systems
- - - Payment terminals were on the Internet
- - Australian McDonalds customers’ card data stolen
- - - Thieves replaced swipe devices, cloned cards; $4M+ taken
- Summary
- - Credit cards are most-used payments technology
- - - Though ACH and wire transfer are far larger $$$-wise
- - For safety, pay attention, but don’t panic!
- - - Encourage your company to run breach exercises, just like disaster recovery drills
- - - Spend some time with Google: you’ll learn a ton more
- - - Read RISKS list, Krebs on Security
- - Watch the news…things will keep evolving
- - - We’ve barely scratched the surface here!
Suggested reading: www.voltage.com and www.voltage.com/blog/
• Contact Information
Phil Smith III
Senior Architect & Product Manager, Mainframe & Enterprise
Master Technologist
HPE Security
phsiii@hpe.com
T 703-476-4511
M 703-568-6662
Hewlett Packard Enterprise
Herndon, VA
• The presentation and meeting ended about 9:30 P.M.
Treasurer’s Report for May 2016
contributed by Tommy Thomas
The balance in the account is $486.59 as of May 22, 2016.
SPARTA Financial Report
3/01/2016 through 5/22/2016
INCOME
| Opening Balance | 97.47 |
| Total Deposits | |
| Donation | 0.00 |
| Other | 29.55 |
| Dues | 530.00 |
| TOTAL INCOME | $657.02 |
EXPENSES
| Food | 0.00 |
| Web Site | 0.00 |
| Petty Cash | 200.00 |
| Bank Service Charge | 0.00 |
| TOTAL EXPENSE | $200.00 |
| BANK BALANCE | 457.02 |
| PETTY CASH | 29.57 |
| TOTAL CASH | $486.59 |
Items of Interest
SPARTA Schedule and Menu for 2016
contributed by Tommy Thomas and Chris Blackshire
June 7, 2016 - Chicken
July 12, 2016 - Subs (avoid July 4 holiday)
Aug 2, 2016 - BarBQ
Aug 30, 2016 - Durham Bulls (your choice of food at the game)
Oct 4, 2016 - Pizza
Nov 1, 2016 - Chicken
Dec 6, 2016 - Subs
Early Registration Deadline for SHARE in Atlanta
contributed by Ed Webb
SHARE will be in Atlanta July 31 through August 5, 2016. Great training and education at a low cost. Save $200 if you register by June 17, 2016.
"The time is here. Reserve your spot this summer! Then, prepare for 5 days of endless education, networking and influence."
Register Now at the SHARE Atlanta website.
Downloads from IBM Must Be Secure
contributed by Ed Webb
"We've been saying for quite a while that the regular old FTP method for delivering software to you was going to be removed, and in its place you'll have to use FTPS, HTTPS, or "store and forward". You probably are affected, as I think that all people do one or more of the following:
SMP/E RECEIVE ORDER
Get PTFs, ServerPacs, or CBPDOs from Shopz
Get PTFs from ServiceLink
When is it happening? Shopz and RECEIVE ORDER will change on MAY 22, 2016. ServiceLink SRD orders have already changed on APRIL 17, 2016. If you want to continue to, or start, using "store and forward" you can, and that is unaffected by these dates. But, if you are not using "store and forward", you need to make sure you have selected either FTPS or HTTPS as your delivery mechanism."
Read Marna's blog for more information.
Who’s worried about 2038 or 2042? You should be!
contributed by Ed Webb
"Most of you will remember the Y2K meltdown that had some people thinking that the world would end when all computers stopped working on midnight December 31, 1999.
Well, we have another of those dates coming up on September 17, 2042 (just before midnight, to be precise) when the 8-byte TODSTAMP will wrap. But the world won’t end because IBM kindly provided a 16-byte Extended Time of Day (ETOD) timestamp in 1998 that will take us far into the future. Certainly, by now, IBM and most ISVs have converted over to using the ETOD. But you might have some old home-grown programs that will need some updates, or you might need new releases of software in order to support ETOD. We’ve been seeing changes in SMF records for the past 17 years that provide dates and times in ETOD instead of TOD, and expect more to come. Now all you need to do is start using the new fields.
2038 is known as the UNIX Y2K problem, because the time_t values used in UNIX are signed 32-bit integers that are the number of seconds since 00:00:00 UTC on January 1, 1970, which will wrap (and become negative) on January 19, 2038. IBM notes that all AMODE 31 C/C++ programs will be affected because they use time_t directly. AMODE 64 C/C++ programs are not affected because the compiler generates a signed 64-bit integer for time_t (type long). z/OS 1.9’s Language Environment (the C run-time library) provided a ‘constructed time’ to allow referencing dates beyond 2038 (such as for 30-year mortgages).
So, that’s it. Don’t forget to update your calendars. And stock up on Bitcoins in September 2042, just to be on the safe side!"
See Cheryl's [Watson] blog at SHARE Blog entry.
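The two wrap instants in the quoted post, computed from the clock definitions rather than looked up, as an added example that is not from the newsletter or from Cheryl Watson's blog. It assumes the standard definitions: UNIX time_t as a signed 32-bit count of seconds from 1970-01-01 00:00 UTC, and the z/Architecture 8-byte TOD clock, whose bit 51 ticks once per microsecond from the 1900-01-01 00:00 UTC epoch, so the 64-bit register holds 2**52 microseconds before it wraps. The helper names (time_t32_to_datetime, add_seconds_int32, survives_2038) are ours; the kind of assertion at the end is what you would put in a test suite for a home-grown program that still stores timestamps in 4 bytes.

```python
"""Added example: derive the 2038 (time_t) and 2042 (TOD clock) wrap instants
and reproduce the sign wrap a 32-bit time_t suffers one second later.
Not code from the SPARTA newsletter or the blog post it quotes."""
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TOD_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)   # TOD clock epoch
INT32_MAX = 2**31 - 1                                    # largest signed 32-bit time_t
TOD_TICKS_PER_US = 2**12            # bit 51 of the 64-bit TOD word is 1 microsecond
TOD_MICROSECONDS = 2**64 // TOD_TICKS_PER_US             # == 2**52


def time_t32_to_datetime(seconds: int) -> datetime:
    """Interpret a signed 32-bit time_t. Uses epoch arithmetic instead of
    datetime.fromtimestamp, which rejects negative values on some platforms."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def add_seconds_int32(t: int, delta: int) -> int:
    """Add to a time_t held in a signed 32-bit integer, reproducing the wrap an
    AMODE 31 C program suffers: pack the result unsigned, read it back signed."""
    return struct.unpack(">i", struct.pack(">I", (t + delta) & 0xFFFFFFFF))[0]


def unix_wrap_instant() -> datetime:
    """Last instant representable by a signed 32-bit time_t."""
    return time_t32_to_datetime(INT32_MAX)


def tod_wrap_instant() -> datetime:
    """Instant at which the 8-byte TOD clock overflows back to zero."""
    return TOD_EPOCH + timedelta(microseconds=TOD_MICROSECONDS)


def survives_2038(t: int) -> bool:
    """Sanity check for a 32-bit time_t arithmetic path: one second later must
    compare later, not earlier (i.e., the value must not have gone negative)."""
    return add_seconds_int32(t, 1) > t


if __name__ == "__main__":
    print("32-bit time_t wraps after", unix_wrap_instant().isoformat())
    wrapped = add_seconds_int32(INT32_MAX, 1)
    print("one second later it reads", wrapped,
          "=", time_t32_to_datetime(wrapped).isoformat())
    print("8-byte TOD clock wraps at", tod_wrap_instant().isoformat())
```

Run stand-alone it reports 2038-01-19 03:14:07 UTC for time_t, shows the next second reading as -2147483648 (13 December 1901), and places the TOD wrap at 2042-09-17 23:53:47 UTC, matching the "just before midnight" in the quoted post.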
SDSF Enhancements and What You Need to Know
contributed by Ed Webb
"The IBM z/OS® continuous delivery program introduces new functionality through the small programming enhancements (SPEs) for SDSF users to display system symbols and enqueue information. The SPE is delivered through functional program temporary fixes (PTFs).
This Learn Adopt Deploy (LAD) IBM® Redpaper™ publication describes the new SYM and ENQ options that appear on the SDSF Primary Menu. The new tabular panels that display system symbols and enqueues in the sysplex are shown."
See the YouTube video and get the Redpaper here.
Humor
How to Tell the Sex of a Fly
contributed by Chris Blackshire
A woman walked into the kitchen to find her husband stalking around with a fly swatter.
"What are you doing?" She asked.
"Hunting Flies" He responded.
"Oh. Killing any?" She asked.
"Yep, 3 males, 2 Females," he replied.
Intrigued, she asked. "How can you tell them apart?"
He responded, "3 were on a beer can, 2 were on the phone."
Med School
contributed by Chris Blackshire
I Nearly Became A Doctor
When I was young I decided I wanted to be a doctor, so I took the entrance exam to go to Medical School.
One of the questions asked was to rearrange the letters PNEIS into the name of an important human body part which is most useful when erect.
Those who answered SPINE are doctors today.
The rest of us are sending jokes via email.
Nine Important Facts to Remember as We Grow Older:
contributed by Chris Blackshire
9- Life is the number 1 cause of death in the world.
8- Life is sexually transmitted.
7- Good health is merely the slowest possible rate at which one can die.
6- Men have two emotions: hungry and horny, and they can't tell them apart. If you see a gleam in his eyes, make him a sandwich, you have a 50% chance of being right.
5- Give a person a fish and you feed them for a day. Teach a person to use the Internet and they won't bother you for weeks, months, maybe years.
4- Health nuts are going to feel stupid someday, lying in the hospital, dying of nothing.
3- All of us could take a lesson from the weather. It pays no attention to criticism.
2- In the 60's, people took acid to make the world weird. Now the world is weird, and people take Prozac to make it normal.
1- Life is like a jar of peppers. What you do today might burn your ass tomorrow.
Don’t Forget the Next SPARTA Meeting
Tuesday, June 7, 2016
7 p.m.
Location: LabCorp in RTP
Take I-40 to Miami Boulevard and go north. Turn right onto T.W. Alexander Drive. Go about a mile or so. Then turn right into the LabCorp complex and turn left to the CMBP Building. In the lobby, sign in as a visitor to see Tommy Thomas. Tommy will escort you to the conference room. Use 1912 TW Alexander Drive, Durham, NC 27703 in your map app.
Free Food: Chicken, Sodas and Tea, Dessert
Program (via Webinar):
Phoenix Products
Speaker:
Ed Jaffe of Phoenix Software
SPARTA News
P.O. Box 13194
Research Triangle Park, NC 27709-3194
First Class Postage
SPARTA Corporate Sponsors:
