Archive for Business Strategy

To Boost Card Security, American Express Takes a Cue From Apple

Earlier this week, American Express (AMEX) launched its American Express Token Service. Despite what its name may suggest, AMEX isn't making a pass at the less-than-lucrative video arcade business; it is making a significant move to secure your financial transactions online.

American Express Token Service makes transactions more secure by replacing payment card details with randomized tokens. The practice, called "tokenization," is quickly becoming the standard method for securing mobile and online purchases.

If tokenization sounds familiar, that's because it recently made headlines with the launch of Apple Pay, Apple's mobile payment system, which uses tokenization for purchases made with an iPhone 6 or iPhone 6 Plus.

So why is tokenization so great?
However hectic a department store gets, the payment process there is simple: a checkout counter, a retail employee, a buyer and a payment card. It's a direct transaction, albeit a physical one. Go online and the process gets more complicated. Your card number travels over the Internet to the retailer, and from there to a payment processor, a fraud-screening service and perhaps a delivery partner, and it is often stored at several of those stops. Every system that handles or stores the number is one more place an attacker can read it, whether by intercepting the traffic or by breaching a database, and a single copy of the number is enough to make purchases anywhere.

Tokenization substitutes a non-sensitive stand-in, called a "token," for the sensitive value. In a payment, the token takes the place of the card number but contains none of the card's details: it is a random value that can be mapped back to the real number only inside the token service's vault, which the merchant never sees. It's like singing a particular tune to the cash register instead of shouting your card number out loud, and each digital cash register you use gets its own, different tune for the same card.

So what happens if a hacker intercepts your token? Very little. Unlike a card number, a token carries none of your account details, and it is bound to the merchant (or device) it was issued to, so it cannot be replayed at another retailer. Those restrictions kill most of the resale value of a stolen token. If one is compromised, the issuer can revoke and reissue that single token; your card number stays the same, and there is no need for the panicked calls to the bank and credit agencies that follow a card breach.
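The following Python is an added example that illustrates the mechanism described above; it is not American Express's or Apple's code. The design choices are assumptions made for the example: tokens are random digit strings that keep the card's last four digits (so receipts still work) and pass the same Luhn check as a real card number, the vault is an in-memory dictionary, and each token is bound to one merchant so it is useless anywhere else. The card numbers used are the standard Visa and AMEX test numbers.

```python
# Added example: a toy token vault illustrating the tokenization described
# above.  It is not American Express's or Apple's code; the design choices
# (random Luhn-valid tokens that keep the last four digits, one token per
# merchant) are assumptions, and the card numbers are standard test numbers.
import secrets


def luhn_checksum(digits: str) -> int:
    """Luhn mod-10 sum over a digit string; 0 means the number validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_checksum(number) == 0


class TokenVault:
    """In-memory stand-in for the issuer's token vault.  The real thing is an
    HSM-backed service inside the PCI scope; merchants never see the PAN."""

    def __init__(self):
        self._by_token = {}      # token -> (merchant_id, pan)
        self._by_pan = {}        # (merchant_id, pan) -> token

    @staticmethod
    def _random_token(pan: str) -> str:
        """Random digits of the same length as the PAN, keeping its last four
        (so receipts and 'card ending in ...' prompts still work), then fixed
        up so the token passes the same Luhn check as a real card number."""
        n = len(pan)
        digits = [secrets.randbelow(10) for _ in range(n - 4)] + [int(c) for c in pan[-4:]]
        cs = luhn_checksum("".join(map(str, digits)))
        # The digit just left of the kept four sits at an even position counting
        # from the right, so Luhn does not double it; shifting it by -cs mod 10
        # zeroes the checksum without touching the last four digits.
        digits[n - 5] = (digits[n - 5] - cs) % 10
        return "".join(map(str, digits))

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Issue (or return the existing) token for this PAN at this merchant."""
        if not luhn_valid(pan) or len(pan) not in (15, 16):
            raise ValueError("not a well-formed PAN")
        key = (merchant_id, pan)
        if key in self._by_pan:
            return self._by_pan[key]
        while True:                  # reject the vanishingly rare collisions
            token = self._random_token(pan)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = key
        self._by_pan[key] = token
        return token

    def detokenize(self, token: str, merchant_id: str):
        """Map a token back to the PAN, but only for the merchant it was issued
        to: a token lifted from shop A's traffic is worthless at shop B."""
        entry = self._by_token.get(token)
        if entry is None or entry[0] != merchant_id:
            return None
        return entry[1]


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111111111111111"        # standard Visa test number
    t_a = vault.tokenize(card, "shop-a")
    t_b = vault.tokenize(card, "shop-b")
    print("shop-a token:", t_a, "shop-b token:", t_b)
    print("shop-a can detokenize its own token:", vault.detokenize(t_a, "shop-a") == card)
    print("shop-b cannot use shop-a's token:", vault.detokenize(t_a, "shop-b"))
```

The same card gets a different token at every merchant, and only the issuing merchant can turn a token back into the card number. Real network tokens are issued from a dedicated token BIN range so the payment network can tell them apart from card numbers, and the binding can be to a device or channel as well as to a merchant; the in-memory dictionary here stands in for an HSM-backed service.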

But tokenization is still in its infancy. Many banks and retailers still need to get on board. So what can you do to protect your financial information online in the meantime? Well, there are a few options:

Shop with trusted retailers online. Scammers, always looking to make a quick buck, will be heating up their efforts as the holiday season approaches. Don’t let them trick you. Stick to retailers you’re familiar with and use comprehensive security solutions, like McAfee LiveSafe™ service, to block spam and guard against hackers.

Purchase items on a secure network only. If you're going to shop online, especially with Cyber Monday coming up, do so safely. Shop only on a network you trust, which means avoiding public Wi-Fi, to reduce the chance of a man-in-the-middle attack and the other problems that come with unsecured networks. Whatever network you are on, check that the checkout page is served over HTTPS (the padlock in the address bar); that encryption, not the network, is what stops someone between you and the retailer from reading your card number.

Monitor your bank statements. Even with a tokenized service, check your statements regularly for fraudulent or suspicious activity. Fraudulent charges are not always obvious: fraudsters often test a stolen card with a charge of a few dollars (or even a few cents) before making larger purchases.

Hackers exploit ‘Shellshock’ bug with worms in early attacks

Everything you need to know about the Shellshock Bash bug

Remember Heartbleed? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be a biggie and as I did with Heartbleed, I wanted to put together something definitive both for me to get to grips with the situation and for others to dissect the hype from the true underlying risk.

To set the scene, let me share some content from a blog post by Robert Graham, who has been doing some excellent analysis on this. Imagine an HTTP request like this:

target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74

Which, when issued against a range of vulnerable IP addresses, results in this:

[Screenshot 2014-09-24 18:31:52 from the original post]

I’m a system admin – what can I do?

Firstly, discovering if you're at risk is trivial as it's such an easily reproducible risk. There's a very simple test The Register suggests, which is just running this command within your shell:

env X='() { :;} ; echo busted' /bin/bash -c "echo stuff"   # call bash explicitly; /bin/sh may be dash and would stay silent

You get "busted" echoed back out and you've successfully exploited the bug.

Of course the priority here is going to be patching at risk systems and the patch essentially boils down to ensuring no code can be executed after the end of a Bash function. Linux distros such as Red Hat are releasing guidance on patching the risk so jump on that as a matter of priority.

 Read More from the original poster.
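As an added example (not from the original post, and not Robert Graham's scanner), the following Python shows the two checks a sysadmin wants during an incident like this: spotting the `() { :; };` trigger in request headers that a CGI server would export into bash's environment, and running the env test above against a local bash. The sample request, the 192.0.2.10 address and the small header parser are constructed for the example; the bash check calls /bin/bash explicitly because /bin/sh is dash on Debian-style systems and would give a false negative.

```python
# Added example: spotting Shellshock probes in HTTP requests and checking a
# local bash.  Not from the original post or from Robert Graham's tooling;
# the sample request and the 192.0.2.10 address are constructed.
import re
import subprocess

# The trigger is a value shaped like an exported function definition, "() {",
# a closing "}" and then trailing commands.  Vulnerable bash (CVE-2014-6271)
# imports the function and keeps parsing, so the trailing commands run.
# Bash itself only acts on values that begin with the exact bytes "() {";
# the detector is deliberately looser (optional whitespace, search anywhere
# in the value) so that padded or prefixed variants are still flagged.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;\s*(.+)", re.DOTALL)


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.x request-header parser for log or pcap snippets."""
    headers = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    for line in lines[1:]:                 # skip the request line
        if not line.strip():               # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def find_shellshock(headers: dict) -> list:
    """Return [(header_name, trailing_command), ...] for every header that
    carries a Shellshock trigger.  Any header a CGI server exports into the
    environment (User-Agent, Cookie, Referer, Host, ...) is a candidate, so
    every header is checked rather than a fixed list."""
    hits = []
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if m:
            hits.append((name, m.group(1).strip()))
    return hits


def bash_is_vulnerable(bash: str = "/bin/bash"):
    """The classic test: export a function with trailing code and see whether
    the trailing code runs.  Returns True/False, or None if bash is missing."""
    try:
        result = subprocess.run(
            [bash, "-c", "echo stuff"],
            env={"X": "() { :;}; echo busted", "PATH": "/usr/bin:/bin"},
            capture_output=True, text=True, timeout=5,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "busted" in result.stdout


# Constructed sample probe, modelled on the scanner headers quoted above.
SAMPLE_PROBE = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: () { :; }; ping -c 3 192.0.2.10\r\n"
    "User-Agent: () { :; }; echo vulnerable\r\n"
    "Accept: */*\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for header, payload in find_shellshock(parse_request(SAMPLE_PROBE)):
        print(f"Shellshock trigger in {header}: would run {payload!r}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

Run over a web server's access logs or a packet capture, `find_shellshock` gives you the list of headers and commands the probes were trying to run (in the masscan configuration above, a ping back to the scanner), which is also the evidence you need when deciding whether a host was merely probed or actually exploited. `bash_is_vulnerable` is the same env test as the shell one-liner; a patched bash prints only "stuff".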

Neutrality Fact

Did you know?

While internet users in the US struggle with expensive and slow connections provided by cable corporations, Chattanooga, Tennessee’s fiber-optic network, “The Gig”, is a taxpayer-owned public utility that boasts internet speeds 50 times faster than the rest of the country.

SHARE this if the FCC should dump their plans to end net neutrality and classify the internet as a public utility. Let us know what you think about high internet bills.

They are Team Cable

[Logos: AT&T, Time Warner, Comcast]

Sept. 10th is the Internet Slowdown

Cable companies are famous for high prices and poor service. Several rank as the most hated companies in America. Now they're attacking the Internet, their one competitor and our only refuge, with plans to charge websites arbitrary fees and slow (to a crawl) any sites that won't pay up. If they win, the Internet dies.

Cable companies want to slow down (and break!) your favorite sites, for profit. To fight back, let’s cover the web with symbolic “loading” icons, to remind everyone what an Internet without net neutrality would look like, and drive record numbers of emails and calls to lawmakers.
Are you in? Read more….

Google Now Using HTTPS As A Ranking Signal

Google has officially announced that serving your site over HTTPS (with a valid TLS/SSL certificate) now counts as a ranking signal in its search results.

For all the good this does, others will now use it as an argument for other kinds of "nudging" by Google. For years the legacy entertainment industry has pushed Google to rank "good" sites higher and "pirate" sites lower, a distinction the industry still seems to think is a simple black-and-white calculation (it's not). Google can point out that HTTPS versus plain HTTP is an objective, machine-checkable property, but expect those who think Google should be designed in their own interests rather than its users' to seize on this as proof that Google could solve their problems too.

It is still a good move. Encouraging more encryption on the web is the right thing to do. It is just a bit surprising that Google would take this step, and it will be interesting to see how others react to it.

Facebook Manipulation Investigation

EPIC (the Electronic Privacy Information Center) has filed a formal complaint with the Federal Trade Commission against Facebook over its secret manipulation experiment.

Facebook could be facing a federal investigation. Stay tuned and tell Facebook to STOP: https://cms.fightforthefuture.org/facebook-stop-tests/


Privacy On Brink Of Extinction

This one is worth bringing back because the situation now is as urgent as it ever was. Take action: http://cms.fightforthefuture.org/tellfcc

Are Bigger Hosting Companies Better Web Hosts?

Big web hosting companies get all the attention in an industry they seem to dominate. With exposure, rankings and search-engine results they can often create whatever reputation they want for themselves. Invariably, most customers go with the big hosting companies, because those are the only providers they know about from their limited research. But does a bigger hosting company necessarily mean a better one? Here is a look at some reasons you might choose a smaller company.

Isn’t Bigger Better?

Oftentimes our mentality leads us to think that bigger is always better. After all, how did they get so big in the first place? They must be doing something right. But just because a web hosting company did something right at some point does not mean they have it all figured out now.

One advantage of going with a smaller company is the fact that they don’t have a huge budget for their advertising. Because smaller companies don’t have bottomless advertising funds, they must take care of their existing customers and rely on word-of-mouth from current customers to get new ones. They will ensure that you get the best offers, prompt customer care, personalized services and do anything else you need, because you are important to their future.

A big hosting company with 1,000,000 users, on the other hand, knows that if you walk away there are 50 new people signing up while you are busy complaining. Your business is not as valuable to a big company as it is to a smaller company. So, in many cases the customer service of the big company does suffer.

The Big Company vs. the Smaller Company

Numerous big web hosting companies offer tons of space and bandwidth that customers don’t necessarily need. Most customers will overlook their actual requirements and settle for quantity over quality.

The big companies also offer excessive quantity to outgun each other; once one does it, all the others have to follow to keep up. Customers need to understand their needs and not get lured in by excessive offers that lack quality. After all, when was the last time you uploaded a 2000 GB file?

Another commonly misconceived notion is that small companies do not offer 24/7 support. In today’s market, big and small companies tend to offer 24/7 customer support. But with big companies, you tend to run the risk of speaking to someone who is poorly trained with no technical background.

While you can’t guarantee that every small hosting company is better than a big hosting company, we just think it is important that you don’t over look small hosting companies during your search. At the end of the day, it isn’t just about the 100000000000GB bandwidth or 100000000GB space that makes a difference in your company, but it’s the quality of service that makes the difference.

New Tax Law For Online Sellers

Internal Revenue Code (IRC) Section 6050W states that all US payment processors, including PayPal, are required by the Internal Revenue Service (IRS) to provide information to the IRS about certain customers who receive payments for the sale of goods or services through PayPal. PayPal is required to report gross payments received for sellers who receive over $20,000 in gross payment volume AND over 200 separate payments in a calendar year. In order to help you understand these changes, we have prepared the following FAQs.

Questions? Log in to your account or call 1-877-569-1129

What is Internal Revenue Code (IRC) Section 6050W?

Under the legislation, we’ll report to the IRS the total payment volume received by US account holders whose payments exceed both of these levels in a calendar year:

US$20,000 in gross payment volume from sales of goods or services in a single year
200 separate payments for goods or services in the same year

IRC Section 6050W applies to all payment processors, including PayPal. Our goal is to help PayPal sellers understand and comply with the new requirements.

6 Vital Email Archiving Questions For Small Businesses

Email archiving solutions sound like they fit a certain type of company. It sounds like exactly the kind of thing you expect to find in a box marked ‘enterprise solutions’. But that doesn’t mean that small businesses should ignore it. If you own a small business, ask yourself these email archiving questions.

How Important is Email in my Business?

Many businesses answer this email archiving question without thinking. They don't use email to sell, so they assume it's not important. In truth, the answer is "very." Every modern business uses email every single day. It's used to discuss issues, inform staff and even to invoice and make payments. No business could operate successfully without email.

What Legal Requirements Do I Have?

Another email archiving question that small businesses often answer incorrectly. A lot of small businesses like to think that they aren’t in a regulated industry. The truth is, some industries are more regulated than others but every business is required to retain business records. Legislation like Sarbanes-Oxley (SOX) and the Federal Rules of Civil Procedure (FRCP) mean small business must retain vital documents like email.

How do I compile eDiscovery Requests?

If your company is ever involved in a lawsuit, how will you compile the required electronic documents? Email is regularly used as evidence in modern lawsuits, which makes it a common target of discovery requests. The emails involved might be from years before the case. If they cannot be recovered easily, finding them manually is likely to be a costly process.

Do I Have an Email Retention Policy?

If you don’t have a policy, you could be opening yourself up to serious legal difficulties. If you’re leaving it up to your staff which email they keep and which they destroy, you could be left red faced when the request comes from the regulator.

How am I Archiving Email at the Moment?

You need to be aware of where you’re storing email at the moment, and what limitations that creates. If you’re backing up to tape, you need to store it and be aware of the time-consuming process of running the tape to find information on it. You also need to be ready to replace it when it fills up. If you’re using online backup, you avoid most of those issues. But unless your backup is accurately archived, it will still take time to recover specific emails.

Do I need a Dedicated Archive?

The most important email archiving question is "do I need one?" If the answer to any of the questions above made you uncomfortable, the answer is yes. An email archive stores your email in a secure, compliant manner. It makes eDiscovery easy because the archive is designed for fast search and recovery of email. It makes answering each of these questions easy too.

Article Credit: Kim Dunn

Trust in the Workplace

In many organizations, the level of trust between co-workers, between managers and employees, or between executives and the front-lines is low. Perhaps, to some, this is viewed as normal. While it may be common, it is certainly not an effective way of leading an admired organization or supporting a high-performance team. What does it mean for performance and productivity when there is a lack of trust?

  • Trust is Key. 79% of people think it is important that their leader be trustworthy; in fact it is the top quality they want in a leader. Yet…
  • Loss of Trust Happens. 47% of employers think that employee trust has declined as a result of the way their company has managed its cost reductions. This leads to…
  • Top Talent Becomes Disillusioned. 48% of employees who plan to look for a new job cite a loss of trust in their employer, resulting from how business and operational decisions were handled, as a reason for leaving.

5 Behaviors That Undermine Trust:

  • Hype and overpromise. Promoting and publicizing can only do so much. Beneath the hype, there has to be a delivery of value. If there is not, the message that is being sent is that your words have no merit and your promises are empty–that is something people will take note of. Fool me once, shame on you; fool me twice…
  • Lies, half-truths, and spin. Many times, people can tell when you are lying.  Evasive communication is perfectly fine when someone asks an inappropriate question and you want to respond in a diplomatic and cordial way. But when someone truly deserves an explanation and you refuse to be up-front with one, you send a very strong and negative message about one of two things: (1) your own character, or (2) how much you value your relationship with them.
  • Botched delivery of a difficult message. How you communicate can be just as important as what you say. The way a difficult situation is handled either builds trust or destroys it, period. Certainly by varying degrees depending on the situation, but there is generally no neutral action you can take. Ignoring an issue, delaying explanation, using excuses, not apologizing, relinquishing accountability, shifting blame, condescension, or using the inappropriate communication channels are some of the things to watch out for.
  • Not extending trust. A trusting relationship is a two-way street. Withholding trust only serves to create a culture of distrust. A few examples are micromanaging, duplicating or re-checking work, and creating policies that send the message, “we don’t trust you.”
  • Combative conflict management style. While task-related conflict can be very productive, getting involved with personal conflicts never is. Avoid threats, win/lose propositions, personal attacks, put-downs, abusing authority, bullying, and stirring up drama.

In the short-term, taking one of these actions might seem like a reasonable solution, even a win, or perhaps it is justified as the only option. But the fact is there are hidden costs in compromising integrity. To support and participate in behaviors that compromise trust—lying, hypocrisy, etc.—is taking a major risk with longstanding relationships and long-term well-being of the organization. Not to mention, it tarnishes your personal and professional brand.

Article Credit: Eva Rykrsmith

Tips for Better Password Security

What can you do to prevent an account takeover like Honan's from happening to you? Here are three tips for beefing up the security of your passwords:

1. Take advantage of two-factor authentication. Honan notes that, if he had used two-factor authentication for his Google account, his entire nightmare might never have happened. Both Google and Dropbox offer this feature, which requires not just a username and password but also a second proof that you are who you say you are.

That means you must enter a one-time code that the company sends you, via text message or voice call to your cell phone, whenever you log in from a device you haven't previously marked as "safe." The extra step can be a hassle, for instance if you lose your phone, but it adds a second layer of protection to your account(s). One caveat: codes sent by SMS can be intercepted or redirected by an attacker who takes over your phone number, so where a service offers an authenticator app or a hardware key, prefer that over text messages.

2. Avoid the most common passwords. The most popular passwords, according to SplashData, include “password,” “123456,” and “superman.” Think “qazwsx” is clever? Or that substituting a zero for the letter O in “passw0rd” is enough? Think again.

SplashData compiled its list by looking at the millions of stolen passwords that have been posted online by hackers. (Note that LinkedIn, Yahoo, and other popular services have all been recently hacked and had users’ personal information exposed.) The company, which makes security and productivity apps, recommends using passwords of at least eight characters — a mix of letters, numbers, and symbols.

3. Don’t reuse the same passwords. It’s tempting to use the same password over and over again, lest you forget it. But once one account is hacked, this makes the others vulnerable, too. One option is to use a password manager, such as LastPass, which gives you one master password and allows you to access all of your accounts. The Next Web’s LifeHacks offers an introduction to using a password manager.

You can also try memory strategies to help you create and remember multiple strong passwords. One common suggestion is to keep a "base password" and customize it for each site by adding something like "fb" for Facebook. Be aware that this is only marginally better than outright reuse: an attacker who obtains one of these passwords from a breach will try the obvious variants at other sites, so a password manager with random, unrelated passwords is the safer option.

Credit To Publisher: Ellen Lee
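The following Python is an added example, not part of Ellen Lee's article, that turns the three tips above into checks a signup form or a password audit can run: it collapses leetspeak and trailing digits so "passw0rd" and "P@ssw0rd1" are caught by the same list as "password", flags password sets that share one base with a short per-site tag, and generates the kind of independent random password a manager would. The leaked-password excerpt is constructed (SplashData publishes the real list), and the prefix and tag thresholds are illustrative assumptions.

```python
# Added example: turning the three tips into checks a signup form or a
# password audit can run.  It is not from the article; the leaked-password
# excerpt is constructed (SplashData publishes the real list) and the
# "shared base" thresholds are illustrative.
import re
import secrets
import string

COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "superman",
    "qazwsx", "letmein", "monkey", "iloveyou", "football", "dragon",
}

# The substitutions people believe make "password" unique.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical(pw: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols ("2014", "!", "123"),
    then undo leetspeak, so passw0rd, P@ssw0rd1 and Password! all collapse to
    the dictionary word they came from."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def is_common(pw: str) -> bool:
    """Reject anything on the leaked list, before or after canonicalising."""
    return pw.lower() in COMMON_PASSWORDS or canonical(pw) in COMMON_PASSWORDS


def derived_from_same_base(a: str, b: str, min_base: int = 6, max_tag: int = 4) -> bool:
    """True when two passwords look like one secret plus a short per-site tag
    (Summer2014fb / Summer2014tw): a long shared prefix and a short remainder."""
    a, b = a.lower(), b.lower()
    shared = 0
    for x, y in zip(a, b):
        if x != y:
            break
        shared += 1
    return shared >= min_base and max(len(a), len(b)) - shared <= max_tag


def reuse_report(passwords: dict) -> list:
    """Given {site: password}, return the site pairs whose passwords are the
    same or trivially derived from one another.  One breach exposes them all."""
    items = sorted(passwords.items())
    pairs = []
    for i, (site_a, pw_a) in enumerate(items):
        for site_b, pw_b in items[i + 1:]:
            if pw_a == pw_b or derived_from_same_base(pw_a, pw_b):
                pairs.append((site_a, site_b))
    return pairs


def generate(length: int = 20) -> str:
    """What a password manager does instead: an independent random secret per
    site, drawn from the OS CSPRNG (secrets) rather than random.choice()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("passw0rd", "P@ssw0rd1", "Superman!", "correct horse battery staple"):
        print(f"{candidate!r}: {'common' if is_common(candidate) else 'ok'}")
    # Constructed set of one person's passwords, one per site.
    print(reuse_report({"facebook": "Summer2014fb", "twitter": "Summer2014tw",
                        "bank": "7$Lq!v2pZx9Wm"}))
    print("manager-style password:", generate())
```

`is_common` is the check to run at signup or password change; `reuse_report` is the check to run over a password manager export or a breach-response spreadsheet to see which accounts fall together when one site is breached. The thresholds (six shared characters, at most four characters of tag) are assumptions and will miss some schemes, but they catch the "base plus site initials" pattern the article suggests.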

Why small businesses need to take privacy seriously

Several weeks ago, boxes of confidential records that contained client names, Social Security numbers, dates of birth and invoices were discovered in a public recycling bin behind a supermarket in Spartanburg, SC. Peggy Garland-Coleman, a tax return consultant who closed her CPA firm three years ago, said she discarded the records after several days of shuffling papers to determine exposure risks.

Three months ago, two individuals were arrested for identity theft after stealing over $16,000 from victims in the Santa Clarita Valley area. By salvaging and reassembling shredded checks from the trash dumpsters of a self-storage facility, this couple collected enough information to open and operate a check counterfeiting racket.

And, last October, sensitive documents with client names, addresses, bank statements, credit card account numbers and Social Security numbers from a law firm were found scattered across the sidewalks, through the streets and along the interstate in Baton Rouge, LA. According to the firm’s owner, a cleaning company was paid to dispose of the documents, but they were not shredded. When asked why, he said a lot of it was public record anyway.

Security breaches such as these happen every day, but when they happen to mom-and-pop businesses, the public rarely hears about it. According to New York City Housing Authority (NYCHA) Chief Privacy Officer Sheetal Sood, CIPP/US, who has multiple security certifications, the smaller businesses have a long way to go before they come close to properly handling data securely.

“Speaking as a privacy professional, which does not reflect the opinions of NYCHA, I believe the smaller businesses have very lax controls around data security,” says Sood. “They usually have very little or no technology to work with, which leads them to perform most of their transactions manually. The SMBs (small to medium businesses) that do have the appropriate technology are prone to hacking attacks, especially if they employ wireless network access.”

According to Avivah Litan, Gartner Research’s lead consumer privacy analyst, many SMBs—unless they are in professional services such as tax accounting or law—are unaware of the laws that govern privacy, such as The Gramm-Leach-Bliley Act (GLBA), the American Recovery and Reinvestment Act and the Payment Card Industry Data Security Standard (PCI DSS). “The typical nonprofessional service business has no training or education on laws governing the collection of personally identifiable information (PII) or other sensitive customer data,” says Litan, “and they are too busy running their businesses to even think about these subjects.”

Sood adds, “As far as the laws are concerned, they have probably heard about the more popular ones such as the Health Insurance Portability and Accountability Act (HIPAA), especially if the SMB is a dentist or a doctor’s office, but general awareness of the law and rules regarding data collection are severely lacking. Large enterprises face fines, reputation loss and brand-tarnishing when PII is poorly managed…The government regulates corporations, especially publicly owned businesses, but small businesses have more gray areas and less direction.”

For example, according to Sood, most SMBs accept credit cards from their customers but do not follow the PCI standards. The PCI standards are very clear and freely available on the Internet. Due to the lack of general awareness regarding the privacy laws and the rules surrounding data security, however, policies and procedures are often missing. Some businesses have policies about data management, but more often than not, there are no procedures. “It’s just a matter of implementing some controls,” she says, “versus having none.”

“The promises you make to customers should include how you are going to protect their personal information and reduce the risk of identity theft,” says Karen Barney, program director at the Identity Theft Resource Center. Policies, procedures and protocols must be developed and in place to protect customer data. An introduction to privacy laws, which all SMBs should implement immediately, is widely available on a number of business websites.

According to Barney, some of the procedures and protocols that need to be in place include:

  • Clearly define standard operating procedures.
  • Restrict information access to “need-to-know” basis only.
  • Secure all sensitive information.
  • Truncate or encrypt Social Security numbers and financial account numbers whenever possible.
  • Clearly define document-handling procedures, including proper paper and electronic records disposal.
  • Control and vet document delivery practices.
  • Minimize how much is out of your control; i.e., third parties, subcontractors, disposal companies.
  • Conduct ongoing training and education about identity theft awareness and prevention.

“Many small businesses fail to recognize the impact of losing customer information until it happens,” says Rex Davis, director of operations at the Identity Theft Resource Center. “The result can be a devastating surprise for both the business and the customers involved. A data breach, even if not publicized widely, is something that customers do not forget or easily forgive. At the minimum, each small business owner should review the available guidelines regarding the protection of information, make its own checklist of items that apply to that business and then take appropriate measures to restrict and safeguard customer information. A key question should be this: Do we need to keep this information in the first place?”

Katherine Hutt, a spokesperson for the Council of Better Business Bureaus, adds, “Safeguarding privacy is one of the eight BBB Standards of Trust. Every business, large or small, must make the privacy and protection of its customers’ data a foundational principle of its business practices. You cannot build a relationship of trust with your customers if you fail to do everything in your power to protect their data and their privacy.”

Credit To Publisher: Julie Sartain