Slashdot Mirror


Wyndham Settlement: No Fine, But More Power To the FTC (csoonline.com)

itwbennett writes: Earlier this month, Wyndham settled a lawsuit with the FTC over weak security practices that resulted in 3 major data breaches in 2008 and 2009 that compromised the credit card information of more than 619,000 customers and led to more than $10.6 million in fraudulent charges. But all the settlement requires Wyndham to do 'is what any company that handles credit card data is supposed to have been doing for more than a decade, under the Payment Card Industry Data Security Standard (PCI DSS),' writes Taylor Armerding. There was no fine and it seemed as though Wyndham had 'dodged a bullet,' says Armerding. But things are not always as they seem. Because the PCI DSS is not a government standard and is not a law, 'the case was not about fines for noncompliance, which the FTC doesn't even have the authority to impose,' says Armerding. 'It was instead about power – the authority of the FTC to charge Wyndham with "unfair and deceptive" practices because of its security flaws.'

17 comments

  1. Nuisance Suit by Anonymous Coward · · Score: 1

    The FTC's case is simply a nuisance suit for Wyndham. While I'm annoyed at Wyndham for their lax practices, I'm also annoyed, perhaps more annoyed, by the recent efforts of government agencies to exceed their authority and essentially establish laws of their own where they have no such power.

    1. Re:Nuisance Suit by Anonymous Coward · · Score: 0

      The FTC's case is simply a nuisance suit for Wyndham. While I'm annoyed at Wyndham for their lax practices, I'm also annoyed, perhaps more annoyed, by the recent efforts of government agencies to exceed their authority and essentially establish laws of their own where they have no such power.

      What is your solution to almost daily security breaches of potentially life-ruining data?

    2. Re:Nuisance Suit by sinij · · Score: 3, Insightful

      I think government is very justified when looking into cases of negligence when it impacts a large number of people. There is very clear case of public interest.

    3. Re:Nuisance Suit by Anonymous Coward · · Score: 0

      Recent?

      I'm annoyed by your naive failure to appreciate the long-standing history of it.

    4. Re:Nuisance Suit by dgatwood · · Score: 3, Insightful

      What is your solution to almost daily security breaches of potentially life-ruining data?

      More government regulation of credit bureaus and credit card companies so that no piece of data that can potentially be compromised qualifies as "potentially life-ruining". The problem is not that your SSN can be stolen. The problem is that it actually matters whether your SSN gets stolen, which is entirely an artificial problem caused by credit bureaus treating a non-secret number as though it were some sort of password, allowing people to take out credit using entirely different addresses and phone numbers than they've ever used before without doing due diligence to determine whether that person moved, and fraudulently and libelously report nonpayment of those bogus debts as though they were real.

      The credit bureaus are the problem, period. There is no such thing as "identity theft". There is only widespread conspiracy to commit libel resulting from gross criminal negligence on the part of credit bureaus. The only way to fix the problem is to fix the lax regulation that has allowed these companies to libel creditors with near impunity for decades.

      On the credit card side:

      • Require that all credit card readers support NFC, provide short-range magnetic resonance power, and have a spot to place the card during the transaction so that the card is fully visible by the purchaser for the duration of the purchase process.
      • Require that all credit cards have a screen that displays the name of the vendor and requires you to press a button on the card to authorize the transaction using proper PK crypto signatures.
      • Require that all credit cards be able to generate a unique, single-use card number for Internet transactions.
      • Ban all credit cards with fixed card numbers.

      That's quite literally the only way that has even a prayer of eliminating the risk of compromised payment terminals being used maliciously. The device that authorizes the transaction must be an inexpensive and normally disconnected device, such as a thick credit card, as opposed to a cellular phone, because otherwise you're just moving the attack target around. And the button to authorize the transaction must be part of that device so that it cannot be easily compromised. Otherwise, a compromised reader could potentially show the transaction on the screen, authorize it, and then very quickly show and authorize a second transaction before the customer notices.

      And if it isn't mandated by law, the card companies won't implement this, because it is relatively expensive, and they would rather just force merchants to eat the cost of fraud rather than take steps to actually prevent fraud.

      On the credit card bureau side:

      • Require that credit bureaus be able to support all allegations of nonpayment with reasonable evidence, and if they fail to produce that evidence, require them to remove the allegation.
      • Require that credit bureaus provide all consumers with the option to require two-factor authentication (e.g. callback at a known phone number) for all new credit applications, at no cost to the consumer.
      • Require that credit bureaus immediately transition to their own unique identifier for credit purposes that is A. separate and distinct from the SSN, and B. changeable upon request, again at no cost to the consumer.

      And more generally:

      • Make it illegal for non-government entities to use a social security number for any purposes whatsoever other than those explicitly required by law (e.g. reporting of wages).
      • Assign everyone in America a new, randomly chosen, twelve-digit SSN. Require a five-year transition to the new identifiers, after which the old SSNs become irrelevant.

      If government did these things, so-called "identity theft" would just about cease to exist. But they won't, because politicians can win votes by paying lip service to "identity theft" while not actually f

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
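The card-side authorization dgatwood proposes (card shows the vendor, holder presses a button, card emits a public-key signature) and the failure mode it guards against (a compromised reader pushing a second charge through right behind the first) can be sketched as a two-party exchange. The following Go program is an added example, not code from the comment or from any card scheme; it assumes Ed25519 for the "proper PK crypto", a card-side monotonic counter so the issuer can reject replays, a terminal nonce, and a hypothetical merchant name and amount used as constructed sample input. One physical press is consumed by exactly one signature, so the reader cannot obtain two authorizations from one confirmation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is what the terminal asks the card to approve; the card shows
// Merchant and AmountCents on its own screen before the holder confirms.
// TermNonce is a per-request value chosen by the terminal (example assumption).
type Transaction struct {
	Merchant    string
	AmountCents uint64
	TermNonce   [16]byte
}

// Authorization is the card's signed approval. Counter is a card-side
// monotonic value (example assumption) so the issuer can reject a replay.
type Authorization struct {
	Tx      Transaction
	Counter uint64
	Sig     []byte
}

// Card models the inexpensive, normally disconnected signing device.
type Card struct {
	priv          ed25519.PrivateKey
	counter       uint64
	buttonPressed bool
}

var ErrNoConfirmation = errors.New("card: no button press since last authorization")

// NewCard generates the card key pair; the public key is what the issuer enrols.
func NewCard() (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, pub, nil
}

// PressButton is the holder's physical confirmation. One press is consumed by
// exactly one Authorize call, which is what stops a compromised reader from
// sliding a second transaction through behind the first.
func (c *Card) PressButton() { c.buttonPressed = true }

// Authorize signs the transaction only if the button was pressed since the
// previous authorization.
func (c *Card) Authorize(tx Transaction) (Authorization, error) {
	if !c.buttonPressed {
		return Authorization{}, ErrNoConfirmation
	}
	c.buttonPressed = false
	c.counter++
	sig := ed25519.Sign(c.priv, encode(tx, c.counter))
	return Authorization{Tx: tx, Counter: c.counter, Sig: sig}, nil
}

// Issuer holds the enrolled public key and the last counter it accepted.
type Issuer struct {
	pub      ed25519.PublicKey
	lastSeen uint64
}

func NewIssuer(pub ed25519.PublicKey) *Issuer { return &Issuer{pub: pub} }

// Verify checks the signature over the exact merchant, amount, nonce and
// counter, then requires the counter to move strictly forward.
func (i *Issuer) Verify(a Authorization) error {
	if !ed25519.Verify(i.pub, encode(a.Tx, a.Counter), a.Sig) {
		return errors.New("issuer: bad signature")
	}
	if a.Counter <= i.lastSeen {
		return errors.New("issuer: replayed or out-of-order counter")
	}
	i.lastSeen = a.Counter
	return nil
}

// encode serialises the signed fields unambiguously; the merchant name is
// length-prefixed so field boundaries cannot be shifted by an attacker.
func encode(tx Transaction, counter uint64) []byte {
	var b [8]byte
	out := make([]byte, 0, 8+len(tx.Merchant)+8+16+8)
	binary.BigEndian.PutUint64(b[:], uint64(len(tx.Merchant)))
	out = append(out, b[:]...)
	out = append(out, tx.Merchant...)
	binary.BigEndian.PutUint64(b[:], tx.AmountCents)
	out = append(out, b[:]...)
	out = append(out, tx.TermNonce[:]...)
	binary.BigEndian.PutUint64(b[:], counter)
	return append(out, b[:]...)
}

func main() {
	card, pub, err := NewCard()
	if err != nil {
		panic(err)
	}
	issuer := NewIssuer(pub)
	tx := Transaction{Merchant: "Example Hotel", AmountCents: 12999} // constructed sample
	rand.Read(tx.TermNonce[:])

	card.PressButton()
	auth, _ := card.Authorize(tx)
	fmt.Println("legitimate purchase:", issuer.Verify(auth))
	fmt.Println("replay of the same authorization:", issuer.Verify(auth))
	_, err = card.Authorize(Transaction{Merchant: "Example Hotel", AmountCents: 50000})
	fmt.Println("second charge without a press:", err)
}
```

The point the comment makes is visible in `Authorize`: the terminal can present anything it likes, but it never holds the key and cannot manufacture the press, so the worst a compromised reader can do is obtain the one signature the holder actually approved, over the exact merchant and amount the card displayed.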

    5. Re: Nuisance Suit by IBME · · Score: 0

      That's nice but how many times do I have to hear what some poster thinks is the 'best' way to fix something broken. Worse, usually they want to write a fucking book about it, thinking anyone even gaf. As if they have now 'solved' the problem. Pathetic. Try telling the 'proper' entities instead of posting in some random tech site.

    6. Re:Nuisance Suit by khallow · · Score: 1

      I don't know about the original AC's ideas, but we have a court system for this.

    7. Re: Nuisance Suit by Anonymous Coward · · Score: 1

      No. Ohhhhh no. Nonononono. This case was about piercing the corporate veil / common enterprise. It was about a firm seeking to transfer security responsibilities to another firm, thereby avoiding the costs and responsibilities of IT.

      This case sets very interesting precedent, and in the past courts have said you can only pierce the corporate veil as a result of fiscal malfeasance. But this case raised IT / infosec to the same level. Corporate America should be crapping their pants.

  2. Deception by Visa by Anonymous Coward · · Score: 0

    Lax practices? How about the lax standards for validating charge cards imposed by Visa? Mag stripes are not secure, they've never been secure, and the only thing Visa ever did about it was to make the merchants responsible for adding un-standardized security to protect their weak systems.

    Wyndham was first a victim of expensive but ineffective data protection rules imposed by PCI, then a victim of hackers when those rules failed to protect them. The FTC should be investigating PCI like the FBI's been investigating FIFA, and for mostly the same reasons.

    1. Re: Deception by Visa by Anonymous Coward · · Score: 0

      VISA gets a cut regardless, and their processors get an excuse to raise their fees when a merchant gets hit with a cloned card. VISA is the bad actor here.

  3. Everyone violates PCI by sunderland56 · · Score: 1

    PCI sets many standards; very, very few businesses obey them all, and there is essentially zero penalty for non-compliance. For instance: while Christmas shopping, did every store you visited require the use of a card with a chip? The cutoff date for requiring that at any retailer was back in October.

    1. Re: Everyone violates PCI by rickb928 · · Score: 1

      Many issuers will impose fines against merchants if the merchant suffered data breaches and was not PCI compliant. These are not always minimal. Some issuers put this into merchant contracts.

      It is not always without costs to the merchant.

      --
      deleting the extra space after periods so i can stay relevant, yeah.

    2. Re:Everyone violates PCI by Anonymous Coward · · Score: 0

      PCI sets many standards; very, very few businesses obey them all...

      Or obey none. The Obama campaign in 2008 just required a credit card number to make a donation with no name or address verification. Remember Doodad Pro?

  4. Surely by Anonymous Coward · · Score: 0

    ... authority of the FTC to charge Wyndham ...

    Wyndham has a responsibility to its customers, so the government should punish such breaches of care. The fact the law doesn't say "Use plan 9" is a good thing; it allows agencies like the FTC to set flexible targets and stretch goals. It also forces businesses to demonstrate they care, with a certain percentage of man-hours and dollars invested in security, or an industry-supported policy like PCI-DSS. The real purpose of industry-supported policies is avoidance of written-in-stone legislation, allowing businesses to bend the rules whenever enforcement is expensive. But bending the rules every day is not regulation and, in particular, not self-regulation, so Wyndham should also be punished for its repeated breaches of its own policy.

    The government is not delivering punishment, it is making Wyndham deliver its promise to customers and exercise its duty of care via the FTC. Wyndham would be foolish to complain about such light-handed treatment. Given the inability of the US government to demand good behaviour from corporations and its repeated unwillingness to prosecute blatant fraud, there is ample opportunity for Wyndham to 'water-down' its promise to the government.

  5. Eat A Dick! by Anonymous Coward · · Score: 0

    He answered the previous poster's question precisely. He wasn't talking to you and NO ONE asked for your worthless verbal diarrhoea.

    Please. PLEASE! STFU and FOAD cock gobbler.

    1. Re: Eat A Dick! by IBME · · Score: 1

      I would but I can't seem to find yours. Probably stuck up your ass no doubt.