
Local ARMA Quote

  • "The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.
  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

  • "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- is public discussion, not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's public contributions to blogs and the like constitute the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law and Business.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright often earns money or other reward from organizations he mentions or links on blogs, such as Messaging Architects, SANS Institute, Credant Technologies, state CPA societies, LabMD and others.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.


August 07, 2008

Payment Card Issuers Over-reacted to TJX

Comments


Jim Graves

FWIW, the DoJ press release said that the accused withdrew tens of thousands of dollars at a time, not total. The latest number I saw for the first credit card ring is $8 million, and the DoJ indictment wants $20 million in forfeitures from Yastremskiy.

I talk about this a bit more on my blog.

Ben Wright

Jim: Thank you! You are absolutely correct about the tens of thousands of dollars at a time. I was mistaken. My original thinking came from USAToday, which did not say "at a time". I cited the US DoJ press release, but failed to read it carefully.

Thus, regarding the ATM withdrawals, it seems the hundreds of thousands of dollars figure is better.

I'm going to look into the other figures you cite. --Ben

Ben Wright

Jim: Regarding the ring of thieves in Florida: The original criminal charges (circa March 2007) filed against the ring used the $8 million figure. However, later press reports like this one in the St. Petersburg Times, speak in terms of a lower figure, i.e., "more than $1-million". I appreciate your contribution to this discussion!

Ben Wright

Jim: Yastremskiy’s indictment, page 10 seeks forfeiture of $11,509,647.

Tracing particular dollars to a break-in at a particular merchant is a forensic nightmare. Yastremskiy et al. are tied to data thefts at many merchants, TJX being just one. Dollar figures tied to Yastremskiy mix TJX with other heists.

Criminal indictments like Yastremskiy’s are not conservative, CPA-audited financial statements. They are negotiation documents, written by prosecutors, i.e., advocates of the government’s position.

The forfeiture sought from Yastremskiy could easily count any given dollar more than once. He was a money launderer; he moved money around. The indictment (apparently) seeks all the money transferred in connection with him during certain periods of time.

Again, thank you for your thoughtful contribution Jim.

Tom Mahoney

Mr. Wright;

Although you've made some good points here, I think you've missed some important ones too.

I'm a merchant advocate but I have no problem pointing the finger directly at TJX and the others. They were not PCI compliant and some areas of their security, wireless in particular, were shoddy at best. To make matters worse, there's ample evidence that they knew it and made the conscious decision to save money by not tightening up. Saved a bundle, didn't they!

I represent close to 3800 e-commerce merchants and I don't think that there was an over reaction at all. What you haven't taken into account is that this credit card information - which is now believed to be in the neighborhood of 90 million accounts - will be floating around for years in the carder chat rooms and bulletin boards that have been created to sell them one by one or in blocks of thousands. And every time one of them is successfully used online for a purchase, the e-commerce merchant will suffer. He'll lose his money, his merchandise, his shipping fees and a chargeback fee. Chargeback fee, I assume you know, is the payment industry's term for a fine for being a victim of a crime.

The arrests and indictments that we know about so far may well be a drop in the bucket against those 90 million accounts. As you pointed out yourself, tracing particular dollars to a break-in at a particular merchant is a forensic nightmare. The fact is that we'll never know how many dollars were lost, how many of those accounts were used, or how many will be used in the future. From an e-commerce merchant's point of view, every one of those accounts should be closed and new ones issued. And if TJX, et al. have to pick up the tab, so be it.

Over reaction? Not from where I stand.

Tom Mahoney
Director, Merchant911.org
Developer, Preventing e-Commerce Chargebacks

Rick Aster

When you know a criminal organization is in possession of your card data, it is safer to cancel the card immediately. Waiting for fraudulent charges to actually appear is not less expensive in the long run.

