A Cautionary Christmas Tale


‘Twas the night before Christmas, and all through the house,

Not an iPad was stirring, nor PC nor mouse;


The shopping had been done on the internet with care,

In hope that the presents soon would be there;


The payments were processed, at least in their heads,

Until they found out their account was in shreds;


What should have resulted in toys in gift wrap;

Had led them into an elaborate trap,


The fraudsters had found an outdated website;

And changed the checkout so it wasn’t quite right,


Away to the next site, Dad went like a flash;

Not knowing his card was in the fraudsters' stash;


The website looked fine but ‘twas misdirection;

He’d fallen foul of Sequel Injection,


The site wasn’t bad, that should be made clear;

But the standards ignored, no PCI here.


With hackers so many, so lively and quick;

The change was so easy, it was done in a click,


So please spare a thought, when you next do your shopping,

And check that the site that you found while you’re hopping,


Is up to the standard to which we’re reliant;

And make sure it’s one that is PCI compliant.


Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

The Digital Economy

Decentralized cryptocurrencies and Dark Web cartels challenge the effectiveness of legislation, jurisdiction and law enforcement. This poses the question: as the economy becomes more and more dependent on the internet, is the government losing control?

I’ll leave you to make that decision.

The government uses laws and economic policy to control and protect economic activity. But what is the significance of the Proceeds of Crime Act 2002 when stolen funds are converted into Bitcoin, a decentralized currency that no government controls (and one whose public ledger makes transactions pseudonymous rather than truly anonymous, which matters when assessing whether funds can be traced at all)? What is the significance of international indictment agreements when the Dark Web conceals the location of the criminals?

Untraceable. Unrecoverable. Unidentifiable. These are terms that businesses without cyber security competence should get used to: they are the consequences of negligence in an ever-changing threat landscape.

Arguably, better intelligence could assist in finding criminals and bringing them to justice, as has been seen in a number of high-profile takedowns of cybercrime services. But when police budgets are being cut, how likely is it that petty cybercriminals will be caught with such limited resources? As traffic to the Dark Web increases because of its exposure in the media and on primetime television, this pressure is likely to grow.

Furthermore, perpetrators are not limited by national borders. The UK has one of the strongest digital economies in the world, accounting for more than 25% of its GDP. Naturally, all this activity makes it a prime target for cyber criminals around the world. We would normally depend on our government to take the necessary steps to protect our economy; however, the freedoms provided by the internet make this more difficult. Being aware of the threats therefore benefits not only you but the entire digital economy.

The internet has transformed the way we do business. The playing field is filled with opportunity, but it is more dynamic, volatile and uncertain than ever before, and it plays an increasingly large role in economies around the world. Whether that worries you or not depends on whether you are prepared!

PCI Breach Trend Report September 2015 – January 2016

This issue of SRM's breach trend report covers the period September 2015 – January 2016 and looks at businesses that were required to undergo a PFI (PCI Forensic Investigator) investigation. The data covers the most common types of business affected as well as their trading size, giving a broad picture of how breaches occur across the industry.


Kane Cutler: youngest PFI in the world

Newcastle-based Kane Cutler becomes youngest cybercrime expert drafted into exclusive Payment Card Industry investigation team

Newcastle-based Kane Cutler has been accepted by the Payment Card Industry Security Standards Council (PCI SSC) as a Payment Card Industry Forensic Investigator (PFI). At 26 years old, Kane is one of the youngest, if not the youngest, PFIs in the world. Only three companies in the UK operate in this field, and Security Risk Management (SRM), which Cutler joined in early 2015, is one of them. He joins fellow SRM consultants Chris McGee and Andrew Linn in this select field.

Kane's new role puts him at the frontline in investigating cybercrime. Commissioned at the requirement of the payment card brands, his forensic investigation work will often deal with theft, either of significant sums from online transactions or of personal data, which puts individuals at risk of a host of other frauds. He is also likely to be called upon to deal with major incidents of data theft such as those recently suffered by TalkTalk and Wetherspoons.

To become a PFI, an individual must first be a PCI Data Security Standard Qualified Security Assessor (QSA), which requires five years' industry experience. In addition, Cutler is an experienced Information Security Officer and Penetration Tester and has significant experience working with the ISO 27001 standard as both an implementer and an auditor, including identifying risks and implementing remediation recommendations within an Information Security Management System (ISMS).

As an Information Security Consultant with SRM, Kane Cutler is also responsible for diagnosing and remediating any issues that arise in relation to firewalls, protection software, web filters, mail filters, DNS infrastructure, application testing, and intrusion detection systems.

SRM Director Brian Fenwick, who was responsible for recruiting Kane, commented: “As a North East based company with consultants based nationwide we were delighted to recruit Kane in the North East and to assist him to broaden his cyber security expertise. Kane has joined a cutting edge Cyber Security company that has the intention to be at the head of PCI Forensic Investigation in Europe.”
