STEP and PCI Compliance

Credit cards

As part of our ongoing work to ensure the safety and security of our members, STEP is currently working towards becoming fully compliant with the latest Payment Card Industry (PCI) Security Standards. This means that we will be making changes to the way we accept payments and handle sensitive information.

What is PCI Compliance?

PCI Compliance is an information security standard for organizations that handle credit card details from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB. It’s designed to ensure that companies have all the correct measures in place to ensure the ongoing security of the card information they handle.

How will the changes affect you?

Whilst the vast majority of changes will affect internal systems and procedures, STEP will be making some changes to the way we accept card payments:

Change:
We will now automatically reject any email sent to us that contains sensitive card information (card number, expiry date or CVV). Please note that direct debit details can still be accepted.

Reason:
At present such information is rejected by way of an email reply; rejecting it before it reaches us will better protect your card information.

Change:
We will no longer be accepting or sending faxes in any form.

Reason:
Faxes are fast becoming an outdated method of communication. STEP currently receives such a low volume of faxes that the decision has been taken to discontinue this service.

Change:
We will no longer be accepting payment over the phone.

Reason:
STEP has been evaluating PCI-compliant telephone payment options; however, given the low volume of telephone payments we currently process, we have decided that the most effective way to protect you is to remove this option.

The Future:

All the changes we are making to our payment procedures are intended to make your experience with STEP fully compliant with the latest PCI Security Standards. We have recently upgraded our online payments to accept payments in GBP, USD, EUR and CHF.

We will continue to review our payment options to ensure we are providing you with the best service possible.

For further information on PCI compliance, see www.pcisecuritystandards.org.

For any questions relating to payments, please get in touch: you can reach us by telephone on +44 (0) 203 752 3700, or by email at step@step.org and finance@step.org.

James Harris is STEP’s Information Technology Manager.

The ‘Shellshock’ IT exploit: what you should do to protect your home and office systems

In April I provided advice to STEP members on how to protect their online accounts following the revelation of the ‘Heartbleed’ exploit. A new exploit dubbed ‘Shellshock’ was discovered last week and it is widely recognised as being more serious and far reaching than Heartbleed. With the potential to affect everything from web hosting servers to Apple’s OS X operating system and a large number of home user devices such as routers and home automation systems, Shellshock could have very far reaching implications. Particularly worrying is that the Shellshock vulnerability has existed in home and office software for over 20 years. Given that so many of our members manage firms with extensive IT set-ups, and most work from home or in transit using Wi-Fi networks each week, I strongly encourage you to review your online security against Shellshock. If your firm has an IT department or IT support provider, I urge you to contact them to ensure your systems are secure.

What is Shellshock?

The exploit centres on BASH (Bourne Again SHell), which has a very similar role to the Windows command prompt and allows you to run commands on Unix and Linux systems (popular alternatives to Windows). The problem lies in the fact that you are able to define variables in BASH which specify a function — for example, you could define a variable called HELLO_WORLD_VAR, the function of which would be to make the message ‘Hello World’ appear on the screen when executed. The code for this would look something like: HELLO_WORLD_VAR='() { echo "Hello World"; };'

The problem with Shellshock is that you can put any command after the end of a normal function definition and BASH will process whatever you add. You could add a command after the function like this: HELLO_WORLD_VAR='() { echo "Hello World"; }; DELETE ALL FILES'. BASH would define the HELLO_WORLD_VAR function and then carry out the ‘DELETE ALL FILES’ command. Obviously, ‘DELETE ALL FILES’ is a simplified example, but there is the potential for a hacker with knowledge of BASH to run any command they wish from here.
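As an added example (not code from the original post), the following self-check shows whether the bash installed on one of your own machines still has the function-import flaw described above; the variable name PROBE and the marker string are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a local self-check for the
# Shellshock function-import flaw. The variable name PROBE and the marker
# string are constructed placeholders.
#
# A vulnerable bash, when importing an environment variable whose value starts
# with "() {", defines the function AND keeps parsing, so the trailing command
# "echo SHELLSHOCK_MARKER" runs before the child's own command does. A patched
# bash treats the whole value as ordinary data and runs nothing.

shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo absent; return 2; }
    out=$(env PROBE='() { :; }; echo SHELLSHOCK_MARKER' \
          "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable; return 1 ;;
        *)                   echo patched;    return 0 ;;
    esac
}

# What a patched bash actually sees: the value stays a plain string, so the
# text after the function body is only echoed back, never executed.
show_import() {
    env PROBE='() { :; }; echo SHELLSHOCK_MARKER' \
        bash -c 'printf "%s\n" "$PROBE"' 2>/dev/null
}

# Usage: sh shellshock_check.sh [/path/to/bash]
printf 'bash verdict: %s\n' "$(shellshock_check "${1:-bash}")"
```

A verdict of "vulnerable" means the vendor's bash update has not been applied on that machine; "absent" means no bash binary was found.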

The good news for users is that this exploit is very different from Heartbleed and you don’t need to change all of your passwords; the bad news is that it has the potential to affect items that the average user would never think of updating, such as routers and modems. When you also consider that Shellshock is likely to affect some very old products still in use that manufacturers are unlikely to bother updating, you begin to understand just how much of an impact this could have if you’re unlucky enough to be targeted by a hacker.

Anyone who has already read the news coverage will likely have seen mention that Apple users are at risk, which is likely to be the main concern in the minds of home users; however, Apple has released the following statement in order to reassure customers:

‘The vast majority of OS X users are not at risk to recently reported BASH vulnerabilities. Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.’

That statement implies that the average Mac user is not affected; I would still recommend paying extra attention to keeping your Mac up to date with the latest patches. For everyone else, my opinion is that you should keep up to speed and check for updates where possible. The list of potentially affected products is so large at this point that it wouldn’t be possible for me to give more detailed advice than that.

What does this mean for STEP?

  • STEP’s website host provider was vulnerable to this exploit however we have already taken action to ensure patches are applied
  • Whilst the STEP site was vulnerable, we have no reason to believe we have suffered a breach of security
  • We have also reached out to all our service providers to confirm that no breach was incurred on any of the sites they host

What does this mean for members?

  • Due to the nature of the exploit, members do not need to take any action with regards to their STEP accounts, however everyone should be vigilant to developments over the coming weeks and apply patches where manufacturers provide them

Again, if your firm has IT support I encourage you to contact them to ensure that your systems are secure. If you have any queries about Shellshock and what you need to do please feel free to contact me.

James Harris is STEP’s Information Technology Manager. For more information on cyber security, check out this article from the STEP Journal

If it’s too good to be true, it’s probably just spam

Last week several STEP members reported receiving suspicious and unsolicited emails from an individual purporting to work in international taxation. What made the spam email particularly unusual was the attention to detail the sender had paid to make it look like legitimate correspondence, and the citation of STEP to add credibility to its content. It seems timely to look at junk and spam email and what you should do when encountering emails that don’t feel above-board.

Dealing with spam and junk email

We all have to deal with unwanted emails, both at home and at work, but as hacking and malware approaches become increasingly sophisticated it’s more important than ever that we understand the risks. Most employers and big email providers (such as Google and Microsoft) are continuously striving to protect us from unsolicited emails, but there are — and always will be — some that slip through the net. So how should we deal with spam and junk email that does get through? Firstly, I would recommend that any computer connecting to the internet has antivirus and malware protection installed and, most importantly, that it is kept up to date. I regularly come across users who bought antivirus software several years ago and didn’t pay to renew it, meaning it’s ineffective as it’s not receiving the latest definitions of what to scan for.

Having ensured your antivirus and malware protection software is up to date, there is a general set of guidelines you can follow to stay safe when reviewing your email, which will vary depending on the type of email you are looking at:

Spam email:

Spam is totally unsolicited mail and it can take various forms, from a scam email trying to convince you to transfer money to a seemingly worthy cause, right through to a seemingly random image or string of nonsensical letters. The first, and most simple, step in approaching this type of email is: if you don’t recognise the sender of the email and it’s not something you’re expecting, delete it without opening it. If you are unsure as to whether the email is legitimate (the email received by STEP members last week is a good example of the lengths spammers go to in order to look authentic) then you will need to open it in order to review it further. The second step to ensure you stay safe is not to click any links in the email unless you are confident that they are trustworthy. If the email in question is from a bank or anywhere else that requires you to log in using sensitive information, don’t follow the link in the email; use a browser to go directly to the site to log in instead. This approach guarantees that you are on the site you expect to be on when you are submitting personal details.

There are always exceptions to these rules, and if you are ever in any doubt I would always recommend deleting the message. If it is important and someone is waiting for a response from you, you’re always better off proceeding with caution, protecting yourself and getting back to them later.

Junk email:

Junk will generally be email we receive from an opt-in service such as an online retailer’s marketing email. This kind of mail is annoying but is harmless and should be deleted, ignored or unsubscribed. If you plan to unsubscribe I recommend you don’t click the unsubscribe link in the email. Rather go to the site yourself in a browser and unsubscribe from there. If you do click on an unsubscribe link on spam email masquerading as junk, you may actually be redirected to a site designed to capture your details. If you receive an email that looks like junk but you have no recollection of subscribing for it then you should treat it as spam.

If you encounter any suspicious emails alleging links to STEP please let me know.

James Harris is STEP’s Information Technology Manager. He has previously written about the Heartbleed bug and measures STEP Members can take to protect themselves online.

Are you due for an upgrade?

When STEP Members contact me for technical help on using our online services, the advice I provide is often based on the operating system of their computer. Most members are using a recent version of Windows, but some are still running Windows XP, which is increasingly going to affect how you access STEP’s online tools.

Microsoft stopped supporting Windows XP earlier this month, bringing the longest standing Microsoft operating system to the end of its life after 13 years. With estimates suggesting that one in five PCs still run XP, this leaves many people with a decision to make regarding whether they’re willing to invest in an upgrade or risk future security issues. While I’m not here to advocate one way of structuring your IT setup over another, I’m of the opinion that anyone that relies on their computer on a daily basis should definitely invest in at least a Windows upgrade if not a new computer. Microsoft has three main statuses for their products in terms of support, which are:

  • Mainstream support – this is for current products such as Windows 8 and guarantees that security updates, bug fixes and new features will be added as required (Windows 7 is currently due to end mainstream support in January 2015)
  • Extended support – this is for older products (such as Windows Vista) and guarantees security updates only
  • End of life – this is for retired products such as Windows XP and Office 2003 and does not offer ANY bug fixes or security updates without a paid contract. This means that if an issue occurs that requires a software update then it will not be provided unless you have an expensive contract agreement in place. With the recent Heartbleed exploit making headlines, it reminds us just how serious security breaches can be. Although patches weren’t required for Windows XP or other operating systems in this instance, there are no guarantees that this scenario won’t occur in future.

For more information on upgrading your computer, including handy tools for checking whether your current computer can run Windows 8 and information on how to migrate your data to a new computer, you can see an overview here and some more technical detail here

In February we launched www.stepwebevents.org which is our online source for the latest industry and technical discussions, presentations and updates for the international and domestic tax, trust and estate planning community. The death of Windows XP may not seem to have anything to do with the launch, but I’ve been talking with a number of members wanting to know which operating systems, browsers and other software are supported by the site, so here’s the lowdown:

The underlying technology for playing the video content on the site is JW Player, which is a widely used platform offering support for the following:

Desktop browsers

Please note: the last version of Internet Explorer available for Windows XP is 8, so you will need Flash Player on Windows XP.

This table lists which desktop browsers are fully supported by JW Player:

Browser                 HTML5   Flash
Chrome                  yes     yes
Firefox                 yes     yes
Internet Explorer 8     no      yes
Internet Explorer 9+    yes     yes
Safari                  yes     yes

Mobile devices

This table lists which mobile devices are officially supported by JW Player, using HTML5:

Device                  HTML5   Flash
Safari on iPhone        yes     no
Safari on iPad          yes     no
Chrome on Android 4     yes     no
Browser on Android 4    yes     no

An up-to-date IT set-up will ensure you’re best placed to make full use of STEP’s online tools. If you have any queries about Windows XP or our new Web Events site and how to access it, please feel free to contact me.

James Harris is STEP’s Information Technology Manager.

Heartbleed Exploit: STEP’s response and cyber security measures you should take now

A critical new online security exploit dubbed ‘Heartbleed’ was announced on Monday night after being discovered by a member of the Google security team. The vulnerability is widely considered to be one of the most serious security flaws in the history of the internet and has been potentially exploitable since December 2011. Heartbleed affects the code used to secure websites (the https:// part of a secure web address), which is estimated to be used in more than 60% of all secure websites around the world.

Heartbleed exploits a flaw in the ‘heartbeat’ component of the code that allows a server and client to keep a connection alive, thus earning the exploit its name. The flaw allows an attacker to read the contents of a server’s memory, which can include private information such as usernames, passwords, credit card numbers and contact details. It can also allow an attacker to impersonate the server they are compromising.

The good news is that a fix is already available to resolve this issue and the majority of website hosts have already applied it; however, it is also necessary for users to change their passwords before the security of their personal information can be assured.

What does this mean for STEP?

  • STEP’s website host provider was vulnerable to this flaw however we have already taken action to ensure that all services provided to both members and staff are now secure
  • Whilst the STEP site was vulnerable, we have no reason to believe we have suffered a breach of security
  • We have also reached out to all our service providers and have confirmation that no breach was incurred on any of the sites they host

What does this mean for members?

  • As a precaution, STEP advises all members to change their password on our website
  • We do not store credit card or payment information on our site; however, we would like to take every precaution to ensure your security. This is especially important as many people reuse the same passwords across multiple websites
  • Heartbleed has affected many websites; it is estimated that as many as 66% of all secure websites worldwide were affected
  • The exploit requires fixing at two levels: firstly the hosts of a website need to apply a patch to fix the issue, which the majority of hosts have now done. Once this patch is in place, you should then change your password
  • This applies to every website that you store sensitive information on (shopping sites, email and social media are the most common), not just the STEP site

Not all websites have made the necessary security changes. Until the host of a website resolves the issue, changing your password will not offer you any protection. If you are unsure as to whether a site has applied the fix you can use this checker. You can also find a list of high profile UK websites and their statuses here and other popular websites here. If you use any of these websites you should change your password immediately.

Again, STEP has taken measures to protect the website and our members’ data from Heartbleed and there is no indication that it has been compromised. The most important thing to remember is to change your passwords on websites that have fixed the problem. If a website has yet to fix the problem, wait until it has done so before changing your password, as the new password would still be vulnerable. If you have any queries about Heartbleed and what you need to do please feel free to contact me.

James Harris is STEP’s Information Technology Manager. For more information on cyber security, check out this article from the STEP Journal