Geotab works hard to keep all relevant updates, patches, and settings to our services installed and up-to-date, to ensure our systems are as secure as possible. One of the key tools we use as part of our process is an external Payment Card Industry Data Security Standard (PCI-DSS) vulnerability scan, which we run on all builds prior to reaching production, as well as random production servers.
It’s very important to run these scans regularly on new and existing environments, for several reasons. Most importantly, the criteria for a successful scan change often, based on known threats and technology advancements. That a system is compliant today does not mean it will be compliant tomorrow. Another important reason is to check existing environments for intentional or unintentional changes that could weaken their posture.
When a scan picks up a potential threat or weakness, the Geotab Security team works quickly to mitigate the issue, and ensure that all environments are updated to reflect that change.
There are, on occasion, changes to the standards that require application modifications. Changes of this nature cannot always happen quickly: they require development and testing time, and any potentially impacted customers must be notified with enough time to make their own changes.
Current PCI Issues:
The PCI standard was recently changed to require a more updated version of TLS (version 1.2) for full compliance. In order for our applications to stop supporting the old TLS standard, we have had to make several environmental and architectural changes. These changes are easy to deploy but can impact certain customers who currently rely on TLS 1.0 for API communications.
Geotab has developed and tested a solution, and has sent out notifications to all customers about the pending changes. For more information, please read the blog post “Securing MyGeotab with TLS 1.2.”
Geotab will be addressing the TLS issue in the first week of April. Once we turn off all older versions of TLS, any legacy custom application still requiring TLS 1.1 or lower will no longer function correctly.
The current PCI scanning standard states that iFrames should be configured to prevent clickjacking (this occurs when a user is tricked into performing unsecure actions by clicking on hidden links within a browser).
Geotab currently allows iFrame linking, to provide our customers and partners with the flexibility they require to reuse the MyGeotab web pages in their own intranet or internet websites. While it’s very simple to disallow iFrame linking, it will cause some disruption with our existing customer base. We are currently investigating just how many customers are using it this way, and looking for a solution for those customers while still disallowing clickjacking.
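The two sides of the iFrame question above can both be expressed in response headers: a server can refuse framing outright, or restrict it to named partner origins, and a scanner decides whether a page is protected by reading those same headers. The following is an added example (not Geotab's code); the partner origin used in the comments and test is a constructed placeholder.

```python
"""Added example (not Geotab's code): express an anti-clickjacking framing
policy as HTTP response headers, and classify a response the way a PCI
vulnerability scan would, i.e. does this page refuse to be framed by
untrusted sites?  Any origin names used with it are constructed placeholders."""
from typing import Dict, Iterable


def anti_clickjacking_headers(allowed_origins: Iterable[str] = ()) -> Dict[str, str]:
    """Build response headers that block framing except by the listed origins.

    CSP frame-ancestors carries the allowlist (it is the only mechanism that
    can name several partner sites); X-Frame-Options is kept as a fallback for
    browsers that predate CSP level 2 and can only express DENY/SAMEORIGIN.
    """
    origins = [o.strip() for o in allowed_origins if o.strip()]
    if not origins:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    # 'self' keeps the application's own pages frameable by the application itself.
    return {"Content-Security-Policy": "frame-ancestors 'self' " + " ".join(origins),
            "X-Frame-Options": "SAMEORIGIN"}


def frame_protection(headers: Dict[str, str]) -> str:
    """Classify a response's framing policy from its headers (names are case-insensitive).

    Returns 'blocked', 'restricted' (framing limited to named origins) or
    'unprotected'; the last is what a scan reports as a clickjacking finding.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            # When both headers are present, browsers honour frame-ancestors
            # and ignore X-Frame-Options, so the CSP directive decides.
            return "blocked" if sources == ["'none'"] else "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "restricted"
    return "unprotected"
```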
Current Risk Assessment:
TLS 1.0 reportedly suffers from several cryptographic flaws. An attacker may be able to exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.
As per the PCI Security Standards Council April 1, 2015 document “Migrating from SSL and Early TLS,” all TLS 1.0 encryption usage must include a Mitigation and Migration plan detailing current risk management plus migration strategy to move from early TLS to secure TLS versions such as TLS 1.1 or 1.2 on or before June 30, 2016.
While Geotab will have the potential threat completely closed by April 2016, we believe the threat risk is very low because of the difficulty in getting all the pieces in place to do a man-in-the-middle attack, and feel that our customers’ data continues to be as safe and secure as possible during this time.
Clickjacking is a low risk issue that requires user interaction and an element of social engineering as victims (generally the more technologically naive) have to voluntarily interact with the malicious page. While it is possible that a hacker could add in some iFrame code to allow for a clickjacking event, the MyGeotab environment is well controlled and as long as users access the proper sites, the risk is extremely low.
Clickjacking is only dangerous if users go to some untrustworthy website to log in to MyGeotab. We consider this a low risk because that same website could mimic all the MyGeotab pages, fooling the user into entering their credentials. This is impossible to avoid and is a risk for everyone. Clickjacking is a subset of this bigger problem. While we disagree with PCI focusing on this as a risk that needs fixing, we will still disallow it in the future.
PCI-DSS (Payment Card Industry Data Security Standard) is one of the leading security standards, designed specifically for financial systems, which has some of the most rigorous standards and expectations available. Although Geotab does not store any financial data and we do not require PCI compliance, we chose this standard to ensure we are as secure as possible. Geotab uses third-party providers to run external PCI-DSS vulnerability scans on our applications and servers, as part of our security process.
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function. The term “clickjacking” was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be understood as an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority.