Monday, September 14, 2015

PCI-ISA Exam

Last year (July 2014) I took the PCI Professional online course and passed the exam at a Pearson VUE testing center in Mt. Laurel, NJ.  This year I had to take the PCI-Internal Security Assessor course because it became a requirement at my place of employment.  This past Friday I passed the exam at Pearson VUE so I am now a certified PCI-ISA, and I still hold my PCI Professional title as well.  The PCI-ISA certification lasts only one year, so I'll have to re-certify each year, but the PCI-P certification lasts three years.

I felt that these two tests had a lot of overlap, so if you already have the PCI-P certification I would highly recommend going for the PCI-ISA certification if your company is a PCI participating organization and will sponsor you.  The PCI-ISA certification is only valid as long as you work for the sponsoring company.  So if I quit tomorrow or get laid off, I lose the PCI-ISA cert.

If you are taking the PCI-ISA course now and are getting ready to take the exam, I would recommend studying all of the PCI requirements and making yourself very familiar with certain specifics (be aware of things like keeping online logs for 3 months, but keeping additional logs retrievable for 1 year; passwords should be a minimum length of 7 characters and set to expire every 90 days; employees should acknowledge reading the information security policy annually; etc.).  There were quite a few questions on my exam about encryption key management, too.

All questions were multiple choice, with only one correct answer.  No question asked me to choose more than one answer.  There were a handful of True/False questions, but not too many.  I had 90 minutes to complete 75 questions, but I was able to flag any question that I wanted to come back to at the end (whether I selected an answer or not).  I had about 50 minutes left on the clock when I ended the exam, so I had used a little more than half the time.  But I had studied as much as I possibly could have prior to taking the exam.  Despite this, I still flagged about 6 questions early on that I just did not recall studying.  When I went back to them at the end I didn't change my initial answers so I felt pretty good about them.  Of course, you won't find out which questions you got wrong (if any); you just find out whether you passed or failed.

Good luck!

Tuesday, May 19, 2015

Amazon scam

I recently became a victim of an Amazon scam that "isn't that uncommon," according to the scammer.  Yes, that's right.  I had an e-mail conversation with the scammer.  More on that later.

The first warning came when I received an e-mail from Amazon thanking me for updating my account's e-mail address.  "What?" I thought.  "I didn't make any changes to my e-mail address for my Amazon account.  This must be a spam e-mail or a phishing attempt."  But no, it's not.  Upon examination of the e-mail, I saw that it was a legitimate message from Amazon Customer Support.

I immediately got to a computer and logged in to my Amazon account.  I usually have the "Remember Me" setting flagged in my browser at home, so when I opened Amazon.com I was greeted with "Hello, Mark."  "Good," I thought.  "My account is probably safe."

But when I clicked on the "Your Account" link to check my e-mail address, Amazon asked me to re-enter my password.  Curiously, the Username field was populated with an e-mail address that was not mine (incidentally, it was a Gmail address for someone named Sir Francis Robble 2).  When I tried to erase that name and put in my real Amazon Username and Password, I was greeted with the dreaded "Your username or password is incorrect.  Please try again."  At this point, I knew I was screwed.

I Googled "Amazon Support Phone Number" and found a toll-free number to call.  The customer rep that I spoke with asked if I had recently chatted with them that day.  I said, "No, of course not."  They asked me to confirm that I was indeed the account holder by providing them with a recent order number.  I had placed an order for (and received) a Google Chromebook a couple of months prior so I found the confirmation e-mail and gave the rep the number.  He then asked me to confirm my home address, which I did.  Amazingly, none of that information was changed - only my e-mail address and username (which are, in fact, one and the same with Amazon).

The rep went on to tell me that someone had gotten into my account, changed the e-mail address and username, and then initiated a Chat Session where he claimed to have never received the Chromebook.  Amazon then issued a Gift Card Balance in the amount of the Chromebook's purchase price and placed it in my account.

The rep immediately put a freeze on the account, which even prevented me from using it.  The scammer was not able to spend the gift card money because the account was frozen too quickly.  But had I not made the phone call, he would have been able to make a purchase with the gift card balance and have it shipped to a different address than one I have on file.

So now I was locked out of my own Amazon account while the "Fraud Team" took a look at the situation.  I was told that I would be contacted within 24-48 hours by someone from the Amazon Fraud Department.  The next day was a Friday, so I didn't expect to hear from anyone until Saturday at the earliest.

In the meantime, I figured I would e-mail the scammer since he was so kind as to provide a new e-mail address on my Amazon account.  I basically e-mailed him and called him a name.  Someone named Charlie Muffins responded with this:

"Oh crap yeah I just realized you're not able to get in...
Just give them the billing address and you should be good lol
Well enjoy your $170 of credit."


So I responded with some questions.  I wanted to know "Why me? Why my account? And what did he gain by doing this?"  And I received this reply:

"You buy Amazon accounts which have been used, and check the orders. You then contact amazon and say that you got your order but the box was empty, and then they refund you to a gift card balance.  I was going to use the balance to buy a Moto 360 kek.  Someone was selling your account - and I bought it. It really isn't that uncommon BTW."

Amazing...  So I can just go somewhere online and buy someone else's Amazon account, complain about not receiving a recent order, and receive a full refund in the form of a gift card balance into the account that I purchased?  Wow.  And then you just spend the money on the Amazon item of your choice and ship it to an alternate address, which I'm sure is masked from the real destination in some way.

I asked him if you receive the account's password when you buy the account, and I also wanted to know if he had received the gift card.  (At the time, I assumed a physical gift card was sent back to the scammer.)  The response from Mr. Muffins:


"You buy them with the email and password. They usually include the answers for security questions, if the account needs it.  Not sure how people steal the accounts to begin with. I think they get a list of emails and passwords (dunno how they get those) and run it through a program that checks them for amazon accounts.  And no, the credit was stuck on the account."



After a few days went by (more than the 24-48 hours they told me to wait), I called Amazon again and spoke with another rep who assured me that my account was frozen, no purchases were being made, and that someone would be contacting me soon.  After another day went by and I hadn't heard from anyone (this was a total of five or six days after I first contacted them), I called again and explained that I just wanted to reset my password.  After verifying my identity again, this time the rep allowed me to reset the password and begin using the account again.

I'm not even sure if changing my password regularly would have helped me because it seems like either: A.) it's an inside job (someone at Amazon selling account info), or B.) the scammer can simply initiate a chat session with a tech rep and supply known information about the account (e-mail address, recent order number, home address), and then ask for the refund.


Beware!  Stay vigilant!  Contact support as soon as you are notified about any activity on your account that you didn't initiate yourself.

Saturday, February 21, 2015

Samsung Saga Comes to an End

Yesterday morning Angie called me at work to tell me that the Samsung TV was spewing smoke out of the top of the unit.  She smelled a burning odor, so she unplugged it.  The picture had already gone black and the unit wouldn't power up.

So... I'm finally throwing in the towel on this television set.  The Samsung FP-T5084 was top-rated when I purchased it for about $2,200 from Circuit City in March of 2008.  But after 1 1/2 years of usage it began to give us problems.  We had one repair done under warranty, and then after that I replaced the main board and numerous fuses.

So long, Samsung FP-T5084.  You're getting kicked to the curb.

Life's Good.

Yes, we bought an LG 55" TV to replace the old Samsung.  Long live the LG!

Thursday, January 29, 2015

Fish tank water leakage

Last night, just before dinner, Dillon accidentally knocked a wine bottle into the glass front of our 10-gallon fish tank.  Luckily, the glass held together but enough cracks appeared to cause numerous spouts of water to throw about 8 gallons of water onto the kitchen floor, countertop, and into the rec room!  We had to grab all of our bathroom towels to sop up the water as it fell onto the wood floors, but there was nothing we could do to stop the water from flowing out.  The tank was too heavy to lift with the water in it and various decorative rocks and things, so we had to wait for most of the water to drain out.  I was finally able to lift the tank without the glass breaking all the way through, and carried it out onto the back patio.

After the massive clean-up effort, I took Dillon over to PetSmart so we could buy a replacement tank.  Thankfully, we saved the fish by scooping them out and dropping them into a pitcher of water.  So when we got back from PetSmart we prepped the tank, transferred any water that we managed to salvage from the old tank, loaded up the rocks, and then dropped the fish back in.

Definitely not what I had planned for my evening after work, but it added some excitement to the night.  That's for sure.