BreachExchange mailing list archives
a recurring theme...
From: hobbit () avian org (*Hobbit*)
Date: Thu, 16 Feb 2006 06:02:39 +0000 (GMT)
okay, so I've been on this list all of two days, and so far it's been "organization X got owned, and customer credit cards may be at risk. organization X apologizes." ... very similar to reports I've been seeing filter through a couple of other sources, in fact. Not to disparage the reporting or even the monotonous invariance in overall theme -- my question is, how many such events, and how long is it going to take, before the industry wises up and actually DOES something about it?

We HAVE the technology. Why are invariant passwords to money [i.e. credit card numbers, which themselves are only "unpredictable" within the last 5 digits or so] being issued with expected *5-year* lifetimes? Why is the financial industry still relying on crap like the last 4 of the SSN as a default "verifier" of identity? Why the hell don't we have a workable one-time-per-transaction authorization scheme in common use, so this idiocy with stored plaintext card numbers just ceases to be a problem?

Because "profitable in the face of tolerable risk" trumps "inherent engineering merit", every time. I would counterargue that these risks are no longer "tolerable", when the volume of loss has gotten so high in the aggregate. Maybe that's what this list is for -- posting frequency as a gauge of how bad it is.

I tried to go change a card number at a local bank not too long ago -- didn't claim it was lost/stolen, I just said it was high time I changed it on principle. They were flabbergasted, and didn't know how to deal, and said that if everyone wanted a new number every 6 months or a year they couldn't afford to offer cards at all. They finally agreed to do it "just this once" and waive the $10 reissue fee, but it was totally pulling teeth to get them to that point.

Now, *that* is *broken*.

_H*

_______________________________________________
Dataloss mailing list
Dataloss () attrition org
https://attrition.org/mailman/listinfo/dataloss
Current thread:
- a recurring theme... *Hobbit* (Feb 15)
- Re: a recurring theme... security curmudgeon (Feb 15)
- Re: a recurring theme... Adam Shostack (Feb 16)
- Message not available
- Re: Fwd: a recurring theme... sawaba (Feb 16)
- Re: a recurring theme... security curmudgeon (Feb 15)
- Re: a recurring theme... security curmudgeon (Feb 16)
- <Possible follow-ups>
- Re: a recurring theme... *Hobbit* (Feb 17)
- Re: a recurring theme... Mike Fratto (Feb 17)