BreachExchange mailing list archives

Re: Fwd: a recurring theme...


From: sawaba <sawaba () forced attrition org>
Date: Thu, 16 Feb 2006 22:41:32 -0500 (EST)


---------- Forwarded message ----------
From: security curmudgeon <jericho () attrition org>
Date: Feb 16, 2006 2:49 AM
Subject: Re: [Dataloss] a recurring theme...
To: dataloss () attrition org



: okay, so I've been on this list all of two days, and so far it's been
: "organization X got owned, and customer credit cards may be at risk.
: organization X apologizes." ... very similar to reports I've been seeing
: filter through a couple of other sources, in fact. Not to disparage the
: reporting or even the monotonous invariance in overall theme -- my
: question is, how many such events, and how long is it going to take,
: before the industry wises up and actually DOES something about it?

While the list is intended for such disclosures, this is more along the
lines of what I wanted to see =) So I will play advocate to start.

The first thing to point out is your use of 'the industry' in this
context. These incidents are pretty far reaching, hitting a wide variety
of companies and organizations. About the only thing they have in common
is they a) use computers and b) have customers. This leads me to think
that the problem will remain there, just as countless others do. Why don't
companies do X and Y when it seems so obvious and they *could* fix it so
easily (voice mail/prompt hell for example)?


I would argue that these companies also have one more thing in common - 
they are subject to VISA's requirements and regulations. Unfortunately, 
VISA's been soft on enforcing requirements, and only one company has 
been made an example of so far. To force most of these companies to change 
their practices, you have to threaten their bottom line. Whether by fining 
them or taking away their processing rights, VISA has options they can 
exercise to push the situation hard and fast if they wanted to.

: We HAVE the technology. Why are invariant passwords to money [i.e.
: credit card numbers, which themselves are only "unpredictable" within
: the last 5 digits or so] being issued with expected *5-year* lifetimes?
: Why is the financial industry still relying on crap like the last 4 of
: the SSN as a default "verifier" of identity?  Why the hell don't we have
: a workable one-time-per-transaction authorization scheme in common use,
: so this idiocy with stored plaintext card numbers just ceases to be a
: problem?
:
: Because "profitable in the face of tolerable risk" trumps "inherent
: engineering merit", every time.  I would counterargue that these risks
: are no longer "tolerable", when the volume of loss has gotten so high in
: the aggregate.  Maybe that's what this list is for -- posting frequency
: as a gauge of how bad it is.

That is one reason the dataloss page was made. We all saw these incidents
here and there in the news. A steady stream of them every few days or
weeks. But once seen together, and once some preliminary stats are
generated (several groups are working on such a thing), will that be
enough to help 'prove' it is no longer tolerable? If not, what is the
magic figure? Or is this a case where the 'right' people need to fall
victim, then we'll miraculously see a change in policy or law that seeks
to protect it (all the while doing it so wrong)?


Again, nothing will happen unless their profits are threatened. They must 
be forced (tm).

: I tried to go change a card number at a local bank not too long ago --
: didn't claim it was lost/stolen, I just said it was high time I changed
: it on principle.  They were flabbergasted, and didn't know how to deal,
: and said that if everyone wanted a new number every 6 months or a year
: they couldn't afford to offer cards at all.  They finally agreed to do
: it "just this once" and waive the $10 reissue fee, but it was totally
: pulling teeth to get them to that point.  Now, *that* is *broken*.

You'd think they would happily embrace that and cut a profit off of it =)
In fact, in the short term, offering such a feature for X dollars (so they
profit a little) would be a good thing. Eventually, customers would bitch
and that fee would go away like many banks are eliminating ATM fees.

_______________________________________________
Dataloss mailing list
Dataloss () attrition org
https://attrition.org/mailman/listinfo/dataloss
