Firewall Wizards mailing list archives
Re: Equifax Canada
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 20 Jun 2005 08:53:07 -0400 (EDT)
On Mon, 20 Jun 2005, Adrian Grigorof wrote:
> Apparently this was caused by "improper use of a customer's access codes and security password". Can Equifax force its customers (basically all the credit institutions and many others) to use a method of authentication stronger than a user id/password combination? To quote a recent post from

Sure they can- the credit bureaus are close to a monopoly, they just need to all agree on a standard and make all their customers use it.

> Marcus J. Ranum:
>
> How many of you could tell your customers *that*?! People scream and whine over the idea of putting firewalls in (still) - now, attempting to enforce a local policy against a business partner - that's patently ridiculous. Right? Well, technically it's NOT ridiculous, but everyone has basically blown it off.
>
> It is surely cheaper to call 600 customers once a year (ok, make that twice a year) than enforcing an expensive authentication infrastructure. Is it not a basic principle in IT security that the cost of securing same data should be less than what that data is worth? It is true, they lose some

Which is why we need to make it more expensive for them to lose the data...

> credibility but since they have almost monopoly on the credit checking business (there is only one other company) that's still cheaper than changing the authentication process. Some heads will probably roll but I doubt there will be any major changes and I expect they will be in the news again sometime in the future... Besides, compared to 40 million credit cards, 600 credit reports are not that bad, eh? Go Canada ;) If I am not mistaken, the previous incident (March 2004) was a case of "criminals masquerading as credit grantors" but I bet the firewall guy(s) were again the scapegoats :(
If they didn't produce "this is the risk of allowing this traffic through the firewalls" in writing, then they *should* be the scapegoats, if they did, then whoever said "I accept this risk" should be. We have to stop treating security as a service industry in companies and start treating it as a fiduciary responsibility. The firewall *should* be a hurdle to business, and business should be happy to have that hurdle- make it over and you should have some level of assurance that you're doing better than average, plow through it and you should be penalized.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards