Firewall Wizards mailing list archives

Re: Equifax Canada


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 20 Jun 2005 08:53:07 -0400 (EDT)

On Mon, 20 Jun 2005, Adrian Grigorof wrote:

> Apparently this was caused by "improper use of a customer's access codes and
> security password". Can Equifax force its customers (basically all the
> credit institutions and many others) to use a method of authentication
> stronger than a user id/password combination? To quote a recent post from

Sure they can- the credit bureaus are close to a monopoly, they just need
to all agree on a standard and make all their customers use it.

> Marcus J. Ranum:
>
> How many of you could tell your customers *that*?!   People scream
> and whine over the idea of putting firewalls in (still) - now, attempting
> to enforce a local policy against a business partner - that's patently
> ridiculous. Right? Well, technically it's NOT ridiculous, but everyone
> has basically blown it off.

> It is surely cheaper to call 600 customers once a year (ok, make that twice
> a year) than enforcing an expensive authentication infrastructure. Is it not
> a basic principle in IT security that the cost of securing same data should
> be less than what that data is worth? It is true, they lose some

Which is why we need to make it more expensive for them to lose the
data...

> credibility but since they have almost monopoly on the credit checking
> business (there is only one other company) that's still cheaper than
> changing the authentication process. Some heads will probably roll but I
> doubt there will be any major changes and I expect they will be in the news
> again sometime in the future... Besides, compared to 40 million credit
> cards, 600 credit reports are not that bad, eh? Go Canada ;)

> If I am not mistaken, the previous incident (March 2004) was a case of
> "criminals masquerading as credit grantors" but I bet the firewall guy(s)
> were again the scapegoats:(

If they didn't produce "this is the risk of allowing this traffic through
the firewalls" in writing, then they *should* be the scapegoats, if they
did, then whoever said "I accept this risk" should be.

We have to stop treating security as a service industry in companies and
start treating it as a fiduciary responsibility.  The firewall *should* be
a hurdle to business, and business should be happy to have that hurdle-
make it over and you should have some level of assurance that you're doing
better than average, plow through it and you should be penalized.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards