Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Dataloss] a recurring theme...

From: security curmudgeon (jerichoattrition.org)
Date: Thu Feb 16 2006 - 01:49:31 CST

: okay, so I've been on this list all of two days, and so far it's been
: "organization X got owned, and customer credit cards may be at risk.
: organization X apologizes." ... very similar to reports I've been seeing
: filter through a couple of other sources, in fact. Not to disparage the
: reporting or even the monotonous invariance in overall theme -- my
: question is, how many such events, and how long is it going to take,
: before the industry wises up and actually DOES something about it?

While the list is intended for such disclosures, this is more along the
lines of what I wanted to see =) So I will play advocate to start.

The first thing to point out, is your use of 'the industry' in this
context. These incidents are pretty far reaching, hitting a wide variety
of companies and organizations. About the only thing they have in common
is they a) use computers and b) have customers. This leads me to think
that the problem will remain there, just as countless others do. Why don't
companies do X and Y when it seems so obvious and they *could* fix it so
easily (voice mail/prompt hell for example).

: We HAVE the technology. Why are invariant passwords to money [i.e.
: credit card numbers, which themselves are only "unpredictable" within
: the last 5 digits or so] being issued with expected *5-year* lifetimes?
: Why is the financial industry still relying on crap like the last 4 of
: the SSN as a default "verifier" of identity? Why the hell don't we have
: a workable one-time-per-transaction authorization scheme in common use,
: so this idiocy with stored plaintext card numbers just ceases to be a
: problem?
: Because "profitable in the face of tolerable risk" trumps "inherent
: engineering merit", every time. I would counterargue that these risks
: are no longer "tolerable", when the volume of loss has gotten so high in
: the aggegrate. Maybe that's what this list is for -- posting frequency
: as a gauge of how bad it is.

That is one reason the dataloss page was made. We all saw these incidents
here and there in the news. A steady stream of them every few days or
weeks. But once seen together, and once some preliminary stats are
generated (several groups are working on such a thing), will that be
enough to help 'prove' it is no longer tolerable? If not, what is the
magic figure? Or is this a case where the 'right' people need to fall
victim, then we'll miraculously see a change in policy or law that seeks
to protect it (all the while doing it so wrong)?

: I tried to go change a card number at a local bank not too long ago --
: didn't claim it was lost/stolen, I just said it was high time I changed
: it on principle. They were flabberghasted, and didn't know how to deal,
: and said that if everyone wanted a new number every 6 months or a year
: they couldn't afford to offer cards at all. They finally agreed to do
: it "just this once" and waive the $10 reissue fee, but it was totally
: pulling teeth to get them to that point. Now, *that* is *broken*.

You'd think they would happily embrace that and cut a profit off of it =)
In fact, in the short term, offering such a feature for X dollars (so they
profit a little) would be a good thing. Eventually, customers would bitch
and that fee would go away like many banks are eliminating ATM fees.

Dataloss mailing list