Slashdot Mirror
Dear Sir: Your Credit Card Number Has Been Owned
An anonymous reader submits: "California has become the first state in the nation to require companies victimized by malicious computer attacks to disclose what might have been compromised to their customers. Dubbed the Security Breach Information Act, companies whose systems are cracked and have credit card, bank account, and/or other significant customer data stolen are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media. Law takes effect Tuesday, July 1 (tomorrow)."
Not a bad idea but, with them having a 38 billion dollar deficit one would think they'd be focused on that.
So glad not to be there now.
This looks like a good start for something that should have happened a long time ago. If people know their information (such as credit card numbers) has been compromised, they can solve the problem. Under Australian law, I think that companies have to tell you if you ask, but I'm not sure they actively publish that kind of information... If they don't, they should! Does anyone know if ISO has a certified standard for web services security? If not ... this might be a good time to make one...
I honestly don't even like the idea of them sending an email with this information. I can see some unscrupulous thief sending an email with forged headers stating: "Hi from amazon, our credit card database system was stolen by some meddlin' hackers, please click this link and reenter your information to reactivate your Amazon account. We apologize for the inconvienience."
When the hacker breaks into the notification server?
Even if they didn't steal any information (other than some emails on the server) they could scare the living crap out of alot of people....like a BIG practical joke.
Then the company would have to send out another email via the notification system to their customers....this ought to be interesting...why trust the company that claimed it was hacked yet it wasn't?
"Some fight for law. Some fight for justice. What will you fight for? One day, you will see."
chances are very good that someone in the press will notice the notice on a site like amazon's, or an amazon customer that does catch it will phone the press. hence, word will still get out that something happened.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
this is only good if they know they have been compromised!
I think this law would be a lot stronger if it mandated contact by all of those forms to the extent made possible by available customer data.
This is kind of a sore spot for me at the moment because of a different, but similar misadventure of my own. Recently, my net banking access got frozen because too many incorrect password attempts had been made on it. However, the bank did not see fit to notify me of this, and I only found out when I urgently needed to do a wire transfer at 11pm on the weekend. And of course their service facility was long closed by that point and wouldn't be open until Monday. Sucks.
YLFI
One god, one market, one truth, one consumer.
Yup.
How about if your local bank didn't lock it's safe at night, and used shitty supermarket padlocks on the doors? Then didn't tell you that people broke in occasionally when no-one was looking, but quietly increased your fees to cover the losses? Sound reasonable? No, of course it doesn't, but it's not far off the level of security some clowns put online. Personally, I'd like to see the sysadmins name posted in the notices too. :-D
Imagine if these were physical break-ins rather than electronic ones. The money's all the same, the only difference is that until now, it didn't make the evening news. It's about time it stopped being swept under the carpet.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
Whatever happened to encryption?
These rules are good. I think both notification and public notices of being hacked should be required. But merchants and customers should be smarter to start with.
Many prominent ecommerce sites insist that if you buy with them, you have to open an account where your credit card info will be stored permanently (read the fine print on PayPal, for example, what happens when you try to erase it).
In order to permit you to reuse the credit card number without reentering it later, it generally has to be stored in a place accessible to the web server applications, aka a very hackable location. They usually claim to protect this via n-bit encryption, but their application can easily decrypt it, generally meaning that a hacker who owns the web server can as well.
If a brick-and-mortar merchant insisted on storing a xerox of the credit cards of all his customers in a filing cabinet on the sales room floor in case any time in the future they forgot their credit cards, I would still feel more secure than this sort of e-merchant makes me feel (because the volume of CC numbers is less and it can't be accessed remotely) than a database with millions of card numbers. There is a huge difference between temporarily using the credit card info in a transaction database and making it permanently available in an account database. Not only can transactions records be more-fully isolated from the web servers than account records, but in the transaction case, the most compromised is far less than the millions of credit card numbers compromised in an account database. You make yourself vulnerable forever if you do business with someone who wants to keep your credit card available in your account, and they probably will not even tell you if it is compromised.
IMO, good merchants do not insist on storing your credit card number in the account, but rather permit you to manually reenter it every time. Just like all the Microsoft email conveniences that turn out to be security holes, this sort of ecommerce convenience is asking to have your credit card number abused, with no notification. The number is safer in your wallet or travelling across SSL than in a web-server database with millions of other credit cards.
PayPal refuses to erase the account info even if you erase it. Perhaps this sort of law will eventually force irresponsible merchants to rethink the way they expose millions of cards to cracking. You can't hack what is not on the server.
People should be responsible if they are negligent, I agree. OTOH, expecting perfect security, as some on this thread seem to be doing, is wishful thinking. The world doesn't work like that. Bank robberies happen, and sometimes they get away with it. Cracks happen, and sometimes they get away with that, too. You should take reasonable steps to secure your facilities and have a sensible contingency plan for when that security fails.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.