Slashdot Mirror


Dear Sir: Your Credit Card Number Has Been Owned

An anonymous reader submits: "California has become the first state in the nation to require companies victimized by malicious computer attacks to disclose to their customers what might have been compromised. Under the Security Breach Information Act, companies whose systems are cracked and have credit card, bank account, and/or other significant customer data stolen are required to report the intrusion either by email, snail mail, a notice on their website, or by notification to the news media. The law takes effect Tuesday, July 1 (tomorrow)."

12 of 179 comments

  1. Posting on website wouldn't be enough by CastrTroy · · Score: 5, Interesting

    I don't think that posting the information on the website would be effective enough. Sites such as amazon.com may have my credit card number stolen. If I don't visit the site within the time frame that they are displaying it then I may never find out about it. They need to do something that requires less action from the users such as snail/e-mail. I don't think site postings should be allowed.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  2. ...posted in the basement with no lights. by janda · · Score: 5, Interesting

    To quote the parent:

    ...a notice on their website...

    Yeah, all you need to do is find the white-on-white "click here" hyperlink.

    Like I'm supposed to go out every day and check every credit card site, all my bank account sites, every mutual fund site, every stock broker site, etc, etc, etc?

    Why? Why does the company that has been hacked have to engage in a deliberate act (e-mail, snail mail, phone calls, whatever) except for this? Why not force companies to own up to their mistakes?

    --
    Karma: Food Fight (Mostly affected by Date Plate).
    1. Re:...posted in the basement with no lights. by delta407 · · Score: 2, Interesting
      Like I'm supposed to go out every day and check every credit card site, all my bank account sites, every mutual fund site, every stock broker site, etc, etc, etc?
      Worse yet, even if you were to somehow check every website on a regular basis, and somehow find the notice (which the law does not give guidelines for, AFAIK), this only covers part of the issue. The other and far more difficult problem: what about when this information gets stolen and the company doesn't notice?

      This seems like a step in the right direction, but the law seems far too loose to be of any practical value.
  3. I'm surprised... by Tokerat · · Score: 2, Interesting


    ...that this WASN'T required by law before!

    --
    CAn'T CompreHend SARcaSm?
  4. Move... by Mullen · · Score: 3, Interesting

    Instead of fixing their security, companies will just find it cheaper to just move their servers out of California.

    --
    Linux O Muerte!
  5. Re:I Remember when... by Anonymous Coward · · Score: 1, Interesting

    It's absolutely ridiculous that the year never shows up on any Slashdot story, so you can't tell what year a story was posted.

    fix that damn bug

  6. California's rules are... well, Californian by !Squalus · · Score: 2, Interesting

    Sorry for that. While this is good for the Consumer, it is even better for hosting companies and businesses deciding to move elsewhere. The sad fact is that without really good analytical tools - most companies do not know what was cracked at all.

    Tripwire is one that comes to mind, and if used properly is an excellent forensic tool. Too bad some schmoes don't know that. I know an IT director who believes that wiping everything down and reinstalling from a backup image is the way to go. Of course - backups aren't 100% reliable and you tend to lose data - but who am I and what do I know?

    Trust me - that works until you lose really critical data. Then you are screwed buddy. Oh well, that's NMP. Not my problem.

    Funny thing is that if they don't know they were cracked, how do they know when to notify you that your account or data might have been cracked and hijacked?

    Think about it. If they were too stupid to catch it, how will they ever know who to notify and who not to notify? When you cannot trust your data, everything else becomes meaningless.

    I wonder if these notices will lead to more false insurance claims from losses due to cracking? After all, how can the banks, credit card companies, etc. prove diddly when they don't even know for certain that you have been cracked or if their data is accurate or just total hogwash.

    Would you trust a business that notified you that your account might have been cracked and you could have some of your valuable precious data being floated around the Internet?

    Of course, they could have avoided all that by using real equipment, but you won't know the truth any more than they know the truth.

    --
    All Ad hominem replies happily ignored as the sender shall be deemed to lack the faculties to comprehend the equation.
    1. Re:California's rules are... well, Californian by hellfire · · Score: 2, Interesting

      Would you trust a business that notified you that your account might have been cracked and you could have some of your valuable precious data being floated around the Internet?

      Short answer... yes.

      Why? Because it means they are paying attention and trying to make an effort at security.

      It is doubtful all attacks will be prevented, and it's also doubtful all attacks will be monitored. However, all banks will experience attacks by crackers. If one slips by and it's detected, I would want to know about it. It means to me that my institution cares. Obviously it's my money, so I should be informed and I should direct the company what to do.

      My bank recently, and voluntarily, informed me of an attack where it thought my check card could have been stolen. They offered to replace it at my discretion, free of charge. Changing card numbers, simple effective security. I jumped at it and double checked my statement and have had no problems.

      To say it may be a burden on businesses or that businesses can't be expected to catch crackers is silly, because it's not a burden and they can be caught. Banks are notorious for trying to pass the burden of securing money to their customers. I've seen banks refuse to reimburse people for funds stolen directly from their account, and they had to be taken to court even though it was clear that the signature on the withdrawal slip was not the customer's!! Banks have to step up and provide a secure environment for investors, and laws like this raise the bar to where it needs to be.

      --

      "All great wisdom is contained in .signature files"
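Comment 6 above makes the point that a company without a file-integrity baseline cannot say what was changed, and so cannot say whom to notify. The block below is an added illustration of that Tripwire-style approach, written for this page and not taken from Tripwire or any poster: it hashes a directory tree into a baseline, then diffs the live tree against it and reports what was added, removed, or modified (content, size, or permission bits). The sample tree, the tampered files and the path names are constructed for the demo; the baseline file format is an assumption.

```python
"""Tripwire-style file-integrity baseline: hash a directory tree, store the
baseline, and later diff the live tree against it to list what changed.
Added illustration written for this page, not Tripwire's own code."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk root and record sha256, size and permission bits of every regular
    file. Keys are paths relative to root so the baseline stays portable."""
    base = Path(root)
    out = {}
    for p in sorted(base.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        out[str(p.relative_to(base))] = {
            "sha256": _digest(p),
            "size": st.st_size,
            "mode": oct(stat.S_IMODE(st.st_mode)),
        }
    return out


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified paths; for modified paths, list which
    attributes (sha256, size, mode) differ from the baseline."""
    report = {"added": [], "removed": [], "modified": {}}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            changed = [k for k in ("sha256", "size", "mode")
                       if baseline[path][k] != current[path][k]]
            if changed:
                report["modified"][path] = changed
    return report


def save_baseline(baseline: dict, path: str) -> None:
    # Keep the baseline (or at least its hash) off the monitored host; an
    # intruder with write access could otherwise re-baseline over their changes.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed sample tree (assumes a POSIX filesystem for chmod): take a
    baseline, then simulate a trojaned login binary, a loosened shadow file,
    a dropped backdoor and a deleted log, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as store:
        root = Path(host)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "var").mkdir()
        (root / "var" / "auth.log").write_text("clean log\n")
        (root / "etc").mkdir()
        (root / "etc" / "shadow").write_text("root:x:0:0::/root:/bin/sh\n")
        os.chmod(root / "etc" / "shadow", 0o600)

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(host), baseline_file)

        # Simulated intrusion (constructed for the demo).
        (root / "bin" / "login").write_bytes(b"original login binary + backdoor")
        os.chmod(root / "etc" / "shadow", 0o644)
        (root / "var" / "auth.log").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / ".x").write_bytes(b"backdoor")

        return compare_baseline(load_baseline(baseline_file), build_baseline(host))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report from `demo()` lists `tmp/.x` as added, `var/auth.log` as removed, `bin/login` as modified in content and size, and `etc/shadow` as modified in mode only. A mode-only change is exactly the kind of thing a restore-from-backup approach (as the comment describes) loses track of: the backup may contain the same bytes but not the evidence of what the intruder touched.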

  7. make them pay by slugo3 · · Score: 4, Interesting

    why not make the company responsible for notifying my credit card company? Or better yet, make them pay for fraudulent charges that I could prove were from their negligence?
    They screwed up; they should incur the cost of cleaning up the mess. If companies were responsible to that degree, then watch how high security budgets would skyrocket. If they shouldn't be responsible to that degree with my sensitive information, then why bother passing legislation like this?

  8. ... and then they help the intruders. by swordfishBob · · Score: 2, Interesting

    How about that. Someone breaks partway into a system at my bank. The bank may not know exactly what has been compromised, but they then publish a list of what it could be. Intruder now knows how close they are to the money!

    --
    -- All your bass are below two Hz
  9. Re:Prevention is far better than cure. by felix9x · · Score: 2, Interesting

    Yes, all the points you make are good, but it's all about money. How much will it cost to implement the layers of security that are needed to store CC#s safely? A small e-commerce site just doesn't have the capital to do it. Things would be much easier if we didn't have to deal with CC numbers directly. PayPal is a way to deal with this, but come on, what e-commerce site will force somebody to get a PayPal account anyway? PayPal is not the last word in financial Internet transactions. Hey, they are not even a bank. We are basically missing a secure infrastructure to do personal financial transactions over the Internet. At the end of the day we have good old CC number + SSL + who knows what. It would be nice if banks actually got together and were serious about putting up the funds to create a new infrastructure. We have all the security technology to make it happen; we can do authentication and encryption the right way, but we don't have banks who want to go through with it.
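Comment 9 above wishes that a small e-commerce site did not have to handle card numbers directly. The block below is an added illustration of the tokenization pattern that addresses exactly that, written for this page and not the code of PayPal or any payment provider: the merchant keeps only a random token and the last four digits, and an isolated vault is the only place that maps the token back to the card number. The `CardVault`, `MerchantDB` and `find_pans` names, the `tok_` token prefix and the `gateway` caller check are assumptions made for the demo; the test card number 4111 1111 1111 1111 is a widely used Luhn-valid sample, not a real card.

```python
"""Card-number tokenization: the merchant database stores a random token and
last-four only; an isolated vault maps tokens back to the PAN. Added
illustration written for this page, not any payment provider's code."""
import json
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a digit string; rejects typos before vaulting."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Stand-in for a separately hosted vault service (assumed name). In real
    deployments the store is encrypted at rest and lives on its own host; the
    point is that the merchant application never holds a PAN."""

    def __init__(self) -> None:
        self._store = {}  # token -> PAN

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        # Random token, unrelated to the PAN, so it cannot be reversed without
        # the vault. The 'tok_' prefix (assumed) makes it obviously not a card.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the payment-gateway integration may read a PAN back (assumed policy).
        if caller != "gateway":
            raise PermissionError(f"{caller} may not detokenize")
        return self._store[token]


class MerchantDB:
    """What the e-commerce site itself stores per customer (assumed name)."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.customers = {}

    def save_card(self, customer_id: str, pan: str) -> dict:
        pan = re.sub(r"\D", "", pan)
        record = {"token": self.vault.tokenize(pan), "last4": pan[-4:]}
        self.customers[customer_id] = record
        return record

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        # The real PAN is only materialised inside the gateway call.
        rec = self.customers[customer_id]
        pan = self.vault.detokenize(rec["token"], caller="gateway")
        return {"amount_cents": amount_cents, "pan_last4": pan[-4:]}


def find_pans(records) -> list:
    """Scan a dumped data set (what a breach would exfiltrate) for anything
    that looks like a valid card number. Used to show the merchant dump is
    clean while the vault dump is not."""
    dump = json.dumps(records)
    return [m for m in re.findall(r"\b\d{13,19}\b", dump) if luhn_valid(m)]


if __name__ == "__main__":
    vault = CardVault()
    db = MerchantDB(vault)
    db.save_card("cust-1", "4111 1111 1111 1111")   # constructed sample
    print("merchant dump leaks:", find_pans(db.customers))
    print("vault dump leaks:", find_pans(vault._store))
```

With this split, a compromise of the merchant database yields tokens and last-four digits, which is what the site would have to disclose under a law like the one in the story; the card numbers themselves are only exposed if the vault is breached, which is a smaller, more defensible system. The Luhn check is a typo filter, not a security control; the security comes from where the PAN is stored and who is allowed to call `detokenize`.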

  10. It might get just like accounting... by leeet · · Score: 3, Interesting

    Where a certified accountant needs to check and make sure everything is up to a certain standard.

    That's good news, more IT jobs coming up?

    --
    -- Leeeter than leet