158 Million Records Exposed (And Counting)
Lucas123 writes "According to the Privacy Rights Clearing House, 158 million records have been exposed over the past two years as a result of inadequate security. Data's less secure today because as fast as banks, merchants and consumers add new layers of security to their storage systems and networks, new technologies — or simply careless users — create new security holes, according to Bob Scheier at Computerworld."
At a state level (we could never get our Fed legislative critter to do something for the people) we have a 'data protection' right. Bottom line: you lose data, you pay the people whose data you had. You fail to notify the people, you pay double. If the information is actually used, damages are double plus ACTUAL / ONGOING losses.
Bottom line: Lock up your data! We learned this back in the days of the wild west. Now we must relearn, and reinvent the safe for 21st-century data.
My own information, including bank account numbers, has been stolen and sold. I received a letter from a company I've never done business with, explaining how it wasn't their fault that they lost information I didn't give them, and trying to reassure me that nothing bad would happen.
The people running these companies should be considered criminally negligent. Maybe then they'll start to take security seriously.
What's the ugliest part of your body? Some say your nose, some say your toes, but I think it's your mind. -Zappa
I agree to an extent; you also have to take some personal responsibility when dealing online. Your birthday or dog's name is not a 'secure' password.
You are all a bunch of idiots.
By making something more than the knowledge of 16 digits required for a loan (which is what they're doing when they authorize a credit transaction). Or even deducting the money directly from my account. Or, God forbid, knowing 9 measly digits from my SSN, as if that somehow were a secret.
It continually baffles me that credit card numbers are assumed to be somehow secret, despite the fact that you hand a waiter making $2.15 an hour a little piece of plastic with that number written on it without a thought.
The customer is in no position to create a new technology that ends this "open secret" way of verifying identities. There are much better mechanisms available, using public-key cryptography and some combination of passwords (entered into a smart card, not passed over the Internet), biometrics, and physical identity tokens.
That's up to the credit card companies. The reason people steal the numbers is that all they have to do is steal the number. Make it harder to steal and they'll stop stealing it. Until then it will continue to shock me that mere knowledge of a password which is regularly transmitted all over the place, and can be stolen from my wallet or my mail, is used as an identifier.
They blame it on the customer because they can, not because it's the customer's fault.
What about a DNS attack, where legitimate customers going to the legitimate YourBank.com site are redirected to a man-in-the-middle site? Everything looks legit (albeit slow) and it's a near-picture-perfect real-time clone of the bank's site and the user's account info. Who has to pony up in this case? Linksys/Cisco for making a router susceptible to DNS hijacking? IE or Firefox for somehow not recognizing the MITM? Verisign for legitimately issuing a certificate to a hacker that he then later misused?
At some point a lot of these fall into the category of technological failings. Are we suddenly going to see disclaimers on routers and ethernet switches claiming "Not suitable for secure financial transaction data"?
The only way to truly end this is to remove the ability to use the data online, and require face-to-face authentication. Shut down commercial use of the internet. Not a likely scenario.
The next best solution would be to train employees and end-users how to safely transact business over the internet. Joe Sixpack can't even identify every button on his TV remote control -- what are the chances he can learn how to check certificates for authenticity? Even if he could be trained, would you then shoulder the responsibility for training him how to spot hacks just in time to have a new hack come out and steal his account information anyway? "Mr. Trainer, I followed your instructions exactly and I still got hacked. Here's a lawsuit for damages due to your incompetence."
And before you place too much faith in IPV6 to solve all these problems, you should take a look at every other piece of technology claiming to solve security problems. They're all flawed -- some more than others. It's just that we don't know IPV6's vulnerabilities yet.
John
You're missing the point.
Right now, the companies whose data is stolen have no financial incentive to beef up their security, but they have plenty of PR incentive to cover up breaches. If such breaches were to hurt their bottom line, the shareholders would make them take their security seriously.
As for the effectiveness of laws, look at Sarbanes-Oxley: corporations have created whole departments just to manage compliance. Sure, they bitch and moan about the hassle, but they comply because it's the law. Why can't they be obligated to put the same effort into customer data security?
Learn from the mistakes of others. You won't live long enough to make them all yourself.