Slashdot Mirror
Zero Day Threat
Ben Rothke writes "Zero
Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber
Crooks Steal Your Money and Identity is an
interesting and eye-opening look at how banks and credit card companies make
ID theft and fraud rather elementary. But with all
that, this book must be read in the larger context of how today's society
deals with, and is often oblivious to, risk. When is
comes to risk, American society tolerates tens of thousands of drunk-driving
deaths, gives millions in federal tobacco subsidies, and is oblivious about
near-epidemics such as heart disease, obesity, and diabetes. With
all that, it is doubtful that the myriad horror stories Zero Day
Threat details will persuade Congress or the other players to do anything
to curtail the problem with identity theft and internet
fraud." Keep reading for the rest of Ben's review.
Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity
author
Byron Acohido & Jon Swartz
pages
304
publisher
Union Square Press
rating
9
reviewer
Ben Rothke
ISBN
978-1402756955
summary
Excellent overview on the epidemic of indent theft
The
internet and web have indeed revolutionized society, and there is hardly an
industry that has not been positively affected by the net. On the down
side, the net is the new conduit for criminals. For example, in the few
years before the web became ubiquitous, U.S. and international law enforcement
nearly had a noose around the child pornography industry and brought it to a
near standstill. After the web, authorities have given up hope that
child pornography can ever be contained.
Similarly, white-collar crime and fraud has been exacerbated by the net. Zero Day Threat details the various loopholes that criminals use to carry out their attacks and crimes. Each of the book's 18 chapters is divided into 3 section, exploiters — which details how the crime lords and their teams carry out the crimes, enablers — which details the history and current practices of credit card companies, banks, credit bureaus, and data brokers, and expediters — which recounts how technology and technologies enable these crimes. I found that the breaking up of the chapters into such triplets is occasionally confusing, and you are left wondering what story you are in.
The book is based on the premise that the payment industry, namely the credit card companies, banks, credit bureaus and data brokers have created an infrastructure that is pliable, nearly endlessly extendable, but paper-thin when it comes to security. The system is built for ease of access, ease of granting credit, but without a robust security infrastructure or privacy controls.
Consider that the PCI Security Standards Council was not created until late 2004, and that will give you an idea how security is anathema to the industry. The outgrowth of PCI is the PCI Data Security Standard which is the first uniformly created set of comprehensive security requirements for enhancing payment account data security. While the industry debates the efficacy of PCI, attackers are busy at work running innumerable fraudulent schemes.
The authors paint an honest appraisal of the lack of security in the industry and have their facts in order, although an occasional hyperbole does creep in, for instance when the authors repeatedly state that the hackers in question went weeks without sleep. But a huge error is where they state in chapter 11 that PCI is controversial, with some merchants complaining that it is too costly to implement. There is nothing controversial about PCI, and the security controls it requires are sorely needed. While merchants express their discontent about security and its associated costs, attackers steal from underneath them. The quicker the merchants get that they needed security, the quicker the attacks will stop. But as the book shows, that will not happen anytime soon.
Part of the reason why identity theft will not go away anytime soon is similar to the problem in the air traffic control industry, as detailed in Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It. There are too many players in the game, all of which focus on their own interests, and no one wants to take responsibility for the problem. The fact that the Social Security number (SSN) is still used as a key personal identifier, combined with the ease at which an individual 's SSN can be obtained and misused should be enough to give anyone pause.
The primary purpose of a SSN has been to track individuals for taxation purposes. But in the last decade, the SSN has become a de facto national identification number. When established in the 1930s, the Social Security Administration meant for the SSN to be used as a way to track a person's earnings for Social Security benefits. Despite its narrowly intended purpose, the SSN is now used more for non-Social Security purposes, than for the reason it was created. Today, SSNs are used for identity verification, and are the de facto identifier for the credit and financial services industry. With SSNs being aggregated by the millions, they are the fodder for the stories in the book.
Book such as Silent Spring, which helped launch the environmental movement, and The Jungle, which exposed the corruption of the American meatpacking industry, were watershed books that changed America. While Zero Day Threat is not in the same category as either of these books, it is highly unlikely that the level of outrage it will create will be much, nor the indignation significant. Because as bad as identity theft is, and as much grief as it causes, there are far too many politicians, powerful companies, lobbyists and more that are in the way of any change.
Nonetheless, Zero Day is a most interesting look at the many players that work together to facilitate the countless identity theft rings. The book is an absorbing look at the many international players and their enablers involved. While identity theft is not going away anytime soon, Zero Day Threat details the problem, and shows what you can do to ensure that you are not a victim.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Similarly, white-collar crime and fraud has been exacerbated by the net. Zero Day Threat details the various loopholes that criminals use to carry out their attacks and crimes. Each of the book's 18 chapters is divided into 3 section, exploiters — which details how the crime lords and their teams carry out the crimes, enablers — which details the history and current practices of credit card companies, banks, credit bureaus, and data brokers, and expediters — which recounts how technology and technologies enable these crimes. I found that the breaking up of the chapters into such triplets is occasionally confusing, and you are left wondering what story you are in.
The book is based on the premise that the payment industry, namely the credit card companies, banks, credit bureaus and data brokers have created an infrastructure that is pliable, nearly endlessly extendable, but paper-thin when it comes to security. The system is built for ease of access, ease of granting credit, but without a robust security infrastructure or privacy controls.
Consider that the PCI Security Standards Council was not created until late 2004, and that will give you an idea how security is anathema to the industry. The outgrowth of PCI is the PCI Data Security Standard which is the first uniformly created set of comprehensive security requirements for enhancing payment account data security. While the industry debates the efficacy of PCI, attackers are busy at work running innumerable fraudulent schemes.
The authors paint an honest appraisal of the lack of security in the industry and have their facts in order, although an occasional hyperbole does creep in, for instance when the authors repeatedly state that the hackers in question went weeks without sleep. But a huge error is where they state in chapter 11 that PCI is controversial, with some merchants complaining that it is too costly to implement. There is nothing controversial about PCI, and the security controls it requires are sorely needed. While merchants express their discontent about security and its associated costs, attackers steal from underneath them. The quicker the merchants get that they needed security, the quicker the attacks will stop. But as the book shows, that will not happen anytime soon.
Part of the reason why identity theft will not go away anytime soon is similar to the problem in the air traffic control industry, as detailed in Terminal Chaos: Why U.S. Air Travel Is Broken and How to Fix It. There are too many players in the game, all of which focus on their own interests, and no one wants to take responsibility for the problem. The fact that the Social Security number (SSN) is still used as a key personal identifier, combined with the ease at which an individual 's SSN can be obtained and misused should be enough to give anyone pause.
The primary purpose of a SSN has been to track individuals for taxation purposes. But in the last decade, the SSN has become a de facto national identification number. When established in the 1930s, the Social Security Administration meant for the SSN to be used as a way to track a person's earnings for Social Security benefits. Despite its narrowly intended purpose, the SSN is now used more for non-Social Security purposes, than for the reason it was created. Today, SSNs are used for identity verification, and are the de facto identifier for the credit and financial services industry. With SSNs being aggregated by the millions, they are the fodder for the stories in the book.
Book such as Silent Spring, which helped launch the environmental movement, and The Jungle, which exposed the corruption of the American meatpacking industry, were watershed books that changed America. While Zero Day Threat is not in the same category as either of these books, it is highly unlikely that the level of outrage it will create will be much, nor the indignation significant. Because as bad as identity theft is, and as much grief as it causes, there are far too many politicians, powerful companies, lobbyists and more that are in the way of any change.
Nonetheless, Zero Day is a most interesting look at the many players that work together to facilitate the countless identity theft rings. The book is an absorbing look at the many international players and their enablers involved. While identity theft is not going away anytime soon, Zero Day Threat details the problem, and shows what you can do to ensure that you are not a victim.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Zero Day Threat: the Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This whole sentence is moronic, but it's easiest to point to the fact that federal tobacco subsidies ended several years ago. If one has to criticize American society, too little hysteria over risk seems like an odd choice.
What I'm listening to now on Pandora...
More than that, it's essentially meaningless. Americans are not "oblivious" to obesity, and do not "tolerate" drunk-driving deaths. Cursory references to large problems like that weaken your opinion and make the reviewer sound flippant rather than bolstering a real or arguable opinion.
American society tolerates 200,000 deaths per month! Most of these are due to heart disease! Why should we care at all about economic systems or fraud?
The answer is we care about both, and heart disease receives a great deal of attention from the best and brightest students and gets a large amount of public and private financing. That need doesn't obviate the need to avoid fraud, or remember your wife's birthday, or all of the other small stuff in the world. Now, let's discuss the book.
Slashdotter, ID #101. UIDs are in binary, right?
in the end they do nothing to improve their condition.
And why is this a problem? Some people choose to smoke even though they know the risks of doing so. If people choose to live unhealthy lifestyles than I'm not going to get real worked up about it. I don't know about you but I'm growing weary of the war on vice.
Provide people with the information but at the end of the day it's up to them to make smart choices.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
And then after that she found out that there were kidnappers and murderers outside so she was smarter and kept you in the house all day. Such paternalism can be taken too far, and it is. Enter video game bans, smoking bans, gun bans, etc...
The analogy is flawed anyway. A child needs such parental protection because they can't know any better. Adults can and should know better, and if they are coddled they will never learn how to make good decisions. Then that becomes justification for ever more laws to protect them from their own stupidity. Quite the cycle.
Also, the idea that "Provide people with the information but at the end of the day it's up to them to make smart choices." is a Republican mantra is laughable when they are the party that has been against contraception education in schools and want to outlaw abortion. It should be everyone's mantra anyway, at least anyone interested in maximizing freedom.