So you punish the whole family because little Jimmy has downloaded some movies? What's to prevent signing up for another account in another family member's name? Internet access is almost a utility these days, as crucial to living in the modern world as power and water. Denying it to the whole family because one member has abused it, or a neighbor has guessed the WIFI password, seems excessive.
What about businesses that NAT their traffic through a single IP but don't have the resources of an ISP to determine who the culprit is? Seems like too many innocents will be punished in their aggressive approach to dealing with the problem.
A wise man once said:
"Never do today what you can't put off 'til tomorrow."
Half the time the things that you are procrastinating are not really that important. Hence you would have wasted time getting them done when you could have done something else.
This idea has been around for a few years and is definitely quite feasible. The following site explains the concepts in a more straightforward fashion: http://www.windfromthesun.com/
I hate SUSE. I find Yast incredibly slow and unintuitive. I'd much rather do updates with an easy-to-use command line utility like yum. However, I too became frustrated with the 6 month window of support for Fedora. When I discovered CentOS, which is RedHat Enterprise Linux repackaged without RedHat's name and offered for free, I was hooked. You get all the benefit of a rock solid OS, with easy-to-find RPMs, and easy to keep updated.
Identity theft is less a problem of insecure merchant
databases and more a systemic problem of establishing one's identity. A
determined sleuth can quite easily obtain the necessary identity information of
practically anyone they want to. We need a system where it does not matter if
your name, address, birth date, SSN, etc. are compromised because your identity
is not solely based on such things. As much as I hate big (inefficient)
government, it seems to me that is where identity establishment should take
place. It is government that already issues SSN numbers, birth certificates,
death certificates, passports, visas, "resident alien" cards, etc. Perhaps it
is time for a national ID card. I think we have more to fear from "big
business" than "big brother". I certainly would not want to trust a Microsoft
or Oracle with all my personal data. Until we have a more secure way to
establish one's identity and keep it from being stolen, the problem will only
get worse.
Which brings me to the next point: identity theft and
credit card fraud are similar but not the same. Both are inherently too easy to
exploit and it is my guess that the latter is a much bigger problem. All one
basically needs is a valid credit card number, expiration date, and CVV (a
correct billing address is an added plus) in order to commit credit card fraud.
All this information is routinely stored in on-line databases by merchants
around the world. When such databases are compromised, a thief has all the
information he/she needs to run up credit card bills on all of them.
VISA and MasterCard are mandating the CISP program
(Cardholder Information Security Program) on all merchants, requiring them to
adhere to a certain level of security (e.g. encrypting credit card information,
using 3rd parties to audit security, etc.). This is all fine and
good, but it has long been in the self interest of merchants to make sure their
data remains relatively secure and that new cards are checked with address
verification and/or CVV numbers. Merchants are the ones that suffer the most
when customers issue chargebacks for fraudulent charges; credit card companies
simply stick it to the merchant after reversing the charge to your card. Some
states require merchants to disclose when they know they've been hacked. This
is a helpful step, but hardly a solution. Most merchants are loath to disclose
this information if they think they can get away with it because they stand to
lose their customer base. If I had received a certified letter from Amazon
saying that my personal information had been stolen, I would think twice about
ever using Amazon again.
Requiring merchants to plug security holes is much like
requiring all the villagers to plug the holes in the dike with their fingers
rather than fixing the dike in the first place. It is the system that needs to
be fixed more than the insecurity of merchant databases. It should not be so
easy to run up a tab on someone else's account just by having their credit card
number and a few other particulars. Rather than putting the whole burden on
merchants to keep an inherently insecure system secure, credit card companies
need to change the way credit is processed online so that it is not so trivial
to abuse. Merchants are not in the security business, but credit card companies
should be. It is simply not fair to put the entire burden on merchants.
Do we have to resign ourselves to purchasing things online
and then crossing our fingers, hoping that the card we submitted and our
identity will never be stolen? I would be interested in your ideas on how to
fix the current system or what to replace it with.
Reminds me of this from TheOnion.com: "Multiple Stab Wounds May Be Harmful to Monkeys" http://www.youtube.com/watch?v=S6CSIFi78Nw