-jsq
PS: Seen on Bruce Sterling’s Beyond the Beyond.
Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted.
Visa, MasterCard to unveil new security rules: The updated PCI standard will cover Web apps, third-party controls, Jaikumar Vijayan, ComputerWorld, 7 July 2006
If you visit the site and enter bogus information to test whether the site is legit — a tactic used by some security-savvy people — you might be fooled. That’s because this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.
Citibank Phish Spoofs 2-Factor Authentication, Brian Krebs, 10 July 2006
This could be because the people behind such phishing scams are often pretty tech-savvy people themselves. Funny how that happens when there’s money in it. Note what the relay buys them: because every field is forwarded to the real site in real time, a one-time token typed into the phishing page is simply passed along while it is still valid, so neither the bogus-data test nor the second factor by itself protects the user here.
-jsq
These concerns over privacy were reflected in users’ fears while surfing, with theft of personal information the most commonly cited concern by over one quarter of respondents. Another quarter feared viruses and worms. Nearly one fifth were worried about spyware, while scams and fraud ranked slightly lower (13 per cent). Only 8 per cent found spam something to be afraid of, rather than just a nuisance (Figure 1, left chart), perhaps reflecting a grudging acceptance of spam or improvements in filtering.
Such fears cause 64% of respondents to avoid some online activities.
Promoting Global Cybersecurity: ITU announces results of global survey and launches cybersecurity gateway on World Telecommunication Day 2006, ITU Press Release, Geneva, 17 May 2006
Interesting post in Emergent Chaos about whether encryption really is cheaper than cleaning up after identity theft or other breaches of security. The bottom line seems to be that we don’t know the bottom line, because we don’t have a good handle on the costs of breaches and we know even less about how many breaches there really are.
It seems to me that encrypting large datasets on backups, or before shipping them by courier (e.g. UPS) to another location, is so easy that it is worth doing simply as risk management: a lost or stolen encrypted tape is an inconvenience rather than a breach, provided the key did not travel with it.
Some aspects of risk management can’t be easily quantified, so decisions have to be made anyway. Just doing it like it has always been done is a decision, too.
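To show how little work the "trivially easy" part is, here is an added example (mine, not from the original post or from any product mentioned in it) that seals a backup blob with AES-256-GCM before it leaves the building. The key comes from a key manager in practice; here it is generated inline. The label (tape or file name plus date) is bound as associated data so a blob restored under the wrong name, truncated, or bit-flipped in transit is rejected rather than silently restored. The CSV rows in main are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewBackupKey returns a fresh 256-bit key. In a real deployment this comes
// from (or is wrapped by) a key manager; it must never be stored on, or
// shipped with, the backup it protects.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM. label is bound as
// associated data so the blob only opens under the name it was made for.
// Output layout is nonce || ciphertext || tag.
func EncryptBackup(key, plaintext []byte, label string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce we pass as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptBackup reverses EncryptBackup. Any change to the blob, the label
// or the key makes the tag check fail and nothing is returned.
func DecryptBackup(key, blob []byte, label string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("backup blob too short to be valid")
	}
	nonce, ct := blob[:ns], blob[ns:]
	return aead.Open(nil, nonce, ct, []byte(label))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample dataset: the kind of rows that turn up on lost tapes.
	dump := []byte("name,ssn,dob\nA. Person,123-45-6789,1970-01-01\n")
	label := "backup-2006-06-01.tar"
	blob, err := EncryptBackup(key, dump, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(dump), len(blob))

	// Simulate the courier handing back a tape with one flipped bit.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptBackup(key, blob, label); err != nil {
		fmt.Println("tampered backup rejected:", err)
	}
}
```

The design choice worth noting is the associated data: encrypting alone stops a thief reading the tape, but binding the label and using an authenticated mode also stops anyone substituting one sealed blob for another at restore time.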
-jsq
Adam Shostack adds up the latest threat government has provided for us:
8.9% of Americans are at increased risk for ID theft due to that fellow at the veterans administration. Wow. Sure, the 13% at risk for account take-over from Cardsystems was bad, but that was just credit cards. This is about the databases that control our lives. This is horrendous. Maybe we’ll get some better laws about credit freezes out of it.
8.9%, Adam Shostack, Emergent Chaos, 26 May 2006.
This is a pretty good illustration of why depending on social security numbers for authentication is a bad idea. It also shows why government can be the biggest security threat: it has greater scale and resources than most other entities, so one lapse exposes tens of millions of people at once. And it shows how the most rudimentary security, such as encrypting the data or not letting it leave the premises in the first place, would have provided enough resilience to turn this theft into a non-event. Simple prevention measures are often the best risk management.
-jsq
So, what’s a better key?
I think Pete answered your question in his comment. The problem with SSNs is not their use as keys; it’s their use as authenticators. The ubiquity of SSNs is both what makes them useful as keys and what makes them horrible as authenticators, because so many people know them. Pete’s proposal in his blog of making all SSNs public would make it even more clear how horrible they are as authenticators.
Anyway, SSV has an interesting comment:
We need to turn this argument on its head and make all SSNs public record. Then, we can work towards a real solution that can protect the individual.
Yes, good idea. If SSNs were public, it would be so obvious that they’re horrible keys to use for security that maybe organizations would stop doing so.
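The key-versus-authenticator distinction is easy to see in code. The following is an added example of my own, not from this post or from SSV’s, with constructed names and SSNs. The SSN is used as a lookup key, which is harmless, and two checks sit side by side: the "what’s your social?" check that any stranger who has seen the number passes, and a check that uses the SSN only to find the record and then demands a separate secret. The secret hash is salted HMAC-SHA256 to keep the example inside the standard library; a production system would use a slow hash such as argon2id or bcrypt.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Account is a customer record. The SSN that indexes it is an identifier;
// SecretHash is the authenticator, derived from something only the holder knows.
type Account struct {
	Name       string
	Salt       []byte
	SecretHash []byte
}

// Store indexes records by SSN. This is the legitimate use of an SSN: as a
// key it works fine even if every SSN were printed in the newspaper.
type Store struct {
	bySSN map[string]*Account
}

func NewStore() *Store { return &Store{bySSN: map[string]*Account{}} }

// Enroll creates a record under the SSN with a separate, user-chosen secret.
func (s *Store) Enroll(ssn, name, secret string) error {
	if _, exists := s.bySSN[ssn]; exists {
		return errors.New("an account already exists for that SSN")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.bySSN[ssn] = &Account{Name: name, Salt: salt, SecretHash: hashSecret(salt, secret)}
	return nil
}

// Lookup uses the SSN as a key: it returns the record, not access to it.
func (s *Store) Lookup(ssn string) (*Account, bool) {
	acct, ok := s.bySSN[ssn]
	return acct, ok
}

// AuthenticateBySSN is the "what's your social?" check: whoever can recite
// the number is treated as the holder. Anyone who found it on a lost tape,
// a doctor's office form or a search engine passes.
func (s *Store) AuthenticateBySSN(ssn string) bool {
	_, ok := s.bySSN[ssn]
	return ok
}

// dummySalt is hashed against when the SSN is unknown, so response time
// does not reveal which SSNs have accounts.
var dummySalt = make([]byte, 16)

// Authenticate uses the SSN only to locate the record and requires the
// separate secret to prove identity. The comparison is constant-time.
func (s *Store) Authenticate(ssn, secret string) bool {
	acct, ok := s.bySSN[ssn]
	if !ok {
		hashSecret(dummySalt, secret)
		return false
	}
	return subtle.ConstantTimeCompare(hashSecret(acct.Salt, secret), acct.SecretHash) == 1
}

// hashSecret is salted HMAC-SHA256. Production code should use argon2id or
// bcrypt (golang.org/x/crypto); those are outside the standard library, so
// this self-contained example does not use them.
func hashSecret(salt []byte, secret string) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(secret))
	return mac.Sum(nil)
}

func main() {
	s := NewStore()
	// Constructed sample account.
	if err := s.Enroll("123-45-6789", "A. Person", "correct horse battery staple"); err != nil {
		panic(err)
	}
	// Constructed "leaked" SSN, as an attacker might find it via a search engine.
	leaked := "123-45-6789"
	fmt.Println("SSN-only check lets the attacker in:", s.AuthenticateBySSN(leaked))
	fmt.Println("secret-based check with leaked SSN only:", s.Authenticate(leaked, "guess"))
	fmt.Println("secret-based check by the real holder:", s.Authenticate(leaked, "correct horse battery staple"))
}
```

Making SSNs public would change nothing about Lookup or Authenticate, and would turn AuthenticateBySSN into an obvious no-op, which is the point of the argument above.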
-jsq
"What’s your social?" How many times have you heard that question, from credit card companies, doctors’ offices, and just about every other type of organization? Perhaps you were confident that all these organizations are keeping your "social" completely confidential. I’m not so confident about that, and here’s evidence that they’re not:
Security experts held a contest this month to show just how quick and effective Google hacking can be. During a technology security-industry meeting in Seattle, contestants using only Google for less than an hour turned up sensitive information — potentially useful for financial fraud — on about 25 million people. They dug up various combinations of people’s names, dates of birth, Social Security numbers, and credit-card information, including some card numbers apparently left exposed by the U.S. Department of Justice.
Identity Theft Made Easier: Hackers Use Simple Tricks With Google, Yahoo Searches To Tap Personal Information, by Kevin J. Delaney, Staff Reporter of The Wall Street Journal, 29 March 2005
This just adds to all the recent cases where organizations have lost massive sets of identity information on millions of people because they didn’t keep even rudimentary security over them.
What can you do?