Monday, December 19, 2005

 

Even the experts get hacked

In a somewhat disturbing incident, the Washington Post reports that digital forensics company Guardian software was hacked in November. The most troubling part of the news is that the break-in was not discovered until December 7th. The company wrote letters to all affected customers, including law enforcement and security professionals, describing the scope of the incident.

Of course, this case is nothing new. Unfortunately, the monetary damages incurred by the victims could have been prevented. The losses stem from inadequate security of the database holding the credit card information and failure to comply with published security requirements. Despite requirements by both Visa and MasterCard, critical data was stored unencrypted and kept beyond retention guidelines. Had the published guidelines been followed, the damage from this incident might have been close to zero.

How long is it really going to be before we see real and effective security measures that prevent credit card fraud? For example, it seems possible to implement a one-time credit card system. In fact, American Express began offering just such a system in early 2001 but later cancelled the program. There are still a few programs out there, such as Discover Card's Secure Online Account. The idea is simple and incredibly powerful: issue a new account number for risky purchases and only allow one purchase with that account number. If the number is stolen from a database, no problem: it's no good.

My guess as to why programs like this aren't more popular is that consumers don't see the benefit. Sure, they are scared silly of identity theft, often intermingled with credit card fraud, but they think somebody else should fix it. Why should John Q Public spend the extra time getting a one-time-use card number for an online transaction when he has no responsibility to pay fraudulent charges? It's just too much hassle.

Visa and MasterCard aren't much better; they're not really eating the costs either. In the end, it's the merchants paying the cost of credit card fraud, and they're passing it right back to the consumers in the form of higher prices. I fear that until everyone involved starts taking responsibility and accepting part of the burden, we'll see more cases just like this.
