Saturday, June 18, 2005

Hackers Strike Again and 40M Americans Stand to Lose!!!

To see just how bad things are getting with the security of our personal information, you only have to read about the most recent case of data lost by Tucson-based CardSystems Solutions Inc., a third-party processor of payment card data.

Somebody gained access to around 40 million credit card numbers and the related security codes necessary to use them online. MasterCard seems to be the biggest loser in the deal, with some 13 to 14 million card numbers possibly compromised, but all the major companies have been exposed.

Richard Smith at his website ComputerBytesMan.com described it as eligible for “the Guinness Book of World Records.” Whether that’s true or not, CardSystems joined the ranks of Lexus, Bank of America Corp, ChoicePoint Inc., Reed and Elsevier, and Motorola as recent major companies having customer information compromised by their lack of security.

This is more than unacceptable; it’s just stupid. As major company after major company commits the same childish security blunders, you have to wonder why they can’t learn from the mistakes of others in this business. To keep repeating the same dumb practices over and over again defies logic.

By their actions these companies are going to force government involvement, and then they will all cry bloody murder. Well, I can’t feel sorry for them, but I know who will bear the cost of all of these new regulations.

You and I will pay for their stupidity. Both by the losses from the theft of the information and the cost to implement any new regulations required to protect us.

There is no good reason for these databases not to be encrypted so as to be less vulnerable. It comes down to greed as the companies involved reduce costs by lowering their IT expenses. Encryption software isn’t expensive and using it would at least make the data basically unusable by the thieves.

This case is made so much worse because not just the credit card numbers but also the security numbers required to use them online were kept TOGETHER in the same database.

How stupid can you get???

Any first-year computer student could come up with a way to store these numbers in a separate database to make it harder to match up both the credit card number and the security number. If I were designing a system to store that kind of information, I would keep the cardholder name, the card number, and the security code each in a separate database. That way, if you didn’t know how to combine these separate files, you would only have lists of names and numbers that would be worthless. If these separate databases were also encrypted, it would make it almost impossible to compromise this data.
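One way to build the split storage described above, as an added example that is not from the original post: each field sits in its own SQLite database, and rows can only be matched up again with a secret linking key. The `link_key` (assumed to be 32 random bytes held apart from the stores), the record ids and the table layout are assumptions, and the example covers only the separation step, with encryption of each value left to be layered on top.

```python
import hashlib
import hmac
import sqlite3

FIELDS = ("name", "pan", "code")  # one store per field, as the post proposes
# PCI DSS does not permit keeping the security code after authorization; it
# appears here only to mirror the three-store design described in the post.
# Constructed sample record (test card number, not real data).
SAMPLE = {"name": "Test Cardholder", "pan": "4111111111111111", "code": "123"}

def open_stores():
    """Three independent in-memory SQLite databases, one per field."""
    stores = {}
    for field in FIELDS:
        db = sqlite3.connect(":memory:")
        # WITHOUT ROWID: rows are kept in row_key order, not insertion order,
        # so row position cannot be used to re-join the stores.
        db.execute("CREATE TABLE t (row_key TEXT PRIMARY KEY, value TEXT NOT NULL)"
                   " WITHOUT ROWID")
        stores[field] = db
    return stores

def row_key(link_key, record_id, field):
    """Per-store row key: HMAC-SHA256 keyed with link_key over field and id."""
    return hmac.new(link_key, f"{field}:{record_id}".encode(), hashlib.sha256).hexdigest()

def put(stores, link_key, record_id, record):
    """Write each field of one record into its own store."""
    for field in FIELDS:
        stores[field].execute("INSERT INTO t VALUES (?, ?)",
                              (row_key(link_key, record_id, field), record[field]))

def get(stores, link_key, record_id):
    """Reassemble a record; None if the linking key or id does not match."""
    out = {}
    for field in FIELDS:
        row = stores[field].execute("SELECT value FROM t WHERE row_key = ?",
                                    (row_key(link_key, record_id, field),)).fetchone()
        if row is None:
            return None
        out[field] = row[0]
    return out

def joinable_keys(stores):
    """Row keys common to all stores: what could be joined without link_key."""
    return set.intersection(*({r[0] for r in db.execute("SELECT row_key FROM t")}
                              for db in stores.values()))
```

Because every store derives a different row key for the same record, a copy of all three databases without `link_key` yields three unrelated lists, and `joinable_keys` returns an empty set.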

So... if I can figure that out, then why can’t these so-called experts?

When are these companies going to be called to task?

When are they going to receive the fines and criminal punishment they deserve?

Only when the public wakes up and demands that the government give some teeth to legislation requiring the protection of personal information in the private sector. These large, many times unknown, companies have an obligation to protect the data they gather about us. They owe us at least a modest attempt at having security that is able to protect us and that isn’t happening right now.

Personally, I would like to see fines and, in cases of real mismanagement, criminal punishment handed out. It’s time to put a stop to this and to do it NOW, not later.

A good article on the case is also located on eWeek at this URL
http://www.eweek.com/article2/0,1759,1829378,00.asp?kc=EWRSS03129TX1K0000614
