Number Security

  • I feel that security at financial institutions is not keeping pace. I can understand caution and not implementing every security idea that comes along; however, many of the security mechanisms employed by the financial institutions that I use are a decade or more old.

    Is it wrong that my Xbox gamer account is better protected than my bank account?

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • I think there is always reason to be concerned about "security" in the systems operated by financial institutions. We/they should always be trying to improve, because the bad guys are always there.

    One fundamental problem at the "outside shell" is that on the one hand you want to make things easy for the genuine customer, but on the other hand you want to make it hard for the bad guys. Unfortunately some of the technical solutions at the "outside shell" actually make life harder for the real customer and indirectly encourage bad practices (like, for a simple example, keeping an ATM pin on a scrap of paper in your wallet). Solutions should always think about the effect they are having on minority groups. (Think older, disabled in some way, the list goes on...)

    Looking "inside" Steve's example of "Data Masking" is a good example. We need to think about how features might be abused or circumvented, probably quite early in the specification or design process.

    Machine learning may help, but I think it would be wise NOT to assume that only we have access to such technology.

    In the end, I think this is going to come down to a question of cost benefit analysis.

    Tom Gillies | LinkedIn Profile | www.DuhallowGreyGeek.com

  • If there becomes some type of RSA rolling number, then how does one use a credit card to pay for something like a cell phone bill, where your bill is automatically charged to your credit card, if the number changes with every charge...

  • I think the whole area of security is not taken seriously by far too many organisations and individuals. On one occasion I set up a number of PCs and afterwards was asked to simplify the passwords, as people would never remember them (not sure anybody tried). In the end the passwords I had to set up were barely a level above 'password' and 'abc123'!

    A few years ago I lost an e-mail account because of hacking (despite a mix of letters and numbers password). Just before Christmas a little used Skype account was hacked and unpleasant images sent to most contacts!

    I became nervous about the financial sector after accidentally crashing a cash point machine and seeing it reboot into a very old version of Windows.

    Judging by the spam e-mails I get and stupid phone calls the regulators, ISPs, phone companies, etc. seriously need to up their game(s)!

  • It all comes back to "I am who I say I am". How can you prove that with any reliability over distance?

    Short answer, you can't. It's a physically impossible problem to solve even without requiring perfection.

    Which brings us back to square one, and unsatisfactory mitigations.

    Technology isn't going to solve the problem. Murdering every single individual proven to commit the crime of identity theft? Eh, that's just a *temporary* solution, the world will always breed more criminals.

    There is no final answer. The best solution I can come up with is not storing information. Don't store credit card numbers, customer names and addresses, or anything else. Make them fill in the info each time and destroy it afterward.

    Inconvenient? Yes. Foolproof? No (MITM attacks, site spoofing, etc). But it would certainly eliminate the 1 billion+ account attacks. Might even make them unviable.

    Of course you can't really do that for doctors, dentists, etc. But why do they need my credit card info? Why do they need my address? As long as they have a viable phone number that's all they really need. Until the clever ones use burner phones, of course.

    As I said, this problem is not solvable. Not even to keep it to a dull roar.

  • roger.plowman (1/4/2017)


    It all comes back to "I am who I say I am". How can you prove that with any reliability over distance?

    Short answer, you can't. It's a physically impossible problem to solve even without requiring perfection.

    Which brings us back to square one, and unsatisfactory mitigations.

    Technology isn't going to solve the problem. Murdering every single individual proven to commit the crime of identity theft? Eh, that's just a *temporary* solution, the world will always breed more criminals.

    There is no final answer. The best solution I can come up with is not storing information. Don't store credit card numbers, customer names and addresses, or anything else. Make them fill in the info each time and destroy it afterward.

    Inconvenient? Yes. Foolproof? No (MITM attacks, site spoofing, etc). But it would certainly eliminate the 1 billion+ account attacks. Might even make them unviable.

    Of course you can't really do that for doctors, dentists, etc. But why do they need my credit card info? Why do they need my address? As long as they have a viable phone number that's all they really need. Until the clever ones use burner phones, of course.

    As I said, this problem is not solvable. Not even to keep it to a dull roar.

    Dr offices need to keep your address and info on you for insurance verification and once insurance pays the claim if you are responsible for the balance they need to send you a bill.

  • Markus (1/4/2017)


    roger.plowman (1/4/2017)


    It all comes back to "I am who I say I am". How can you prove that with any reliability over distance?

    Short answer, you can't. It's a physically impossible problem to solve even without requiring perfection.

    Which brings us back to square one, and unsatisfactory mitigations.

    Technology isn't going to solve the problem. Murdering every single individual proven to commit the crime of identity theft? Eh, that's just a *temporary* solution, the world will always breed more criminals.

    There is no final answer. The best solution I can come up with is not storing information. Don't store credit card numbers, customer names and addresses, or anything else. Make them fill in the info each time and destroy it afterward.

    Inconvenient? Yes. Foolproof? No (MITM attacks, site spoofing, etc). But it would certainly eliminate the 1 billion+ account attacks. Might even make them unviable.

    Of course you can't really do that for doctors, dentists, etc. But why do they need my credit card info? Why do they need my address? As long as they have a viable phone number that's all they really need. Until the clever ones use burner phones, of course.

    As I said, this problem is not solvable. Not even to keep it to a dull roar.

    Dr offices need to keep your address and info on you for insurance verification and once insurance pays the claim if you are responsible for the balance they need to send you a bill.

    Thus the "unsolvable" part. 😀

  • You change your credit cards yearly you said, right, Steve? Is that a matter of just calling the CC company and requesting a new card (with a NEW cc number)? Sounds like a good plan I should adopt ASAP.

  • Markus (1/4/2017)


    If there becomes some type of RSA rolling number, then how does one use a credit card to pay for something like a cell phone bill, where your bill is automatically charged to your credit card, if the number changes with every charge...

    No idea. I guess we might move to some sort of 2-factor verification of the charge, or a bank draft type system from the cc account?

  • Michael J. Babcock (1/4/2017)


    You change your credit cards yearly you said, right, Steve? Is that a matter of just calling the CC company and requesting a new card (with a NEW cc number)? Sounds like a good plan I should adopt ASAP.

    You can (or report a loss), but I tend to have one compromised each year as I travel. I've gotten used to the fact that I will need to report something about every year and get a new card. Hence why I carry more than one.

  • Xbox has lost a greater percentage of its revenue from security issues than banks have.

    Banks seem to be accounting for both the costs of implementing security (both in hard dollars and in time for their users) and the benefits.

    412-977-3526 call/text

  • Michael J. Babcock (1/4/2017)


    You change your credit cards yearly you said, right, Steve? Is that a matter of just calling the CC company and requesting a new card (with a NEW cc number)? Sounds like a good plan I should adopt ASAP.

    Sounds good to me too.

  • roger.plowman (1/4/2017)


    It all comes back to "I am who I say I am". How can you prove that with any reliability over distance?

    ...

    That's certainly the foundation of the problem.

    A COMPLETE solution is probably impossible. It may even be provably impossible ;-). In the end, most of the time all we are doing is proving that someone (or some thing) is in possession of a given set of credentials.

    However, looking for a pragmatic solution (which provides an appropriate level of security at a particular time for a particular situation) is the way to go. I'm sure we can do better than we are doing.

    Tom Gillies | LinkedIn Profile | www.DuhallowGreyGeek.com

  • Tom Gillies (1/4/2017)


    roger.plowman (1/4/2017)


    It all comes back to "I am who I say I am". How can you prove that with any reliability over distance?

    ...

    That's certainly the foundation of the problem.

    A COMPLETE solution is probably impossible. It may even be provably impossible ;-). In the end, most of the time all we are doing is proving that someone (or some thing) is in possession of a given set of credentials.

    However, looking for a pragmatic solution (which provides an appropriate level of security at a particular time for a particular situation) is the way to go. I'm sure we can do better than we are doing.

    Probably... but at what cost is the issue? Remember, the Internet was not designed with security in mind.

Viewing 15 posts - 1 through 15 (of 28 total)