April 2, 2008 at 5:38 am
Biometric -- If a system is storing this information, and it's been approved for security purposes, find another job. Biometrics are of poor quality for use as a means of authentication, as they cannot be easily replaced if compromised. For a more in-depth review of biometrics in regard to security, I refer you to Kim Cameron's blog: http://www.identityblog.com/, search for "biometric".
Medical Information -- Highest risk, and highest value target at this point in time. It appears that several software development houses are taking a "catch me if you can" attitude toward HIPAA. This makes it a low-threshold threat vector, and may result in data, including Soc. Sec., insurance, and credit being indirectly compromised as the result of a single-point attack.
Credit Card Information -- High risk, lower value than medical information as a target at this time. Mechanisms are currently in place and in use to mitigate this threat. Active enforcement regarding this threat has also reduced the value of this target when compared to biometric and medical information.
April 2, 2008 at 6:03 am
Whilst it is true that a "biometric", such as the unique pattern of an iris, cannot easily be replaced, the electronic record of a biometric scan can be replaced/updated. I would put good money on the fact that a biometric fingerprint held by, for example, the Immigration Service, will be completely different to the biometric fingerprint held by your Lenovo laptop. Plus, as I mentioned earlier, just having (i.e. stealing) someone else's biometric fingerprint is not necessarily of any practical use.
As for biometrics being of "poor quality" as a means for authentication.... a plain-text password is foolproof and reliable and 100% effective????
But I digress from Steve's original question.
Andy
April 2, 2008 at 10:46 am
As someone who, during a period of severe underemployment, worked indirectly for a major credit card company, I have a great understanding of how dangerous it is for ANY identifying data to be available to miscreants. From a name, birthdate and the ending digits of a credit card number, I could look up that account for the customer. From there, I could access that customer's personal information and any other accounts that customer might have with the company I worked for. Another command would retrieve the customer's current credit report. This data was made available at my fingertips by the company and there were times I needed it to properly service the customer.

While many companies, especially the financial services companies, are covered by the Fair Credit Reporting Act and other consumer protection laws, there are a host of other companies who archive personal information that design their services to be exempt from these laws. There are companies based in third world countries which have NO data protection rules whatsoever. Many of these do not care about the accuracy of their data. Using Net 2.0 services, it would not be difficult to find out anything written (accurate or not) about almost anyone by cross querying a group of databases. This information may then be used against the person when they apply for a job, lease an apartment, fall under government suspicion or run for political office. This is what is really scary!

It does not matter whether you start with biometric data, credit card data, driver's license number or student identification number, the nefarious can get the information they want. It is a good thing that most crooks are not smart and that most smart people are basically honest!
April 2, 2008 at 11:07 am
true dat!