Interesting.
Regards,
Thomas Berg
_______________________________________________________
Thomas Berg
Specialist AM/SM&S
SWEDBANK AB (publ)

> -----Original message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On behalf of Anne & Lynn Wheeler
> Sent: 15 July 2012 19:18
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Yahoo Password Breach: 7 Lessons Learned - Security -
> Attacks/breaches - Informationweek
>
> scott_j_f...@yahoo.com (Scott Ford) writes:
> > Very true..but still I think Yahoo has a responsibility to their
> > customers
>
> We were tangentially involved in the cal. data breach notification act
> (the "original" notification act) having been brought in to help
> wordsmith the cal. electronic signature act.
>
> several of the participants were involved in privacy issues and had done
> extensive surveys. the #1 issue from the surveys, was identity theft,
> primarily the form involving account fraud (fraudulent financial
> transactions) primarily as result of data breaches. There seemed to be
> little or nothing being done about the problem and there was some hope
> that the publicity from the notifications would motivate
> countermeasures. The issue was security measures are usually taken for
> self-protection, the problem was that the institutions with the data
> breaches had little at risk ... it was their clients/customers that were
> suffering the fraud ... and so they had no motivation to take corrective
> action. Since then the proposed federal legislation has been about
> evenly divided between requirements similar to the original cal. bill
> and those that eliminate most requirements for notifications (sometimes
> disguised by requiring that breach involve multiple different kinds of
> personal information that doesn't occur in the real world).
>
> The same organizations were in the process of doing a Cal. "opt-in"
> privacy bill (institutions can only share personal information when
> authorized by individual).
>
> GLBA is better known for repeal of "Glass-Steagall". However the
> rhetoric on the floor of congress was that the primary purpose of GLBA
> was to allow those with bank charters to keep them, but prevent anybody
> else from getting bank charters (eliminate competition). However,
> another provision in GLBA was "opt-out" privacy sharing (institutions
> can share personal information unless they have record of individual
> objecting; federal preemption of state laws). At 2004 annual privacy
> conference in DC during panel with FTC commissioners, an individual
> asked from the floor if the FTC was going to do anything about
> "opt-out". They said they were involved with most of the major financial
> call-centers and none of the "opt-out" call lines were equipped to
> record any information from "opt-out" calls (so the institutions could
> claim they could share since there was no record of objections).
>
> The major motivation for cyberattacks and breaches has been being able
> to use stolen account info for fraudulent financial transactions. A
> problem is the business process is severely misaligned.
>
> The value of the information to the merchant is profit on the
> transaction (possibly couple dollars; for transaction processor possibly
> a few cents). The value of the information to the crook is the account
> balance and/or credit limit. As a result the attackers may be able to
> outspend by a factor of 100 times (what the defenders can afford to
> spend on security measures).
>
> The account information is also required in dozens of business processes
> at millions of locations on the planet. At the same time the threat of
> fraudulent transactions requires that the account information is kept
> confidential and never divulged. We've claimed that with the
> diametrically opposing requirements, even if the planet was buried under
> miles of information hiding encryption, it still wouldn't be able to
> stop information leakage.
>
> In the past, the merchants have been told that a large part of the
> interchange fee (value subtracted from amount received by merchants) has
> been tightly tied to the respective fraud rates ... resulting in studies
> that financial infrastructure makes a large profit from fraudulent
> transactions ... eliminating any motivation to change the paradigm and
> correctly align the business process to eliminate fraud. Furthermore,
> crooks would likely move attacks to the next lowest hanging part of the
> financial infrastructure (which doesn't involve merchants; no
> justification to charge hefty profit fee whenever there are fraudulent
> losses).
>
> --
> virtualization experience starting Jan1968, online at home since Mar1970
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN