Comments on: Mastercard Security Breach Affects 40 Million Cards http://www.robhyndman.com/2005/06/17/mastercard-security-breach-affects-40-million-cards/ any technology distinguishable from magic is not sufficiently advanced Tue, 23 Feb 2010 15:33:03 -0800 http://wordpress.org/?v=2.9 hourly 1 By: Tad McIlwraith http://www.robhyndman.com/2005/06/17/mastercard-security-breach-affects-40-million-cards/comment-page-1/#comment-122 Tad McIlwraith Sat, 18 Jun 2005 14:43:23 +0000 http://www.robhyndman.com/2005/06/17/mastercard-security-breach-affects-40-million-cards/#comment-122 Thanks Rob ... I feel a whole lot better ! At least your answer is satisfactory, thorough, and well thought ... Thanks Rob … I feel a whole lot better ! At least your answer is satisfactory, thorough, and well thought …

]]> By: Rob Hyndman http://www.robhyndman.com/2005/06/17/mastercard-security-breach-affects-40-million-cards/comment-page-1/#comment-121 Rob Hyndman Sat, 18 Jun 2005 11:34:09 +0000 http://www.robhyndman.com/2005/06/17/mastercard-security-breach-affects-40-million-cards/#comment-121 Well, I think two things are happening. First, a new California law that requires notification of unintended disclosure (with many others like it about to be made into law) is publicizing what has been going on for years. Second, the scope and complexity of data aggregation has dramatically increased in recent years, leaving us far more vulnerable to these kinds of security issues. Those who collect and aggregate data have been able to "live in the shadows" for a long time and have gotten by doing less than they should. That's ending now - the series of almost nightmarish disclosures we've seen recently has dramatically focussed attention on the issue and I think the industry is going to shape up fast. And so too will many other businesses who store data. The consequences of not doing enough - particularly adverse publicity - are becoming too serious to ignore. I think we'll see a trickle down or meat-in-the-sandwich effect start to occur - at one end, the credit card companies need to limit cardholder liability in order to maintain the viability of the entire system. At the other, merchants are exposed to losses when fraudsters use credit card info to steal goods and services. In between, underneath of the credit card companies, anyone who manages data and exposes it to risk is going to start get sued for the consequences. BJ's is an example: http://www.robhyndman.com/2005/06/17/bjs-settles-data-breach-case-with-ftc/ They are getting sued by merchants who lost goods and services because of the data breach. Merchants will start to lose patience with a system that lets the banks and card issuers off the hook and they will start to press them to set higher standards and police them more aggressively. And with the U.S. Congress getting involved in this (this issue is good politics) that will likely happen faster rather than sooner. But in any event, at the end of the day, there are fundamental problems with the way information technology systems manage security, and this will be a problem for a long time. I've really enjoyed reading Bruce Schneier's books about security for background info on this - particularly "Secrets and Lies". I think there is very little the individual can do. Other than restrict use of your card. But in this case, the breach was at a processor - so anyone who used their card at any merchant was potentially at risk. So, no easy answer. Well, I think two things are happening. First, a new California law that requires notification of unintended disclosure (with many others like it about to be made into law) is publicizing what has been going on for years. Second, the scope and complexity of data aggregation has dramatically increased in recent years, leaving us far more vulnerable to these kinds of security issues.

Those who collect and aggregate data have been able to “live in the shadows” for a long time and have gotten by doing less than they should. That’s ending now – the series of almost nightmarish disclosures we’ve seen recently has dramatically focussed attention on the issue and I think the industry is going to shape up fast. And so too will many other businesses who store data. The consequences of not doing enough – particularly adverse publicity – are becoming too serious to ignore.

I think we’ll see a trickle down or meat-in-the-sandwich effect start to occur – at one end, the credit card companies need to limit cardholder liability in order to maintain the viability of the entire system. At the other, merchants are exposed to losses when fraudsters use credit card info to steal goods and services. In between, underneath of the credit card companies, anyone who manages data and exposes it to risk is going to start get sued for the consequences. BJ’s is an example:

http://www.robhyndman.com/2005/06/17/bjs-settles-data-breach-case-with-ftc/

They are getting sued by merchants who lost goods and services because of the data breach. Merchants will start to lose patience with a system that lets the banks and card issuers off the hook and they will start to press them to set higher standards and police them more aggressively. And with the U.S. Congress getting involved in this (this issue is good politics) that will likely happen faster rather than sooner.

But in any event, at the end of the day, there are fundamental problems with the way information technology systems manage security, and this will be a problem for a long time. I’ve really enjoyed reading Bruce Schneier’s books about security for background info on this – particularly “Secrets and Lies”.

I think there is very little the individual can do. Other than restrict use of your card. But in this case, the breach was at a processor – so anyone who used their card at any merchant was potentially at risk. So, no easy answer.

]]> By: Tad McIlwraith http://www.robhyndman.com/2005/06/17/mastercard-security-breach-affects-40-million-cards/comment-page-1/#comment-120 Tad McIlwraith Sat, 18 Jun 2005 04:04:59 +0000 http://www.robhyndman.com/2005/06/17/mastercard-security-breach-affects-40-million-cards/#comment-120 What's the answer here, Rob? Is it simply that the security software is shoddy and that the security technology needs to catch up with the consumer-driven technology, if you get my meaning? Do you advocate the end of credit and debit card use? I see you frequent posts about these breaches, but I really don't know how to use the information to help myself. Can I? It seems so out of my hands. What’s the answer here, Rob? Is it simply that the security software is shoddy and that the security technology needs to catch up with the consumer-driven technology, if you get my meaning? Do you advocate the end of credit and debit card use?

I see you frequent posts about these breaches, but I really don’t know how to use the information to help myself. Can I? It seems so out of my hands.

]]>