  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    How businesses fail to protect customer info

    TOP STORY

    By Doug Spindler

    Most Internet users should know by now that personal digital security is in large part our own choice and responsibility. But in truth, our electronic security is also in the hands of the companies we do business with — and they're not all taking that fact seriously.

    The full text of this column is posted at windowssecrets.com/top-story/how-businesses-fail-to-protect-customer-info (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by Tracey Capen; 2014-11-05 at 19:13.

  2. #2
    New Lounger
    Join Date
    Oct 2008
    Posts
    6
    Thanks
    0
    Thanked 3 Times in 2 Posts
    I appreciate the info in the current item about what businesses need to do to protect customer data. But it seems to me that you neglected to mention one company that seems to me particularly culpable. A year ago Adobe had some 40 million customers' credit card and other account data stolen. One might imagine that Adobe, a major software company, could have a functioning staff of people protecting that information.

  3. #3
    New Lounger
    Join Date
    Nov 2014
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you for the fine article, Mr. Spindler. There is one point you may not be aware of - while changing a password standard may be easily implemented with a minimum of worry as to the impact on other systems, other changes sometimes need to be vetted to a much greater degree. Many POS system upgrades and rollouts take years to build and test due to the massive complexity of these systems. Large retailers have to lab test and beta test system modifications quite thoroughly prior to rolling them out. Failure could cost the company millions of dollars very rapidly.

    This is not a defense of Home Depot's delay(?) in upgrading their security as much as it is pointing out that since Target was hacked via a third party HVAC system access (SCADA systems have been long known to be very vulnerable), working with at least one other party, making sure the security in place works and doesn't create havoc is a much more complex undertaking than a simple password configuration change for online accounts.

    I agree in today's world, if I were CIO of a corporation, I would insist on pen testing of any vendor network that connected to my network in such a manner. I would also insist on pen testing of my own systems. I would also insist on maximizing security at every level, which Home Depot neglected to do, against the recommendations of multiple Security Consultants and vendors. While this is not a guarantee this would have stopped the attack, it could have raised the alarm more rapidly, if monitoring was being attended to.

    Unfortunately for them, Home Depot has had turnover in its I.T. Department and this creates a lot of problems. Many companies do not invest in their I.T. departments enough. I.T. in general and Security in particular is still seen as a black hole in which companies pour money, but it's difficult to put a dollar value on how much a given implementation has saved a company. This creates enormous challenges when trying to convince a CFO of the value of a costly change. CFOs want to see Returns On Investment. How do you show a return on something NOT happening? Yes, now we can say, Target lost millions and their business hasn't recovered and they must redouble marketing dollars to compensate and continue to make examples from there. However, it's still a difficult sell. Unfortunately.

    These are large, complex systems and making changes to them is typically akin to turning a large cruise ship, not a speed boat.

  4. #4
    Lounger
    Join Date
    Dec 2009
    Location
    Ottawa, ON, Canada
    Posts
    43
    Thanks
    0
    Thanked 1 Time in 1 Post
    Mr Spindler: It's good to see that some companies are receptive to input on how to make their passwords more secure. In Canada, two of the biggest internet providers in the country - Bell and Rogers - will not permit any special characters in their passwords. I've written on several occasions, but they clearly do not care about security.

    It's ironic that companies in the internet provision business care so little about the security of their internet clients and their internet information. I suspect that these two "market leaders" will wait until one of them suffers a huge and expensive data breach, then they will both, like lemmings jumping off the cliff, wake up and fix things. Until then, their clients' accounts are at risk.

  5. #5
    Lounger
    Join Date
    Jun 2012
    Posts
    26
    Thanks
    0
    Thanked 1 Time in 1 Post

    Hospital data security - post contract testing

    "I told my colleague that his “unofficial” testing was probably illegal. While under contract, he had permission to connect to and analyze the hospital’s network. But once he’d submitted his report and the contract was complete, he had no right to perform the additional tests. I recommended that he stop his extra curricular activities and instead file a report on the U.S. Department of Health and Human Services (HHS) website."

    That is all very well, but unless he did post-contract testing how would he know that they had not improved security? And is filing a report now effectively admitting to illegal activity? Is there such a thing as a "public interest" defence in the US (I am in the UK), and would it apply in these circumstances?

    Alternatively, to file a report with the HHS website at the same time as he filed his final report with the hospital, is probably unprofessional and would possibly lead to problems in getting his final bill paid!

    So should he include in his standard terms the right to perform post-contract tests? How many clients would agree to such terms?

  6. #6
    New Lounger
    Join Date
    Dec 2009
    Location
    Richmond, Virginia
    Posts
    6
    Thanks
    0
    Thanked 2 Times in 1 Post
    This is a bit of a "sore point" for me given the extent to which so many companies still use "mother's maiden name" as the first option for a password. I am a professional genealogist with a considerable volume of my work done for courts, either at the specific request of a court or for attorneys who will then present my work to a court, with one of the things I do as a result on an almost daily basis being establishing the maiden name of someone's mother.

    As a result of the continuation of mother's maiden name as part of the standard security protocol, restrictions have been placed on access to some of the means I use to get such information, but does not stop me from doing my work, only made what I ultimately must bill for the same higher.

    Thus, I have always considered classification of "mother's maiden name" as a JOKE, not just informing ANY business who suggests such the reason why it is a joke, but also that if, at a minimum, I am not provided with another option, I will take my business elsewhere.

    Not only am I a big proponent for using special characters, with them, I find it much easier not just to come up with passwords that make sense only to me, but are also easier to remember as the symbols tend to be "clues" if not to the specific password I have chosen, then the reason for my using the same.

  7. #7
    New Lounger
    Join Date
    Jun 2012
    Posts
    4
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I have found that some employees of big box stores like Home Depot and Lowes ask for "the last four digits" on a credit card I give them and then just use the last four digits of the raised-character credit card number, not the security code (as in American Express, above the card number). So many of them do this I wonder how it might affect my security as a customer at those stores.

  8. #8
    New Lounger
    Join Date
    Apr 2014
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Securing credit card accounts is a fixable problem: (1) Use virtual, one-time only card numbers with time and dollar limits for on-line purchases (2) Use PIN priority EMV (chipped) cards for brick&mortar purchases. This likely won't be done without government intervention. Consumers may not have to pay for fraud but they are largely left on their own to clean up the mess. Next October, the banks will shift as much fraud liability to merchants as they can. Merchants will attempt to shift that liability to consumers. We'll see what happens.

  9. #9
    Lounger
    Join Date
    Jun 2012
    Posts
    26
    Thanks
    0
    Thanked 1 Time in 1 Post
    My bank uses:
    Place of Birth (per FreeBMD.org)
    Date of Birth (per Birth Certificate)
    Mother's Maiden Name (per FreeBMD)
    Plus a memorable place and a memorable date.
    Random selection of letters from a Password (all letters),

    I found that they require me to truthfully give my date and place of birth, but I can lie about the other "facts" - as long as I can remember that the response to "my memorable place" is (say) "Armistice Day" and to "my mother's maiden name" is (say) "Park Lane Hotel".

    The place and date of birth has to be "honest" to meet "money laundering regulations"! So they have mixed their transaction security systems and procedures with their account opening systems and procedures!

  10. #10
    New Lounger
    Join Date
    Nov 2014
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I use KeePass to manage strong passwords. This really makes strong passwords usable: I don't have to make them something I can memorize and more importantly I don't have to type a large number of random characters.
    EXCEPT! Some companies (LPL,PayPal,...) have decided that somehow their edit controls provided for entering and/or confirming passwords should have the paste property disabled. I have written to LPL and complained to PayPal that this practice discourages strong passwords - no response!!
    I have tried to find some justification for this practice but so far it seems like an IT prank to annoy customers and weaken user security.

  11. #11
    New Lounger scottls
    Join Date
    Feb 2012
    Posts
    15
    Thanks
    3
    Thanked 1 Time in 1 Post
    My security practices!-
    1. I use free LastPass to store my passwords/CC#s, and free Zemana AntiLogger to encrypt keystrokes (foils keyloggers).
    2. When paying bills/purchases- I Never allow them to store my CC# (1 time purchase...).
    3. I Never copy/paste CC#s..., as that info is copied to your insecure Clipboard.
    Win 7 Pro (x86). ESET Smart Security, free Zemana AntiLogger (encrypts keystrokes), free LastPass password/CC manager, and no other active anti-malware.
    Free on-demand AVs- old/fast MBAM (no Pro/Context!), Emsisoft Emergency Kit.
    i5-2500 CPU @ 3.67GHz, WD VelociRaptor sata6 10k rpm/64mb cache HDD's (WOW!).

  12. #12
    Silver Lounger wavy
    Join Date
    Dec 2009
    Location
    ny
    Posts
    2,378
    Thanks
    235
    Thanked 147 Times in 136 Posts
    Some companies (LPL,PayPal,...) have decided that somehow their edit controls provided for entering and/or confirming passwords should have the paste property disabled.
    I too have encountered that problem, typing in a 25 character pw is a royal PITA. I wrote Roboform as to whether their product could overcome that but never got a response. Does anyone know of a pw program that would work ?

    Yeah cutnpaste is maybe not as secure as a password program but I do password first then username.

    David

    Just because you don't know where you are going doesn't mean any road will get you there.
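Posts #10 and #12 above describe login pages whose password fields reject paste, which forces users to type long passwords by hand and so discourages password managers. As an added example (not code from the thread or from any of the sites named in it), the following Python script audits a login form's HTML for the attributes that cause that: paste/copy/drop event handlers, a small `maxlength`, and `autocomplete="off"`. The two form fragments are constructed for the example; the 64-character threshold is an assumption chosen to accommodate generated passwords.

```python
"""Audit a login form for attributes that block password managers.

Added example, not from the thread.  Parses HTML with the standard
library and flags password inputs whose attributes push users toward
short, hand-typed passwords.  The forms below are constructed samples.
"""
from html.parser import HTMLParser

# Constructed sample: the same field in a "weak" form (paste blocked,
# short maxlength, autocomplete off) and in a "fixed" form.
WEAK_FORM = """
<form id="login">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" maxlength="16" autocomplete="off"
         onpaste="return false;" oncopy="return false;">
</form>
"""

FIXED_FORM = """
<form id="login">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" maxlength="128" autocomplete="current-password">
</form>
"""

# Assumption for this example: caps below this reject generated passwords.
MIN_LENGTH_CAP = 64


class PasswordFieldCollector(HTMLParser):
    """Collect the attribute dict of every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser already lowercases attribute names; normalise None values
        a = {k: (v if v is not None else "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            self.fields.append(a)


def audit_field(attrs):
    """Return a list of findings for one password input's attributes."""
    findings = []
    for handler in ("onpaste", "oncopy", "oncut", "ondrop"):
        if handler in attrs:
            findings.append(f"{handler} handler set: blocks password managers")
    cap = attrs.get("maxlength")
    if cap is not None and cap.isdigit() and int(cap) < MIN_LENGTH_CAP:
        findings.append(f"maxlength={cap} caps password length below {MIN_LENGTH_CAP}")
    if attrs.get("autocomplete", "").lower() == "off":
        findings.append("autocomplete=off discourages browser/manager autofill")
    return findings


def audit_form(html):
    """Audit every password field in an HTML fragment; returns {name: findings}."""
    parser = PasswordFieldCollector()
    parser.feed(html)
    return {f.get("name", "?"): audit_field(f) for f in parser.fields}


if __name__ == "__main__":
    for label, form in (("weak", WEAK_FORM), ("fixed", FIXED_FORM)):
        for name, findings in audit_form(form).items():
            print(f"[{label}] field {name!r}: {findings or 'no issues'}")
```

Run against the weak form the audit reports four findings on the `pass` field and none on the fixed form; the fixed form keeps a generous `maxlength` and uses `autocomplete="current-password"`, which is what lets a manager fill the field without the user typing anything.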

  13. #13
    3 Star Lounger
    Join Date
    Dec 2009
    Location
    Bozeman, MT
    Posts
    328
    Thanks
    2
    Thanked 3 Times in 3 Posts
    Thanks for the article. One area not touched on is how many bank credit cards and other firms using credit cards include the full account/card number on their statements. This not only opens the way for someone rifling garbage, but also online where those statements are typically available.

    To jr093: Yes, IT turnover can be a problem, but major turnover is typically the result of employee demoralization at companies that don't want to spend the money necessary to staff and run a top rate IT operation and website. Much of IT spending is still done begrudgingly, seen as accounting and other necessary overhead in the current marketplace. What's not seen is how skimping creates a potential bomb that could seriously undermine major portions of the business. But that's the venality of American capitalism.
    Last edited by highstream; 2014-11-07 at 12:52.
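The post above objects to statements that print the full card number, and post #7 raises the related confusion between the last four digits and the card security code. As an added example (not code from the thread), here is a Python helper that truncates a primary account number (PAN) for display, validating the Luhn check digit first so that garbage is not masked into something that looks legitimate, and a companion scan that finds unmasked PANs in statement text. The display limit of at most the first six and last four digits is the PCI DSS rule; the card numbers in the test are standard constructed test values, not real accounts.

```python
"""Mask a PAN for display and scan text for unmasked ones.

Added example, not from the thread.  Card numbers used here are
constructed test values.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str, keep_prefix: int = 0, keep_suffix: int = 4) -> str:
    """Return the PAN with all but the allowed leading/trailing digits masked.

    keep_prefix <= 6 and keep_suffix <= 4 stay within the PCI DSS display
    limit; a wider request is refused rather than silently honoured.
    """
    digits = re.sub(r"[ \-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    if not luhn_ok(digits):
        raise ValueError("Luhn check failed")
    if not (0 <= keep_prefix <= 6 and 0 <= keep_suffix <= 4):
        raise ValueError("requested visibility exceeds PCI DSS display limit")
    hidden = len(digits) - keep_prefix - keep_suffix
    return digits[:keep_prefix] + "*" * hidden + digits[len(digits) - keep_suffix:]


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text (a DLP-style check).

    Use this on statement templates or outbound mail to catch the
    full-number leak the post above describes.
    """
    hits = []
    for m in re.finditer(r"(?:\d[ \-]?){13,19}", text):
        digits = re.sub(r"[ \-]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed statement line containing a well-known test card number.
    line = "Acct 4111 1111 1111 1111 charged 42.00"
    print("unmasked:", find_unmasked_pans(line))
    print("display form:", mask_pan("4111 1111 1111 1111"))
    print("BIN + last4:", mask_pan("4111 1111 1111 1111", keep_prefix=6))
```

Note that the last four digits are public by design (they appear on every receipt), which is why they identify a card but do not authenticate its holder; the security code is never stored or printed at all, so neither function has any reason to handle it.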


  15. #14
    Silver Lounger RolandJS
    Join Date
    Dec 2009
    Location
    Austin metro area TX USA
    Posts
    1,733
    Thanks
    95
    Thanked 128 Times in 125 Posts
    " I have always considered classification of "mother's maiden name" as a JOKE..."
    What I've done to 'What is your mother's maiden name?' is: Her2468NameIs1357Nameless
    Let a hacker try to uncover that one. I do have to keep a list of these things somewhere.
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  16. #15
    New Lounger scottls
    Join Date
    Feb 2012
    Posts
    15
    Thanks
    3
    Thanked 1 Time in 1 Post
    Quote Originally Posted by RolandJS View Post
    " I have always considered classification of "mother's maiden name" as a JOKE..."
    What I've done to 'What is your mother's maiden name?' is: Her2468NameIs1357Nameless
    Let a hacker try to uncover that one. I do have to keep a list of these things somewhere.
    When I call financial/... CS, they often ask for my mother's maiden name for acct. verification-
    If I was on the road with no access to a long-string name list, I'd be SOL!- I use only 1 complex Maiden name for All, that I can remember. Maybe not as secure?, but I'm not locked out!

    Much the same problem holds true with "Trying" to log onto my accts..., from another users computer without the aid of my LastPass PW manager (NOT, unless they also have LastPass installed for Login!?)- I Refuse to use the same PW twice as they may be hacked, and I don't have an answer to this dilemma???
    Win 7 Pro (x86). ESET Smart Security, free Zemana AntiLogger (encrypts keystrokes), free LastPass password/CC manager, and no other active anti-malware.
    Free on-demand AVs- old/fast MBAM (no Pro/Context!), Emsisoft Emergency Kit.
    i5-2500 CPU @ 3.67GHz, WD VelociRaptor sata6 10k rpm/64mb cache HDD's (WOW!).
