Recently, I saw
a report on CNN about a Texas salsa company that was caught shipping their orders using shredded checks as packing material. And they didn't use a cross-cut shredder either, so it was a nest of thin paper strips. This was revealed by an honest customer who decided to push back to say "should they really be doing this?" (I'm paraphrasing.) And to prove this point, the customer pieced together enough material to glean a few people's bank routing and account number, names, addresses and signatures. So the questions is: was this a new discovery? Or are there a few "customers" out there that have been quietly making orders over the years to get a box of valuable, exploitable information (and maybe some picante) delivered right to their door?
But stupid mistakes like this happen all the time. Hundreds of unencrypted laptops and PDAs are lost yearly, many (unfathomably) containing sensitive information about all of us even though encryption solutions have been available for years. And once our information leaks out it can travel around the world instantly.
The real problem is that this ill-gotten information can be used far too easily.
For example, there is a gas station (which I no longer frequent) that has pumps that only have "something you have" factor authentication: if you have a credit card (anybody's credit card), you can buy gas. The self-checkout lanes at a home improvement chain (which I also avoid) will let you charge away as long as you have a credit card--any signature will do. And that's the problem. For far too many companies, the key to an illegal purchase, or logging onto someone's financial account, requires just a single form of authentication: something you have (a stolen credit card) or something you know (a person's account information.)
Yes, activity on these stolen accounts will eventually be disallowed once theft is discovered, but there are those few hours until discovery that the thief has free reign to rack up some substantial charges. And then there is the aftermath for the victim to sort through, which sometimes can take years.
The answer is strong authentication at the point of purchase.
There is a great read at
Red Tape Chronicles that details how bits and pieces of information being sold by the virtual truckload all over the world, which criminals can go through to piece together someone's profile. They eventually get enough information to get the victim's password to a financial site--a costly inference attack.
Perhaps we should accept the fact that privacy is as much a myth as 100% security, and insist that the stores and financial institutions we patronize implement stronger forms of authentication, such as 2-factor authentication. Fellow blogger
Tim Bass has also written about this need. There are some
banks and other
financial sites that have begin to pay attention. But for now they are the exception. Let's hope this proactive stance continues to spread, and at an exponential rate, because there's a lot of catching up to do.
More...
09-01-2008
