
December 20, 2006

Year in review

It is that time of year again, so I am going to take a moment and review what has happened over the course of the last year and speculate about the future.

Information security was one of the hot-button issues on the Web in 2006. The struggle between the good guys and the bad guys on the Internet kept shifting from one area to another: many security problems were fixed, yet new high-profile breaches were reported almost monthly. In my view, to a large extent 2006 was a year of lip service to security: more talk than real action aimed at deploying new and better Internet security technologies.

With the trends of e-commerce and software-as-service on the Net accelerating, the issues of information security will continue to be at the center of attention next year. Let's hope that in 2007 we will transition from lip-service to much more real security improvements. We all will be better off this way, minus the bad guys, that is.

December 10, 2006

Reinventing the Payment Industry? Not!

I stumbled upon an article by the chief risk officer at Master Card talking about his company's perspective on security for magnetic stripe cards. Boy, a great way to talk a lot but say little of substance!

It appears that this industry is satisfied with the security of mag-stripe cards in the US because of the magical three digits on the back of each card! Are they kidding? It must never have occurred to them that anybody who steals your card, or merely holds it for a short time, can impersonate you and make fraudulent transactions with it. For example, a waiter at a restaurant can copy all of the numbers on your card and make transactions at their convenience. Even if a swipe is required to perform the transaction, it is not a problem; they have a window of opportunity to do it. Remember that in the US the standard practice is to take the card to the back room to initiate the transaction? I know this is not a fantasy: in the past my card has been fraudulently charged by an employee of a restaurant in my city.

Why can't this industry get us to the level of security that people in Europe enjoy? Not only do Europeans use smart cards, but the whole ritual of paying with a card at a restaurant is quite different there: the waiter brings a portable payment terminal to your table, you insert your card, key in your PIN, and thus authorize the charge. The card never leaves your sight, so the waiter has zero opportunity to steal your money.

December 06, 2006

Internet security: a real or perceived problem?

There appears to be widespread confusion about security on the Internet. Over the course of the last few years the problems of on-line identity theft, on-line banking fraud, and all kinds of other hacking have been on the rise, at least judging by the increase in reports of such problems in the mainstream media, the financial losses reported by some on-line brokerages, and the growth of the information security industry.

One would think that, given all that, service providers on the Internet would take these issues seriously and come up with real security improvements. Reportedly many have. Unfortunately, I have yet to find one of the providers I use that has deployed real security improvements that would make me feel at ease when I visit them. Instead, the most prominent "improvement" I see on many sites I visit is a picture of a lock, a variation of the padlock image shown to the right. Certainly, it is a nice picture and it conveys a sense of security, but I know for a fact that nothing has improved on my end. I also know that the gap across the Internet between my client computer and the remote server is big. So, a picture alone cannot make this feeling justified. The providers I am talking about are prominent names in the financial industry and they have a lot at stake when it comes to customer confidence. Yet they seem to think that as long as they make their customers feel good about the on-line experience, that is all that is needed to tackle the security problems on the Internet. In other words, to them security is a problem of perception, not of reality.

What is going on? Are these businesses out of touch with their customers? I think yes, to some extent. The service providers seem to justify their approach by saying that the on-line fraud problem is hyped and that it affects a small number of people. Their position also implies that the whole issue can be handled through business insurance alone. Never mind that people who fall victim to on-line fraud suffer real pain. Never mind that the dollar value associated with each instance of on-line theft is rising.

This issue reminds me of the situation in transportation. It is a fact that the number of people in the United States involved in car accidents is small compared to the total number of people driving. It is also a fact that society as a whole would not be at risk even if all traffic accidents were fatal. So, why don't we say that because of this we are not going to demand real safety improvements from the auto industry, such as seat belts, airbags, anti-lock brakes, traction control, and so on?

We know all too well that without such safety improvements, innocent lives will be badly affected. The real-life cases of car accident victims provide powerful examples of what may happen to us and the public as a whole is conditioned to not tolerate avoidable disasters. Hence, the auto industry safety regulations.

The approach some on-line service providers seem to be taking is different. By implying that the risks on the Internet are not real, they want to convey the message that the consequences of on-line fraud are not quite as painful as those of other real-life risks, and to condition the public at large to accept this.

I think, however, that we owe it to the victims of on-line fraud, whose (financial) lives have been ruined, to demand better. Handling this issue through business insurance alone does an injustice to the people who get slammed with fraud, mostly because their service providers chose to deal with Internet security problems on the cheap. We must change the way liabilities for Internet fraud are assessed, so that real security solutions become more economically favorable than insurance. Business is business, and economic efficiency is the bedrock of any corporation.
