The Credit Debate

  • Comments posted to this topic are about the item The Credit Debate

  • Biometric. As a consumer, if my credit card data are stolen I can cancel them and get new cards. If my biometric data are stolen, I can't easily get new irises or fingerprints (nor would I be willing to). Security for that reason must be much, much greater than we currently have.

    If I'm building a device to store biometric data for your 'home garage door opener', I need to ensure that it can't be easily broken and those data used to access your bank account. Of course, a garage door opener won't have the resolution of a bank's biometric data, but another bank's database will. As might a building's security system.

  • If I'm honest, I think the question's being tackled from the wrong end. As Steve alluded, it's the (mis)use, potential or real, to which the data is put that is the important factor, not what type of data it is.

    As a person, consumer and parent, I'm more concerned about my family's safety than that of my bank account, so I value the security of my children's name and address data more than that of my credit card number. However, as a DBA, I know many companies might get twitchier about a credit card number being mistakenly disclosed than someone's address.

    I think the important thing, therefore, is to have an accurate picture of which areas of data under your responsibility are most important to keep secure, and the damage that not doing so could cause.

    Semper in excretia, suus solum profundum variat

  • As a DBA, the unauthorised copying of any data under my control would be deeply embarrassing. But that wasn't your question!

    My first thoughts were the same as Adam's. But then I started thinking about practical uses of stolen data. Credit Card data can be used instantly for financial gain, with very little chance of being caught.

    What would I do with stolen biometric data? I suppose I could try and sell it, but what would the buyer do with it? Break into someone's garage? You have the biometric data, but that doesn't allow you to circumvent the fingerprint scanner bolted to the wall. You would have to access the main computer which processes the scans. Which means you would have to break into the house first....

    And at airports and banks? What possible use is a USB stick with stolen biometric data, when the security guard tells you to look into the iris scanner? In theory latex fingerprints and contact lenses can be made from biometric data, but this is hardly within the realms of most criminals.

  • You would have to be insane to contemplate storing biometric data, especially en masse. While only in its infancy biometric data is the holy grail of identity theft. It can't be (easily) changed by a person, and theft is the *least* of your problems.

    Consider if a bad guy wanted access and compromised your system. He substitutes his biometrics for X, he's in and nobody the wiser. When he's done, he switches back.

    Perfect crime.

    Biometrics, a *REALLLY BAD IDEA*. Especially if it becomes widespread.

  • Honestly, neither.

    What scares me is medical data. I was working for a software start-up that provided software to doctors. Not only did it store full patient history, but it had diagnostic software to help the doctor perform a quick diagnosis of the patients. It was a horror show of an app, built over a series of years on top of what was originally a Paradox database. One day, one of the nurses that worked with us said to me, "We're going to kill someone with this." And she meant it. I started looking for new work immediately.

    Killing people scares me. Losing their money concerns me, but it doesn't scare me.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • The danger of lost biometric data is far more, though at the moment it is of minimal use. But things like SS, bank account info, etc can be changed if compromised, your bio data cannot. So 15 years from now when it's used extensively for everything from employment to insurance, you will at best be constantly putting out fires, or at worst have your reputation and finance in constant ruin.

    btw why would anyone use biometrics on a garage door?

    ...

    -- FORTRAN manual for Xerox Computers --

  • Grant Fritchey (3/28/2008)


    Honestly, neither.

    What scares me is medical data.

    I have to agree. Medical data is definitely its own kind of stress. That's what I've been dealing with for the past 10 years, from confidential clinical drug trial data, to HIPAA protected disease surveillance data, insurance claims, and clinical encounter data. I don't think that working with either financial or biometric data would be as harrowing.

  • Grant Fritchey (3/28/2008)


    Honestly, neither.

    What scares me is medical data. I was working for a software start-up that provided software to doctors. Not only did it store full patient history, but it had diagnostic software to help the doctor perform a quick diagnosis of the patients. It was a horror show of an app, built over a series of years on top of what was originally a Paradox database. One day, one of the nurses that worked with us said to me, "We're going to kill someone with this." And she meant it. I started looking for new work immediately.

    Killing people scares me. Losing their money concerns me, but it doesn't scare me.

    Agreed. I've been involved in a series of these kinds of scenarios and it's pressure I'm just not comfortable with. It's scary stuff to have to handle. Credit can be repaired, but killing someone with bad data is a one-way ticket: there's no "replaying the transaction logs" for that. I've steered clear as much as possible from being involved in direct patient care systems.

    The turning point: I was once asked to be on an eval team for an RFID system to identify patients. The RFID badges were integrated into the order system, which would then send info to machines around the patient. The problem was - the effective range of the badges was 1-2 feet, which worked great under normal circumstances; when the patient had a problem though, machines routinely get shoved out of the way...and often into the effective range of the OTHER patient in the room. So the machine starts prompting that the "orders"/dosage, etc... have changed.....The system ended up being scrapped at our hospital, and purportedly updated so that doesn't happen any more, but still - that's a level of perfection I just plain don't want to have to live up to. I have a hard enough time sleeping, and that's with a clear conscience.

    As an aside - the kind of depth and breadth of information you get on people in addition to all of their health info is astounding enough. Why bother going after just credit card info when you can get their payment info AND every piece of demographic info you'd ever need on them, their family members, the family's financial info....

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • I am not an old bird but it seems like there was a time when a credit card was something important. Over time the security around a credit card has become more passé. The merchant no longer checks the signature panel, a signature is no longer required for a purchase under a specified dollar amount, you all but receive an activated card in the mail during a marketing promotion. It was much more difficult for you to "lend" your financial identity to someone or have it taken by someone in the past. Now credit cards are known to have these weaknesses and people don't trust them as much. It’s not an item I would pin my identity to anymore.

    So the question I see is what will happen when we evolve and biometric data becomes treated in the same manner. What would happen if I no longer trusted my own fingerprints or retinal scan? Would I have an identity anymore? What if one identity was spread across 100 criminals, could you ever catch them?

  • I have to say Biometric data used as proof of who you are is the one that scares me the most. As has been proven time and time again encryption does not protect data forever, eventually someone finds a way to crack it and then what happens. It is easy to get people to go "Oh, your credit card information was stolen and misused so we will credit it and you will not have to worry." But with Biometrics you will most likely hear "but sir your DNA scan was used for confirmation, I am sorry but we have to believe it was you." Until security is unbreakable then heck no do I want anyone having that information to misuse. And even then you know all these idiot companies seem to put in a backdoor every time which is what usually is the method compromised first.

  • Count me on board the biometric side of the debate. I still think my credit card data is safer in a database than when I hand it to the waiter/waitress at the restaurant and they go out of sight to scan it.

  • Jack Corbett (3/28/2008)


    Count me on board the biometric side of the debate. I still think my credit card data is safer in a database than when I hand it to the waiter/waitress at the restaurant and they go out of sight to scan it.

    Heh. That's still an argument I have with my mother-in-law.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • Grant Fritchey (3/28/2008)


    Heh. That's still an argument I have with my mother-in-law.

    Mine too... My mother-in-law is convinced if she gets the internet at home, her identity will be automatically stolen.



    --Mark Tassin
    MCITP - SQL Server DBA
    Proud member of the Anti-RBAR alliance.
    For help with Performance click this link
    For tips on how to post your problems

  • Given the original question, I also come down on the side of biometric data. And while I agree that using a credit card online is safer than handing it to a person who goes out of sight (or at least whose hands go out of sight) I still refuse to have any vendor record my credit card number. I'd rather type it in.

    Beyond that I have to agree that in today's world, medical data would pose a bigger problem, if only because the generalized use of biometric data is not really in place.

    And while the act of storing ANY type of personal data behooves the company doing so to ensure the safety of said data, I am of the opinion that the lax implementation of such security (usually only evidenced through a security breach) does not have steep enough penalties. Furthermore, IMHO personal information belongs to the person, not the business entity borrowing it for a transaction, and if the entity wants to use it for ANY purpose other than the satisfaction of the immediate transaction, express written consent from the owner for any such data use should be legally required for every use. This is no different from HIPAA requirements.

    ------------
    Buy the ticket, take the ride. -- Hunter S. Thompson
