• "Credit card companies, banks, and other institutions often have complex rules for how they handle and process data. I think more of their secure methods of handling data should be published and taught so that other companies can better learn how to build more secure applications."

    Um, no. Just no.

    Banks and credit card companies (Visa, I'm looking at you) have elaborate rules for managing all sorts of things--and believe me you can drive a truck through some of the security holes in their procedures. Don't get me wrong, they *try*. But they have fundamental issues when deciding how to make things secure.

    Let's take the SSN for example. The problem is it's being used incorrectly. It's *supposed* to identify you to the Social Security Office, and it's supposed to be used to track income (for the Social Security Office). That's all well and good.

    The problem comes from using it as a "secret decoder ring ID". :p

    That's just stupid, from a security standpoint. You have a critical identification ID that is *also* being used as a password. How does that make any sense? The SSN's dual role lies at the heart of most kinds of identity theft. Why does a credit reporting bureau need your SSN? I mean, think about it. Are they reporting your income to the Social Security Office? No? Then they shouldn't use it!

    The problem isn't just SSN related. It's the underlying assumption that only the person themselves knows certain information and that that information can therefore be used to authenticate that the person is who they say they are. This idea is deeply broken. Yet it makes intuitive sense, so people keep doing it. *facepalm*

    Two-factor ID is better, but still not perfect. People forget passwords, they lose token generators. Biometrics are just as broken as SSN and other "secret" info. Worse, you can't change your fingerprints once they've been used for ID theft.

    Banks and Visa do not have a clue. They pretend otherwise, but having worked with Visa PCI security standards I can tell you they're a bad joke. The very complexity of the schemes often leaves lots of room to hide bad actors and their actions. If you doubt me, just look at all the data breaches Visa's had to deal with. It all comes down to using a flawed idea as the basis for security.

    So please don't hold the banks and credit card companies up as shining examples of How It Should Be Done.

    I may not know a better way, but I can see a Swiss cheese defense when confronted with it.