The Hill is about to engage on the issue of breach reporting and on another little thing called best practices for groups outside the financial community. Some take the latter to mean exactly what it says: "standards" for how certain types of transactions are going to be handled by retailers. These are really two separate issues, but they are being considered at the same time, belatedly on both counts. Those who don't develop enforceable standard practices are doomed to have them regulated.
The financial community has been ahead of most retailers for years because banks and financial institutions handled most of the monetary transactions in the days before credit cards. People were after money, so the thieves developed a number of techniques to get it for themselves. Each time they, for example, recorded a transaction and played it back to trigger a second payment, or sliced a small amount off a transaction and moved it into a new account, the standards got higher. The institutions exchanged information about the attack vectors on a regular basis. We thought most hackers were insiders making money for themselves. Now, we think more about Chinese, Russian, and Eastern European hackers than about insiders. There are sufficient internal audit controls to find more of those insiders, but there wouldn't have been had the institutions not cooperated.
Two groups do not want information sharing about incidents: retailers and software developers, the latter staying in the shadows any time this debate comes up. They work through back doors via trade groups, slipping away into the night when they are discovered. They are deathly afraid of anyone taking an interest in them because of liability for some of these breaches, which they have caused through shoddy development and testing of software. Retailers can establish all the standards they want, but until we hold software vendors' feet to the fire by making them responsible for their products, the vulnerabilities will continue to play into the hands of thieves.