An article relating to this blog post on Finextra:
FSA chides financial institutions for data security lapses
The Financial Services Authority has warned UK institutions to improve their data security practices after a review of systems and controls at 39 firms uncovered slipshod practices at banks, building...
Reading between the lines, regulators will continue to take a big stick to institutions that leak personal data. And so they should. But there must be a more artful approach to stem the flood of stolen ID data. As a security professional, I am aghast at the never-ending obsession with policy and process as the only weapons to fight ID theft. That is, why do we think that beefed up security policies, staff training, audits, regulations and so on will make any fundamental difference? What about a bit of prevention?
IDs get stolen because IDs are valuable. Look at the cyber crime clearing houses where personal data records including mothers' maiden names, CCV2s and billing addresses are traded in parcels of 100,000 or more for a few dollars apiece. Card Not Present fraud is growing at 40% p.a. in the UK and elsewhere, and is now the dominant form of payment card fraud. To organised crime, it's child's play -- vastly easier than hacking into Internet bank accounts and moving funds around. Instead, just take a stolen cardholder's account details and play them over the Internet to a web merchant.
It is high time that proper protections were put in place to prevent the replay of stolen IDs. Only by rendering stolen IDs worthless to criminals will we cut ID theft.
Stephen Wilson
Lockstep Group
Lockstep Consulting provides independent specialist advice and analysis on authentication, PKI and smartcards.
Lockstep Technologies develops unique new smart ID solutions that safeguard identity and privacy.