Tuesday, April 22, 2008

Business practices and computer security

Jeremy Kirk interviews Bruce Schneier:
So what do you think is the biggest threat right now?

Schneier: Crime.

So how do you fix it? It's expensive to investigate, it's cross-jurisdictional.

Schneier: It might not be fixable. A lot of [the solution] is going to be making the things that criminals are going after harder to get. You're not going to stop the criminals. But in the United States, it's really easy to get a credit card in someone else's name. The credit card companies like it that way. So a lot of it is looking at how the criminals are attacking things and making it harder to attack them. The brokerage companies want it to be easy for you to log on and make trades. Make it harder, and the businesses don't like that.

They're afraid they're going to drive away customers.

Schneier: Of course. If I strip search you before you go into the bank, you might change branches. In the U.S., the government doesn't have the balls to require stuff like [stronger authentication]. You've got to make the banks responsible for losses. The brokerage company has to [reimburse] me if I didn't make the trade. Period. End of sentence.

That's how you fix it. Because then, my brokerage is going to start buying security, otherwise they won't. The basic rule of security: You make the entity in the best position to mitigate the risk, responsible for the risk. Make them responsible. They'll figure it out. That's how capitalism works.

I had a similar take on spam and the issuance of merchant accounts:
Nothing in this writer’s research has explained why VISA, Mastercard, et al., tolerate spammers. Without credit cards, spamming would not be possible. So why do these companies traffic with such operators? We need to make this a customer relations issue.
