“Verified by VISA”: Still Using SSNs Online, Dropped by PEFCU
Country | Number of Stores |
---|---|
USA | 126 |
Europe | 183 |
Thailand | 439 |
Taiwan | 144 |
Japan | 105 |
China | 90 |
Singapore | 65 |
Malaysia | 27 |
Hong Kong | 20 |
Vietnam | 17 |
Australia | 13 |
India | 7 |
Others | 0 |
I completely agree that one centrally hosted password which would work for (almost) every shop would be very comfortable.
But as mentioned, (in)security - in my opinion such an accumulation of passwords on some dedicated servers would definitely be a great target for hackers.
And there is no 100% secure system out there.
So I still prefer to have several passwords.
More uncomfortable but a lot more secure in the long run.
John,
It’s true that a central server is an attractive target. There are two threats to analyze: one is the compromise of the entire database of all credit cards, from the point of view of the credit card company. The other is the compromise of a single card, from the point of view of the card owner. Partitioning the database on several heterogeneous servers with different passwords and accounts would in theory make it less catastrophic when one of those is compromised. In that sense I agree with you. However, having identical, complete copies of the same database on multiple servers doesn’t help security, because only the weakest needs to be compromised.
I would agree with you when discussing securing different resources (e.g., if you personally own several credit cards) with different passwords on different servers; that makes sense to me. However, from the point of view of the owner of a single credit card, I disagree. When you spread the same information (the same resource, the credit card) on multiple servers, only the weakest of those servers needs to be breached. I think that multiple parallel passwords don’t help in protecting a single credit card, and actually increase risk.
For the sake of this argument, I’ve ignored the possibility of serial authentication steps that you have to do one after the other on different, heterogeneous servers to access the same resource, and also the possibility of an authentication step for each possible operation on a resource.
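A small risk model of the two views in the reply above, added here as an illustration and not part of the thread. The per-server breach probabilities and the card-to-server assignment are constructed, assumed values. It contrasts a single card replicated on every server (exposed if any one server is breached), a card kept on exactly one server, the serial authentication steps the reply sets aside (every server must be breached), and the provider's expected fraction of the whole database exposed.

```python
"""Toy risk model for parallel copies vs. partitioning vs. serial checks.

Constructed example; the probabilities below are assumed illustrative
values, not figures from the post or from any real card provider.
Breaches of different servers are assumed independent.
"""

# Assumed annual breach probability of each server (constructed values).
SERVER_BREACH_PROB = {"server-a": 0.05, "server-b": 0.10, "server-c": 0.02}

# Constructed assignment of cards to servers for the partitioned layout.
CARDS = {"card-1": "server-a", "card-2": "server-b", "card-3": "server-c"}


def risk_replicated(probs):
    """Identical copies of the card data on every server.

    The card is exposed if *any* server is breached (logical OR), so the
    risk is always at least that of the weakest server and grows with
    every additional copy.
    """
    safe = 1.0
    for p in probs.values():
        safe *= 1.0 - p
    return 1.0 - safe


def risk_serial(probs):
    """Independent authentication steps on every server, one after the other.

    An attacker must defeat *all* of them (logical AND); adding a server
    can only lower this number.
    """
    exposed = 1.0
    for p in probs.values():
        exposed *= p
    return exposed


def risk_partitioned(probs, card_to_server, card):
    """Each card lives on exactly one server.

    A breach of any other server does not expose this card, so its risk
    is just that of its own server.
    """
    return probs[card_to_server[card]]


def expected_db_fraction_exposed(probs, card_to_server):
    """Provider's view under partitioning: expected fraction of all cards
    exposed, weighting each server's breach probability by how many cards
    it holds. Under full replication the whole database is exposed with
    probability risk_replicated(probs) instead.
    """
    total = len(card_to_server)
    exposed = 0.0
    for server, p in probs.items():
        cards_here = sum(1 for s in card_to_server.values() if s == server)
        exposed += p * cards_here
    return exposed / total


if __name__ == "__main__":
    print(f"single card, copies on every server:       {risk_replicated(SERVER_BREACH_PROB):.4f}")
    print(f"single card, serial auth on every server:  {risk_serial(SERVER_BREACH_PROB):.6f}")
    print(f"card-2 kept on its own server only:        {risk_partitioned(SERVER_BREACH_PROB, CARDS, 'card-2'):.4f}")
    print(f"provider, partitioned db fraction exposed: {expected_db_fraction_exposed(SERVER_BREACH_PROB, CARDS):.4f}")
    print(f"provider, replicated db fraction exposed:  {risk_replicated(SERVER_BREACH_PROB):.4f}")
```

With the assumed numbers the replicated copy is riskier than the weakest single server (about 16% against 10%), while the serial-check layout drives the single-card risk down to the product of the three probabilities; the provider's expected loss under partitioning is the card-weighted mean of the per-server probabilities.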
While a centrally hosted password would absolutely be more comfortable & convenient, as John mentioned the place where the password is stored would be a great target for hackers, and nothing, no matter how secure, is unhackable.
I personally think that the best option to protect yourself is to diversify, i.e. different credit cards on different servers with different passwords.
Although, there’s no way to guarantee that your credit card number won’t get stolen. Even if you don’t ever use it online, it can be stolen from the credit card company itself.
Oh what a world we live in…
You can imagine the type of security you will get from a company that makes use of SSNs. Until we all have personal biometric readers in combination with a two factor system, we will have to deal with arcane security.
After reading your original post on the ‘Verified by Visa’ security farce, I shared some of your same concerns about the fact that it seemed open to being abused to basically confirm an SSN (although they’re not too tough to figure out with some demographic info anyway…). No company (or government organization for the most part) should be using SSN as a unique identifier. Also, while having a centrally hosted password sounds convenient, it would be a mistake to put that amount of information and authority into one place. Just imagine what else that wealth of information could be used for; and not just if it got into the wrong hands, but even by the group charged with collecting and protecting it…
I am very distrustful of using information online. I’ve read many times about holes in the security of browsers or programs that the hackers are always ahead of. I found some good advice on this website on how to protect your hard drive information:
<a href="http://www.hdrecovery.org">http://www.hdrecovery.org</a>
I completely agree with your statement “...than a hundred+ online shopping accounts that keep my credit card information with varying degrees of (in)security…”
Being with an unmanaged dedicated server hosting provider, I see a lot of servers compromised due to lack of security. You don’t know if the shopping cart you’re purchasing from is hosted on some fort-knox server with huge amounts of security or a 13 year old kid’s server these days. Even if the online company you’re purchasing from is well known and you can trust them, do you truly know who is hosting their web site?
on Tuesday, December 8, 2009 at 12:22 PM