Linked by Thom Holwerda on Wed 6th Jun 2012 22:30 UTC
Privacy, Security, Encryption

Bad day for LinkedIn: not only did 6 million of their passwords get stolen and published online (as SHA1 hashes, but still), their iOS and Android applications uploaded your calendars to LinkedIn (after opting in, though). The Sensationalist Headline of the Day Award goes to Ars Technica. I guess everyone's starting to feel the sting of The Verge's fully deserved success.
Thread beginning with comment 521103
Why not adopt PCI standards for ANY org
by seanc7 on Thu 7th Jun 2012 03:04 UTC (member since 2012-03-26)

This is why I've been saying for years that if banks, credit card companies and transaction processors have to follow PCI standards for storing your FINANCIAL information and passwords, then a subset of PCI should be implemented for ALL companies that store any kind of passwords. That way there's some accountability. The latest Global Payments fiasco aside, overall the PCI standards are good and solid, as long as they're properly enforced and "self auditing" (what a joke!) is removed from the standard.

Reply Score: 3

Alfman (member since 2011-01-28)

seanc7,

I understand your sentiment, but please let's not look to the credit card companies as a model for security. What PCI achieves by keeping secrets could be better accomplished by using cryptography.

In a true crypto commerce model, a merchant would receive a digital certificate from customers that entitles that merchant to debit our funds within the constraints listed on the certificate. Whether these are one-time or recurring, it would simply be impossible to use the certificate elsewhere even if it were published in plain sight. This works because cryptography isn't dependent upon the secrecy that makes credit cards so vulnerable.

Reply Parent Score: 4
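Alfman's certificate model, as an added example that is not part of this thread: the customer signs a grant naming the merchant, a spending limit, an expiry and whether it is single-use, and the processor verifies all of that before debiting, so a grant copied from one merchant is rejected at any other and cannot be edited without breaking the signature. The names (Grant, Issue, Debit), the field encoding and the choice of Ed25519 are my assumptions, not anything the post specifies.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Grant is what the customer signs: which merchant may debit, how much, until
// when, and whether it is single-use. Every field is under the signature.
type Grant struct {
	Merchant  string
	MaxCents  uint64
	Expires   int64 // unix seconds
	Recurring bool  // false = single use, tracked by Nonce
	Nonce     string
	Signature []byte
}
// signedBytes covers every constraint; %q stops a '|' in the name shifting fields.
func (g *Grant) signedBytes() []byte {
	return []byte(fmt.Sprintf("%q|%d|%d|%t|%s", g.Merchant, g.MaxCents, g.Expires, g.Recurring, g.Nonce))
}
// Issue runs on the customer's side; the private key never leaves it.
func Issue(priv ed25519.PrivateKey, merchant string, limit uint64, exp int64, recurring bool) *Grant {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	g := &Grant{Merchant: merchant, MaxCents: limit, Expires: exp, Recurring: recurring, Nonce: fmt.Sprintf("%x", n)}
	g.Signature = ed25519.Sign(priv, g.signedBytes())
	return g
}
// Debit is the processor's check. merchant is whoever presents the grant, not
// necessarily who it was issued to; spent records single-use nonces honoured.
func Debit(pub ed25519.PublicKey, spent map[string]bool, g *Grant, merchant string, cents uint64, now int64) error {
	switch {
	case !ed25519.Verify(pub, g.signedBytes(), g.Signature):
		return errors.New("signature invalid: forged or altered")
	case g.Merchant != merchant:
		return errors.New("issued to a different merchant")
	case now > g.Expires:
		return errors.New("expired")
	case cents > g.MaxCents:
		return errors.New("amount exceeds limit")
	case !g.Recurring && spent[g.Nonce]:
		return errors.New("single-use grant already spent")
	}
	spent[g.Nonce] = true
	return nil
}
```

The spent map is the processor's replay record; a real deployment would persist it, but the property the post describes, that a published grant is useless anywhere but the named merchant, comes from the signature alone.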

seanc7 (member since 2012-03-26)

I work in a financial company that must follow PCI and other standards. PCI is a pain, but when properly implemented and followed (key words) it reduces the risk of passwords being stolen. Even if they are, they're properly encrypted.

I understand your concerns about the financial industry; the thefts from Global Payments and the others in the last few years are scary, but it's because those companies are NOT following standards properly. Whoever did Global Payments' audit needs to lose their job. The auditing we're going through for PCI v2 is an even bigger PITA, but it's necessary.

Reply Parent Score: 1