Price is what you pay, value is what you get
Nice work by Francois Paget (hat tip Andrew Jaquith) pulling together the underground economy's willingness to pay up for quality:
Last Friday morning in France, my investigations led me to visit a site proposing top-quality data for a higher price than usual. But when we look at this data we understand that, as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on available balance, bank organization and country. Additional information such as PIN and Transfer Passphrase are also given when necessary:
Since financial services drives a lot of the information security industry, it is fair to ask: are they doing a very good job at securing systems and data, or are they just moving more risk on to the consumer? In 2008, should we be telling people to type usernames and passwords into web forms and then use those "secrets" (cough, cough) to make business decisions?
Weak identity = weak claim = weak access control.
From Ross Anderson's book (2nd edition)
Were I designing an online banking system now, I would invest most of the security budget in the back end.
This is the problem with current "compliance by audit of controls" approach.
Govt sees risk to consumer.
Govt tells corporation "build/buy more controls".
Corp. sees new, higher level of Probable Loss in Risk.
Corp seeks to reduce new risk. Can either ignore risk (not an option with gov't compliance), mitigate risk (which means more cash for a cost center - a bad thing) or transfer (which costs nothing and reduces risk). Hmmmmm.... who wonders which one they'll choose?
Corp creates a mitigate & transfer solution (mitigate a minimum to provide due diligence).
Consumer now has risk transferred to them. Hooray!
If the gov't really wanted to reduce risk to the consumer, they'd focus not on "prevent" but on "detect and respond" on behalf of consumers, with cash penalties paid *quickly*.
This would force the Corp to focus more on "prevention".
Posted by: Alex | May 14, 2008 at 12:42 PM