Reason number 2,503,201 why 1995 security architectures based on SSL, network firewalls, and a prayer are not good enough any more. Etrade's 10Q filing (hat tip Dan Geer):
Other expenses increased 97% to $45.7 million and 55% to $101.9 million for the three and nine months ended September 30, 2006, respectively, compared to the same periods in 2005. These increases were primarily due to fraud related losses during the third quarter of 2006 of $18.1 million, of which $10.0 million was identity theft related. The identity theft situations arose from recent computer viruses that attacked the personal computers of our customers, not from a breach of the security of our systems. We reimbursed customers for their losses through our Complete Protection Guarantee. These fraud schemes have impacted our industry as a whole. While we believe our systems remain safe and secure, we have implemented technological and operational changes to deter unauthorized activity in our customer accounts.
I really like web apps. But if you are writing them now, you have a responsibility to do a better job with security and identity. And if you are building a framework, whether it's PHP, SOAP, REST, Ajax, or whatever, security has to be built in. Comparing technology A to technology B based on what makes the developer's life easier is worthless if the technology doesn't protect the customer; a comparison that factors in the framework's practical security mechanisms and support is not. Here is one real company (and there are many more) publicly disclosing an 8-figure loss because of poor programming and identity systems.
How long, O lord, How long? This blizzard of shame is getting a little old, isn’t it? - Hunter S. Thompson
**************************************************
Upcoming public SOA, Web Services, and XML Security training by Gunnar Peterson, Arctec Group
--- NYC (April 19), Unatek Web Services (May), OWASP App Sec Europe (May), Helsinki (June), DC/Baltimore (July 19).
Identity theft is just one part of the problem. To learn more about the various types of scams out there, go to…identitysafetytips.com. In order to protect yourself from identity fraud and name theft, you must carefully protect your personal records, and pursue online activities with caution. There are a number of things you can do in your everyday life to prevent identity theft and
http://www.identitysafetytips.com
Posted by: patrick | April 18, 2007 at 09:19 AM