[Dataloss] a recurring theme...

*Hobbit* hobbit at avian.org
Thu Feb 16 01:02:39 EST 2006


okay, so I've been on this list all of two days, and so far it's
been "organization X got owned, and customer credit cards may be
at risk.  organization X apologizes." ... very similar to reports
I've been seeing filter through a couple of other sources, in fact.
Not to disparage the reporting or even the monotonous invariance
in overall theme -- my question is, how many such events, and how
long is it going to take, before the industry wises up and
actually DOES something about it?  We HAVE the technology.
Why are invariant passwords to money [i.e. credit card numbers,
which themselves are only "unpredictable" within the last 5 digits
or so] being issued with expected *5-year* lifetimes?  Why is the
financial industry still relying on crap like the last 4 of the
SSN as a default "verifier" of identity?  Why the hell don't we
have a workable one-time-per-transaction authorization scheme in
common use, so this idiocy with stored plaintext card numbers just
ceases to be a problem?

Because "profitable in the face of tolerable risk" trumps "inherent
engineering merit", every time.  I would counterargue that these
risks are no longer "tolerable", when the volume of loss has
gotten so high in the aggregate.  Maybe that's what this list is
for -- posting frequency as a gauge of how bad it is.

I tried to go change a card number at a local bank not too long
ago -- didn't claim it was lost/stolen, I just said it was high
time I changed it on principle.  They were flabbergasted, and
didn't know how to deal, and said that if everyone wanted a
new number every 6 months or a year they couldn't afford to
offer cards at all.  They finally agreed to do it "just this
once" and waive the $10 reissue fee, but it was totally pulling
teeth to get them to that point.  Now, *that* is *broken*.

_H*

