
It's time to admit that companies can not protect customer data anymore - sbrown12
https://www.inc.com/schuyler-brown/why-companies-cant-protect-consumer-data-anymore.html
======
mikestew
First, I'll say this until I'm blue: articles like this preach to the choir.
MFA? Yeah, raise your hand if you're against that. This is HN, so I'm not
surprised to see only a couple of hands up. You, you in the back in the blue
shirt. Your hand is up, care to explain why. Ah, thank you. Yes, MFA adds
expense for no immediate discernible benefit. One last question: are you a
C-level? Mmm, thought so, thank you.

Just yesterday I interviewed at a company that is next door to a company I
worked for ten years ago, which is why this comes to mind. Biometric MFA by
the flight and dwell times of how you type your password. Clever, it worked
and the company had customers. But our product cost money, security questions
are practically free, and security questions count as "MFA". Without looking,
I doubt the company is still in business. The fact that the company didn't
turn into a license to print money ought to tell you something. That was the
"time to admit..." moment for me, some ten years ago.

So, yeah, preach MFA and everything on that list all you want, but you'll have
to convince my CxO who holds the purse strings. And when we get breached, my
CxO will publicly say, "evil hackers, there was nothing to be done!" and get
away with it. A trivial fine at worst, and a little shaming, and life goes on.
Don't believe me? After the Equifax breach, the stock took a hit. When I
thought the worst was over, I bought call options (since sold) and made bank.
Granted, EFX is still down about 25% from its pre-breach highs, but it still
bounced up about 25% from its post-breach low because after rending our
garments we realized nothing much will change, so back to business-as-usual.

~~~
Terretta
The flight and dwell time of how you type your password: Michael Crichton
wrote code published in an early 80's computer magazine that could do this on
an Apple II.

It worked too, my family couldn’t log into my Apple //c as me even with my
password.

~~~
mikestew
Oh, it's hardly a new idea. I don't remember the details, but I believe a lot
of the work was based on a prior paper, the details of which I'd have to go
dig for. No one at the company was an author on that paper, IIRC.

_It worked too, my family couldn't log into my Apple //c as me even with my
password._

Well, that was one of the problems that still needed work. If our credit union
uses this (and it did for a while), then the spouse can't log in even if they
have credentials. And for certain classes of people, it was unreliable enough
to be annoying. I was one of those people, and I rarely got logged in the
first time. Such a relief to move to a new company and I could consistently
log in the first time, every time. :-)

------
bertil
First off, for anyone who hasn't read it yet: that title is, expectedly,
disingenuous: it is not asking to ban companies from holding customer data but
offers basic advice.

In my experience, people who can implement the solutions that they are
describing, i.e. who would enjoy reading that "Have I Been Pwned (...) offers an
API", know about these, and are not those deciding whether to work on implementing
it. Managers who allocate budgets are. Having a clear list of things to do is
great, but managers tend to see those as part of the long list of things to
do, a long list that they do not have the budget to handle.

What could be more helpful is an estimate of how likely not doing it is going
to be a problem and how much that would cost the company. Anyone willing to
associate a benefit to each step?

