"Let's immediately set up a separate domain name that looks like ours" remains one of the weirdest antipatterns in incident response.
One of the companies I work for has all kinds of crazy domains because the IT department and the Communications Department don't get along the way they should.
I wonder whether it might be better if governments took over the notification side of things. Something like "firstname.lastname@example.org". Companies could pick from a few standard templates and get charged $1.00 per email.
Should we be focusing our efforts more on how to make "identity theft" (i.e. fraud) more difficult, even when someone knows all your data?
Something more tied to your physical self, whether 2FA or something else?
I disagree. I’d take the Economist's route, which is looking for the incentives that drive motivation. If companies were held to a higher standard of accountability, imagine how many would beef up their security. For decades, security researchers have been poking fun at how ridiculous some of these sites are at handling security, and nothing ever happens.
Now, imagine if there was severe economic accountability to a company that was hacked. Perhaps payouts to each person affected (in this case, to all 150m). I imagine you’d see security become a top priority very quickly at most companies.
While companies could probably do better than they are right now, hacks like this are probably never going to be eliminated. There are too many companies and too many developers for nobody to make mistakes, even when they're being mindful not to. Investing in solutions that assume hacks will happen seems reasonable to me.
I'm not saying we can be invulnerable but we need to raise the lowest common denominator so that it's not a walk in the park to steal millions of records. You just need the weakest link to make everyone vulnerable but I do think positive collective behavior can counter that -- especially when you make it easy with things like Let's Encrypt.
I don't think you have quite thought it through. Do you honestly want to have to do a code audit on all libraries you use? Freeze all versions? Have a chain of signoffs for every change?
I have briefly done consulting in a place like that -- developers were absolutely miserable. Think about every single corporate IT policy that exists and apply it not just to your desktop/laptop/phone but to what you do on that desktop/laptop/phone.
Security is about management of risk.
If developers demand that the tools they use are better built, then the market will deliver tools/frameworks/etc... that are secure from the start.
"Good" coding has become "good enough" coding, and the problem exists from the bottom of the stack to the top.
This is never going to happen because what is considered secure in one place is not considered secure in another place.
> "Good" coding has become "good enough" coding, and the problem exists from the bottom of the stack to the top.
Because it is about risk management, not about absolutes. It is absolutely irrelevant that a smart Samsung TV that I have in my office has garbage security because it is used as one thing and one thing only - a dumb 48" HDMI monitor not connected to a wireless network. Its Wifi antenna connector has been cut. It matches my risk profile.
I'm going to repeat it again - we do not have a security problem with software. We have a risk management problem.
There's absolutely no reason for Marriott to store information on previous guests past a certain statute of limitations. In fact, they could probably have offloaded it to Iron Mountain after 180 days. Storing it online has a certain risk profile. That risk was not correctly evaluated ( probably not evaluated at all ) and hence it was not minimized.
Storing credit card information ( even encrypted ) after the card was charged and the transaction completed creates another risk profile. It also was not evaluated and it was not mitigated.
Businesses are obsessed with data without understanding the risk.
Most professions and companies are (at least in theory) held accountable for their impacts.
There are a lot of really stupid mistakes made in a lot of these data disclosures that a competent IT team (and dev team) can prevent from happening. The current state of things is that there are hardly any consequences for losing people's data, just make a bulk purchase of credit monitoring and call it a day. This is cheaper than actually hiring the right people and implementing the correct processes.
To stretch the car/driver analogy, you could limit all cars to 10 mph so that they can stop fast enough when a deer runs into the road unexpectedly, but that's probably not worth the tradeoff.
Pedestrians, on the other hand, are a predictable fact of life that you need to deal with when you get in a car. So are bad people on the internet. If you put something on an internet connection and aren't constantly aware of that, you should not be putting it on the internet.
Right, which is why we should increase consequences when there are data breaches so companies may actually care about them when they happen.
Why do you think customers are ready to pay extra for the extra data security?
I really wish more developers had at least a basic ethical grounding and didn't just go "fuckit, revenue!". (Or, in larger companies, "fuckit, my boss told me")
And when you consider opportunity cost - even just double-checking you aren't affected takes a minute of time, as a consumer, that means this hack just wasted close to a thousand years of human life.
Where's the accounting for the opportunity cost of that?
If basic ethical grounding requires security to be the top priority, and security work is inexhaustible, then it must be unethical to ever work on the product being secured.
An ethical approach requires you to reason about which actions are moral, not to be "done" with something. As I said, even a basic knowledge would be really helpful.
If basic ethical grounding requires safety to be the top priority, and safety work is inexhaustible, then it must be unethical to ever work on the product being safe.
In other words, this is an irrelevant nit that serves no purpose except derailment.
Does such a world even make economic sense after accounting for the opportunity cost of the time that most building designers would otherwise spend actually building funky new shapes?
Investing in solutions that assume buildings will collapse seems reasonable to me.
SQL injection is bad but not "a bridge with 50 cars collapsed over a city" bad.
1) There are 150 million vehicles which can be remotely controlled via the vehicle manufacturer's software, which has generally mediocre application security.
2) The software in question is vulnerable to SQL injection, allowing up to 150 million vehicles to be remotely commandeered by a small group of attackers.
3) No hostages are taken and no owners of cars are deliberately harmed, because this is an application security scenario and not a kidnapping scenario (which is orthogonal).
The scenario you've posed is oddly florid...thinking through it, no, I don't think the robbery of 150 million vehicles is as serious as a bridge collapse with 50 (presumably occupied) vehicles on it.
Speaking more directly to the point - I think this is a really poor comparison. Logistically speaking it's hard to take seriously the idea that 150 million cars would actually be stolen because of any single SQL injection vulnerability. SQL injection is really bad, but it doesn't directly result in injury or loss of life. It's also hard to conceive of a situation in which SQL injection has the potential to cause systemic collapse like you're describing...maybe SQL injection to a database containing credentials that have write access to a server which can launch ICBMs?
In the modal case, I think it's okay to admit that application security is not as serious a concern as architectural stability. But this entire discussion is pretty much a sideshow; we can just all agree that security needs to be taken seriously and that some bureaucratic scar tissue is okay to make that happen.
In any case, the damage to Iran from the hack was not as significant as building collapse.
The situation is identical to you wanting to have an untamed lion in your back yard. Provided you have the right security in place to ensure it can't hurt me, your neighbor, then the litter box is your problem. If however you do not have the right protections in place, then I have every right to ensure the lion is removed from the neighborhood.
If you don't store valuable data, you won't have large premiums.
If your business model requires storing such data, you better have the revenue to pay the premiums.
I can see a time when software developers (leads at least) will need to be chartered just like someone that designs a bridge.
But that's not the worst of it. The Economist here is doing a static analysis, oddly enough. They're making the simple observation that if things cost more or have more risk, they get more attention.
That's if they have more risk today. Once you collect data, it doesn't go anywhere. Every bit that sits on your servers can easily be copied to another server, today, tomorrow, ten years from now. Do you know what all the bits are on your computers?
This isn't copyrighted DRM or porn. You could have a blob of hashes and user IDs. If I put that on your computer, would you know? Could you be expected to find it? Know what it was?
As Facebook and the other platforms are demonstrating, this data continues to have value many years after it was collected. And once somebody gives some data to you, it's effectively both invisible and trackless. Over long periods of time, your cost becomes infinity to maintain this risk. Meanwhile, attack vectors get better and people come and go out of your offices all the time. Could you manage that risk? Forever?
I can't think of _any_ sensitive data on the web that's stayed safe. Why would attaching any amount of value change that?
Right now, there are few penalties, outside of a brief reputational hit, for large firms that lose control of customer data.
The Flirty chat app is fined for leaking 808,000 emails to the tune of 20,000 EUR.
The Cuddly chat app is fined for using plaintext password storage to the tune of 20,000 EUR. (No hack known as of yet?)
As a foreword, this occurred under older privacy laws and not quite GDPR. Many sources agree that GDPR would increase fine sizes in a repeat event.
Due to a data breach at Uber exposing 57 million people's records, they were fined 600,000 EUR by the Netherlands and 385,000 GBP by the UK.
See nkkollaw's comment below/above.
Uber is somewhere around $10b gross revenue, so $400m fine for every breach. Sure it's "just a cost of doing business". It also means that it's better to spend $200m beefing up their security to reduce from 1 data breach every year to one every 5 years.
Marriott revenue is $23b, so that's a potential $920m fine.
IHG (say), who invest in security and don't have a breach, get to charge less for their hotels, or make more profit.
Much more than "just a cost of doing business" for the majority of companies.
If I kill somebody, that person isn't there anymore; you don't think deterring others from killing other people is reasonable?
That's why GDPR happened. "Ok, if you're not going to do anything about it, we'll make you do something about it."
So you're not taking the economist's point of view, at least from the perspective of the free market; rather, you're thinking about which economic levers you could pull to effect change from a regulator's point of view.
That's a pipe dream. Instead we should take advantage of public-key cryptography, so that authenticating to one company does not leave behind infinitely reusable credentials for others.
"There are two types of companies: those that have been hacked, and those who don't know they have been hacked."
Perhaps in the digital world as well, intrusion detection is more valuable than intrusion prevention?
You’re right. These companies should absolutely have to weigh the cost of keeping data because they overestimate their ability to keep it safe.
i.e., instead of the traditional "what are the [last 4 of] your SSN, and/or we'll tell you three things that may or may not be in your credit history and you have to fill in the blank on each of them"...
...why not just use 2FA?
You give everyone a TOTP code on a separate card but tied by the government to your SSN, passport number, and state ID. You provide a government mobile app that they can use if they don't want to use a 3rd party one. When some third party wants to verify your identity, there would be a heavily secured, simple, audited government server that you'd use the app to auth to (SSN + TOTP), returning a temporary auth code/passphrase, stored for 1 day and associated with your SSN. You give that temporary code to the third party, which then verifies that temporary auth code or passphrase with that same government server. You could have an additional voice phone channel to get the temp codes, for people without smartphones.
If your TOTP code card and device are both lost or stolen, you visit in person to get a new one just like normal. Anyone who sees the card can impersonate you, but you shouldn't be carrying it around or waving it around, and even if stolen in individual cases, the scheme eliminates mass identity theft.
U2F could be an option, for anyone with a U2F-capable hardware security key or smartphone, but I'm not sure about mandating U2F because compatible hardware has a non-trivial marginal cost.
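The verification flow the comment sketches (app authenticates with SSN + TOTP, receives a one-day temporary code, third party checks that code against the same server), as an added example that is not part of the original thread; the TOTP secret, SSN and server type are stand-ins, and consuming the temporary code on first verification is an added choice, not something the comment specifies:

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// totp computes an RFC 6238 code (HMAC-SHA1, 30-second steps, 6 digits)
// for the given Unix time from the secret bound to the card.
func totp(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

type tempCode struct {
	ssn    string
	expiry time.Time
}

// IDServer models the "heavily secured, simple, audited government server":
// TOTP secrets keyed by SSN plus temporary codes stored for one day.
// (Hypothetical type for this example.)
type IDServer struct {
	secrets map[string][]byte
	temp    map[string]tempCode
	now     func() time.Time // injectable clock for testing
}

func NewIDServer(now func() time.Time) *IDServer {
	return &IDServer{secrets: map[string][]byte{}, temp: map[string]tempCode{}, now: now}
}

// Enroll binds a TOTP secret to an SSN (done in person in the scheme).
func (s *IDServer) Enroll(ssn string, secret []byte) { s.secrets[ssn] = secret }

// Authenticate checks SSN + current TOTP and, on success, issues a random
// temporary code associated with the SSN and valid for one day.
func (s *IDServer) Authenticate(ssn, code string) (string, bool) {
	secret, ok := s.secrets[ssn]
	if !ok {
		return "", false
	}
	now := s.now().Unix()
	valid := false
	for _, skew := range []int64{-30, 0, 30} { // one step of clock drift each way
		want := totp(secret, now+skew)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			valid = true
		}
	}
	if !valid {
		return "", false
	}
	var raw [16]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", false
	}
	t := hex.EncodeToString(raw[:])
	s.temp[t] = tempCode{ssn: ssn, expiry: s.now().Add(24 * time.Hour)}
	return t, true
}

// Verify is the third party's call: the temporary code must exist, belong to
// the claimed SSN and be unexpired. It is consumed so it cannot be replayed.
func (s *IDServer) Verify(ssn, code string) bool {
	tc, ok := s.temp[code]
	if !ok || tc.ssn != ssn || s.now().After(tc.expiry) {
		return false
	}
	delete(s.temp, code)
	return true
}

func main() {
	srv := NewIDServer(time.Now)
	secret := []byte("12345678901234567890") // RFC 6238 test secret, constructed
	srv.Enroll("000-00-0000", secret)       // placeholder SSN
	code, ok := srv.Authenticate("000-00-0000", totp(secret, time.Now().Unix()))
	fmt.Println("issued:", ok, "verified by third party:", srv.Verify("000-00-0000", code))
}
```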
This very case is already an example of overreach. The only reason a hotel needs someone's identity is in case they trash the room and skip out. There is absolutely no reason that it should have been kept after checkout, except that we've been groomed to expect this surveillance based on payment cards being similarly broken.
I can see the possibility for reasonable progress in the EU, where a government ID could carry rules that it couldn't be involuntarily used for business purposes (and assuming that would actually last). But in the US, the government will mandate some base system and then let companies abuse it ad infinitum - even social security numbers are already way too much.
If a forum had the option of requiring real-world ID, they'd make the reasoned business-case tradeoff of whether that's likely to improve the forum/business (less trolling) or worsen it (far less signups because people want to be anonymous on that particular forum).
And as for hotels specifically, they require a real identity for public safety, so police can (not just at check-in, but even months or years later) determine where someone stayed in order to solve cases of murder, child trafficking, or other violent crime.
There's this gravely mistaken idea that a business's interests are fundamentally based on serving customers' interests. But both sides of any transaction have diverging interests, and in the real world we see industries uniformly implement arbitrary customer-hostile practices rather than compete. This is especially true when the customers' downsides are not easily quantifiable - see the entire advertising-surveillance industry.
And sure, there is always some prudent-sounding reason why more centralization is needed (essentially the "God narrative"), which is exactly why the safety-above-all ratchet moves ever forward. But in the free world this type of thinking is a red herring - the same scare-reasoning can be applied to mandating that every person have a machine-readable ID code tattooed on their forehead, and this only seems unreasonable because it's not present custom.
Went into force a few months ago.
We need tough, enforced penalties for data breaches, plain and simple. It's a negative externality, just like pollution, and so can only be controlled by regulation.
Your leaked data does not hurt me. So it is NOT like pollution.
If you do not like your data on the internet - do not give it to companies you do not trust.
> can only be controlled by regulation
Your claim is wrong.
Companies' behavior is controlled by customers' demands. The balance between security and convenience -- is not an exception here: customers' demands define where that balance is. There is no need for the government to intervene in this case.
Anyway, these companies are bad at their job as evidenced by the breach happening. And I definitely think we're past the time where it should be illegal for companies to even ask for passport numbers, DOB and social security. A phone company, a hotel, need none of that. They just want it. Big difference.
What we need are more options to transact anonymously. This "show ID for everything" culture needs to stop.
I really don't understand why so many companies think they need so much information about me. Or even if they do need it, why such disparate data as passport numbers, credit card numbers, email address, gender, and home address would be stored in the same database.
Is there a law that requires hotels to collect all this data? I've stayed at some cheap motels where they glanced at my driver's license and accepted a couple of $20 bills, and I got a key, and that was the entire transaction.
If companies knew that there was a database that everyone has access to with all the data you need to signup for new sources of credit for 50% of US residents, there would be a very strong financial incentive to actually fix the problem.
I'm preeetty sure they source DL data from some state DMVs.
I would love to read the comments.
// shit ain't working before, I just changed that bitch just deal with it
I give it 24 hours.
> “Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes,” said James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington.
Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.
According to the article the systems were merged 3 months ago.
"The company resolved one major issue involving elite-night credits earned from credit card spending just last week, more than three months after the integration. That problem left many members in limbo, unsure of how close they were to hitting elite-level thresholds before year’s end."
The intrusion was detected on Starwood's system in September according to the BBC article.
"On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."
It appears to include everyone who's ever stayed in a room at a Marriott, St. Regis, Ritz-Carlton, Bulgari, W Hotel, JW Marriott, The Luxury Collection, Le Meridien, Renaissance, Westin, Tribute Portfolio, Sheraton, Autograph Collection, Design Hotel, Marriott Executive Apartments, Delta Hotels & Resorts, AC Hotels, Element, Gaylord, SpringHill Suites, Courtyard, Residence Inn, Fairfield Inn & Suites, Moxy Hotels, Protea Hotels, TownePlace Suites, Aloft, Four Points by Sheraton, or Marriott Vacation Club property.
For reference, there are under 130M households in the US and around 200M households in the entire EU.
"The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party."
"Starwood's hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network."
edit: the Marriott website itself confirms as much that this is limited to Starwood properties.
"guest information relating to reservations at Starwood properties* on or before September 10, 2018."
"* Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included."
Do you have other information?
Other marketing activities.
Resale to third parties.
You at any point requested to be added to their mailing list and that's linked to purchase history.
Web analytics linked to purchase history.
Corporate policy is not to delete data.
So there's seven reasons of various legitimacy off the top of my head.
especially are great examples of why the GDPR was created, even once we ignore the advertising industry.
Homomorphic encryption is a form of encryption that allows computation on ciphertexts, generating an encrypted result which, when decrypted, matches the result of the operations as if they had been performed on the plaintext.
Homomorphic encryption can be used for secure outsourced
The decryption should happen on back-office payment processing server, with the keys held by a hardware security module.
Or better yet don't store the card details at all, but there are valid business reasons that is sometimes necessary.
TL;DR - PCI compliance was a joke in my experience.
The payment page didn't log requests (made figuring some things out hard), it submitted the encrypted card data (public key) to another server through the firewall with only a single non-standard port open, to the data store with write only access. There was then a trigger on insert that would launch a small console app that passed the decrypted (private key stored locally) card and charge information to Authorize.Net, if successful it would then write a success to the charges database, and send that charge identifier to the application's data store.
The only access to the payment server was from behind the firewall over RDP and MSSQL over non-standard ports.
Just the description of this satisfied the PCI guy, and no physical inspection of the hardware was ever done. I'm not sure if what I did was best practice, and I was always so scared it would get hacked. Thankfully after so many fraud charges that my boss couldn't handle the $15 chargebacks we switched to paypal and I no longer had sleepless nights.
It’s still not perfect because an attacker can potentially send requests to the key management server, but they shouldn’t be able to walk away with the keys to perform decryption outside of the system.
You then set up monitoring to watch how many decryption operations are being performed per minute or hour and alert admins when it steps outside of normal usage patterns.
It’s not perfect but can help you to 1) catch an attacker early and 2) have some type of estimate of the size of the breach when discovered. A very patient attacker may not trigger an alarm of decryption operations but in that case he’s got to work much slower, which limits the scope of the attack while they hopefully trigger something else that exposes them.
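The rate monitoring described in the two comments above, as an added example (not code from any commenter): it buckets a decryption service's audit log per minute, learns a baseline from the first quiet minutes, and flags a minute whose count exceeds mean + 3 sigma or a hard floor. The log format, the service name and the numbers are constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// buildSampleLog constructs a synthetic audit log: ten quiet minutes of
// normal decrypt traffic, one minute with a burst, then quiet again.
// Made up for this example; not real KMS or Marriott data.
func buildSampleLog() string {
	var b strings.Builder
	start := time.Date(2018, 11, 19, 10, 0, 0, 0, time.UTC)
	perMinute := []int{4, 5, 3, 4, 5, 4, 3, 5, 4, 4, 120, 4}
	for m, n := range perMinute {
		for i := 0; i < n; i++ {
			ts := start.Add(time.Duration(m)*time.Minute + time.Duration(i)*time.Second/2)
			fmt.Fprintf(&b, "%s decrypt key_id=row-%d caller=payment-svc\n", ts.Format(time.RFC3339), i)
		}
	}
	return b.String()
}

// countPerMinute parses "<RFC3339 timestamp> decrypt ..." lines and counts
// decrypt operations per minute; other operations are ignored.
func countPerMinute(log string) (map[time.Time]int, error) {
	counts := map[time.Time]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[1] != "decrypt" {
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", fields[0], err)
		}
		counts[ts.Truncate(time.Minute)]++
	}
	return counts, nil
}

type Alert struct {
	Minute    time.Time
	Count     int
	Threshold float64
}

// detectSpikes learns mean and standard deviation from the first
// baselineMinutes buckets and flags later minutes above mean + 3 sigma.
// floor is a hard minimum so a very quiet baseline is not a hair trigger.
func detectSpikes(counts map[time.Time]int, baselineMinutes int, floor float64) []Alert {
	minutes := make([]time.Time, 0, len(counts))
	for m := range counts {
		minutes = append(minutes, m)
	}
	sort.Slice(minutes, func(i, j int) bool { return minutes[i].Before(minutes[j]) })
	if len(minutes) <= baselineMinutes {
		return nil
	}
	var sum, sumSq float64
	for _, m := range minutes[:baselineMinutes] {
		c := float64(counts[m])
		sum += c
		sumSq += c * c
	}
	n := float64(baselineMinutes)
	mean := sum / n
	sd := math.Sqrt(math.Max(sumSq/n-mean*mean, 0))
	threshold := math.Max(mean+3*sd, floor)
	var alerts []Alert
	for _, m := range minutes[baselineMinutes:] {
		if float64(counts[m]) > threshold {
			alerts = append(alerts, Alert{Minute: m, Count: counts[m], Threshold: threshold})
		}
	}
	return alerts
}

// Run applies the detector to the constructed log.
func Run() ([]Alert, error) {
	counts, err := countPerMinute(buildSampleLog())
	if err != nil {
		return nil, err
	}
	return detectSpikes(counts, 10, 10), nil
}

func main() {
	alerts, err := Run()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s: %d decrypts (threshold %.1f)\n", a.Minute.Format(time.RFC3339), a.Count, a.Threshold)
	}
}
```

Minutes with no decrypt at all produce no bucket, so a production version should also fill in zero-count minutes before computing the baseline.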
The gist is you create an encryption key for your row, encrypt it using your encryption service, and store it next to your actual payload. To decrypt, ask the service to decrypt the key which you use to decrypt the payload. If your database gets popped, your decryption server hopefully didn't because you hardened it specifically.
Envelope encryption is a good scheme. Under envelope encryption you have a master key and per-row or per-unit keys. You store the per-unit keys encrypted with the master key, and the master key is stored offsite.
For example on an AWS environment, you would use AWS KMS with IAM authentication to handle the master key crypt for the individual keys, and the encrypted versions of the individual keys are stored in a database that you own.
You encrypt your data with the individual keys (eg, one key per user, or one key per DB row, or one key per namespace, whatever), but the individual keys are decryptable only by KMS.
Under this scheme an attacker must both be able to get ahold of the encrypted individual keys, and be able to decrypt them with the master key.
Of course this leaves you very vulnerable if the master key is acquired, but KMS does not allow you to read the master key at all, you have to use the AWS API to make encryption/decryption requests. So the vulnerability is less about how secure the key is and more about how secure your IAM setup and instances are.
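Envelope encryption as the comments above describe it, written as an added example (not any commenter's code and not the AWS KMS API): a stand-in `KMS` type holds a master key it never exports and only wraps or unwraps per-row data keys, so a leaked dump of rows is useless without access to the service. The row id is used as associated data so a wrapped key cannot be moved to another row; the guest payload is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM ciphertext, binding aad into the tag.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func unseal(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// KMS stands in for a managed key service: the master key is unexported
// and there is deliberately no method that returns it.
type KMS struct{ master cipher.AEAD }

func NewKMS() (*KMS, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &KMS{master: aead}, nil
}

// Wrap/Unwrap are the only operations callers get; rowID as AAD ties the
// wrapped key to its row.
func (k *KMS) Wrap(dek []byte, rowID string) ([]byte, error) {
	return seal(k.master, dek, []byte(rowID))
}
func (k *KMS) Unwrap(wrapped []byte, rowID string) ([]byte, error) {
	return unseal(k.master, wrapped, []byte(rowID))
}

// Row is what sits in the database you own: ciphertext plus wrapped key.
type Row struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRow makes a fresh 256-bit data key per row, encrypts the payload
// with it, wraps the key via the KMS and drops the plaintext key.
func EncryptRow(kms *KMS, id string, payload []byte) (Row, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Row{}, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return Row{}, err
	}
	ct, err := seal(aead, payload, []byte(id))
	if err != nil {
		return Row{}, err
	}
	wrapped, err := kms.Wrap(dek, id)
	if err != nil {
		return Row{}, err
	}
	return Row{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRow needs the KMS to unwrap the row key before the payload opens.
func DecryptRow(kms *KMS, r Row) ([]byte, error) {
	dek, err := kms.Unwrap(r.WrappedDEK, r.ID)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	return unseal(aead, r.Ciphertext, []byte(r.ID))
}

func main() {
	kms, _ := NewKMS()
	row, _ := EncryptRow(kms, "guest-42", []byte("passport=EXAMPLE123")) // constructed payload
	pt, _ := DecryptRow(kms, row)
	other, _ := NewKMS() // a dump plus the wrong master key yields nothing
	_, err := DecryptRow(other, row)
	fmt.Printf("%s / wrong KMS: %v\n", pt, err)
}
```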
Or are we assuming that the decryption service enforces some policy about what and how much to decrypt?
But you're also forgetting that most data breaches in real life involve database backups, staging servers, development environments, and people with access. So envelope encryption really helps prevent those. Even if someone gets a hand on your DB dump they're unable to use it without authorization to the KMS, which they won't have unless they can also get into your application server.
Don't forget that data is most often leaked by people. DB backups, dev environments, inappropriate transfers. We hear about the big targeted attacks, but probably 90% of actual breaches are due to human misuse.
If you don't need to decrypt the data on the same system, you could always use asymmetric encryption, so encrypt with the "public" key and then keep the private key elsewhere.
If you require to be able to decrypt on the system in question then you need a key somewhere, so secure storage of the key is very important.
One option, often deployed in banks, is to store the key in a hardware security module (HSM) and then ensure that it's not available outside of that.
There's a load of tradeoffs to using HSMs but they can be useful where symmetric encryption is needed.
Amazon and Azure offer these in the cloud.
An attacker that compromised the customer facing application only has access to tokens and would be forced to access sensitive data via the data bunker. That application is heavily monitored and would hopefully be quickly noticed.
The HSM adds an additional layer of protection against loss of sensitive data via backup tapes or some insider attacks.
Physically separate the key storage from the data storage. Different servers, different user auth mechanism. Make them compromise both systems.
Unique keys per client.
Use key-encrypting keys, periodically replace them.
The PCI environment must be totally self-contained and not mixed with the standard working environment. If an employee is phished, their credentials for email/etc should not gain access to the env.
Don't allow developers to deploy or even read from prod db. Have a separate deployment team, all access to prod database audited via production tickets.
Assuming a layered system, something like Vault transit encryption (perhaps with the master key in an HSM) should keep decryption keys away from front-end machines, though as ever, once you have root and can access the memory of a machine where the encryption keys are stored, most bets are off.
The general idea is to insert some kind of bogus information into a system, with no links to other systems, and then trigger a notification if someone accesses it.
You are already fucked at this point. I would focus my attention on preventing hackers from 1) gaining any unauthorized access, 2) doing any sort of privilege escalation from a restricted account/service.
That seems like the least interesting bit of information here for individuals.
It's really bizarre to me that people here seem to consider their credit card numbers more sensitive than their travel history or even contact information.
Generally people's level of care will correlate to what nefarious purposes the data can be used for. There aren't that many such purposes with the data exposed here until you consider the passport number (probably something more secure than a SSN for most Americans?), payment info, or login info. The purposes I can think of for the other data are reliant on the metadata that so-and-so was at that location at that time, when I might have believed something else.
I'd be far more concerned about my privacy than my banks money.
As to privacy, after the number of breaches of personal info there have been, I'd be inclined to let go of the idea that this level of personal data is private :)
Don't you review your charges regularly? Even without fraud you're bound to be losing money to erroneous charges if you don't.
>b) dispute them
I've usually just had to submit a quick online form consisting almost entirely of checkboxes, while yeah that's some work it's still not going to take more than a minute of my time.
>c) go through the annoying process of having your card re-issued.
Seems like this is vastly more annoying with some card issuers than others.
Also not all of the cardholders will be online customers, so they'll have the delights of call center processes to go through.
Whilst it's obvious you don't regard loss of your credit card information as a serious inconvenience, I don't think that's necessarily a universal sentiment.
I work at a bank, and you would be surprised how many people don't know how much they have in the bank until they get the message saying there's no money.
So many people do this. As long as they don't get that message, they don't worry about how much is in there.
Edit: Ugh. Yes. My mind was apparently elsewhere. Keyspace would drive the time needed.
Though it is a relatively short list of known plaintext, especially if you focus on the BIN ranges for say the three most popular banks in the US.
But, only interesting if Marriott was using some encryption with a small keyspace.
If yes, how much would you expect the bruteforcer to earn per successful attempt?
At the very least you'll need cardholder name and expiry to match up, and hopefully you'll need CVV/CVC as well.
Of course I really hope the Marriott weren't storing CVV in a reversibly encrypted format.
You're not allowed to store the CV2 in any form that could be recovered (i.e. plain text or reversibly encrypted) or brute forced (i.e. hashed/salted). PCI rules say you simply aren't allowed to store the CV2 after the call for an authorisation, as it's no longer required. If they were storing the CV2 then they're in trouble.
Credit card fraud is far more involved than just getting payment information, you won't succeed at ordering anything of value without understanding how anti-fraud systems work.
I'm guessing that higher-end criminals spend quite a bit of time working out how to bypass anti-fraud systems; it's an ongoing battle.
After spending years hanging around in those circles I'm rather convinced that the only people making real money with credit card fraud are the shops, hackers stealing the cards and reshipping services.
The biggest buyers on the shops seemed to be criminal gangs engaging in relatively small-scale fraud maybe moving hundreds of thousands a month.
Password hashing is different because there is no key space.
Except that doesn't really make anything better, because now an attacker could simply use that salted and hashed credit card number elsewhere to make payments too!
The real solution is to use something like OAuth for payments. You authorize a merchant to take ongoing payments from you, and the card issuer gives the merchant a token which is only useful for making payments from you to them, and can't be used to make payments to anyone else.
It simply means if the card number is used for fraud, it'll be easier to track down who leaked the card numbers.
I think I stayed at a Starwood 2 years ago in PA? But I don't remember if it was a Starwood or some other Marriott brand.
These breaches keep happening and these companies continue to be not held accountable or not punished in any way, except for bad press for 2-3 days until everyone forgets and it's on to the next security breach.
You want me to shop at your store or use your services, you want me to join your mailing list or give you my address, CC and phone # - I expect at the least, for that information to be kept secure.
The point I was making is that everyone should assume their data is already compromised. The weakest link will always be an issue, and in many cases it is one you cannot control - the government.
As everyone always says about these types of things. We are not the target market so to speak.
Joe user doesn't know to read HN and gets their news from the TV IF they happened to be watching when it was covered.
I'm agreeing with you. I know we should know to be careful. But it's still not acceptable.
service or websiteName @ mydomain.com
Doesn't cover all, but at least it's something...
You can do something similar in Gmail with `email@example.com`, but a shocking number of sites ban valid characters from email addresses (intentionally?). That and a lot of clients have super annoying alias settings, so replying to such an email is a royal pain.
It's free, just give it a try!
Unique passwords (and usernames too if that is an option) are easy to manage via lastpass et al. Unique email addresses are harder but you might be able to fudge something using the "+ label" feature. But the real challenge is payment details. I'd be quite happy using Paypal everywhere if that were possible as then I'd only need to worry about Paypal getting hacked.
What I really don't like is shopping sites that require me to enter my payment details (or worse: require me to save payment details). I avoid those places in almost all cases.
Plus you get the bonus of having an auditable trace (i.e. via unique virtual cards) of who made what payment. This would be invaluable if you then want to contact the business that compromised your details. For example, in some instances they might not even be aware that they've been hacked - e.g. if they're running an off-the-shelf solution like Magento but haven't kept up with security updates.
So there are still some benefits to the aforementioned service, even aside from the topic of liability.
Would this soften the blow if they used an indirect payment system like PayPal instead of directly entering card information? Otherwise how else could you shop online?
> (or worse: require me to save payment details)
Sites actually do this?
I did say "I'd be quite happy using Paypal everywhere if that were possible". Or am I not understanding your question?
> Sites actually do this?
It used to be common years ago but few seem to these days, thankfully. I have still encountered the odd site that does though (or at least not made it clear that they do not store those details).
Also, using unique passwords as well as aliasing your email address, such as firstname.lastname@example.org, helps you isolate which breach comes from where. The spam emails you get will start having the alias on them.
Does anyone know of the efficacy of these monitoring services? If they were really even slightly more effective than even odds, I would say that consumer protection laws should require free monitoring for a longer period, say 24 months or even 36 months. Ironically though, proper monitoring means sharing all of this same personal information with a 3rd party, and then some.
I also wonder if it's just more effective to take advantage of the free credit report freezing feature, since that doesn't require me to share even more personal information with a 3rd party; and actually restricts access to personal information instead of expanding it.
Also given the potential penalties, probably companies will now start to invest more in proper IT systems.
I'm guessing this was not done either, even for EU guests.
I know they have to hold the minimum amount of information needed, and inform you clearly what they know.
But weren't they always required to announce a breach?
In this case, they discovered the breach on September 8, 2018, and announced it on 30th November, 2018. That’s 1,464 hours, a little bit more than 72.
"Once we have created this database, it is unlikely we will ever be able to tear it apart."
Jebus that seems like a long time before discovering it.
This is peak non-apology apology.
Then when I tried to log in with my new password I was rejected, saying my account is 'under audit' for suspicious activity. God dammit.
Is anyone else unable to log in?
Let's see Target is probably the most obvious parallel: $202 million in reported legal fees and other costs. $18 million to states (fines). $39 million to the financial institutions affected by the breach and a whopping $10 million for the consolidated class action lawsuit (along with the $6.75 million for plaintiffs’ attorneys fees and expenses).
Oh wait, Target annual profits are $20 billion? Never mind.
My last stay at a Starwood property was in January 2016 at the Bangkok LeMeridien.
Not that they would bother to set up a call center number for Switzerland.
Do they really expect me to call internationally at my expense to then hang in a loop for an hour or so?
On the plus side: Nothing bad happened since then.
Nevertheless I'm not impressed.
So I have to get a new passport, get a new phone number, get a new credit card, change my email address... in the US, can I sue in small claims court to recover the costs of doing these things?
> It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been
This is one of several things crypto currencies got right. You pay by pushing money to the other side.
FWIW I think the "one shot push" model of cryptocurrencies has some serious limitations which I think should be addressed by an "invoice" system - e.g. you can easily pay the wrong person, or even an address which doesn't exist and is owned by nobody! Not to mention dumb errors such as swapping the payment and tip fields. It would be better if the payee crafted a cryptogram for "please pay me (authenticated address) the sum of X", and the payer was simply generating an approval of that.
> It would be better if the payee crafted a cryptogram for "please pay me (authenticated address) the sum of X"
I would also expect a link type to evolve that browsers understand. Something like "payto:1fs8e...?amount=0.01&coin=btc" to pay 0.01 bitcoin to 1fs8e... Similar to the "mailto:user@host?subject=...&body=..." link type.
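Two of the failure modes raised above (paying an address nobody owns, and swapping the amount and address fields) can be caught on the payer's side before anything is approved. Here is an added example, not code from the thread or from any wallet, that parses a link in the commenter's sketched `payto:<address>?amount=...&coin=btc` form and verifies the address checksum. The Base58Check routine is the Bitcoin address encoding; the address in the demo is built from a constructed 20-byte hash rather than a real one, and the whitelist of coins is an assumption. (A standardised `payto:` URI scheme exists in RFC 8905, with a slightly different layout than the one sketched here.)

```python
"""Parse a 'payto:' style payment link and verify the address checksum before approving.

Added example, not from the thread. Link format follows the commenter's sketch
("payto:<address>?amount=0.01&coin=btc"); addresses and amounts here are constructed."""
import hashlib
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl, urlsplit

# Bitcoin's Base58 alphabet: no 0, O, I or l, so look-alike typos become invalid characters.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload)), base58-encoded."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    leading = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte becomes '1'
    return "1" * leading + out


def base58check_decode(addr: str) -> bytes:
    """Return the payload, or raise ValueError if a character or the checksum is wrong."""
    n = 0
    for ch in addr:
        if ch not in B58:
            raise ValueError(f"invalid character {ch!r}")
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * leading + body
    if len(data) < 5:
        raise ValueError("too short")
    payload, checksum = data[:-4], data[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("checksum mismatch")  # a typo'd or fabricated address lands here
    return payload


def is_valid_address(addr: str) -> bool:
    """A P2PKH address decodes to 1 version byte plus a 20-byte hash."""
    try:
        return len(base58check_decode(addr)) == 21
    except ValueError:
        return False


def parse_payto(link: str) -> dict:
    """Parse and validate a payment link; raise ValueError rather than guess."""
    parts = urlsplit(link)
    if parts.scheme != "payto" or parts.netloc:
        raise ValueError("not a payto: link")
    address = parts.path
    if not is_valid_address(address):
        raise ValueError("address fails checksum (typo or fabricated address)")
    params = dict(parse_qsl(parts.query, keep_blank_values=True, strict_parsing=True))
    if params.get("coin") != "btc":  # assumed whitelist of supported coins
        raise ValueError("unsupported coin")
    try:
        amount = Decimal(params["amount"])  # Decimal, never float, for money
    except (KeyError, InvalidOperation):
        raise ValueError("missing or malformed amount")  # e.g. address pasted into the amount field
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -8:
        raise ValueError("amount must be positive with at most 8 decimal places")
    return {"address": address, "amount": amount, "coin": "btc"}


def validate_payto(link: str) -> tuple[bool, str]:
    """Wrapper returning (ok, message) so a wallet UI can show the reason for refusal."""
    try:
        req = parse_payto(link)
    except ValueError as exc:
        return False, str(exc)
    return True, f"pay {req['amount']} {req['coin']} to {req['address']}"


if __name__ == "__main__":
    addr = base58check_encode(b"\x00" + bytes(range(1, 21)))  # constructed address
    print(validate_payto(f"payto:{addr}?amount=0.01&coin=btc"))
    print(validate_payto(f"payto:{addr[:-1]}X?amount=0.01&coin=btc"))   # one-character typo
    print(validate_payto(f"payto:{addr}?amount={addr}&coin=btc"))        # swapped fields
```

The checksum only protects against addresses that were never generated (typos, truncation); it says nothing about who controls a well-formed address, which is the part the "authenticated address" in the invoice idea above would have to cover.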
And when we talk about offline (paying for a restaurant or something) - isn't there a visual link type already? I am not a user of crypto. But I think I have seen barcodes or something used for this.
I have authorized bank withdrawals for paying some bills. This is the "pull" and I don't really feel all that comfortable with it. I once had an irritating issue where a no-longer-authorized withdrawal didn't stop properly.
But I also have scheduled payments, the "push" method, where my bank account will routinely send a configured amount of money to a configured account/company at a configured interval. I like this because of the control and responsibility it gives me.
Something I wish Canadian banks had was a better API for allowing me to say, "instead of paying $x each month, query the bill and pay the exact sum as long as it doesn't exceed $y".
Banks have not managed to implement a payment process for e-commerce yet. You have to log in, fill out a form, do some kind of verification, wait for a day or more... yuck! That's fine for big transfers that only occur rarely. For a quick online payment it sucks. That's why nobody is using it for this use case.
Several European countries have an easy online payment process built on top of this.
Sweden has Swish, Denmark has MobilePay, the UK has created PayM (but with little use so far), Finland and Norway have similar systems. These are mobile apps commonly used for transferring money between friends/colleagues, or paying for things from very small businesses or casual transactions. They can also be used online.
There's an example flow with screenshots in the API documentation [1 PDF] for Swish on page 7. After selecting Swish at checkout, a message is sent to the phone app; the user opens it to authorize the transaction.
(And to the GP post: the automatic payments systems in Europe come with strong guarantees. The UK one: "If an error is made in the payment of your Direct Debit, by the organisation or your bank or building society, you are entitled to a full and immediate refund of the amount paid from your bank or building society" and "You can cancel a Direct Debit at any time by simply contacting your bank or building society." — the latter is implemented with a "Cancel" button against each authorized company in my online banking.)
I had to:
* Do a phone call
* Fill out paperwork
* Wait for a new card to arrive
* Go through all services I use the card for and change it
It had the nice side effect of emailing me telling me that payment for X service had been declined, and made me think twice about renewing it (Netflix).
Also, what if you had currently been somewhere else around the globe? How would you have gotten the new card?
I guess that may have been a concern, but it wasn't for me. We could come up with any number of scenarios I'm sure, but in reality travelling with a second card covers 99% of the eventualities.
Someone had fraudulently purchased a 23andMe kit on my card (weird, right?) and I only caught it because my account was abnormally low (~250 CAD). I phoned the bank right away and they cancelled the card number, put my account on watch, reversed the charges and I was able to go into the bank and get a new card on the spot. (VISA Debit, not a CC)
It happened to my CC a year or so ago, and my wife just went through that with her debit card 2 weeks ago actually. In both cases, the bank actually alerted us about weird transactions, immediately canceled them and asked us to review online. We indicated that they weren't ours, the bank canceled our cards and sent replacements.
Now, updating services is indeed a pain. I have a policy of never saving CC information on websites (even though it would make "my shopping more convenient next time" as they say). I do that for safety reasons, even though I have close to no illusion that they probably still keep it in their DB even when I decline. So for me it didn't really disturb my workflow when paying bills and all.
Why would you need to fill out paperwork? This seems to strictly be a problem with your financial institution and not with fraud.
>* Wait for a new card to arrive
I had my card replaced today because of fraud; my current card will work until I activate the new card, which was overnighted (internationally, even) and should arrive Monday.
I don't think that's a big issue.
> * Go through all services I use the card for and change it
All the services which I have subscriptions with seem to automatically update when I get a new card.
If the process of replacing your card is a hassle, your financial institution is fucking you over. It has nothing to do with fraud.
People are answering your trick question, and now you’re being argumentative. Your point has been (poorly) made, time to let it go.
Most of my bills are automatically paid on the card, so I had to update my payment information on ~20 sites. At 2-3 minutes per site (optimistic really), plus the fact that one site requires I fax in the request, means it easily took me over an hour.
Why would you need to wait a week? I've always had my cards shipped overnight with fedex international first or equivalent.