The following message is a courtesy copy of an article that has been posted to bit.listserv.ibm-main,alt.folklore.computers as well.
[EMAIL PROTECTED] (Ed Finnell) writes:
> They do, but my suspicion is that in multi-tiered model some things
> got overlooked in the PCI/HIPAA redesign-all those bytes, so little time!

previous post (in this thread)
http://www.garlic.com/~lynn/2008i.html#97 We're losing the battle
http://www.garlic.com/~lynn/2008i.html#99 We're losing the battle

mentioned a post in an information security blog. the main part of that particular blog thread was related to the majority of the breaches that get in the news (something that PCI has been targeted at addressing). the thread started out regarding a study that found something like 84% of IT managers believe they need to comply with breach notification and 61% don't even believe they should notify law enforcement. parts of the thread are repeated here
http://www.garlic.com/~lynn/2008i.html#21 Worst Security Threats?

after working on what is now frequently referred to as *electronic commerce* (mentioned earlier in this thread), we were brought into the x9a10 financial standard working group, which in the mid-90s had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. as part of that we did detailed end-to-end risk, threat, and vulnerability studies. a couple of highlights:

1) security proportional to risk ... crooks/attackers may be able to outspend defenders 100-to-1. the information for the crooks is basically worth the value of the account balance or credit limit. the information for the merchants is basically worth some part of the profit off the transaction. the value of the information to the crooks may be worth 100 times more than the value to the merchants ... as a result, the crooks may be able to outspend the defenders 100 times over in attacking the system. traditional military lore has something like attackers needing 3-5 times the resources to attack a fortified fixed position. potentially being able to marshal 100 times the resources almost guarantees a breach someplace.

2) account number and transaction information have diametrically opposing security requirements ... on one hand the information has to be kept confidential and never used or divulged (countermeasure to the account fraud flavor of identity theft). on the other hand, the information is required to be available for numerous business processes as part of normal transaction processing. we've periodically commented that even if the planet was buried under miles of information-hiding cryptography, it still couldn't prevent information leakage.

so one of the things done in x9a10 as part of the x9.59 financial transaction standard was to slightly tweak the paradigm ... making the information useless to the attackers. x9a10 & x9.59 didn't address any issues regarding eliminating breaches ... it just eliminated the threat/risk from such breaches (and/or information leakage).
http://www.garlic.com/~lynn/x959.html#x959

now the major use of SSL in the world today is that previously mentioned stuff now frequently referred to as *electronic commerce* ... where it is used to hide account number and payment transaction information. the x9.59 financial standard effectively eliminates that SSL use, since it is no longer necessary to hide that information (as a countermeasure to the account fraud form of identity theft).

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
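The "tweak the paradigm" point above (point 2) is easier to see in code than in prose. The following is an added illustration, not code from the post, from x9a10, or from the x9.59 standard itself: it assumes the general shape of that approach, namely that every payment carries a signature made by a key held only in the consumer's card, and that the issuer authorizes solely on that signature. Under that assumption, an attacker who steals the complete transaction record (account number, merchant, amount, even the signature) from a breached merchant gets nothing usable: the amount cannot be altered, the record cannot be replayed, and the account number alone does not let the attacker sign a new transaction. The account number, merchant name and amounts are constructed sample data; ed25519 is used here only because it is in the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is everything the merchant, the processor and any log sees.
// Nothing in it is secret: the account number is only an identifier, and the
// signature proves that the card's private key approved exactly these fields.
type Transaction struct {
	Account  string
	Merchant string
	Amount   uint64 // in cents
	Nonce    uint64 // unique per card, so a captured record cannot be replayed
	Sig      []byte
}

// canonical returns the bytes the signature covers. NUL separators and
// fixed-width integers keep "ab"+"c" from colliding with "a"+"bc".
func (t Transaction) canonical() []byte {
	b := make([]byte, 0, len(t.Account)+len(t.Merchant)+18)
	b = append(b, t.Account...)
	b = append(b, 0)
	b = append(b, t.Merchant...)
	b = append(b, 0)
	var n [16]byte
	binary.BigEndian.PutUint64(n[:8], t.Amount)
	binary.BigEndian.PutUint64(n[8:], t.Nonce)
	return append(b, n[:]...)
}

// Card stands in for the consumer's signing token; the private key never leaves it.
type Card struct {
	Account string
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	nonce   uint64
}

func NewCard(account string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{Account: account, priv: priv, Pub: pub}, nil
}

// Sign authorizes one payment to one merchant for one amount.
func (c *Card) Sign(merchant string, amount uint64) Transaction {
	c.nonce++
	t := Transaction{Account: c.Account, Merchant: merchant, Amount: amount, Nonce: c.nonce}
	t.Sig = ed25519.Sign(c.priv, t.canonical())
	return t
}

var (
	ErrUnknownAccount = errors.New("unknown account")
	ErrBadSignature   = errors.New("signature does not verify")
	ErrReplay         = errors.New("nonce already used")
)

// Issuer holds the public key registered for each account and the nonces it
// has already honored. It needs no secret from the merchant to decide.
type Issuer struct {
	keys map[string]ed25519.PublicKey
	seen map[string]map[uint64]bool
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, seen: map[string]map[uint64]bool{}}
}

func (i *Issuer) Register(c *Card) {
	i.keys[c.Account] = c.Pub
	i.seen[c.Account] = map[uint64]bool{}
}

// Authorize accepts a transaction only if the registered key signed exactly
// these fields and the nonce has not been used before.
func (i *Issuer) Authorize(t Transaction) error {
	pub, ok := i.keys[t.Account]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, t.canonical(), t.Sig) {
		return ErrBadSignature
	}
	if i.seen[t.Account][t.Nonce] {
		return ErrReplay
	}
	i.seen[t.Account][t.Nonce] = true
	return nil
}

func main() {
	card, _ := NewCard("4000-1234-5678-9010") // constructed sample account number
	issuer := NewIssuer()
	issuer.Register(card)

	legit := card.Sign("bookstore", 2599)
	fmt.Println("legitimate:", issuer.Authorize(legit)) // <nil>

	// The attacker holds the whole record from a breached merchant database.
	altered := legit
	altered.Amount = 999999
	fmt.Println("altered amount:", issuer.Authorize(altered)) // signature does not verify
	fmt.Println("replay:", issuer.Authorize(legit))           // nonce already used

	// Knowing the account number alone buys nothing: a foreign key is rejected.
	thief, _ := NewCard(card.Account)
	fmt.Println("attacker's key:", issuer.Authorize(thief.Sign("fence", 500))) // signature does not verify
}
```

The design choice worth noticing is what the issuer does not check: it never asks whether the account number was kept secret, because secrecy of the account number no longer matters. That is what lets the confidentiality requirement in point 2 be dropped while the availability requirement is kept, and why the post says the SSL use in this particular flow becomes unnecessary.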

