Log-in | Register Username:   Password:   forgot password? Logged in as | Log-out

blog home blog structured search InfoWorld power search InfoWorld metadata explorer The Screening Room all screencasts popular / general-interest screencasts Friday podcasts Friday podcasts with transcripts Friday podcasts: RSS feed all podcasts all blog items LibraryLookup subscribe with rss: send Jon an email: reading list as opml reading list as html

<<  Monday, June 20, 2005  >> Reducing the attack surface area of credit card data Whenever another batch of millions of credit card numbers is compromised, as happened again recently, the same reactions predictably ensue. Security experts climb out of the woodwork offering interviews on how to harden computers and networks. Payment processors acknowledge mishandling of records. But nobody talks about reducing the attack surface area so that when systems are breached, and when procedures aren't properly followed, the consequences are far less severe. The phrase "attack surface area" shows up mostly in the context of Microsoft's efforts to increase the inherent security of its products by doing the things everybody said they should have been doing all along: running by default with the fewest possible services, and with the least possible privileges. Reducing attack surface area is a general strategy, though. The simple single sign-on technique I've been writing about recently is a variation on the theme. Giving websites derivatives of valuable passwords, rather than the valuable passwords themselves, limits your attack surface area. In the realm of payment processing, a similar idea has been floating around for a long time. It's been six years since I first mentioned the notion of one-time credit card numbers in a couple of columns. Why haven't we advanced this story? There are two main arguments. First, with minimal to no liability for losses related to unauthorized purchases, U.S. cardholders aren't feeling much direct pain. Second, no alternate scheme approaches the convenience of the current one. Both arguments are really lame. Can't we do better? Somebody will. Absorbing losses isn't a great business plan, and neither is operating a system that is demonstrably vulnerable. Convenient one-time credit card numbers -- available not only in your browser for online purchases, but in your wallet for store purchases -- will make some entrepeneur rich, and will make a lot of people feel safer. More generally, we need to internalize the underlying concept. Whenever we transmit or store a datum of permanent value, we expose it to attack. So, wherever we don't have to, let's not do that.

Recent Entries Why can't Johnny download? Because he's stuck in a semantic muddle. Justifying the feel-good labels Screen-sharing's long tail Why can't Johnny download? A conversation with Rajiv Gupta about fine-grained access control XBRL use cases: better late than never Tantalizing hints of the Knowledge Navigator Denise Getts wires the web Beyond the election news cycle A conversation with Jim Russell about the Pittsburgh diaspora The SALT talks All roads lead to VNC Mobile speech recognition The Screening Room #10: Dabble DB Scaling the Tufte effect A conversation with John Schneider about Efficient XML What's the video threshold for face-reading? So many social networks, so little time Conversational dynamics in the blogosphere Intense, simple, active demonstrations A conversation with Cricket Liu about the Domain Name System Drowning in a rising tide DRM by asking nicely In search of non-gratuitous 3D A conversation with Mark Ericson about communications-enabled business processes Levelator! Talk to the avatar WordPress for loosely-coupled comments, part 2 Compound documents for the web A conversation with Ellen Ullman about living close to the machine At the Paris SOA Forum ID card anthropology Second Life, MTurk, and on-demand education The Screening Room #9: Windows Live Writer A conversation with Tim Fahlberg about mathcasts, clickers, and the future of education A conversation with Jeff Bezos about Amazon web services Kim Cameron on why business protocols aren't user-centric yet Show me my account activity! WordPress as a loosely-coupled comment engine How translucency could defuse the Turnitin/McLean High controversy A conversation with Cyril Houri about annotating the planet using a GPS/WiFi/cellular hybrid Turk work Screencasting of tacit knowledge Ongoing discussion of translucency and selective disclosure Half-baked ideas Google Earth live and in realtime The politics of data control Audio editing on the move A conversation with Phil Windley about identity in the real and virtual worlds

Sponsored Technology Links
Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit CA - Manage your IT more effectively. Efficient - Flexible - Compliant CA - Plan better, manage better. Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. Rackspace - Fanatical Support Promise: Live Support 24x7x365 HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW Collabnet - Virtual Test Lab Automation: Manage development infrastructure HP - StorageWorks All-in-One Storage Systems. hp.com/betterstorage HP - Improve Resource Utilization and Lower Operating Costs Ipswitch - WhatsUp Gold V12 - network management & monitoring for any size network. HP - Webcast: 5 Things You Need to Know About Storage Virtualization Xerox - Typhoon 8860: Enter to win a Xerox PhaserTM 8860 network color printer! BEA - Webcast: Dialing up Agility with Business Transformation Verisign - Protect Your Data with SSL HP - Speed, agility, flexibility - The HP BladeSystem c-Class. InterSystems - Development, integration, BPM, and BAM together in Ensemble Citrix - Need simple, low cost server virtualization? Xerox - Enter to win a Xerox Phaser(TM) 6180 network color printer! Mindreef - Key Strategies For SOA Testing		Citrix - Go green.Virtualize servers with Citrix XenServer(TM) - FREE Citrix - Instant server virtualization. Citrix XenServer(TM) - Free! HP - Virtualization: A Step by Step Approach to Success Microsoft - Tech-Ed 08|Microsoft's largest tech conference|June 08 in Orlando Neterion - The Missing Piece of Virtualization Seagate - Maxtor OneTouch(tm) 4 Mini backs up your PC on the go Box.net - Upgrade Your Classic Collaboration Tools Overland Security - The Data Protection You've Been Looking For Lefthand Networks - Free White Paper on Matching Server & Storage Virtualization Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Tripwire - Secure your virtual and physical environments with the same software. Crosscheck Networks - Accelerate Your SOA Projects Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM Microsoft - Microsoft Forefront security products for business. Learn more. Oracle - Fueling the Responsive Enterprise Microsoft - Meet Windows Server 2008. The server unleashed. Microsoft - Tech-Ed 08|Microsoft's largest tech conference|June 08 in Orlando Microsoft - {Open Source} Heroes Happen Here Xerox - Enter to win a Xerox Phaser(TM) 6360 network color printer! Vizioncore - Vizioncore has solutions for virtually any virtual need.

	HOME  NEWS  BLOGS  PODCASTS  VIDEOS  TECHNOLOGIES  TEST CENTER  EVENTS  CAREERS  IT EXEC-CONNECT	About | Advertise | Awards | RSS | Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist