ref: trivial case of skimming, harvesting, eavesdropping standard business process data for "replay attacks" ... being able to use the information for fraudulent transactions that...

ref: one of the ancillary issues in harvesting-skimming-eavesdropping of static data shared secrets or any kind of static data shared secrets are the security breaches and data breaches by insiders. insiders have repeatedly shown to be the major threat for id theft, id fraud, and account fraud; long before the internet and continuing right up thru the internet era to the present time.

one method to plug some of the security breaches and data breaches is by moving to multi-factor authentication (i.e. the static data authentication repositories are augmented) where at least one factor involves some sort of dynamic information (impersonation isn't possible by copying existing repository of authentication and transaction information). this can help minimize the insider threat which has been responsible for the majority (possibly 75 percent or more) of id theft, id fraud, and account fraud.

my slightly related, old standby about security proportional to risk

however, it can make the attackers move from focusing on the backend ... to attacking the origin of the transaction and authentication ... including the environment that any authentication takes place in.

one of the other countermeasures for attacks on the backend infrastructure (security breaches and data breaches) is encryption. however, encryption is not going to be very effective if the encrypted repositories are required (unencrypted) by a large number of different business processes and insiders (aka insiders have always represented the majority of the threat). this is somewhat my repeated comment that the planet could be buried under miles of cryptography and still not be able to effectively stem such exploits.

misc. random past posts mentioning even miles deep cryptography may not be able to halt the leakage of various kinds of information (and therefore you have to change the nature and use of the information, so that even if it leaks, it can't be used for fraudulent purposes):

--
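An added example, not part of the original post: it contrasts a static shared secret with one form of dynamic authentication information, so that a copied repository record or a replayed wire value is rejected. The post names no mechanism; a Lamport-style one-time hash chain is assumed here, and all class names, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Apply h to seed n times."""
    for _ in range(n):
        seed = h(seed)
    return seed

class StaticVerifier:
    """Repository holds the same static value the user presents."""
    def __init__(self, secret: bytes):
        self.record = secret
    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self.record)

class ChainVerifier:
    """Repository holds only the last accepted value of a hash chain."""
    def __init__(self, anchor: bytes):
        self.record = anchor
    def verify(self, presented: bytes) -> bool:
        if not hmac.compare_digest(h(presented), self.record):
            return False
        self.record = presented  # each value is accepted exactly once
        return True

def demo() -> dict:
    out = {}
    # Static case: constructed account secret.
    static = StaticVerifier(b"constructed-static-secret")
    copied = static.record                      # insider copies the repository
    out["static_copy_accepted"] = static.verify(copied)
    # Dynamic case: constructed seed that stays at the origin of the transaction.
    seed, n = b"constructed-client-seed", 100
    dyn = ChainVerifier(chain(seed, n))
    copied = dyn.record                         # insider copies before login
    first = chain(seed, n - 1)                  # value sent on the wire
    out["legit_first"] = dyn.verify(first)
    out["replay_accepted"] = dyn.verify(first)  # eavesdropper replays it
    out["old_copy_accepted"] = dyn.verify(copied)
    out["new_copy_accepted"] = dyn.verify(dyn.record)  # copy taken after login
    out["legit_second"] = dyn.verify(chain(seed, n - 2))
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The seed never reaches the backend, which is why the remaining exposure sits at the origin of the transaction, as the post notes.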