Risks Digest is a great source of information about the everyday risks the we face. Often, it carries examples of privacy risks. The latest issue contains a submission about an insecure practice that ... though sensitve personal information is collected securely using web-browser encryption, the information then treated pretty causally.
The Risks Digest Volume 23: Issue 68:"HTTPS .ne. secure
Fri, 21 Jan 2005 7:25:35 -0500
I recently filed a change of address for some Qwest stock I own. Qwest uses
The Bank of New York (www.stockbny.com) to manage stock accounts, so I went
to their web page, and filled out the form using name, address, SSN, and
account number. Checked for the padlock indicating HTTPS, and convinced
there was *some* degree of due diligence, submitted the form. The
confirmation screen starred out all but the last four digits of the SSN
(i.e., ***-**-9999), which seemed reasonable.Last night I got back an e-mail that they couldn't process my change request
(the reason is unimportant), and included in the text of the message my
name, e-mail address, account number, and SSN. No stars this time to shield
sensitive information. Seems like a pretty useful e-mail to intercept!What kind of security policies allow including this sort of information?
The security & privacy policies don't say anything about safeguarding
customer information.If anyone has a privacy/security contact at Bank of New York, I'd certainly
be interested in talking to them!(This is certainly not a new type of problem; see RISKS 21.83 for another
example I wrote about 3 years ago.)"
Posts
0 comments:
Post a Comment