Information Security

March 22, 2008

Credit Data 'Hijacked'

Or 'experts' who need to "have a take that doesn't suck"!

                            

I went on a long rant in one of my previous posts, motivated by the Hannaford Bros. Breach. Not so much because I have anything specific to say about that breach, but simply to express my view that merchants should not be storing credit card numbers in the first place.  I was not planning on saying anything else as I am not really sure what to make of the information we have been provided through the various press releases and news items.

I started to reconsider when I picked up the Friday, March 21st issue of the San Jose Mercury News (http://www.mercurynews.com/). An Associated Press article in the business section is saying this is a new type of breach, as the data was ‘Hijacked in transit’. Maybe that’s true. I don’t really know. But most of the quoted experts seem to provide more disinformation than anything else.

Aaron Bills, COO of 3Delta Systems, was quoted as saying “Catching data on the move is a bit more challenging”. The comparison made is to stealing merchandise from a truck, meaning it is easier to do if the vehicle is parked than when it is moving. I seriously hope this guy was mis-quoted. Bits are bits in this case, and the motion has almost nothing to do with the degree of difficulty in theft. At rest or in motion, theft requires some access point to the data, and networks tend to provide more access points (mirror ports, sniffers, electromagnetic taps on copper wire, etc.) than file or database servers. In fact, if encryption was being used, the ‘at rest’ variants tend to be stronger than the session based variety. And we are all guessing that encryption was not being used, and that is why all of this data was sniffed off the network.

Then we have Avivah Litan at Gartner asking the question “Would you like to sit at your gas pump for five minutes to get an authorization?” in response to why encryption is not widely used within the processing chain. Excuse me, but don’t all commercial POS systems already have encryption? Wasn’t there a mandate by most of the banks that required switching ATM & POS systems away from DES a few years back as it was a suspect algorithm? Please, educate me if I am blatantly wrong here. My point is we have had encryption in much of the processing chain for a long time, and we do not wait 5 minutes at the pump … well, except for that one Shell station on Carefree Highway that literally does take that long, and it does in fact drive me nuts, so I would give this argument credence … the problem is much of the processing chain is already encrypted and I get authorization in a few seconds in most places.

Then we have David Navetta, the president of InfoSecCompliance in Denver, saying that Hannaford was possibly tripped up by ambiguity in the PCI standard. What? Seriously? We have data breaches in the headlines every week, and we have been talking about deficiencies in PCI for a couple of years, so how could Hannaford Bros.’ custodial duties become ambiguous? Is that a variant of the ‘Twinkie defense’? InfoSecCompliance is a law firm, if you didn’t guess.

I must give props to Richard Gorman of Vormetric for providing the sole rational quote: “…need to wake up to the fact that they need to encrypt information along every step”.

These stories and many of the quotes are just weird. I’ll chalk this up to more ‘Journalism 2.0’.

February 29, 2008

Software or Appliance?

When choosing a security solution, what you need to consider.

                            

If you want to have custom software developed, who would you contact? If you needed a database security product, who would you call?  The database vendor?  A big security vendor?  A small security startup? Would Cisco or Juniper make your list?   

 

It’s an interesting question to which I am always looking for input or perspective. I certainly have some ideas on the subject, but as every company environment is different there is no ‘right’ answer for the market in general. You can however weed out a few things you should NOT do. What got me in a recent snit was discovering that a couple of companies who have purchased network and/or appliance based database security solutions are less than happy. OK, no surprise, but when I learned that these same companies had contacted their vendors to write custom software to overcome the issues I just about blew a gasket. Why on earth would you work with an appliance vendor to make software, especially network appliance people working on database software? That is absolutely nuts!

 

Some background: When IPLocks introduced the Database Monitoring Suite, the competition was mostly network based Intrusion Detection Systems (IDS) and agent based System Event Management (SEM) vendors. Over time, the IDS evolved into more database aware network solutions, and Database Activity Monitoring (DAM) was born. Later, as these network based DAM appliances missed too many events, the Appliance/Agent DAM combo arrived on the scene. It still falls short, so now we are seeing the migration from network appliance to full blown software solution.

 

Why?

 

#1 Cost – The biggest reason. Those $100k appliances are an expensive way to cover databases, and in a geographically dispersed environment, simply untenable.

#2 Unfit for purpose.  The market has changed, and no matter how many appliances you throw at the problem, they are not going to address PCI compliance.

#3 Virtualization can obviate network scanners. If you are not thinking along these lines, you need to be. Depending upon your virtualization model, you may render your IDS and DAM appliances completely irrelevant. 

#4 Context. Peer based software solutions do not miss transactions that are invisible to network sniffers, and can be invisible to external protocol based agents as well. Peerage to the database not only addresses this deficiency but also provides a referential medium for dynamic adjustments to remediation.

#5 Flexibility of software. The network is a simple ‘lowest common denominator’ on which to build a quick and cheap scanner, but appliances do not adapt as quickly as software, which can be adjusted with far less time and money as IT environments change.

Software development should not be taken lightly

I have been preaching for a long time that for certain types of issues, looking at the network is an efficient way to provide security, but wholly unfit for other types of security. Typically packet inspection is inappropriate for database security and compliance. The lack of visibility into all activity and the lack of contextual understanding require a solution that is above the network layer, or at least a combination of network and peer based scrutiny. But this is not just about market appropriateness!

While the software architect in me has been very amused, smug even, as I watch other vendors alter their architecture every 12 to 18 months, there is a different dimension to this.  IPLocks experimented with appliances prior to our first product delivery, but dismissed the idea in 2002. We went with a software only solution and decided on our architecture at that time. However, that meant a complete systemic overhaul of engineering staff, tools and process!  Any software development manager will tell you that appropriate engineering team skill sets, QA, appropriate development processes and depth of domain experience are critical. Any single deficiency can completely break a project.  Throw architectural deficiencies on top and the migration from appliance to software, from network to database, is a very risky proposition to invest in.  

 

Don’t get me wrong, in some cases appliances are the right solution. In other cases software may be right for you.  It really depends upon your security and compliance goals, as well as the quality of the offering. But if you want database security software, asking a network monitoring vendor is really asking for trouble. 

December 11, 2007

Risk Management by analogy.

Deming's principles applied to IT security programs

Last week I sat on a panel discussing “Moving from Security to Risk Management” at the Ziff Davis 2007 Fall Security Summit in Palo Alto, California. During the course of the day I encountered many people who had not really considered Risk Management, and were having trouble with the concept or how it applied to them. I realize I have a tough time describing what it is, as there are not many similar reference points to exemplify how to think about Risk Management in the context of security programs.

 

I first encountered Risk Management about 5 years ago and saw it initially as an efficient way to implement a security program. What struck me after a few months, having studied Kaizen and Deming and participated in a number of different Total Quality Management programs earlier in my career, was that there were tremendous similarities in the motivation and processes common to both Risk Management and these quality driven programs. Both security and quality are difficult to quantify and measure internally, but metrics need to be applied. Both are often treated as a ‘thing’ or a destination, when they are in fact a cyclic process. Both are as much about people and process as they are technology, but seldom treated that way. Both need to be systemic to an organization to be effective. Both need to be implemented across the entire process lifecycle. Both are focused on efficiency in their approach to solving problems.

 

Just as a mental exercise, in 2003 I took Deming’s 14 points and converted these concepts to security, leaving the language and intention largely unchanged. I whittled down what I felt were some redundancies, but I thought I could make similar statements for a Risk Management approach. Take a look at Deming’s original 14 points below, with each substituted term shown in brackets after the original: words like ‘productivity’ become ‘security’, ‘materials’ become ‘appliance’ or ‘software’, and so on. See if you agree.

1. Create consistency of purpose toward improvement [improving security] of product and service, with a plan to become competitive and to stay in business. Decide whom top management is responsible to.

2. Adopt the new philosophy. We are in a new economic age. We can no longer live with commonly accepted levels of delays, mistakes, defective materials [software], and defective workmanship.

3. Cease dependence on mass inspection. Require, instead, statistical evidence that quality is built in, to eliminate need for inspection on a mass basis. [IT] Purchasing managers have a new job, and must learn it.

4. End the practice of awarding business on the basis of price tag. Instead, depend on meaningful measures of quality [security], along with price. Eliminate suppliers that can not qualify with statistical evidence of quality [security].

5. Find problems. It is management's job to work continually on the system (design, incoming materials [software], composition of material [system integration], maintenance, improvement of machine [hardware migration], training, supervision, retraining).

6. Institute modern methods of training on the job.

7. Institute modern methods of supervision of production workers [IT staff]. The responsibility of foremen [managers] must be changed from sheer numbers [functionality] to quality [security]. Improvement of quality [process] will automatically improve productivity. Management must prepare to take immediate action on reports from foremen concerning barriers such as inherited defects, machines not maintained, poor tools, fuzzy operational definitions.

8. Drive out fear, so that everyone may work effectively for the company.

9. Break down barriers between departments. People in research, design, sales, and production must work as a team, to foresee problems of production that may be encountered with various materials [software/tools] and specifications.

10. Eliminate numerical goals, posters, and slogans for the work force, asking for new levels of productivity [compliance] without providing methods.

11. Eliminate work standards that prescribe numerical quotas.

12. Remove barriers that stand between the hourly worker and his right to pride of workmanship.

13. Institute a vigorous program of education and retraining.

14. Create a structure in top management that will push every day on the above 13 points.

 

Granted, I am leaving out a lot of Risk Management tenets and focusing more on a conceptual model. Do you agree or disagree? Does it look like overkill? Is security another ‘type’ of quality? Do we treat security statistics as ‘numerical quotas’ and not focus on what is materially relevant? Are we in fact taking a bottom-up approach to security, when it should be top down? Does your company have management ‘buy in’ on security, or is that something for the IT department to worry about? Who gets blamed if there is a security breach? A controversial question: can improved security process result in higher productivity? Perhaps most importantly, as empowerment was fundamental to Kaizen and Deming, is there a ‘pride of workmanship’ factor within IT for security?

 

Just some things to consider.

December 04, 2007

Network World installing Spyware???

You want me to do what?  And this is a good idea why?


Did anyone else get the “Subscription Status: Qualified” email from Network World?

I received an email today informing me that I qualified for a free subscription, and to just click the link to verify. As always, I checked that the link pointed to the real domain without control characters, so it looked legitimate. Network World has some good stuff, so what the heck, I clicked the link, which takes me to a site that appears to be a legitimate Network World host. What shocked me is the link to “download the content delivery manager”, an executable that wants to install on your machine, and it launched the download. Are they out of their minds?

 

Network World, I am told, is the Leader in Network Knowledge. They even have a section on their web site about security, so presumably there are people who know, understand and practice security. Never mind whether the executable has been tampered with or not; I have no idea what is in this ‘content delivery manager’, which should be enough justification to avoid it. Keystroke logger? Is it grabbing my browser history? Scanning my registry? Turning my machine into a zombie? Is it just a download tool for content, and if so, why? Something wrong with browsers and PDF?

I can only come up with a couple possible scenarios:

  1. Social Engineering: Network World is performing a social engineering experiment to see how many people are dumb enough to install this executable.
  2. Hacked: The Network World site has been hacked and someone is spoofing their clientele.
  3. Benign Stupidity: The PR and Marketing people have never met anyone in Security and have, on their own, concocted an incredibly inept way of delivering content that may create liability (Sony Rootkit anyone?) for the company.

 

I am not claiming this thing is malicious, but I am saying this is a really bad idea.  We have all installed software we cannot fully trust, but at least when I download virus protection files or software service packs, I trust the vendor and I have a secure connection. I may even have a verifiable hash that I can compare.  Not great, but better than nothing. Why on earth would you attempt to distribute media in a method that violates good security practice? If you are an IT professional, why would you trust installing it?

I do not have a VMWare partition or machine I am willing to sacrifice to the cause. Has anyone actually installed this thing? If you have some other legitimate usage I have not thought of, please educate me.

Re: Network World installing Spyware???

Finally someone with the same reaction as me!!!

I couldn't believe that in this day and age, with Sony Rootkits and DRM and spyware and..... that a PUBLISHER would be so foolish as to require additional software just to view their content!

Hmmmm... let's take something that we've paid $XXX  to produce (sunk cost) and ERECT BARRIERS to the exposure of that material.  HUH?

Isn't it all about eyeballs & accessibility? If it's PDF, it's universally readable, ANYONE can view it on ANY platform (Win, Linux, Mac, etc...) and it doesn't require the installation of some piece of unknown software.

I get about 25 technical journals/mags, about 75% electronically, and EVERY SINGLE ONE except for Network World allows a straight download of the PDF to my computer, for perusal at my convenience.  And oh guess what?  That also means other people can also look at the periodical, which is only a GOOD thing.

Insane.

Re: Network World installing Spyware???

Completely agree. And they keep emailing it to me every day!?! I even emailed them to tell them this was a bad idea, and if there end up being security holes they introduced, they are in trouble. Their response? A clarification on how to install the download. Nice!!
 

November 29, 2007

Agents vs. No Agents

Or “Technology Requirements are expanding to meet the needs of expanding Technology Requirements”


Enterprise Management Associates produced a nice HP sponsored piece on Agent vs. Agent-less technology for Operations Management. It provides good coverage of a lot of the basic issues in deploying an Enterprise Operations Management system with the obligatory sponsor plug. I was interested in this subject as the Security vendors for Application Security, Data Loss Prevention, End Point Security, Intrusion Detection and Database Access Monitoring have all had to deal with the same questions. All these sub-segments have undergone the same maturity curve in product development and customer requirements.

 

But what popped into my head was “Is this the right question to be asking? Use of Agents vs. No Agents?” I mean, there is a business problem to be solved here, but we are so mired in the technology that our discussion of how to solve it is centered around using agents or not. The conversation seems to devolve into a technology comparison rather than a business suitability assessment, or worse, the two are equated.

 

One of my favorite people in Security, Chris Hoff, who has the gift of being able to add humor into otherwise very dry subject matter, said (paraphrasing, with appropriate sarcastic emoticon inserted here) “A few years ago I really needed a dashboard to manage all of these security functions in one place. Now I have 38 dashboards, and I need The Mother of All Dashboards to manage my dashboards”.

 

Same problem with Agents, it’s just the other side of the coin.  For almost every application or service provided in IT, several stakeholders need to audit, monitor, control or query it for a purpose other than its core function. Then we write software to automate each of these functions as well. Technology monitoring technology. Lack of a suitable public data collection framework, lack of cooperation between vendors, lack of foresight means we get multiple agents per application. Multiply that by hundreds or thousands of servers and, well, let’s not go there. We have no cohesive way to manage a bunch of data ‘sensors’ that basically all provide the same set of functions and information. 

 

Market demand, or lack of market satisfaction, has pushed security vendors to move from simple network sniffing, to agents, to peer based (agentless) Service/XML/JDBC calls, to a combination of agent and non-agent solutions with a wider variety of features and performance trade-offs. Fortunately or unfortunately, we will probably continue to have a blend of options available, choosing which is appropriate depending upon business need. But before we can discuss the business need, we need to solve the multiplicity problem. I think the real issue is that vendors of ancillary products need to unify or plug into a Common Agent Framework to avoid the multiple agent issue. We have begun to standardize on vulnerability formats (VULNXML, AVDL, OVAL) and documentation formats (DITA, XCCDF), so why not data collection?

November 13, 2007

Anonymous Database Connection Pools and Identity

A fix for adding identities to connection pools … free of charge!


For database administrators who have been around for a few years, you know what an amazing performance benefit Connection Pooling provided to database latency. The cost of establishing a database connection was, in relation to running most select statements, an order of magnitude more expensive than the select itself. Pure overhead. To mitigate this issue, database vendors provided ‘connection pools’. By creating a bunch of connection threads in advance, and sharing these connections amongst users of a single application, the speed at which queries were processed dramatically improved. You need not wait while memory is allocated or the user is (re)authenticated, but simply send the request to the database. A fast and simple solution to a basic performance problem.

 

But now you are worried about security! Connection pools, as they are pre-created before users make a request, are set up as the generic application user. They do not carry the end user’s ID or name, which therefore is typically not passed with the database transaction. So this is a problem, right? Your security officer and/or your auditors say you must know which user executed that transaction? Fear not! In most cases this is really not a security problem at all, and you have the solution at your finger tips. ‘How so’ you ask? Let me show you:

 

For Oracle, it’s something like:

CallableStatement cs = conn.prepareCall("begin dbms_session.set_identifier(?); end;");
cs.setString(1, userId);   // the application user's identity, bound as a parameter rather than concatenated into the PL/SQL block
cs.execute();

That’s it. Setting a variable in the database connection used by the application is all it takes! The user identity is usually known, just not passed. Simply pass the identity to the database connection object, and Presto! You have the user identity in the database and, more importantly, in the database audit trail. Sometimes called “Identity Propagation”, “Re-authentication” or “Connection De-anonymization”, these methods provide the necessary security information without an impact on performance.
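As an added example (not code from the post), here is the set-and-clear pattern wrapped around a standard JDBC DataSource, so that every borrowed pooled connection carries the application user's identity and gives it up when returned to the pool. It assumes Oracle's DBMS_SESSION package as on the page; the `IdentifiedConnection` class, the `countOrders` caller and the `orders` table are hypothetical names chosen for the illustration.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

/**
 * Borrows a pooled connection, tags it with the end user's identity via
 * DBMS_SESSION.SET_IDENTIFIER, and clears the tag before the connection
 * goes back to the pool so the next borrower does not inherit it.
 * The identity shows up in V$SESSION.CLIENT_IDENTIFIER and in the audit trail.
 * (Hypothetical wrapper written for this example, not library code.)
 */
public final class IdentifiedConnection implements AutoCloseable {
    private final Connection conn;

    private IdentifiedConnection(Connection conn) {
        this.conn = conn;
    }

    /** Borrow a pooled connection and stamp it with the application user's id. */
    public static IdentifiedConnection open(DataSource pool, String userId) throws SQLException {
        // CLIENT_IDENTIFIER holds at most 64 bytes; refuse bad input rather than truncating silently
        if (userId == null || userId.isEmpty() || userId.length() > 64) {
            throw new IllegalArgumentException("invalid application user id");
        }
        Connection c = pool.getConnection();
        try {
            // Bind the value; never concatenate user-controlled text into the PL/SQL block
            try (CallableStatement cs = c.prepareCall("begin dbms_session.set_identifier(?); end;")) {
                cs.setString(1, userId);
                cs.execute();
            }
        } catch (SQLException e) {
            c.close(); // hand the untagged connection straight back to the pool
            throw e;
        }
        return new IdentifiedConnection(c);
    }

    public Connection get() {
        return conn;
    }

    /** Clear the identifier first, then return the connection thread to the pool. */
    @Override
    public void close() throws SQLException {
        try (CallableStatement cs = conn.prepareCall("begin dbms_session.clear_identifier; end;")) {
            cs.execute();
        } finally {
            conn.close();
        }
    }

    /** Hypothetical caller: appUserId comes from the application's own login, not the DB account. */
    public static int countOrders(DataSource pool, String appUserId) throws SQLException {
        // try-with-resources closes the statement first, then clears and releases the connection
        try (IdentifiedConnection ic = open(pool, appUserId);
             PreparedStatement ps = ic.get().prepareStatement(
                     "select count(*) from orders where owner = ?")) {
            ps.setString(1, appUserId);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }
}
```

Any statement run between open and close is attributed to appUserId in the Oracle audit trail, while the pool keeps authenticating once as the generic application account.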

 

Need more detail? Give me a call and I will see if I can steer you through the process. I have used this with DB2 and Oracle databases, both with and without Websphere, WebLogic and other web servers, so I can provide some advice.  The web platforms use an Interface, so you have to call the underlying object, but that is only a couple extra lines of code.  The database vendors usually provide pretty good illustrations as well.

 

Yes, you could spend lots of money on someone’s software or network appliance to solve this ‘Compliance Identity Problem’, or clear this ‘Visibility Cloud’, but why?  This is faster, cheaper and more reliable. 

Re: Anonymous Database Connection Pools and Identity

How do I deal with getting this information from applications like SAP?

Re: Anonymous Database Connection Pools and Identity

Sure, I'll change all my applications, statements etc. What about software that I do not control, what would you suggest that I can do without installing an external agent or using some network appliance?

Re: Anonymous Database Connection Pools and Identity

In response to the first anonymous poster ... This is the reason for the post, as you do not need to install an agent, and it does not require a network monitor. Yes, you are changing 5-12 lines of connection code. You do not have control over this software, you say? If you are a DBA, then this is probably the right separation of duties, and someone in the applications group would need to make the change. Auditing is a company issue, so it should not fall on one person to facilitate all of the needed changes.
-
In response to the second anonymous poster, that is a good question. It will depend upon your SAP deployment configuration, but the Data Source Alias is an interface to the underlying database connection object.  SAP's intention was to make the underlying database connection object 'invisible', and so they have hidden these method calls.   The connection object will have a method called (something like) 'getVendorConection()', which will return the actual connection thread.  After you call the get method to obtain the user Id, use the setUserOnConnection() method in the connection object to pass the information to the database.  You might want to unset (erase) the value once the transaction is complete so the next user of the thread does not inherit the wrong user ID.
I am paraphrasing here, so please refer to both SAP's website and IBM's for up to date information and code snippets, and both have people who are far better with SAP applications than I am.  
      

November 06, 2007

What is Database Activity Monitoring?

A short rant on why we need to be on the same page.

Database Monitoring, Database Activity Monitoring and Database Auditing are NOT the same things.  While the goals are similar, the net results are not. Each of these concepts differ in how they work, what information is collected, and how that information is used. 

Database Monitoring, Database Activity Monitoring and Database Auditing are NOT new concepts. The former two have been available for 6-7 years, and the latter since the inception of databases.

So why is it that industry experts are all over the map and seldom agree on what these things are?  I read a paper two weeks ago, written by an Independent  Research Firm, talking about 'leaders' in database auditing.  The fundamental problem is the two 'leaders' do not actually provide database auditing.  Oops.  I hope none of you took that advice seriously.

I know that to the average consumer the differences are both unclear and, well, an unwelcome source of confusion.  But if you have a business problem to solve, and even the industry segment experts are getting it wrong, we are all in serious trouble.  Customers will not meet the business goals, and vendors are going to get a black eye for failing to deliver on promises. 

I do offer a partial solution. The clearest and most insightful discussion on this topic I have seen on any public forum is the one presented on Rich Mogull's Securosis web site. There is a series of posts on Database Activity Monitoring that go a very long way toward defining this segment and the value DAM and Database Monitoring products provide. If you are considering database security, or implementation of a program for meeting more than one compliance initiative, this series of posts is a must read. It will help set the terminology, show what types of products are available, discuss the state of the industry today, and cover some trends that can be expected in the coming 2-3 year window. Highly recommended.


Re: What is Database Activity Monitoring?  

   
   

The challenge of technology definition clarity might be better addressed by helping the IT and general market understand the array of risks and consequences they face in terms that are relevant to them. While the security industry views the risks as 'must solve' business problems, that perspective is not shared by the average CIO, CEO or John Q Public. To these the problem is one of 'might want to address' if it 'happens to me or my neighbor'.

The security industry has not adequately connected the dots between the business issue - consequence - solution - outcome. Until the CIO and CEO intellectually and emotionally understand the link between insider/external threats and EPS, this sector will continue to be Sisyphus.

Let's shift the conversation from the various assortment of technologies to what the business issue really is and how addressing these issues can improve loyalty, profitability and reputation.   That involves steering the media conversation and using behavioral micro-segmentation for marketing of security solutions.

 

Re: What is Database Activity Monitoring?

Marketmaker,

If I read your post correctly, you are saying not only are we not solving the business issues, but security point solutions are unable to improve loyalty and reputation because of the approach. 

While a business problem may drive a particular security initiative, there is not a business as a whole view, nor is there a strategic view.  One week  some PC's are infected with a virus, so for the next 3 months we are going to make sure this never happens again.  Then a laptop was stolen, so for the next quarter we are going to encrypt all laptops.  And so we keep rolling that rock.  Empathy and understanding from the executive team is yet another issue far beyond the scope of what I could cover here.

You raise an issue about loyalty, brand and satisfaction that I had not considered. Since many of these products tend to be more security problem focused instead of business problem focused, IT and business speak of the same issue in different terms, and deal with the issues differently. A genuine disconnect. Most products have a customer base that understands their value, and they can market to their advantages. "Quality is Job 1" is fine because everyone knows what a car is, what value it provides and why we need one (or want a better one). Not so with database monitoring. IT tends to be a mysterious black box to those outside, and in fact promotes this. I understand you don't want someone looking over your shoulder while you work, but I think getting transparency into IT processes and controls will actually help couple the business problem with the technical solution.

Thanks for the post!  

October 12, 2007

Security Program Simplification

Rich Mogull has been posting a lot of really great security related strategy items over on his www.securosis.com blog lately. Most are fairly abstract and philosophical in nature, but provide a future vision of the security industry that many, including myself, share. However, one of the posts was a kind of anti-strategy, and it had me confused at first. I could not figure out what he was trying to do. But then it dawned on me, he was attempting to simplify the basic approach to one of the most basic security problems: “Where do I start”.

 

I have a couple of goals with this blog site, one being that I want to help simplify some of the security concepts, solutions and processes for those who have not spent the better part of the last 12 years researching security. I have been so entrenched in attempts to create a holistic approach to security, threat modeling, data security, risk assessment, compliance frameworks and security guidelines that I tend to forget that one of the basic problems is the complexity we created when coming up with a model to deal with a breadth of security issues. These models are an impediment to getting others to participate in solving security issues. This particular post by Rich is trying to tackle this problem by giving someone a realistic starting point for addressing a common security goal.

 

As a programmer, I was taught to take a top down approach in both design and implementation. Think through the various problems and create a unified strategy.  That is conceptually the most efficient method. In practice, this will often fail due to the sheer size and complexity of projects we undertake. As a compliance project, if you have ever read CobIT and considered an enterprise IT implementation plan, you will fully understand what I mean. Pulling another page from my programming background, I offer a parallel example in the origins of Agile Project Management (See “Agile Project Management with Scrum” by Ken Schwaber, Microsoft Press) as a method to reduce complexity in the security implementation process. Complexity is identified as a project killer of software development efforts, and no different in security projects. Agile, in a nutshell: pick a small but important problem, address it, repeat. Sounds simple. It is. But it is also effective.


Many of my peers complain about the problem of how the heck to get the IT, Security and Audit teams to work as a single group to tackle compliance problems like Sarbanes-Oxley and PCI-DSS. Three different groups, three different sets of incentives, three different vocabularies, and the complexity of the issues further compounds the problem and leads to a spectacularly common set of frustrations. I suggest that, if you are about to undertake a security project of any scope, you check Agile Project Management out, as it will help with people and process at the very least.


I will offer additional simplification to both concepts and processes in future posts.  As to what Chickens and Pigs have to do with this post, I offer you this. 

October 11, 2007

Data Security as a Customer Service

This is a long post, so I apologize in advance. Something else occurred to me after I made the earlier post on ‘Problem Customers’: the concept that data security should be considered a customer service. If I am paying for a service, the vendor and I establish a trust relationship. I trust that you will provide me a valuable product or service, and you trust that I will pay you for that product or service. To protect the merchant, either an up-front payment or some personal information that provides a means to ensure payment is provided. But once the merchant has that information, the customer trusts that the merchant will keep it safe and take care of their confidential information.

During my many hours on the phone with the ‘Customer Care’ organization I mentioned in the previous post, I struck up a few friendships along the way. My first was with an account representative who happened to be a former database administrator, under-employed since the technology market crash. When I asked him about the ‘social number thing’ he said ‘they got to have it’. But he added that ‘the entire database is keyed from the social security number, so all the tables require SSN for a unique identifier’. Subsequent calls to other customer service representatives confirmed this was true, and that the SSN was visible to the customer service representatives.

Having worked with databases for the last 20 years, I know exactly what he was talking about. I used to do that too, back in the 1980s, before anyone had heard of identity theft. Using the Social Security Number as the primary database key was a common method of making sure a customer was only in the database once. It’s somewhat akin to the Y2K issue of using two digits to represent the year, and time would show us that both were bad ideas. This practice is all but extinct now, and there is no longer a good technical reason, and probably no good security reason, to use Social Security Numbers. If you are going to collect this data, you had better have a darn good reason for it. Uniquely identifying a customer is not one of them.
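As an added example (not code from the original post), here is the “keyed on the SSN” layout described above beside a redesign that keys every table on a surrogate id, holds the SSN in one table as last-four plus a keyed hash for the one-row-per-person check, and gives the service desk a view that never exposes it. The table, column and secret names are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3
# Constructed secret for the keyed hash; in practice it lives in a KMS/HSM, never in the DB.
PEPPER = b"example-only-pepper"
# Legacy layout from the post: every table is keyed on the SSN, so every query (and every rep) touches it.
LEGACY_SCHEMA = """
CREATE TABLE customer (ssn TEXT PRIMARY KEY, name TEXT);
CREATE TABLE invoice (invoice_id INTEGER PRIMARY KEY, ssn TEXT NOT NULL REFERENCES customer(ssn), amount REAL);
"""
# Redesign: a surrogate customer_id keys everything; the SSN is held once, as
# last-four plus a keyed hash, and the service desk view shows only the last four.
REDESIGNED_SCHEMA = """
CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE invoice (invoice_id INTEGER PRIMARY KEY,
                      customer_id INTEGER NOT NULL REFERENCES customer(customer_id), amount REAL);
CREATE TABLE customer_ssn (customer_id INTEGER PRIMARY KEY REFERENCES customer(customer_id),
                           ssn_last4 TEXT NOT NULL, ssn_hmac TEXT NOT NULL UNIQUE);
CREATE VIEW service_desk AS
    SELECT c.customer_id, c.name, s.ssn_last4, i.invoice_id, i.amount
    FROM customer c JOIN customer_ssn s USING (customer_id)
    LEFT JOIN invoice i USING (customer_id);
"""

def open_db(schema: str) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    return conn

def ssn_fingerprint(ssn: str) -> str:
    # Keyed hash, not a plain digest: nine-digit SSNs are trivially enumerated
    # from an unkeyed hash, so the key must stay outside the database.
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()

def add_customer(conn: sqlite3.Connection, name: str, ssn: str):
    # New customer_id, or None if the SSN is already enrolled (UNIQUE hash enforces one row per person).
    try:
        with conn:  # both inserts commit together or roll back together
            cid = conn.execute("INSERT INTO customer (name) VALUES (?)", (name,)).lastrowid
            conn.execute("INSERT INTO customer_ssn VALUES (?, ?, ?)",
                         (cid, ssn[-4:], ssn_fingerprint(ssn)))
        return cid
    except sqlite3.IntegrityError:
        return None

def columns_of(conn: sqlite3.Connection, relation: str) -> list[str]:
    # relation is a code constant here, never user input
    return [row[1] for row in conn.execute(f"PRAGMA table_info({relation})")]
```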

What I was worried about at the time was that many other data mining and telemarketing companies used the SSN as their unique key to user identity in the database. The service companies that collected the information ‘required’ it, as it raised the value of the data they would later resell to these other firms for marketing or sales intelligence. The idea for the company was to make customer care a profit center by giving it a way to generate revenue. But to the consumer it meant the ubiquitous dinner-time sales call. Since it was something I was given the option of opting out of, I chose not to give it out. My desire for privacy is the reason I am not keen on providing this information to be sold as a commodity on some secondary information market without my permission.

My viewpoint is that this focus on the bottom line without regard for the customer is a problem. You take care of your customer, and part of the way you do that is by protecting their information and not requiring them to bear the burden of poor data security. You also do so by not subjecting them to marketing and sales calls. A desire to provide quality customer service should include a willingness to treat the information as you would the customer. After all, collecting this information provides little benefit to the customer; rather, it protects the business from fraud. There is an assumed custodial responsibility on the business’s part to keep that information safe.

There are several telltales in the way a company treats its customers that are warning signs: collecting and storing sensitive information not needed to provide the service; selling or sharing customer information outside your organization and outside of the customer’s control; a ‘Customer Care’ automated phone system offering dozens of automated ways to “pay now”, but few to zero ways to get a person to help you. I am sure the readers out there could offer a few telltales of their own.

As a “Customer Care” activity, disconnecting users who request service too often is what I consider another telltale of a lack of care. Do you think that the 2/10ths of one percent of their customer base they told to go elsewhere was the lunatic fringe, or were they simply the vocal minority who had the time and energy to point out the service provider’s flaws? In my mind, it begs the question: were these the customers who, as the Yahoo! News article states, “repeatedly asked for information about other people's accounts”, or were they simply asking “Do you treat all your customers this way?”

If you care for your customer, take care of their information as well.