<?xml version="1.0"  encoding="UTF-8"?>
	<rss version="2.0">
		<channel>
			<title>Comments to Interview: Ex-hacker Mitnick On Avoiding Fraudsters</title>
			<link>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/</link>
			<description>User submitted comments to Practical Ecommerce's article entitled Interview: Ex-hacker Mitnick On Avoiding Fraudsters</description>
			<language>en-us</language>
			<copyright>Copyright 2007 Confluence Publishing</copyright>
			<lastBuildDate>Wed, 02 Apr 2008 23:29:38 -0600</lastBuildDate>
			<docs>http://www.practicalecommerce.com/rss/</docs>
			<generator>Practical Ecommerce v2.0.1</generator>
			<category>Ecommerce</category>
			<managingEditor>kmurdock@practicalecommerce.com</managingEditor>
			<webMaster>bgetting@practicalecommerce.com</webMaster>
			<ttl>60</ttl>
			<item>
			<title>Jim</title>
			<link>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/#comment8367</link>
			<description>Fascinating interview. 

The social aspect of security is pretty important. I call mostly on small businesses and home users, and I am constantly amazed by the cavalier manner in which my customers treat their data. It&#039;s a rare thing for me to be refused when I ask for a password, for example. 

On the occasion when the password holder is not present but I need access to solve the problem at hand, I am often able to quickly divine a password based on what I know of the customer. 

My success rate in such cases is about 30%. But if the customer has taken any care whatsoever to use secure passwords, my chances of getting in are much, much lower. 

It&#039;s a constant problem for everyone because more secure passwords are harder to remember and keep track of - unless you keep them stored on paper or in a file somewhere. But if you do that and the file is discovered by the bad guys, your valuable data is splayed for the enemy to do whatever they want with it. 

On the other hand,...</description>
			<pubDate>Wed, 02 Apr 2008 23:29:38 -0600</pubDate>
			<guid>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/#comment8367</guid>
			</item>
			
				<item>
			<title>Michelle Greer</title>
			<link>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/#comment8296</link>
			<description>There was no mention in this article of PCI Compliance standards.  Responsible ecommerce companies spend hundreds of thousands of dollars ensuring that their customers&#039; credit card information is hosted securely.  That is what it costs to be PCI Certified, as opposed to just claiming to be compliant.  If there is no &quot;out-of-the-box&quot; solution for compliance, then why does Visa certify companies that take PCI compliance seriously?
http://usa.visa.com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

Online store owners should take security very seriously, given the costs of a breach.  However, simply throwing up scary scenarios does not inform merchants of the information that is already out there on the web:
http://www.pcicomplianceguide.org

</description>
			<pubDate>Tue, 01 Apr 2008 15:02:32 -0600</pubDate>
			<guid>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/#comment8296</guid>
			</item>
			
				<item>
			<title>Nikolas Kostakis</title>
			<link>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/#comment8284</link>
			<description>Yes, if we only knew WHAT to ask. Or what those &quot;three different technologies&quot; are and how to layer them in order to effectively guard against credit card fraud.

Soon to go live ecommerce.</description>
			<pubDate>Tue, 01 Apr 2008 11:04:04 -0600</pubDate>
			<guid>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/#comment8284</guid>
			</item>
			
				<item>
			<title>Joyce Yaffe</title>
			<link>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/#comment8278</link>
			<description>Kevin Mitnick&#039;s article is a must-read for the little guy (&amp; gals). It is an eye-opener. It is time to ask questions of those nice folks hosting your site for a good start.

Joyce Yaffe
MarinesUSA.com</description>
			<pubDate>Tue, 01 Apr 2008 08:27:21 -0600</pubDate>
			<guid>http://www.practicalecommerce.com/articles/704/Interview-Ex-hacker-Mitnick-On-Avoiding-Fraudsters/#comment8278</guid>
			</item>
			
				
		</channel>
	</rss>