Risks Digest is a great source of information about the everyday risks that we face. Often, it carries examples of privacy risks. The latest issue contains a submission about an insecure practice that ... though sensitive personal information is collected securely using web-browser encryption (HTTPS), the information is then treated pretty casually once it is inside the organisation.
The Risks Digest Volume 23: Issue 68: "HTTPS .ne. secure
Fri, 21 Jan 2005 7:25:35 -0500
I recently filed a change of address for some Qwest stock I own. Qwest uses The Bank of New York (www.stockbny.com) to manage stock accounts, so I went to their web page, and filled out the form using name, address, SSN, and account number. Checked for the padlock indicating HTTPS, and convinced there was *some* degree of due diligence, submitted the form. The confirmation screen starred out all but the last four digits of the SSN (i.e., ***-**-9999), which seemed reasonable.
Last night I got back an e-mail that they couldn't process my change request (the reason is unimportant), and included in the text of the message my name, e-mail address, account number, and SSN. No stars this time to shield sensitive information. Seems like a pretty useful e-mail to intercept!
What kind of security policies allow including this sort of information? The security & privacy policies don't say anything about safeguarding customer information.
If anyone has a privacy/security contact at Bank of New York, I'd certainly be interested in talking to them!
(This is certainly not a new type of problem; see RISKS 21.83 for another example I wrote about 3 years ago.)"
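The submission describes a gap between two output channels: the confirmation screen masked the SSN, but the follow-up e-mail template did not. The example below is added here to illustrate that point; it is not code from the Risks submitter, from Bank of New York, or from any real system. It assumes a small fictitious account record and two hypothetical template builders: one that reproduces the unmasked e-mail described above, and one that applies the same masking the confirmation screen used. It also adds an outbound check that refuses to release a message containing a full SSN-shaped token, which is the control that would have caught this before the e-mail left the building.

```python
import re
from dataclasses import dataclass


@dataclass
class AccountRecord:
    """Minimal stand-in for a stock-account record (hypothetical fields)."""
    name: str
    email: str
    account_number: str
    ssn: str


# Constructed sample data; every value here is fictitious.
SAMPLE = AccountRecord(
    name="Jane Doe",
    email="jane.doe@example.com",
    account_number="12345678",
    ssn="123-45-6789",
)

# A full SSN written with hyphens or spaces (###-##-#### / ### ## ####).
# A masked value such as ***-**-6789 has no three-digit prefix, so it never matches.
SSN_RE = re.compile(r"\b\d{3}[- ]\d{2}[- ]\d{4}\b")


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, exactly as the confirmation screen did."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def mask_account(acct: str) -> str:
    """Show only the trailing four characters of an account number."""
    return "*" * max(len(acct) - 4, 0) + acct[-4:]


def build_notice_unsafe(rec: AccountRecord) -> str:
    """The pattern the submission describes: raw identifiers dropped into the e-mail body."""
    return (
        f"Dear {rec.name},\n"
        "We could not process your change-of-address request.\n"
        f"Account: {rec.account_number}\n"
        f"SSN: {rec.ssn}\n"
    )


def build_notice(rec: AccountRecord) -> str:
    """Same message with the masking applied consistently across channels."""
    return (
        f"Dear {rec.name},\n"
        "We could not process your change-of-address request.\n"
        f"Account: {mask_account(rec.account_number)}\n"
        f"SSN: {mask_ssn(rec.ssn)}\n"
    )


def find_unmasked_ssns(text: str) -> list[str]:
    """Scan an outbound message body and return every full SSN-shaped token found."""
    return SSN_RE.findall(text)


def release_for_sending(text: str) -> tuple[bool, list[str]]:
    """Gate before the mail relay: (True, []) if clean, (False, findings) if a full SSN is present."""
    findings = find_unmasked_ssns(text)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    for label, body in (("unsafe", build_notice_unsafe(SAMPLE)), ("masked", build_notice(SAMPLE))):
        ok, findings = release_for_sending(body)
        print(f"{label}: {'release' if ok else 'BLOCKED'} {findings}")
```

The two template builders exist only to show the contrast; in practice the masking helpers belong in one shared rendering layer so that the screen, the e-mail and any printed letter cannot drift apart. The outbound gate is a safety net for when they do, and its regular expression is deliberately narrow: it flags the hyphenated or spaced form the submission quotes and leaves the 9-digit account-like runs alone, so a production deployment would tune the pattern to the identifiers it actually handles.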