{"id":304,"date":"2008-08-26T16:14:32","date_gmt":"2008-08-26T14:14:32","guid":{"rendered":"http:\/\/www.ofcourseimright.com\/?p=304"},"modified":"2008-08-25T13:52:31","modified_gmt":"2008-08-25T11:52:31","slug":"beware-best-western","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=304","title":{"rendered":"Beware Best Western"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-26\" style=\"border: 0pt none; margin-left: 5px; margin-right: 5px;\" title=\"cybercrime\" src=\"http:\/\/www.ofcourseimright.com\/blog\/wp-content\/uploads\/2008\/06\/cybercrime.jpg\" alt=\"\" width=\"96\" height=\"132\" \/>The customers of Best Western are the latest to <a href=\"http:\/\/sundayherald.com\/news\/heraldnews\/display.var.2432225.0.0.php\">have their identities stolen<\/a>.\u00a0 As the article goes on to say, the crime gangs are going to have a field day with such live and valuable information that included credit card numbers and home addresses.\u00a0 There&#8217;s a clear lesson here in authorization: <strong>nobody<\/strong> needs to have access to the aggregate data that Best Western had.\u00a0 It might be necessary to modify one or two reservations at once.\u00a0 Perhaps it might even be necessary to know how much of a block is sold.\u00a0 But the whole kit and caboodle?\u00a0 Nobody needs that information.\u00a0 Here are some protections Best Western could have taken:<\/p>\n<ul>\n<li>Apply specific encryption of the credit card information and compartmentalize the use of any decryption key.\u00a0 Hotels need to retain credit card information in order to guarantee bookings.\u00a0 Encrypting credit card data is nowhere near a perfect solution because there is relatively little clear text information and some of that can be guessed, like the first four digits.<\/li>\n<li>Encrypt all backups and protect the decryption keys so that multilevel authorization is required to access them.\u00a0 
Many backups are stolen.\u00a0 If they are stolen, no encryption is perfect and so notification is necessary, but with encryption those whose information is stolen can take action, like having a house sitter or changing credit card numbers.<\/li>\n<li>Employ intrusion detection within the database.\u00a0 When a specific user acts outside a profile, flag it and see what is going on.<\/li>\n<\/ul>\n<p>In perhaps a more perfect world, a separate identity provider could retain identifying characteristics of an individual such as address and credit card number.\u00a0 Commerce likes some of this information because they can market to you, and absent legislation they have very little motivation to protect the information.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The customers of Best Western are the latest to have their identities stolen.\u00a0 As the article goes on to say, the crime gangs are going to have a field day with such live and valuable information that included credit card numbers and home addresses.\u00a0 There&#8217;s a clear lesson here in authorization: nobody needs to have &hellip; <a href=\"https:\/\/ofcourseimright.com\/?p=304\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Beware Best 
Western&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,9],"tags":[32,147],"class_list":["post-304","post","type-post","status-publish","format-standard","hentry","category-internet-consumer-identity","category-security","tag-cybercrime","tag-identity-theft"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=304"}],"version-history":[{"count":4,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/304\/revisions"}],"predecessor-version":[{"id":310,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/304\/revisions\/310"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}