Full Disclosure mailing list archives

Re: Re: choice-point screw-up and secure hashes


From: Valdis.Kletnieks () vt edu
Date: Sat, 19 Mar 2005 19:44:00 -0500

On Sat, 19 Mar 2005 19:27:22 EST, Atom Smasher said:

> the way i see it, some people bought personal info from choicepoint. if 
> that info contained hashed SSNs it would be just as valuable to a 
> LEGITIMATE user for verification purposes.

Explain why.  Remember that I'm sitting down at the bank applying for a loan,
and *I* have no idea what my SSN hashes to, and the bank has a vested interest
in getting back a report they can easily verify is The Right One - this means
that either the report back from ChoicePoint needs to contain a cleartext SSN
that the loan officer can verify, or the bank needs to be able to hash my SSN
and compare (ever eyeball-checked the MD5sum of a file you downloaded?  Now
imagine a non-techie doing that all day - it's significantly harder than using
eyeball compares for 2 sets of (3,2,4) digit numbers...)

And it has to have one of the 3 following characteristics:
1) It has to work over a fax machine,  because that's what the competing companies
have as the entry level technology.
2) It has to provide *such* additional benefit *to the subscriber* to make them
pay for an essentially one-use piece of hardware.  The fax machine they can use
for all their fax needs; specialized hardware for connecting to your database
is probably not going to be a win.
3) You have to be willing to pay for the hardware for your subscribers.

Remember - the people who are going to end up paying for the security aren't the
people who care about the security - which will tend to limit your security budget.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
