T-Mobile Hacked, Information on 100 Million Users Stolen

It’s the ease of putting data online and the difficulty in securing it. Imagine securing a house with 100 doors and windows. Oh, and you want people who are authorized to be able to get in, but only into certain rooms and not others.

Target, the most famous case, was hacked because the HVAC company they used had access to their HVAC system. The HVAC company was hacked, and then the hackers got into the Target HVAC system, found their way into the third-party POS system, which wasn’t secure (but that’s okay, it’s an internal-only system), and from there stole almost a hundred thousand credit cards with credit card security codes, customer addresses, and your purchase history.

If you have 10,000 customer service agents, each with full access into the billing system, all it takes is for one of them to leak their password. Our company instituted 2FA internally and that was a big mess. It was hard for many of our representatives to understand how it works.

Security is hard.

1 Like

And yet, some companies seem to get it right. I would argue that if a company cannot secure my data properly, then it has no business taking and storing it. If they do store it, however, and they get hacked, they should feel the full wrath of God come down on them. I’d argue that is what would incentivize them to try harder and get it right. Several existing companies (both large targets and small) demonstrate this can be done if the problem is taken seriously and sufficient resources are allocated. One way to get companies to do that is tough privacy laws (but that requires a government willing to regulate business); the other would be the threat of severe punitive damages brought on by civil suits.

Like you, I also experienced the growing pains of 2FA at my work. There was a lot of resistance and indeed, to this day, it can be a real pain depending on what exactly you’re trying to do, but by now it’s firmly entrenched and there is absolutely zero doubt it will remain.

2 Likes

Indeed. It doesn’t seem to be impossible. I do wonder how the security budgets compare at the companies that get it right versus those that don’t. I’ll bet it’s wildly different.

If indeed that’s the case, it would make an even stronger argument for steep fines or punitive damages. If those add to the cost of being negligent, it would tip the scales in favor of more investment in security.

I’m not sure why the FCC is investigating, instead of some law enforcement agency, but this incident is clearly not being ignored by government regulators.

T-Mobile released an update on the situation today.

1 Like

T-Mobile’s CEO has released a statement.