C. Warren Axelrod

Are Protected Data Safe?

What am I missing? Time and time again the fortress approach to information security is trotted out in all its glory … only to be deflated by some easy, cheap way of getting to the crown jewels. So it is in a column by Jennifer Saranow Schultz with the title “Data Is Protected, but Is It Safe?” in The New York Times of July 10, 2010. The heading of the column is “Bucks,” which gives “Highlights from Bucks, the blog about money …”

In the column/post, Ms. Schultz reports how Mint.com, which offers money-tracking services that require entering the usernames and passwords for one’s bank accounts, protects account information by having it “encrypted and stored on … servers, which are located in an unmarked building.” “Also you need to scan your hand, pass by a guard and then go through a long hallway where you’ll be trapped if there are suspicions about you.” Have these folks seen the movie “Air Force One” with Harrison Ford as the president? In the movie there are hand scanners, guards, etc. etc., yet the bad guys get onto the plane and hijack it. In this case, an evil insider duly registered all of his assassin buddies on the authentication system used to screen persons wanting to enter the plane.

OK, you say, but that’s in the movies, what about real life? Well, Ms. Schultz’s article later quotes Aaron Patzer of Mint.com as saying “The bigger risk … is someone at your bank leaving the [username and password] information in an easily obtainable area or someone breaking into your own computer and catching your bank username and password as you enter it … Inside, the servers are locked in a cage separated from other systems and constantly monitored. The only way to decrypt the usernames and passwords from those servers is to use an encryption key that is broken up on five separate smart cards carried by senior Mint.com executives.” This all sounds very impressive, but does little to provide real assurance that all is well with your data.
