Monday, August 27, 2007

A Monster Paradigm Shift

With all of the work I am doing related to PCI Compliance right now, I found the coverage on the Trojan at Monster very interesting for a couple of reasons:

The type of information it was designed to capture
The possible reasons behind it
Whether we will be seeing more of this activity

The PCI-DSS is designed to enable best practices around data security for customer data. What I found interesting about the Monster incident was that the Trojan was designed to get key pieces of data from a group of people likely to provide it, since who is going to lie about where they live if they are looking for a job? Clever.

I can understand why criminals (or clever idiot savants) would do this – it's public information for the most part – or you can get it through public records (tedious but not impossible) – and while it is not the coveted SSN, through social engineering one could probably open up a line of credit someplace without giving up the SSN at all.

This got me wondering whether this type of thing would occur on a larger scale, and where the juicy targets are. If retailers are going to be more difficult to hack because they are implementing PCI compliant systems, then where is the low hanging fruit that will give the clever criminals license to steal?

Job Boards
Public records/town offices of wealthy towns

What happens when a 3rd party violates your privacy policy?

