One of the messages from the recent iSMG Fraud Summit was the need to share information about security issues, fraud, and fraudsters between companies—so that an attack that has been detected by one company stands a good chance of not working anywhere else. It's a bit like the way our immune system works—once one infection has been defeated, the world of interconnected eCommerce systems needs to develop antibodies, which make further infections less likely. And, by the way, let's talk about "fraud", not "security breaches"—these days, people don't steal user-ids and personal information 'just for a lark', they steal them in order to be able to make money from fraudulent transactions (or simply from sale of the compromised identities) later on. Controlling fraud is a major governance issue for developers of automated eCommerce systems.
In a previous life, I worked for a bank that tried to maintain the fiction that its systems were invulnerable. They weren't, but this attitude made removing vulnerabilities extremely hard. These days, such an attitude just makes an organisation look stupid (or perhaps it just means that it assumes that none of its customers can understand governance and security, which isn't particularly clever of it). Organisations need to own up to security and fraud issues, as part of helping their customers and business partners to control the impact, and as part of helping the industry as a whole to recognise and control its vulnerabilities—and such an open organisation should be able to use its public-spirited disclosure to appropriate parties as a basis for continual governance improvement. It could even do its reputation some good, as customers can gain confidence in such a company—whereas who knows what bad things are going on in a company that pretends fraud doesn't exist? Obviously, however, fraud disclosure is a maturity thing—it needs to be managed as part of a continual improvement program that gives confidence to all of the stakeholders in eCommerce; running around like a headless chicken, sobbing "mea culpa", isn't going to be much help.
And yet, we've just had yet another bank (JP Morgan Chase) with a major security breach—and, presumably, a major potential for fraud down the line—and it's apparently not really sharing information with the industry as a whole about what went wrong, so that others won't make the same mistakes. Involving the FBI and US Secret Service is something (I wouldn't want to be too hard on JP Morgan), and is probably unavoidable, but it's not really enough.
I fully agree with Gavin Millard, Tenable's EMEA Technical Director, when he says: "Yet another breach of a huge amount of personal information but little detail of how the attack occurred is disclosed. Was it a phishing attack directed towards a JP Morgan employee, a zero day vulnerability utilised or simply a poorly configured edge device giving access? Organizations would benefit from more information sharing between investigators and interested affected parties, but today's business environment does not support that as common practice. We need to take a closer look at why it's problematic to share and what's being done to improve information sharing. This would benefit every other business defending against attack."
I sometimes wonder whether fraud is such a big part of the economy as a whole that it has tacit approval, as long as it doesn't get too obvious! Shorely shome mistake - Ed (Private Eye passim).