TJX Fallout

May 5th, 2007 | by Sean |

As many of you may have recently read, the super-retailer behind TJ Maxx and Marshalls lost control of a ton of personally-identifiable customer information like credit cards and social security numbers through their own lax security procedures.

I firmly believe that “we’ll get around to it” and “it’s not that important” are never valid answers when handling data security. It does matter. It always matters. It should always be at the forefront of your thinking when there is significant risk involved.

Rep. Barney Frank (D-NY) and several others may resort to legislative action to control the blame when data security lapses like this occur. Too right they should.

A second congress, a Congress of Concerned Customers, should demand solutions to these problems. Let’s distill this down a bit:

The problem?
A series of numbers that identify you may be used to steal your identity. The numbers themselves are authentication and authorization.

The solution?
The numbers alone must not be that powerful. Reduce the numbers to one of authentication or authorization. In practice, a signature is not a valid authorization mechanism, as it cannot be approved or denied automatically.

The bogus solution?
Using another otherwise meaningless (static) number to secure another number. E.g; a social security number authorizes access to the credit card number.

A workable solution (maybe):
Embed a one-time password to credit-card numbers for single transactions, similar to an RSA token. For recurring transactions (e.g; regular coffee orders or bill payment) the consumer can request a recurrence code from their bank, which, for one retailer and card combination, allow for recurring transactions. Limitations could be installed at the bank for how often and maximum recurring amount. All of this requires the bank to be an epitome of security; but I think we all must insist this be a given.

An alternative solution:
Biometric authorization. (not workable yet)

I would like to say that, in the meantime, banks should be required to reissue (at no cost) credit cards with new numbers once per month until a better technical solution is arrived upon. However, realizing that this would raise costs significantly behind-the-scenes, I believe it’s impractical.

You must be logged in to post a comment.