http://alanzeichick.com/wp-content/uploads/grocery_store_checkout_pos_credit_card_swipe.jpg 213 320 Alan Zeichick http://alanzeichick.com/wp-content/uploads/alan-zeichick-logo.png Alan Zeichick2011-12-21 00:19:002013-09-26 05:38:57Securing the data
Whose fault is it when data is stolen? It’s rarely blamed on the programmers.
If a company executive leaves a laptop filled with confidential data in a taxicab, you probably wouldn’t blame a software developer. Instead, you’d presumably ask, why was that data on the laptop to begin with? I’ve often wondered why corporate executives have access to customer card information in the first place, and why security policies allowed such data to be downloaded to any end device, especially a not-locked-down laptop. But you wouldn’t blame the programmers.
If an unencrypted data backup tape disappears en route to a secure offsite facility, you’d yell at a sysadmin, not at a C++ coder. “Why wasn’t the data encrypted?” you’d want to know. “How could it be written in plain text?” That’s the fault of the backup software, or again, security policies – not programmer who wrote the applications whose data is being backed up.
Now, who do you blame when hackers violate credit-card terminals? My family’s local grocery store – Lucky’s in Millbrae, Calif. — was recently penetrated by so-called skimmers, who tampered with in-store card readers and grabbed up to 500 customers’ credit card numbers. As far as we can tell, our credit card wasn’t compromised – but you can trust that we’ll be scrutinizing the Visa bill extra closely from now on.
Certainly, you can blame Lucky’s, for not ensuring the physical security of those devices. But what about the back-end programmers for the grocery chain? How about the embedded developers of the card reader’s firmware? Or how about any number of applications that were involved, from the credit-card clearinghouse to the bank? Could programmers be anyway responsible? Could they have done something, anything, to prevent this incident?
The reality is, well, no. It’s unlikely, especially since the devices were physically tampered with. But even so, it’s impossible for programmers to anticipate every possible scenario, or to model every type of threat to a complex web of applications developed by many companies, and administered by many companies.
No series of locks and alarms can truly prevent a home from being targeted and robbed by criminals – or burned down by arsonists. And there’s an increasing awareness that there’s nothing that developers can do to sure today’s modern interconnected application 100%. But that doesn’t mean that we shouldn’t try.
Z Trek Copyright (c) Alan Zeichick