OK, so I edited the title to fit in with an old Audit cycle I penned a while ago (I, II, III, IV, V, VI, VII).
Here's the full unedited quote from Avivah Litan, who comments on the latest breach of 1.5m credit cards in the US of A:
What’s the takeaway on PCI? The same one that’s been around for years. Passing a PCI compliance audit does not mean your systems are secure. Focus on security and not on passing the audit.
Just a little emphasis, so audit me! PCI is the audit regime imposed by the credit card industry on the processors and merchants that handle card data. It's widely criticised. I imagine it does the same thing as most mandated and controlled audits: it sets a very low bar, one low enough to let everyone pass if they've got the money to pay to enter the race.
For those wondering what happened to the audits of Global Payments, DigiNotar, Heartland, and hell, let's invite a few old friends to the party: MFGlobal, AIG, Lehman Brothers, Northern Rock, Greece PLC, the Japanese Nuclear Industry disaster recovery team and the Federal Reserve.... well, here's Avivah's hint:
In the meantime, Global Payments, which was PCI compliant at the time of their breach, is no longer PCI compliant – and was delisted by Visa – yet they continue to process payments.
That's a relief! So PCI comes with a handy kill-switch. If something goes wrong, we kill your audit :)
Problem solved. I wonder what the price of the kill-switch is, without the audit?
Chris Skinner looks at this:
Question is, does that work? Well, the answer is YES. To find out why, here's one tip:
[Stephen Mason's] Electronic Signatures in Law is now in its third edition (published in January 2012 by Cambridge University Press). This edition provides an exhaustive discussion of what constitutes an electronic signature, the forms an electronic signature can take and the issues relating to evidence, formation of contract and negligence in respect of electronic signatures.
After you've read Mason's definitive work on electronic signing, you will understand why Face ID works or doesn't work :)
Curiously, Chris ends with this postscript:
p.s. this was an April fool!
:)