Data breaches like the one reported in Wired magazine’s Threat Level blog are
the reason the Federal Trade Commission’s (FTC) Red Flags Rule will be a
groundbreaking, and necessary, call for standardization of, and compliance
with, consumer and business security measures. According to the story, a class action
lawsuit is now being brought against the manufacturer of a bank-card-processing
system that failed to meet industry security standards for payment systems. The
lack of security resulted in consumers having their personal financial data
stolen by a hacker operating in Romania.

Radiant Systems, the manufacturer of the Aloha POS System,
designed its product to copy and store magnetic card stripe data after the card
has been swiped to complete payment. This left a cache of consumer data on the
machine that was easily accessible to hackers. The remote-access program
PCAnywhere allowed Radiant technicians to address IT issues remotely. The out-of-date software was
“secured” with simple, and very guessable, usernames and passwords that allowed
the hack to take place with minimal effort. The data breach was allowed to
continue for over three weeks, resulting in an undetermined—but
substantial—number of thefts.

The FTC Red Flags Rule, when implemented, will mandate the use of frequently updated
security protocols by financial institutions. ID verification and ID authentication tools like those offered by EVS can secure and
restrict access to payment information stored in compliance with Payment Card
Industry (PCI) security standards. And, while the Aloha POS system was far from
compliant, the Red Flags identity security standard could have made the difference
in keeping consumer information safe.