Sears has a portal that lets you lookup past purchases. It also allows you to lookup purchases of others if you know their name and phone number. In violation of their own privacy policy. Oops.
The article makes a lot of noise about privacy issues, but to me this is primarily another example of poor (or no) security engineering.
By analyzing the data sensitivity, existing requirements (like that privacy policy), and the data flow for the portal, it should've been obvious that stronger authentication and authorization controls were needed.
Saturday, January 05, 2008
Privacy or Security Engineering
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.