Timeline for Storing plaintext passwords for detecting fraud
Current License: CC BY-SA 3.0
10 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Aug 3, 2012 at 19:58 | comment added | James | | Whatever you are, I'm sure you're not LinkedIn, and extending an example from a market leader with no competition anywhere close, that gets most of its money from recruiting agents who will just carry on regardless, isn't going to get you far. I agree with you that from a business point of view it's a pure question of balance, but even if you don't think developers have a responsibility here, I know which side I'd come down on in most cases. Anyway, if you have to, I've already suggested ways that you can do it better in the comments above. |
| Aug 3, 2012 at 17:58 | comment added | nohat | | Just to be clear, I'm not suggesting there are no consequences for password breaches. I'm just suggesting that the received software engineering "religion" that password breaches are catastrophic, death-penalty type situations for a company is, perhaps, an exaggeration of reality. It seems doing a careful balance of the risk/reward for doing what was proposed seems like a smarter business strategy than just dismissing it out of hand for being computer security heresy. |
| Aug 3, 2012 at 17:40 | comment added | nohat | | @Ramhound, I am interested in answers to my question, but suggestions to change the unchangeable in the scenario aren't very helpful. |
| Aug 3, 2012 at 17:40 | comment added | nohat | | @James Dunno why anyone thinks my employer is a "small retailer". But, for example, LinkedIn just reported exceeding their revenue expectations for the quarter after having a worst-case scenario password security breach. |
| Aug 3, 2012 at 12:40 | comment added | Ramhound | | @James - Don't bother... It's clear the user doesn't actually want to hear us. |
| Aug 3, 2012 at 7:10 | comment added | James | | Would love to see some figures about that. Though I suspect the situation would be very different for a small retailer than it has been for those big players, so you have to make sure you're comparing like with like. |
| Aug 2, 2012 at 15:16 | comment added | nohat | | Even in the case of worst-case scenario password security breaches (LinkedIn, eHarmony, Last.fm) it's not clear that there have been substantial revenue impacts. |
| Aug 1, 2012 at 11:45 | comment added | James | | Like I say, it's a trade-off. The cost of fraud may be high, but that's nothing compared to the cost to your business if you actually leak passwords. It's up to you. I wouldn't. |
| Jul 31, 2012 at 19:08 | comment added | nohat | | Sure, those are also useful signals for fraud detection, but if you are dealing with a lot of fraud you need to use all available signals to detect it and maximize the loss. |
| Jul 31, 2012 at 7:51 | history answered | James | CC BY-SA 3.0 | |