For your security, please email your credit card and driver’s license (and what PCI has to say about that)
One of the things people often ask me about in regards to software security is “Are there any standards that these people should be following? Any governing bodies? Any recourse for screwing things up?” Ok, that’s three things but you get the idea and people are usually pretty surprised when they learn that for the most part, no. No standards, no governing bodies, no recourse. You can go and create a new website today storing everyone’s credentials in the clear, send them around willy nilly via email then get pwned big time and short of whatever reputational damage is done, there’s no recourse whatsoever.
Case in point: last year I wrote about how Tesco screwed up pretty much every conceivable web security pattern known to man. It was so bad that the Information Commissioner’s Office in the UK investigated them and… did nothing. In a way that’s understandable as to the best of my knowledge nobody actually incurred any sort of loss or harm as a result of dodgy coding. On the other hand, the premise that a multi-billion dollar organisation can so haphazardly stand up software that had a good likelihood of doing damage to customers (and you just know those customer passwords are going to unlock a whole heap of other accounts…), is a bit alarming. And that’s the real problem – no disincentive not to screw up.