Risky display-only use cases (ACTION-193) from michael.mccormick@wellsfargo.com on 2007-04-13 (public-wsc-wg@w3.org from April 2007)

From: <michael.mccormick@wellsfargo.com>
Date: Fri, 13 Apr 2007 13:09:25 -0500
To: <public-wsc-wg@w3.org>
Message-ID: <8A794A6D6932D146B2949441ECFC9D680360857C@msgswbmnmsp17.wellsfargo.com>

I offer the following for closure of ACTION-193 - "Provide high-risk display-only use cases":

  _____  

From: member-wsc-wg-request@w3.org [mailto:member-wsc-wg-request@w3.org] On Behalf Of McCormick, Mike
Sent: Wednesday, April 11, 2007 6:20 PM
To: member-wsc-wg@w3.org
Subject: Risky display-only web sites

In anticipation of the action item I received this morning, let me take preemptive action by giving some examples of how a display-only web page can be medium or high risk.

First however, some definition of terms.  In the US banking industry, the level of transactional risk in a web application has taken on a fairly specific meaning based on the October 2005 FFIEC e-banking authentication guidance.  This is being further elaborated in ANSI standard X9.49 which uses a 3-tier risk rating system:

 Low: No money movement to 3rd parties nor display of sensitive customer data. 
 Medium: Money movement to 3rd party and/or display of sensitive customer data, BUT dollar amounts are limited and data displays are for a single customer.

 High: Unlimited money movement to 3rd party and/or bulk access to sensitive customer data. 

Sensitive customer data is clearly defined by US bank regulators and ANSI, but for our purposes suffice to say it's a combination of two things:

 (a) customer identifying information such as name, address, phone, userid 
                 - AND - 
 (b) private data of value to criminals such as SSN, account number, credit card, PIN, password. 

By now it should be clear that a display-only web site can indeed be medium or high risk based on the preceding definitions.

For example, a page that displays my name and social security number is medium risk.  And a page that displays a list of names & socials is high risk.

A more obvious example that most people would agree is risky (even outside the banking industry) is a page that displays my userid and (unmasked) PIN number.

I hope this helps. 

Michael McCormick, CISSP 
Lead Architect, Information Security Technology 
Wells Fargo Bank 
255 Second Avenue South 
MAC N9301-01J 
Minneapolis MN 55479 
*      612-667-9227 (desk)             *       612-667-7037 (fax) 
(     612-590-1437 (cell)             :-)       michael.mccormick@wellsfargo.com (AIM) 
*       612-621-1318 (pager)            *       michael.mccormick@wellsfargo.com <mailto:michael.mccormick@wellsfargo.com>  

“THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO" 
This message may contain confidential and/or privileged information.  If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein.  If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.  Thank you for your cooperation.

Received on Friday, 13 April 2007 18:09:44 UTC