Those years, I tasted the freshness of the Internet
I am a database security practitioner. Every day I hear about, see, and handle security incidents in this field, but I had always assumed, on a gut probabilistic estimate, that such a thing would never happen, never land on my own head. I get a number of calls every day from all sorts of bank guarantee, investment banking, and foreign exchange trading outfits, but none of them were enough to touch a nerve, until one ordinary afternoon, when this happened...
I am also a fan of the Internet model. For every new business and every latest app, I would bravely try it out and hand over my personal information: name, phone, e-mail, and even my *** number linked to them (anyone who has used mobile banking knows that if you don't provide it, you can't use the service). Who knows? Even without my saying so, after a few such fields have been gathered, today's big-data identity analysis can, I fear, already solve the philosophical puzzle of "Who am I?", and in real-world identity authentication "who I am" has already been solved.
I was deeply attracted by mobile banking: download the app straight to the phone, and that was me. I praised it, tried it, and paid with it as soon as I could. Banking operations online, a transfer in a matter of minutes, no queuing, no need to read the faces of the girls at the counter. Then Internet finance arrived, and, never forget, I am a fan of the Internet, so naturally I would not miss the chance to be an early adopter: Pleasant Loan, Ying Yingying Financial Management and all the other apps, I tried every one of them. All of this required *** information, and I contributed all of it, trusting the financial industry and the security of banks and insurance institutions. Until one day a series of inquiry calls came, and my hair stood on end.
Reap what you sow: it finally happened to me
Just recently, one afternoon in July (exact time: ten o'clock), I received an e-mail telling me that a foreign exchange trading account had been successfully registered in my personal name, and the name, telephone and e-mail address all matched mine exactly. There is no fiction in this story; it is completely true, and there are screenshots to prove it. From then on, at each point in time, remarkable things kept happening, and my little heart sped up.
[Image dbsec_1.jpg: http://s3.51cto.com/wyfs02/M01/70/7A/wKioL1W4h6Dh_W8rAAF13fkTMd0426.jpg]
Then the second e-mail struck, this time delivering the login password for the financial account.
[Image dbsec_2.jpg: http://s3.51cto.com/wyfs02/M02/70/7A/wKioL1W4h8yQUPvDAAEbNWFxf3M762.jpg]
Four minutes later I received calls from the foreign exchange company's customer service, but the first two went unanswered because the number was unknown to me.
[Image dbsec_3.jpg: http://s3.51cto.com/wyfs02/M00/70/7A/wKioL1W4h-WwP0dIAADQmo36DKc599.jpg]
Two minutes after that the e-mails kept coming, and the foreign exchange agency asked me to contact them.
[Image dbsec_4.jpg: http://s3.51cto.com/wyfs02/M01/70/7A/wKioL1W4h_fDzF0AAAD9JCbpvdI478.jpg]
Later that afternoon, because the other side had called so many times, I answered the phone. The customer service agent asked whether I was really me, whether the mobile number was mine, and whether, a few minutes earlier that day, I had done such-and-such with such-and-such mailbox account. After the series of questions on that call I was in a cold sweat. The other side was professional; my intuition told me she was not a scammer, and after my verification confirmed that the operation was not mine, the account was cancelled outright before anything further could be done with it. The inquiry was over, but my train of thought was not: this was linked to all the information I had left at the bank and to the many Internet accounts opened through it, which are tied to my wallet. How could I not worry?
[Image dbsec_5.jpg: http://s3.51cto.com/wyfs02/M02/70/7D/wKiom1W4hhaBI4oBAADWo3qLJy8066.jpg]
In the whole incident my personal information was exposed and, without my knowledge, the registration process on a foreign exchange trading platform was completed passively in my name. If there had been no manual verification step, the account registered in my name would have gone on to carry out a series of trades; it would probably also have been linked to my existing bank account, and the profit and loss generated on that platform would have landed on my account. Or, had I been careless and deposited money into the account, the other party would have profited directly.
Standing on the shoulders of the database security industry
As mentioned above, I am a database security practitioner. Every day we face banking, insurance, fund and Internet finance enterprise users. Across the financial sector's information-system construction, information security construction has followed, but hackers' capabilities are advancing too: the more complex a system, the more vulnerabilities it has, and more vulnerabilities bring more attack techniques. Traditional security thinking can no longer keep up with how the threat landscape is developing; the originally deployed anti-virus and gateway-class basic security products are no longer enough to resist today's more complex attacks. It is like keeping your wealth at home and feeling relatively safe, then installing a security door and concluding that the valuables inside need no protection of their own. In the same way, people assume that a database placed inside the enterprise or intranet, with a firewall on the perimeter plus some access controls, has become very secure.
In fact this is far from enough. Take a bank's internal systems. First, there are many third-party developers who can access the database directly. In the better cases they get a test library, but the test library holds the same data as the real database, so in practice the developer can take the data straight out of it. Second, there are operations staff: most banks do not have enough of their own, so operations and maintenance is outsourced as well, which means external operators have direct access to the system's production library and can take data straight from the database. There are also more ridiculous cases: one year, Hong Kong Citibank carried out a renovation, and because physical security during the work was poorly handled, a database server was lost.
Once the database server was lost, the data stored on its back end could be fully recovered in plaintext. At that time some of the data's own safeguards were compromised, and all of Citibank's customer data was leaked.
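The test-library problem above (developers handed a copy that holds the same data as production) has a standard mitigation: pseudonymise the identifying fields before the copy leaves the production zone, keeping formats and join keys intact so the application can still be tested. The following is an added example written for this article, not code from the author, from Citibank or from any product; the sample rows, the field names and the masking key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample "production" rows for illustration; every value here is made up.
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Zhang San", "phone": "13800001111",
     "email": "zhangsan@example.com", "id_number": "110101199001011234",
     "balance": 25000.50},
    {"customer_id": 1002, "name": "Li Si", "phone": "13900002222",
     "email": "lisi@example.com", "id_number": "310101198505054321",
     "balance": 830.00},
]

# Fields that identify a person and must never reach the test library unchanged.
SENSITIVE_FIELDS = ("name", "phone", "email", "id_number")

# Assumed: the masking key is held only by the export job (e.g. in a KMS) and is
# never deployed to the test environment, so masked values cannot be reversed there.
MASKING_KEY = b"placeholder-masking-key-fetch-from-kms"


def _token(value: str, n: int) -> str:
    """Keyed, deterministic hex token: the same input always maps to the same
    output, so joins across masked tables still line up."""
    return hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:n]


def _digits(value: str, n: int) -> str:
    """Keyed, deterministic digit string (slightly biased, acceptable for test data)."""
    digest = hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in digest[:n])


def mask_record(row: dict) -> dict:
    """Return a copy of one customer row with identifying fields pseudonymised
    but formats preserved, so application code under test still works."""
    masked = dict(row)
    masked["name"] = "Customer-" + _token(row["name"], 8)
    masked["phone"] = "1" + _digits(row["phone"], 10)        # keep 11-digit mobile format
    local, _, _domain = row["email"].partition("@")
    masked["email"] = _token(local, 10) + "@test.invalid"    # reserved TLD, undeliverable
    masked["id_number"] = _digits(row["id_number"], 18)      # same length as the original
    # customer_id and balance are kept: testers need real keys and realistic
    # numbers, and neither identifies a person on its own.
    return masked


def mask_table(rows: list) -> list:
    return [mask_record(r) for r in rows]


def leaked_values(prod_rows: list, masked_rows: list) -> list:
    """Release gate: any original sensitive value still present in the masked copy."""
    originals = {str(r[f]) for r in prod_rows for f in SENSITIVE_FIELDS}
    present = {str(v) for r in masked_rows for v in r.values()}
    return sorted(originals & present)


if __name__ == "__main__":
    test_copy = mask_table(PRODUCTION_ROWS)
    for row in test_copy:
        print(row)
    print("leaked:", leaked_values(PRODUCTION_ROWS, test_copy))
```

The keyed HMAC, rather than a plain hash, is what stops a developer who has the test copy from rebuilding the mapping by hashing guessed names or phone numbers; the `leaked_values` gate is the check a release pipeline should run before any copy is handed out.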
Emerging Internet finance has lots of money and lots of users. It is busy with business, busy with getting systems to support operations quickly, and the importance of security is not the first factor it considers. But from the individual user's perspective, low risk and security are the first premise, and only on that basis does the financial return matter. Looking at the storage media, the core data eventually ends up in the database; if the database is breached, everything goes to zero, and for an Internet finance enterprise the loss cannot be estimated. Security therefore follows the wooden-bucket principle: water leaks from the shortest stave. More than 90% of information leakage incidents are related to the database, so database security, the shortest stave of the bucket, cannot be ignored in the new field of Internet finance.
Database security is a new field; it has not yet formed a market the size of network security, and the industry's basic understanding of it is still database security auditing and protection. What the market recognizes and users accept most is database auditing products, and these after-the-fact auditing products are indeed widely used in the financial industry. But seen as a protection process, database security also covers pre-event database security check-ups, in-process database access control and defense, encryption of the data in the library, and post-event behavior monitoring and auditing. With only post-event tracing, even the fastest enterprises take 3 to 6 months to find out, and by then the data scattered outside has been circulated and sold who knows how many times. Pre-event defense and in-process control are therefore indispensable. Typically, database firewalls and data-path encryption products solve this class of problem.
There are now more ways to access data, so there are more back doors left in systems and more ways to steal data, and the value of user data has increased; frequent data leaks are therefore an inevitable phenomenon, and awareness of maintaining database security is gradually rising. As enterprises' security awareness improves, personal privacy information in particular needs strict confidentiality, so that users can truly enjoy the convenience of Internet finance services and feel at ease at the same time.
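To make the "in-process control" layer concrete, here is an added example (written for this article, not code from the author or from any database firewall product) of the decision logic such a product applies on the path between a client and the database: every statement is checked against a per-role policy before it is forwarded, and every decision, allowed or not, is recorded for the post-event audit layer. The role names, table names and rules are constructed assumptions; a real product would parse SQL properly rather than with regular expressions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which statement types each connecting role may issue.
# "outsourced_ops" stands for the external operations staff the article describes.
ROLE_POLICY = {
    "app_server":     {"SELECT", "INSERT", "UPDATE"},
    "outsourced_ops": {"SELECT"},
    "dba":            {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER"},
}

# Tables holding personal data (assumed names).
SENSITIVE_TABLES = {"customers", "accounts"}

# Crude table extraction: the identifier following FROM / JOIN / INTO / UPDATE / TABLE.
_TABLE_RE = re.compile(r"\b(?:from|join|into|update|table)\s+`?([A-Za-z_][A-Za-z0-9_]*)`?", re.I)


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class DatabaseFirewall:
    audit_log: list = field(default_factory=list)

    def evaluate(self, role: str, sql: str) -> Decision:
        """Decide whether to forward the statement, and record the decision either way."""
        decision = self._decide(role, sql)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "role": role,
            "sql": sql,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def _decide(self, role: str, sql: str) -> Decision:
        text = " ".join(sql.split())                      # normalise whitespace
        op = text.split(" ", 1)[0].upper()                # first keyword is the operation
        tables = {t.lower() for t in _TABLE_RE.findall(text)}
        has_where = re.search(r"\bwhere\b", text, re.I) is not None
        has_limit = re.search(r"\blimit\b", text, re.I) is not None

        if role not in ROLE_POLICY:
            return Decision(False, f"unknown role {role!r}: no policy, deny by default")
        if op not in ROLE_POLICY[role]:
            return Decision(False, f"{op} is not permitted for role {role!r}")
        # Server-side file export (MySQL syntax) is a classic bulk-exfiltration path.
        if re.search(r"\binto\s+(?:outfile|dumpfile)\b", text, re.I):
            return Decision(False, "server-side file export is never permitted")
        if op in {"UPDATE", "DELETE"} and not has_where:
            return Decision(False, f"{op} without WHERE would touch every row")
        # Unbounded reads of personal-data tables are blocked for everyone except the DBA role.
        if op == "SELECT" and tables & SENSITIVE_TABLES and not (has_where or has_limit) and role != "dba":
            return Decision(False, f"bulk read of sensitive table(s) {sorted(tables & SENSITIVE_TABLES)}")
        return Decision(True, "matches policy")


if __name__ == "__main__":
    fw = DatabaseFirewall()
    # Constructed sample traffic, as a proxy in front of the production library might see it.
    for role, sql in [
        ("app_server", "SELECT name, phone FROM customers WHERE customer_id = 1001"),
        ("outsourced_ops", "SELECT * FROM customers"),
        ("outsourced_ops", "SELECT status FROM jobs"),
        ("app_server", "UPDATE accounts SET balance = 0"),
        ("dba", "SELECT name FROM customers INTO OUTFILE '/tmp/dump.txt'"),
    ]:
        d = fw.evaluate(role, sql)
        print(("ALLOW" if d.allowed else "BLOCK"), role, "|", sql, "|", d.reason)
    print(len(fw.audit_log), "audit entries")
```

The point of the example is the combination the article argues for: the policy check is what stops an outsourced operator from pulling the whole customer table in the moment, and the audit log is what lets the enterprise answer "what was accessed, by whom" afterwards instead of finding out months later.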
This article is from the Database Security blog; please keep the source when sharing: http://schina.blog.51cto.com/9734953/1679679
Love and hate, crime and punishment: on the hidden security risks of Internet finance