<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16809" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Interesting thread. I am not doing this
commercially, so I don't know all of the issues at stake. My initial
reaction was, "what problem"? But, subsequent posts have clarified
that some.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I do see some mitigating factors though,
particularly re the banking model. First, telecom providers aren't
generally dealing with large amounts of material susceptible to identity theft
the way many other businesses are, nor are hackers generally looking there for
such. The main potential loss I am aware of, and that has been discussed
here, is provided services.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The impact of that depends on the model a
particular company is working on. The worst case is a re-seller who has to
explicitly pay for each minute used/billed. Other providers are paying for
bandwidth, but that is more nebulous. Sure, a provider makes money by
selling minutes. But the guy in China that hacked his way in isn't going
to buy minutes if his hacking is denied, so there is no loss of potential
revenue, only loss of available bandwidth. If that bandwidth is
significant it should raise an alarm, which one would hope would cast light on
the "leak" and cause it to be discovered, rather than the available bandwidth
increased. If the loss is not significant enough to draw attention to
itself it may well be a minor cost of doing business.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The OP mentioned insurance. I'm not sure, at
least in many cases, if the amount of potential hard cash liability exposure is
sufficient to warrant insuring. If someone is getting hacked to the tune
of 10% of their bandwidth or revenue, and doesn't have any way of noticing the
problem, they probably aren't qualified to be running such an
operation.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>One relevant example from the banking
industry. About once a year I get a call from one of my credit card
providers wanting to know if I indeed made such and such a purchase at such and
such a location.  Their potential exposure is very large and they do
continuous, fine-tuned profiling.  They know I don't live in Australia and
if they start getting charged from companies in Australia, they want to know
why! They have it a bit easier, because they have more information to work
with, but there are certainly things that can be profiled. Most users are
going to originate from one or a small number of IPs. Some may originate
from every Starbucks in the state, but that's a recognizable pattern.
Fortunately most hackers don't know that profile and won't necessarily steal the
account information of someone who has a profile like they do. Also, they
tend to "call their girlfriend in Mexico 50 times in two weeks", which is hugely
different than what the real user does.  If nothing else, identity thieves (this
is a form of identity theft) tend to use the stolen identity as much as possible
before it gets discovered and stopped. That alone is a major profile
difference from a typical user.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Wilton</FONT></DIV>
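<DIV><FONT face=Arial size=2>Added example, not part of Wilton's message or of any provider's code: one way to express the per-account profiling described above (usual source IPs, the coffee-shop roaming pattern, repeated calls to an unfamiliar destination, heavy use) as a check over call records. The record layout, function names, thresholds and sample data are all assumptions made for this sketch.</FONT></DIV>

```python
from collections import Counter, defaultdict

def build_profiles(history):
    """Baseline per account: source IPs and destinations seen, calls per active day."""
    raw = defaultdict(lambda: {"ips": set(), "dests": set(), "calls": 0, "days": set()})
    for acct, ip, dest, day in history:
        p = raw[acct]
        p["ips"].add(ip)
        p["dests"].add(dest)
        p["days"].add(day)
        p["calls"] += 1
    return dict(raw)

def score_window(profiles, window, roaming_ips=5, repeat_limit=20, burst_factor=2.0):
    """Return {account: [reasons]} for accounts whose recent calls break their baseline."""
    recent = defaultdict(list)
    for rec in window:
        recent[rec[0]].append(rec)
    alerts = {}
    for acct, recs in recent.items():
        p = profiles.get(acct)
        if p is None:
            alerts[acct] = ["no baseline for account"]
            continue
        reasons = []
        # A user already seen on many IPs (the coffee-shop pattern) is not flagged for one more.
        new_ips = {ip for _, ip, _, _ in recs} - p["ips"]
        if new_ips and roaming_ips > len(p["ips"]):
            reasons.append("new source IP " + ", ".join(sorted(new_ips)))
        # Many calls to a destination the account never dialed before.
        unfamiliar = Counter(dest for _, _, dest, _ in recs if dest not in p["dests"])
        reasons += [f"{n} calls to unfamiliar destination {d}"
                    for d, n in unfamiliar.items() if n >= repeat_limit]
        # Heavy use compared with the account's own history.
        base = p["calls"] / len(p["days"])
        rate = len(recs) / len({day for _, _, _, day in recs})
        if rate > burst_factor * base:
            reasons.append(f"{rate:.1f} calls/day against a baseline of {base:.1f}")
        alerts[acct] = reasons
    return {acct: why for acct, why in alerts.items() if why}

# Constructed sample records: (account, source_ip, dialed_prefix, day_number)
HISTORY = ([("alice", "198.51.100.7", "+1212", d) for d in range(1, 29) for _ in range(2)]
           + [("bob", f"192.0.2.{10 + d % 6}", "+1415", d) for d in range(1, 29)])
WINDOW = ([("alice", "198.51.100.7", "+1212", d) for d in range(29, 43) for _ in range(2)]
          + [("alice", "203.0.113.50", "+52", 29 + i % 14) for i in range(50)]
          + [("bob", "192.0.2.77", "+1415", d) for d in range(29, 43)])
if __name__ == "__main__":
    print(score_window(build_profiles(HISTORY), WINDOW))
```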
<DIV> </DIV></BODY></HTML>