Fairly or not, the name Microsoft has become synonymous with insecure in some circles of the IT world. In a move that screams "we care about your security -- really!" the company has teamed up with the National Cyber-Forensics and Training Alliance (NCFTA) and other private and public groups to create Internet Fraud Alert (IFA), a system through which security researchers can quickly and securely report the discovery of stolen customer data to companies, such as financial institutions and online retailers.
The system has obvious benefits for organizations of all types, both nonprofits and governmental groups dedicated to fighting cyber crime, as well as private companies that have been targeted. The question, though, is how much it will help the other victims of cyber crime: customers. This system still leaves customers at the mercy of affected organizations. Can they be trusted to promptly alert customers that their credit ratings or identities may be at risk?
The benefits of IFA are clear for private organizations, including IFA supporters Citizens Bank, eBay, and PayPal. Through the IFA, participating security researchers have a process by which to report potentially costly and embarrassing security breaches directly to companies, thus reducing the chance that an alert falls off the radar or gets lost in a morass of bureaucracy.
Moreover, a secure, clear process presumably reduces the likelihood that news of a breach will get leaked to the media or watchdog group that might be prone to trumpeting the incident to the public. That means an affected company can take the proper steps internally to investigate and act without the distraction of heated inquiries, overblown rumors, and various demands from reporters and worried customers.
But what about those worried customers who have every right to be concerned? Who wouldn't want to know immediately that their credit card info and Social Security number had been laying around for some cyber criminal to exploit? With this sort of system, customers are still at the mercy of their bank or other service provider to alert them in a timely manner that their information may have been breached.