• Credit Bureaus adopt data protection standard... so what?

    So the three big credit bureaus are adopting a single data encryption standard to "further assure the protection of sensitive consumer data when transmitted between data furnishers and credit reporting companies" (link).  Great. 

    Except that data encryption isn't the problem.  All of the widely publicized recent attacks have been either from insiders, or from organizations that were customers.  Such attackers already have access to the data.

    The answer isn't going to be that easy.  It is going to require some type of rights management that ties the data to the consumer, the usage and the time that it is valid. 

    The real message here is that this isn't for consumer protection at all.  It is to make life easier for the purchasers of credit reporting data, who today have to deal with different schemes from each of the big three.  Maybe there is some benefit here for the consumer, but it isn't immediately obvious.

  • British Gov't validating security tools - "CSIA CT Mark"

    The CSIA is sort of the British version of NIST, with respect to IT.  They've invented their own accreditation for security tools (link), basically looking to validate the vendor's claims (thus the name, "Claim Tested Mark").  This is a very different approach from that used in the Common Criteria process, which seeks to apply a single set of standards to many different products. 

    I think I like the British approach more -- it provides customers with some amount of trust that the products will perform as described, without making the verification process so onerous that only the products with the largest volumes (e.g. Windows Server) would ever be put through the process.

  • Cool stuff - Microsoft MAX

    If you have a high-performance machine with a good video card, check out http://www.microsoft.com/max/.  It's the Codename Avalon user interface used for photo browsing.  Not only is it really pretty, but it also shows some great ideas around how a UI can provide context for users. 

  • Trapping passwords by listening to typing

    An interesting paper to be published shortly by three clever people at UC Berkeley reports that without training (other than a 10-minute recording of someone typing) a recognition algorithm can be built to derive what is being typed, including passwords.  There are many caveats here, including the requirement that the typist is typing in one language (they used English) and that the recognition rate is far from 100%.  But nevertheless it provokes thought.

    So what does this tell us?  First off, relying solely on passwords is a bad idea -- even if this attack weren't possible, there are just so many others.  Two-factor authentication is not foolproof but it does greatly reduce the risk.

    Second, this reiterates the old saw about physical access.  If I can get close to your PC then I have a reasonable chance of obtaining your user ID and password.

    Type quietly, everyone!