by thrashh 1199 days ago
I think why regulation hasn’t happened is because the computer industry has changed so quickly. Two-factor auth wasn’t even a commonly accepted best practice two decades ago.

And regulation takes a while to create and put into practice, and with the rate things are going, by the time regulation has been put in place, the current best practices will have changed.

Whereas writing regulation on building bridges is easy because the timescale of us building bridges spans literal millenniums.


I agree completely. I didn't ask why government enforced regulation hasn't happened. I asked why industry self-regulation has failed. I've worked in a regulatory/security role for a major conglomerate before.

I'm not saying I expected self-regulation to work. But, if you are in a position of customers seeing direct harm every day, it's not unreasonable to ask why there is a failure here.

I think it has failed because the industry is moving way faster than most people can keep up.

Even your average developer isn’t going to be aware of security changes in the industry to know what’s important or not. It’s going to be even less likely that someone not in engineering would remotely know what’s important or not.

Security professionals know but do you seek out a cardiologist first before you ask your GP? Probably not because, being not at all trained, you have no clue about anything. And if your GP doesn’t know, you are kind of on your own.

"People" don't need to keep up, the internal controls team needs to keep up, and it's possible to staff such a team with people who know how to mitigate phishing attacks when you are one of the largest corporate targets of phishing by volume on the earth.

They do because they are the ones hiring.

If you’re trying to decide between electricians but you know nothing about electrical jobs, you’re going to be unable to make any meaningful decision. You’re just going to pick the one that sounds the best.

Heck, you could be using the same mediocre electrician for years and even recommend them to friends because you still have no clue about the workmanship.

What does it mean for the industry to self-regulate? How do you define industry? Is it telecoms, or all tech companies?

Self-regulation has failed because the cost of a data breach remains relatively low compared to implementing security measures, at least on the surface.

Regulation generally is targeted at preventing consumer harm. Self-regulation is the practice of appropriately mitigating consumer harm. I mean mobile subscription providers here by "industry."
You can find an answer in their profitability in spite of repeated negligence.

> Two-factor auth wasn't even a commonly accepted best practice two decades ago.

Maybe, had you said three decades? But not two. It was already mature by then.

Two decades ago was 2003. Even consumer banking was online, and in many countries exclusively 2FA.

I worked in the banking space then and we absolutely had smart cards. Military and defense had them everywhere. Proprietary solutions had already gone away, replaced by PC/SC. NT 4.0 SP6 had support out of the box, because it was already a hard requirement for many customers two and a half decades ago.

Sure. My dad had a 2FA dongle in the 90s too.

But outside of government, defense and banking, who exactly was using it?

It was not on the radar of the vast majority of people. Most technology takes decades to filter through the world.

Well, the vast majority of people live in impoverished areas of the world, so in a strict sense that's true.

But it was absolutely a standard form of authentication already, and regarded as best practice security for those who cared about such things.

Which perhaps weren't that many, but then again, still isn't.

I had to use it in the 90s for a job I had at an automotive OEM.

I would bet most people's first encounter with 2FA was 2013+. I didn't even have to use it at my job (in healthcare!) until 2015.

That’s assuming you regulate a very specific thing versus the end goal. To me the appropriate regulation is to find a way to cause real harm to T-Mobile when they are breached. When repeated like this, or if done through effective negligence, then they shouldn’t be allowed to be in business anymore. We gotta stop the tiny fines. Jail, billions of dollars in fines, remove their business license… something large needs to happen. Once that’s in place, you won’t need specific regulations as the incentive structure will be there to do the right thing.

One way to do so would be to make it so wireless companies can lose access to spectrum as a consequence of customer data breaches. Let someone else who can keep customer data secure have it instead.

Most countries only have three large mobile carriers. You can't take action against their actual operations because you would be running out of alternatives pretty soon, plus you would cause huge disruption to customers.

I think financial penalties are still the best bet if they are large enough to really hit profitability but not large enough to kill the company.

That ultimately hurts customers more than the data breach. Limiting access means less availability for customers. If all the customers leave, you’ve just contributed to a monopoly/oligopoly.

Or reserve it for the next company that could pony up at a significant discount.

Look - too big to fail means we let too many companies merge. This isn't a healthy situation that losing T-Mobile means having no competition left. We should probably unwind some mergers first.

The aviation industry can introduce new regulation fast. One example would be reinforced cockpit doors. Prompted by the events of September 2001, new standards were published four months later (January 2002) and expected to be completed fifteen months after that (April 2003).

https://avalon.law.yale.edu/sept11/faa_001.asp

It makes sense for a change about doors. Doors are as old as time. Everyone understands how doors work. The impact of a door change is straightforward. There are relatively few moving parts involved in a self-contained door (figuratively and literally).

It was the first example that I thought of. There are other, less straightforward changes in recent years. They involve safety teams, risk assessment, terrain awareness systems, voluntary reporting programs, hazard recognition. They made commercial flights safer and we can measure it.

https://www.faa.gov/newsroom/out-front-airline-safety-two-de...

Was that the industry, or the government?

Both. My point was, with enough motivation and resources it can be done. I gave an example of such an industry in the sense of a sector of an economy.

My dad worked in telecom for a baby bell and they had 2FA fobs since at least 2004 (probably earlier, but I didn’t see it until then). He wasn’t even in a consumer-facing company; they made equipment for other companies. If they could implement this 20 years ago, there’s no excuse for T-Mobile today.

> I think why regulation hasn’t happened is because the computer industry has changed so quickly.

It also doesn't help that the US government is a barely-functioning kleptocracy. They're more concerned with passing legislation about transgender bogeymen while they line their pockets than they are about ... well, anything else.

A more reasonable alternative view is that regulations are largely opposed by most in the industry for good reasons. Including the fact that the explicit absence of such is what allows the internet to exist at all.