Language Selection

English French German Italian Portuguese Spanish

Data Theft: How to Fix the Mess

Filed under
Security

IN the early 1970's, Senator William Proxmire, the Wisconsin Democrat who was the scourge of the banking industry, decided something needed to be done about the chaotic state of the credit card business.

Credit cards were still relatively new, and all over the country, banks were peppering Americans with unsolicited cards - sending them not only to the heads of households, but to their children, their dogs and their dead grandmothers. Thieves would follow the postman doing his rounds, steal cards out of mailboxes and use them. People were being billed for things they'd never bought with cards they'd never asked for - and the banks were demanding payment. Even though the banking industry insisted that only a small minority of transactions were fraudulent, the public outcry was enormous.

Here's what Mr. Proxmire did. First, in 1970, he drafted a bill that banned the practice of "dropping" credit cards on people without their consent. Four years later, he pushed through a bill that limited consumer liability to $50 if a credit card was used fraudulently.

The banking industry was apoplectic as these bills became the law of the land, especially the $50 limit. Why, bank lobbyists complained, should the institutions have to take the hit if a customer was so careless as to have his wallet stolen or credit card snitched? Shouldn't people be responsible for their own actions?

But in time, the banks came to see that it owed Senator Proxmire a debt of gratitude. He hadn't hurt the credit card industry. He had saved it. By forcing the industry to solicit customers, instead of simply dropping cards on them, he gave Americans the feeling that the decision to have a credit card was theirs, not some bank's.

And with the $50 liability limit, people no longer had to fear the dire consequences of having their card stolen. They could embrace credit cards instead of fearing them, which for better or worse they've been doing ever since; there are today over a billion credit cards just in the United States. Over the years, banks and consumers learned to deal with credit card fraud, so that it has become little more than an irritant. Banks don't even demand the $50; they cover the entire loss themselves.

The current "identity theft" crisis, in which we're learning, daily it seems, that institutions like Bank of America, ChoicePoint, Citigroup and many others have allowed our personal financial data to be lost or stolen, is fundamentally an outgrowth of our dependence on credit.

Credit cards are the primary means of buying things on the Internet. Credit card information is what is most often stolen in a data breach case, like the recent CardSystems Solutions fiasco, in which as many as 40 million credit cards may have been compromised. Even in the worst case, when data thieves get enough personal information to impersonate someone electronically, the bad guys usually wind up using that information to establish credit in order to buy things in that person's name.
So when I read the stories about data theft, I can't help thinking back on that credit card crisis of the 1970's. Now, as then, the chances of facing that worst outcome are pretty rare. The vast majority of modern cases classified as identity theft are really just old-fashioned credit card fraud, easily dealt with. (In fact, most of the time, the fraud is committed the old-fashioned way: through the lifting of a wallet.) According to TowerGroup, a financial services consulting firm, only about 160,000 people last year had their financial identities - as opposed to their credit card information, which numbers in the millions - stolen by fraudsters.

Many of the data losses are just that: lost data, not stolen data. The problem isn't even that new; the main reason we are learning about all these cases is a 2003 California law that required, for the first time, that consumers be informed when their personal information was compromised. Before 2003, there were plenty of examples of hacked data. But we didn't hear about those, so we weren't as worried about it.

But so what? In the end, it doesn't matter if the problem isn't new or the risk of being hurt by a data theft is small: the fear is palpable. "In the ChoicePoint case," said Robert Richardson, the editorial director of the Computer Security Institute, "people weren't just uncomfortable that their data was stolen."

"They were also upset to discover that this company that had insufficiently protected their data even had their data."

ChoicePoint is one of those murky "data aggregators," which describes itself as being involved in the "identification, retrieval, storage, analysis and delivery of data." Just reading the description is unsettling.

There is an uneasy sense that people simply do not have control of their own financial information. Most victims of identity theft have no idea how it happened. Their data is out there in the ether of the Internet or on the computers of companies they've never heard of. And if, heaven forbid, they should have their financial identity stolen, the prospect of disaster looms. Is it any wonder that, according to recent surveys by both the Gartner Group and Forrester Research, the percentage of people who say they have stopped using the Internet to pay bills, has risen substantially?

And yet so far, what we've mainly heard is that the onus is on us, the consumer, to become more vigilant. We are told to check our accounts online regularly and to sign up for services that will allow us to monitor our credit rating. True, banks are finally trying to do a better job of securing credit card and other personal data, but there is no legal requirement for them to do so, and there are plenty of bankers who think the problem is overstated.

"Ever since we've had credit, we've had fraud," said Jerry Silva, a TowerGroup analyst. "There is a feeling from the institutions that they've had this problem solved. And there is not a lot of ID theft, which is what all the hullabaloo is about."

Which is why I wish William Proxmire were still on the case. What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions who collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late. "When people ask me what can the average person do to stop identity theft, I say, 'nothing,' " said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."

Mr. Schneier, though, has a solution that is positively Proxmirian in its elegance and simplicity. Most of the bills that have been filed in Congress to deal with identity fraud are filled with specific requirements for banks and other institutions: encrypt this; safeguard that; strengthen this firewall.

Mr. Schneier says forget about all that. Instead, do what Congress did in the 1970's - just put the burden on the financial industry. "If we're ever going to manage the risks and effects of electronic impersonation," he wrote recently on CNET (and also in his blog), "we must concentrate on preventing and detecting fraudulent transactions." And the only way to do that, he added, is by making the financial institutions liable for fraudulent transactions.

"I think business ingenuity is top notch," Mr. Schneier said in an interview. "And I think if you make it their problem, they will solve it."

Yes, he acknowledged, letting consumers off the hook might cause them to be less vigilant. But that is exactly what Senator Proxmire did and to great effect. Forcing the financial institutions to bear the entire burden will cause them to tighten up their procedures until the fraud is under control. Maybe they will invest in complex software. But maybe they'll take simpler measures as well, like making it a little less easy than it is today to obtain a credit card. Best of all, once people see these measures take effect - and realize that someone else is responsible for fixing the problems - their fear will abate.

As Senator Proxmire understood a long time ago, fear is the great enemy of commerce. Maybe this time, the banks will finally understand that as well.

JOSEPH NOCERA
The New York Times

More in Tux Machines

Linux and FOSS Events

  • Debian SunCamp 2017 Is Taking Place May 18-21 in the Province of Girona, Spain
    It looks like last year's Debian SunCamp event for Debian developers was a total success and Martín Ferrari is back with a new proposal that should take place later this spring during four days full of hacking, socializing, and fun. That's right, we're talking about Debian SunCamp 2017, an event any Debian developer, contributor, or user can attend to meet his or hers Debian buddies, hack together on new projects or improve existing ones by sharing their knowledge, plan upcoming features and discuss ideas for the Debian GNU/Linux operating system.
  • Pieter Hintjens In Memoriam
    Pieter Hintjens was a writer, programmer and thinker who has spent decades building large software systems and on-line communities, which he describes as "Living Systems". He was an expert in distributed computing, having written over 30 protocols and distributed software systems. He designed AMQP in 2004, and founded the ZeroMQ free software project in 2007. He was the author of the O'Reilly ZeroMQ book, "Culture and Empire", "The Psychopath Code", "Social Architecture", and "Confessions of a Necromancer". He was the president of the Foundation for a Free Information Infrastructure (FFII), and fought the software patent directive and the standardisation of the Microsoft OOXML Office format. He also organized the Internet of Things (IOT) Devroom here at FOSDEM for the last 3 years. In April 2016 he was diagnosed with terminal metastasis of a previous cancer.
  • foss-gbg on Wednesday
    The topics are Yocto Linux on FPGA-based hardware, risk and license management in open source projects and a product release by the local start-up Zifra (an encryptable SD-card). More information and free tickets are available at the foss-gbg site.

Leftovers: OSS

  • When Open Source Meets the Enterprise
    Open source solutions have long been an option for the enterprise, but lately it seems they are becoming more of a necessity for advanced data operations than merely a luxury for IT techs who like to play with code. While it’s true that open platforms tend to provide a broader feature set compared to their proprietary brethren, due to their larger and more diverse development communities, this often comes at the cost of increased operational complexity. At a time when most enterprises are looking to shed their responsibilities for infrastructure and architecture to focus instead on core money-making services, open source requires a fairly high level of in-house technical skill. But as data environments become more distributed and reliant upon increasingly complex compilations of third-party systems, open source can provide at least a base layer of commonality for resources that support a given distribution.
  • EngineerBetter CTO: the logical truth about software 'packaging'
    Technologies such as Docker have blended these responsibilities, causing developers to need to care about what operating system and native libraries are available to their applications – after years of the industry striving for more abstraction and increased decoupling!
  • What will we do when everything is automated?
    Just translate the term "productivity of American factories" into the word "automation" and you get the picture. Other workers are not taking jobs away from the gainfully employed, machines are. This is not a new trend. It's been going on since before Eli Whitney invented the cotton gin. Industry creates machines that do the work of humans faster, cheaper, with more accuracy and with less failure. That's the nature of industry—nothing new here. However, what is new is the rate by which the displacement of human beings from the workforce in happening.
  • Want OpenStack benefits? Put your private cloud plan in place first
    The open source software promises hard-to-come-by cloud standards and no vendor lock-in, says Forrester's Lauren Nelson. But there's more to consider -- including containers.
  • Set the Agenda at OpenStack Summit Boston
    The next OpenStack Summit is just three months away now, and as is their custom, the organizers have once again invited you–the OpenStack Community–to vote on which presentations will and will not be featured at the event.
  • What’s new in the world of OpenStack Ambassadors
    Ambassadors act as liaisons between multiple User Groups, the Foundation and the community in their regions. Launched in 2013, the OpenStack Ambassador program aims to create a framework of community leaders to sustainably expand the reach of OpenStack around the world.
  • Boston summit preview, Ambassador program updates, and more OpenStack news

Proprietary Traps and Openwashing

  • Integrate ONLYOFFICE Online Editors with ownCloud [Ed: Proprietary software latches onto FOSS]
    ONLYOFFICE editors and ownCloud is the match made in heaven, wrote once one of our users. Inspired by this idea, we developed an integration app for you to use our online editors in ownCloud web interface.
  • Microsoft India projects itself as open source champion, says AI is the next step [Ed: Microsoft bribes to sabotage FOSS and blackmails it with patents; calls itself "open source"]
  • Open Source WSO2 IoT Server Advances Integration and Analytic Capabilities
    WSO2 has announced a new, fully-open-source WSO2 Internet of Things Server edition that "lowers the barriers to delivering enterprise-grad IoT and mobile solutions."
  • SAP license fees are due even for indirect users, court says
    SAP's named-user licensing fees apply even to related applications that only offer users indirect visibility of SAP data, a U.K. judge ruled Thursday in a case pitting SAP against Diageo, the alcoholic beverage giant behind Smirnoff vodka and Guinness beer. The consequences could be far-reaching for businesses that have integrated their customer-facing systems with an SAP database, potentially leaving them liable for license fees for every customer that accesses their online store. "If any SAP systems are being indirectly triggered, even if incidentally, and from anywhere in the world, then there are uncategorized and unpriced costs stacking up in the background," warned Robin Fry, a director at software licensing consultancy Cerno Professional Services, who has been following the case.
  • “Active Hours” in Windows 10 emphasizes how you are not in control of your own devices
    No edition of Windows 10, except Professional and Enterprise, is expected to function for more than 12 hours of the day. Microsoft most generously lets you set a block of 12 hours where you’re in control of the system, and will reserve the remaining 12 hours for it’s own purposes. How come we’re all fine with this? Windows 10 introduced the concept of “Active Hours”, a period of up to 12 hours when you expect to use the device, meant to reflect your work hours. The settings for changing the device’s active hours is hidden away among Windows Update settings, and it poorly fits with today’s lifestyles. Say you use your PC in the afternoon and into the late evening during the work week, but use it from morning to early afternoon in the weekends. You can’t fit all those hours nor accommodate home office hours in a period of just 12 hours. We’re always connected, and expect our devices to always be there for us when we need them.
  • Chrome 57 Will Permanently Enable DRM
    The next stable version of Chrome (Chrome 57) will not allow users to disable the Widevine DRM plugin anymore, therefore making it an always-on, permanent feature of Chrome. The new version of Chrome will also eliminate the “chrome://plugins” internal URL, which means if you want to disable Flash, you’ll have to do it from the Settings page.

Linux Mint 18.1 Serena - The glass is half full

Linux Mint 18.1 Serena is an okay distro. It has more merit than Sarah, but then, it's also had almost a year to work on polishing some of the issues, and while a few have been ironed out, big quality issues that were never the domain of Mint before still persist. The live session experience is underwhelming, the default theme is not vibrant enough and can lead to ocular exhaustion quickly, there were problems with stability, multimedia playback, and the promise of Spotify never came to be. On the other hand, most of the stuff works out of the box, the repos are rich, the distro can be tamed relatively easily, and at the end of the day, you have a supported, popular system full of goodies and shiny colors with only a slight aftertaste of betrayal in your proverbial mouth. Good, but only if you've just started playing around with Linux. This distro has no flair. It doesn't have the magic and fire of yore. No fire, no nothing. It's not super green. And it must pop pop pop. So I guess, grade wise, 6.5/10 or some such. All in all, 'tis Linux Mint all right, but not the best offering by a long shot. Read more Also: Linux Mint 18.2 Features – What’s Ahead In the Next Release