Data Theft: How to Fix the Mess

In the early 1970's, Senator William Proxmire, the Wisconsin Democrat who was the scourge of the banking industry, decided something needed to be done about the chaotic state of the credit card business.

Credit cards were still relatively new, and all over the country, banks were peppering Americans with unsolicited cards - sending them not only to the heads of households, but to their children, their dogs and their dead grandmothers. Thieves would follow the postman doing his rounds, steal cards out of mailboxes and use them. People were being billed for things they'd never bought with cards they'd never asked for - and the banks were demanding payment. Even though the banking industry insisted that only a small minority of transactions were fraudulent, the public outcry was enormous.

Here's what Mr. Proxmire did. First, in 1970, he drafted a bill that banned the practice of "dropping" credit cards on people without their consent. Four years later, he pushed through a bill that limited consumer liability to $50 if a credit card was used fraudulently.

The banking industry was apoplectic as these bills became the law of the land, especially the $50 limit. Why, bank lobbyists complained, should the institutions have to take the hit if a customer was so careless as to have his wallet stolen or credit card snitched? Shouldn't people be responsible for their own actions?

But in time, the banks came to see that they owed Senator Proxmire a debt of gratitude. He hadn't hurt the credit card industry. He had saved it. By forcing the industry to solicit customers, instead of simply dropping cards on them, he gave Americans the feeling that the decision to have a credit card was theirs, not some bank's.

And with the $50 liability limit, people no longer had to fear the dire consequences of having their card stolen. They could embrace credit cards instead of fearing them, which for better or worse they've been doing ever since; there are today over a billion credit cards just in the United States. Over the years, banks and consumers learned to deal with credit card fraud, so that it has become little more than an irritant. Banks don't even demand the $50; they cover the entire loss themselves.

The current "identity theft" crisis, in which we're learning, daily it seems, that institutions like Bank of America, ChoicePoint, Citigroup and many others have allowed our personal financial data to be lost or stolen, is fundamentally an outgrowth of our dependence on credit.

Credit cards are the primary means of buying things on the Internet. Credit card information is what is most often stolen in a data breach case, like the recent CardSystems Solutions fiasco, in which as many as 40 million credit cards may have been compromised. Even in the worst case, when data thieves get enough personal information to impersonate someone electronically, the bad guys usually wind up using that information to establish credit in order to buy things in that person's name.

So when I read the stories about data theft, I can't help thinking back on that credit card crisis of the 1970's. Now, as then, the chances of facing that worst outcome are pretty rare. The vast majority of modern cases classified as identity theft are really just old-fashioned credit card fraud, easily dealt with. (In fact, most of the time, the fraud is committed the old-fashioned way: through the lifting of a wallet.) According to TowerGroup, a financial services consulting firm, only about 160,000 people last year had their financial identities - as opposed to their credit card information, which numbers in the millions - stolen by fraudsters.

Many of the data losses are just that: lost data, not stolen data. The problem isn't even that new; the main reason we are learning about all these cases is a 2003 California law that required, for the first time, that consumers be informed when their personal information was compromised. Before 2003, there were plenty of examples of hacked data. But we didn't hear about those, so we weren't as worried about it.

But so what? In the end, it doesn't matter if the problem isn't new or the risk of being hurt by a data theft is small: the fear is palpable. "In the ChoicePoint case," said Robert Richardson, the editorial director of the Computer Security Institute, "people weren't just uncomfortable that their data was stolen."

"They were also upset to discover that this company that had insufficiently protected their data even had their data."

ChoicePoint is one of those murky "data aggregators," which describes itself as being involved in the "identification, retrieval, storage, analysis and delivery of data." Just reading the description is unsettling.

There is an uneasy sense that people simply do not have control of their own financial information. Most victims of identity theft have no idea how it happened. Their data is out there in the ether of the Internet or on the computers of companies they've never heard of. And if, heaven forbid, they should have their financial identity stolen, the prospect of disaster looms. Is it any wonder that, according to recent surveys by both the Gartner Group and Forrester Research, the percentage of people who say they have stopped using the Internet to pay bills has risen substantially?

And yet so far, what we've mainly heard is that the onus is on us, the consumer, to become more vigilant. We are told to check our accounts online regularly and to sign up for services that will allow us to monitor our credit rating. True, banks are finally trying to do a better job of securing credit card and other personal data, but there is no legal requirement for them to do so, and there are plenty of bankers who think the problem is overstated.

"Ever since we've had credit, we've had fraud," said Jerry Silva, a TowerGroup analyst. "There is a feeling from the institutions that they've had this problem solved. And there is not a lot of ID theft, which is what all the hullabaloo is about."

Which is why I wish William Proxmire were still on the case. What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions that collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late. "When people ask me what can the average person do to stop identity theft, I say, 'nothing,' " said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."

Mr. Schneier, though, has a solution that is positively Proxmirian in its elegance and simplicity. Most of the bills that have been filed in Congress to deal with identity fraud are filled with specific requirements for banks and other institutions: encrypt this; safeguard that; strengthen this firewall.

Mr. Schneier says forget about all that. Instead, do what Congress did in the 1970's - just put the burden on the financial industry. "If we're ever going to manage the risks and effects of electronic impersonation," he wrote recently on CNET (and also in his blog), "we must concentrate on preventing and detecting fraudulent transactions." And the only way to do that, he added, is by making the financial institutions liable for fraudulent transactions.

"I think business ingenuity is top notch," Mr. Schneier said in an interview. "And I think if you make it their problem, they will solve it."

Yes, he acknowledged, letting consumers off the hook might cause them to be less vigilant. But that is exactly what Senator Proxmire did and to great effect. Forcing the financial institutions to bear the entire burden will cause them to tighten up their procedures until the fraud is under control. Maybe they will invest in complex software. But maybe they'll take simpler measures as well, like making it a little less easy than it is today to obtain a credit card. Best of all, once people see these measures take effect - and realize that someone else is responsible for fixing the problems - their fear will abate.

As Senator Proxmire understood a long time ago, fear is the great enemy of commerce. Maybe this time, the banks will finally understand that as well.

The New York Times
