Data Theft: How to Fix the Mess

In the early 1970's, Senator William Proxmire, the Wisconsin Democrat who was the scourge of the banking industry, decided something needed to be done about the chaotic state of the credit card business.

Credit cards were still relatively new, and all over the country, banks were peppering Americans with unsolicited cards - sending them not only to the heads of households, but to their children, their dogs and their dead grandmothers. Thieves would follow the postman doing his rounds, steal cards out of mailboxes and use them. People were being billed for things they'd never bought with cards they'd never asked for - and the banks were demanding payment. Even though the banking industry insisted that only a small minority of transactions were fraudulent, the public outcry was enormous.

Here's what Mr. Proxmire did. First, in 1970, he drafted a bill that banned the practice of "dropping" credit cards on people without their consent. Four years later, he pushed through a bill that limited consumer liability to $50 if a credit card was used fraudulently.

The banking industry was apoplectic as these bills became the law of the land, especially the $50 limit. Why, bank lobbyists complained, should the institutions have to take the hit if a customer was so careless as to have his wallet stolen or credit card snitched? Shouldn't people be responsible for their own actions?

But in time, the banks came to see that they owed Senator Proxmire a debt of gratitude. He hadn't hurt the credit card industry. He had saved it. By forcing the industry to solicit customers, instead of simply dropping cards on them, he gave Americans the feeling that the decision to have a credit card was theirs, not some bank's.

And with the $50 liability limit, people no longer had to fear the dire consequences of having their card stolen. They could embrace credit cards instead of fearing them, which for better or worse they've been doing ever since; there are today over a billion credit cards just in the United States. Over the years, banks and consumers learned to deal with credit card fraud, so that it has become little more than an irritant. Banks don't even demand the $50; they cover the entire loss themselves.

The current "identity theft" crisis, in which we're learning, daily it seems, that institutions like Bank of America, ChoicePoint, Citigroup and many others have allowed our personal financial data to be lost or stolen, is fundamentally an outgrowth of our dependence on credit.

Credit cards are the primary means of buying things on the Internet. Credit card information is what is most often stolen in a data breach case, like the recent CardSystems Solutions fiasco, in which as many as 40 million credit cards may have been compromised. Even in the worst case, when data thieves get enough personal information to impersonate someone electronically, the bad guys usually wind up using that information to establish credit in order to buy things in that person's name.

So when I read the stories about data theft, I can't help thinking back on that credit card crisis of the 1970's. Now, as then, the chances of facing that worst outcome are pretty rare. The vast majority of modern cases classified as identity theft are really just old-fashioned credit card fraud, easily dealt with. (In fact, most of the time, the fraud is committed the old-fashioned way: through the lifting of a wallet.) According to TowerGroup, a financial services consulting firm, only about 160,000 people last year had their financial identities - as opposed to their credit card information, which numbers in the millions - stolen by fraudsters.

Many of the data losses are just that: lost data, not stolen data. The problem isn't even that new; the main reason we are learning about all these cases is a 2003 California law that required, for the first time, that consumers be informed when their personal information was compromised. Before 2003, there were plenty of examples of hacked data. But we didn't hear about those, so we weren't as worried about it.

But so what? In the end, it doesn't matter if the problem isn't new or the risk of being hurt by a data theft is small: the fear is palpable. "In the ChoicePoint case," said Robert Richardson, the editorial director of the Computer Security Institute, "people weren't just uncomfortable that their data was stolen."

"They were also upset to discover that this company that had insufficiently protected their data even had their data."

ChoicePoint is one of those murky "data aggregators," which describes itself as being involved in the "identification, retrieval, storage, analysis and delivery of data." Just reading the description is unsettling.

There is an uneasy sense that people simply do not have control of their own financial information. Most victims of identity theft have no idea how it happened. Their data is out there in the ether of the Internet or on the computers of companies they've never heard of. And if, heaven forbid, they should have their financial identity stolen, the prospect of disaster looms. Is it any wonder that, according to recent surveys by both the Gartner Group and Forrester Research, the percentage of people who say they have stopped using the Internet to pay bills has risen substantially?

And yet so far, what we've mainly heard is that the onus is on us, the consumer, to become more vigilant. We are told to check our accounts online regularly and to sign up for services that will allow us to monitor our credit rating. True, banks are finally trying to do a better job of securing credit card and other personal data, but there is no legal requirement for them to do so, and there are plenty of bankers who think the problem is overstated.

"Ever since we've had credit, we've had fraud," said Jerry Silva, a TowerGroup analyst. "There is a feeling from the institutions that they've had this problem solved. And there is not a lot of ID theft, which is what all the hullabaloo is about."

Which is why I wish William Proxmire were still on the case. What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions who collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late. "When people ask me what can the average person do to stop identity theft, I say, 'nothing,' " said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."

Mr. Schneier, though, has a solution that is positively Proxmirian in its elegance and simplicity. Most of the bills that have been filed in Congress to deal with identity fraud are filled with specific requirements for banks and other institutions: encrypt this; safeguard that; strengthen this firewall.

Mr. Schneier says forget about all that. Instead, do what Congress did in the 1970's - just put the burden on the financial industry. "If we're ever going to manage the risks and effects of electronic impersonation," he wrote recently on CNET (and also in his blog), "we must concentrate on preventing and detecting fraudulent transactions." And the only way to do that, he added, is by making the financial institutions liable for fraudulent transactions.

"I think business ingenuity is top notch," Mr. Schneier said in an interview. "And I think if you make it their problem, they will solve it."

Yes, he acknowledged, letting consumers off the hook might cause them to be less vigilant. But that is exactly what Senator Proxmire did and to great effect. Forcing the financial institutions to bear the entire burden will cause them to tighten up their procedures until the fraud is under control. Maybe they will invest in complex software. But maybe they'll take simpler measures as well, like making it a little less easy than it is today to obtain a credit card. Best of all, once people see these measures take effect - and realize that someone else is responsible for fixing the problems - their fear will abate.

As Senator Proxmire understood a long time ago, fear is the great enemy of commerce. Maybe this time, the banks will finally understand that as well.

The New York Times
