Data Theft: How to Fix the Mess

In the early 1970's, Senator William Proxmire, the Wisconsin Democrat who was the scourge of the banking industry, decided something needed to be done about the chaotic state of the credit card business.

Credit cards were still relatively new, and all over the country, banks were peppering Americans with unsolicited cards - sending them not only to the heads of households, but to their children, their dogs and their dead grandmothers. Thieves would follow the postman doing his rounds, steal cards out of mailboxes and use them. People were being billed for things they'd never bought with cards they'd never asked for - and the banks were demanding payment. Even though the banking industry insisted that only a small minority of transactions were fraudulent, the public outcry was enormous.

Here's what Mr. Proxmire did. First, in 1970, he drafted a bill that banned the practice of "dropping" credit cards on people without their consent. Four years later, he pushed through a bill that limited consumer liability to $50 if a credit card was used fraudulently.

The banking industry was apoplectic as these bills became the law of the land, especially the $50 limit. Why, bank lobbyists complained, should the institutions have to take the hit if a customer was so careless as to have his wallet stolen or credit card snitched? Shouldn't people be responsible for their own actions?

But in time, the banks came to see that they owed Senator Proxmire a debt of gratitude. He hadn't hurt the credit card industry. He had saved it. By forcing the industry to solicit customers, instead of simply dropping cards on them, he gave Americans the feeling that the decision to have a credit card was theirs, not some bank's.

And with the $50 liability limit, people no longer had to fear the dire consequences of having their card stolen. They could embrace credit cards instead of fearing them, which for better or worse they've been doing ever since; there are today over a billion credit cards just in the United States. Over the years, banks and consumers learned to deal with credit card fraud, so that it has become little more than an irritant. Banks don't even demand the $50; they cover the entire loss themselves.

The current "identity theft" crisis, in which we're learning, daily it seems, that institutions like Bank of America, ChoicePoint, Citigroup and many others have allowed our personal financial data to be lost or stolen, is fundamentally an outgrowth of our dependence on credit.

Credit cards are the primary means of buying things on the Internet. Credit card information is what is most often stolen in a data breach case, like the recent CardSystems Solutions fiasco, in which as many as 40 million credit cards may have been compromised. Even in the worst case, when data thieves get enough personal information to impersonate someone electronically, the bad guys usually wind up using that information to establish credit in order to buy things in that person's name.

So when I read the stories about data theft, I can't help thinking back on that credit card crisis of the 1970's. Now, as then, the chances of facing that worst outcome are pretty rare. The vast majority of modern cases classified as identity theft are really just old-fashioned credit card fraud, easily dealt with. (In fact, most of the time, the fraud is committed the old-fashioned way: through the lifting of a wallet.) According to TowerGroup, a financial services consulting firm, only about 160,000 people last year had their financial identities - as opposed to their credit card information, which numbers in the millions - stolen by fraudsters.

Many of the data losses are just that: lost data, not stolen data. The problem isn't even that new; the main reason we are learning about all these cases is a 2003 California law that required, for the first time, that consumers be informed when their personal information was compromised. Before 2003, there were plenty of examples of hacked data. But we didn't hear about those, so we weren't as worried about it.

But so what? In the end, it doesn't matter if the problem isn't new or the risk of being hurt by a data theft is small: the fear is palpable. "In the ChoicePoint case," said Robert Richardson, the editorial director of the Computer Security Institute, "people weren't just uncomfortable that their data was stolen."

"They were also upset to discover that this company that had insufficiently protected their data even had their data."

ChoicePoint is one of those murky "data aggregators," which describes itself as being involved in the "identification, retrieval, storage, analysis and delivery of data." Just reading the description is unsettling.

There is an uneasy sense that people simply do not have control of their own financial information. Most victims of identity theft have no idea how it happened. Their data is out there in the ether of the Internet or on the computers of companies they've never heard of. And if, heaven forbid, they should have their financial identity stolen, the prospect of disaster looms. Is it any wonder that, according to recent surveys by both the Gartner Group and Forrester Research, the percentage of people who say they have stopped using the Internet to pay bills has risen substantially?

And yet so far, what we've mainly heard is that the onus is on us, the consumer, to become more vigilant. We are told to check our accounts online regularly and to sign up for services that will allow us to monitor our credit rating. True, banks are finally trying to do a better job of securing credit card and other personal data, but there is no legal requirement for them to do so, and there are plenty of bankers who think the problem is overstated.

"Ever since we've had credit, we've had fraud," said Jerry Silva, a TowerGroup analyst. "There is a feeling from the institutions that they've had this problem solved. And there is not a lot of ID theft, which is what all the hullabaloo is about."

Which is why I wish William Proxmire were still on the case. What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions who collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late. "When people ask me what can the average person do to stop identity theft, I say, 'nothing,' " said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."

Mr. Schneier, though, has a solution that is positively Proxmirian in its elegance and simplicity. Most of the bills that have been filed in Congress to deal with identity fraud are filled with specific requirements for banks and other institutions: encrypt this; safeguard that; strengthen this firewall.

Mr. Schneier says forget about all that. Instead, do what Congress did in the 1970's - just put the burden on the financial industry. "If we're ever going to manage the risks and effects of electronic impersonation," he wrote recently on CNET (and also in his blog), "we must concentrate on preventing and detecting fraudulent transactions." And the only way to do that, he added, is by making the financial institutions liable for fraudulent transactions.

"I think business ingenuity is top notch," Mr. Schneier said in an interview. "And I think if you make it their problem, they will solve it."

Yes, he acknowledged, letting consumers off the hook might cause them to be less vigilant. But that is exactly what Senator Proxmire did and to great effect. Forcing the financial institutions to bear the entire burden will cause them to tighten up their procedures until the fraud is under control. Maybe they will invest in complex software. But maybe they'll take simpler measures as well, like making it a little less easy than it is today to obtain a credit card. Best of all, once people see these measures take effect - and realize that someone else is responsible for fixing the problems - their fear will abate.

As Senator Proxmire understood a long time ago, fear is the great enemy of commerce. Maybe this time, the banks will finally understand that as well.

JOSEPH NOCERA
The New York Times
