
Who should be on (and off) the hook for ID theft?

By Anne Saita, News Director
15 Apr 2005 | SearchSecurity.com


Data broker LexisNexis admitted it vastly underestimated the impact of recent breaches that now leave some 310,000 people in peril. Meantime, at least 180,000 MasterCard and Visa cardholders learned their confidential information may have been compromised after making purchases at a Ralph Lauren retailer. More than 100,000 Tufts University alumni had their private data swiped from a school server. And San Jose Medical Group Inc. announced the theft of two laptops holding unencrypted info on 185,000 people.

And that's just in the past week.

With such announcements almost commonplace, information security leaders wonder what it will take to stanch the steady stream of stolen data pouring from public and private institutions. A panel of technologists will convene this morning in the nation's capital to discuss solutions to the rise of identity theft. They'll also hash out a particularly prickly subject: Just whose problem is it to solve?

Adding to the debate is today's publication of an essay by influential cryptographer Bruce Schneier, who calls for financial institutions to carry the economic burden of what he sees as a modern twist on an ancient crime: impersonation.
"If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions," he writes. That homes in on the biggest breaches to recently hit the headlines. Both Ohio-based LexisNexis and ChoicePoint of Georgia, another data company that put 185,000 individuals at risk of ID theft, quickly noted they were conned by criminals, not compromised by computer hackers.

Schneier says holding financial institutions -- and not account holders -- liable for fraudulent transactions must be part of any solution. Banks and other financial businesses "can't claim that the user must keep his password secure or his machine virus-free," he writes. "They can't require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren't responsible requirements for most users. The bank must be made responsible, regardless of what the user does."

Though Bank of America is mentioned only in passing, Schneier's comments come a couple of months after a Miami businessman sued the financial giant for failing to protect his online banking from thieves, who apparently installed malicious code on the man's PC and then drained his account. That case has sparked heated debate about where a customer's safeguards end and the bank's begin.

In an interview yesterday, Schneier said that court case could prove his point. "I think it's a great case because I think the man's right," he said.

Not everyone agrees that users should be let off the hook. "Everyone has to do their part, (most) people have learned how to lock their houses and cars and not to leave keys under the mat or in the ignition," former national cybersecurity czar Howard Schmidt said. "The same thing needs to occur on PCs. If you leave your keys in the car and it gets stolen, how is that not your fault? It's the same with personal data."

Al Berg, director of information security for a New York-based electronic institutional broker, believes there's some merit to making financial institutions pay for fraudulent claims. "I think placing liability with financial institutions is going to be the most effective tool in making change happen. … Nobody likes taking on more liability."

Schneier, CTO of California-based Counterpane Internet Security, says sound solutions to combat online fraud won't happen until financial institutions have incentives to put them in place. "Right now, the economic incentives result in financial institutions that are so eager to allow transactions -- new credit cards, cash transfers, whatever -- that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention."

Berg and other security professionals in the financial field believe it all comes down to the bottom line. "A lot of costs of not properly protecting data come down to money -- there's always a link back to that. The reason companies like ChoicePoint get into the news is because of the link to finances," Berg said. "It always goes back to the money."

That's also one reason banks have been slow to consider the shift in responsibility. As Schneier tells it, such solutions are expensive. But, he added in the interview, they're necessary. "Right now we have an administration that's very business-friendly and anti-consumer. But if enough grandmas lose their money, something is going to happen. You can't continue to shove this off on the consumer."
