Organizations that hold personal data should be made liable for fraudulent transactions, say British Telecommunications (BT) security experts.
The company commented following the case in which 11 people were charged with what is thought to be the biggest case of credit card identity theft in the United States, with an estimated 41 million credit and debit card details stolen.
The alleged culprits used a technique known as ‘wardriving’: they drove around the suburbs of Miami and San Diego with laptops, scanning for security holes in the wireless internet networks of banks and shops.
Authorities said they used sniffer programs to obtain card numbers, personal information and passwords, which were allegedly either used by the accused to furnish blank cards and withdraw cash, or sold on the black market.
Bruce Schneier, BT's chief security technology officer, said it is easier for criminals to get hold of data that could be used for fraud, as the amount of personal information collected, sold and collated increases. Our current culture, in which identity is verified “simply and sloppily”, makes it easier for criminals to commit identity fraud crimes, he added.
“We need to make the entity that is in the best position to mitigate the risk responsible for that risk,” he said. “And that means making the financial institutions and companies who hold the data liable for fraudulent transactions. This will result in a lot more prosecutions and a much safer environment. These prosecutions in the U.S. are just the tip of the iceberg and more needs to be done.”
Ray Stanton, BT's global head of business continuity, security and governance practice, said: “The charging of the individuals involved with the retail ID theft is great news for business. However, it is also bad news. Why? Because this basic problem should not have happened. It is irrelevant whether the charged individuals gained access via the wireless network or any other method. It was a failure of the organizations involved to implement basic controls and then maintain and monitor them.”
The thefts are said to have begun in 2003, but remained undiscovered until February 2007, when retailer TJX reported that the data on 45.7 million debit and credit cards from the United States, U.K. and Canada had been breached.
The retailers affected are TJX, BJ's Wholesale Club, Barnes and Noble, Sports Authority, Boston Market, Office Max, Dave and Busters, DSW shoe stores and Forever 21.