
Sloppy identity verification ‘must make firms liable for fraud’

Organizations that hold personal data should be made liable for fraudulent transactions, say British Telecommunications (BT) security experts.

The company commented following the case in which 11 people were charged with what is thought to be the biggest case of credit card identity theft in the United States, with an estimated 41 million credit and debit card details stolen.

The alleged culprits used a technique known as ‘wardriving’: they drove around the suburbs of Miami and San Diego with laptops, scanning for security holes in the wireless internet networks of banks and shops.

Authorities said they used sniffer programs to obtain card numbers, personal information and passwords, which were either allegedly used by the accused to furnish blank cards and withdraw cash, or sold on the black market.

Bruce Schneier, BT's chief security technology officer, said it is becoming easier for criminals to get hold of data that could be used for fraud, as the amount of personal information collected, sold and collated increases. A culture in which identity is verified “simply and sloppily” makes it easier for criminals to commit identity fraud, he added.

“We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk,” he said. “And that means making the financial institutions and companies who hold the data liable for fraudulent transactions – this will result in a lot more prosecutions and a much safer environment. These prosecutions in the U.S. are just the tip of the iceberg and more needs to be done.”

Ray Stanton, BT's global head of business continuity, security and governance practice, said: “The charging of the individuals involved with the retail ID theft is great news for business. However, it is also bad news. Why? Because this basic problem should not have happened. It is irrelevant whether the charged individuals gained access via the wireless network or any other method. It was a failure of the organizations involved to implement basic controls and then maintain and monitor them.”

The thefts are said to have begun in 2003, but remained undiscovered until February 2007, when retailer TJX reported that the data on 45.7 million debit and credit cards from the United States, U.K. and Canada had been breached. The retailers affected are TJX, BJ's Wholesale Club, Barnes and Noble, Sports Authority, Boston Market, Office Max, Dave and Busters, DSW shoe stores and Forever 21.