Organizations that hold personal data should be made liable for fraudulent transactions, say British Telecommunications (BT) security experts.
The company commented following the case in which 11 people were charged with what is thought to be the biggest case of credit card identity theft in the United States – with an estimated 41 million credit and debit card details stolen.
The alleged culprits used a technique known as ‘wardriving’ – they drove around the suburbs of Miami and San Diego with laptops, scanning for security holes in wireless internet networks of banks and shops.
Authorities said they used sniffer programs to obtain card numbers, personal information and passwords, which were either allegedly used by the accused to furnish blank cards and withdraw cash, or sold on the black market.
Bruce Schneier, BT's chief security technology officer, said it is easier for criminals to get hold of data that could be used for fraud, as the amount of personal information collected, sold and collated increases. Our current culture where identity is verified “simply and sloppily” makes it easier for criminals to commit identity fraud crimes, he added.
“We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk,” he said. “And that means making the financial institutions and companies who hold the data liable for fraudulent transactions – this will result in a lot more prosecutions and a much safer environment. These prosecutions in the U.S. are just the tip of the iceberg and more needs to be done.”
Ray Stanton, BT's global head of business continuity, security and governance practice, said: “The charging of the individuals involved with the retail ID theft is great news for business. However, it is also bad news. Why? Because this basic problem should not have happened. It is irrelevant whether the charged individuals gained access via the wireless network or any other method. It was a failure of the organizations involved to implement basic controls and then maintain and monitor them.”
The thefts are said to have begun in 2003, but remained undiscovered until February 2007, when retailer TJX reported that the data on 45.7 million debit and credit cards from the United States, U.K. and Canada had been breached. The retailers affected are TJX, BJ's Wholesale Club, Barnes and Noble, Sports Authority, Boston Market, Office Max, Dave and Busters, DSW shoe stores and Forever 21.