Not if they won’t pay for that service.
Plenty do pay. It sometimes goes something like this:
Consultant: Here is the list of 172 high risk problems
Bank IT: How many of these have known fixes?
Consultant: 100
Bank IT: Looks like we can fix 70 of those without breaking other things. OK we’ll add those to the fix schedule. At current available downtime windows, we should be done this time next year if we can get approval.
Any idea what it cost Target to get hacked? They’ll pay, one way or the other.
It’s the law of the land in the US right now for credit card transactions. It doesn’t matter how or why your credit card info got into unauthorized hands, you are not liable beyond $50. Before that law was put in place (long before the internet), the card holder was on the hook for credit card fraud, and the banks and merchants had no incentive to keep fraud under control because it wasn’t their problem. Once the law was passed, it became their problem, and lo, they implemented policies to prevent fraud. The exact same system needs to be applied to all forms of hacking, social engineering, and other kinds of modern fraud, from ATM skimming to “identity theft” and so forth. Make the banks reimburse the victims and they will suddenly discover that, gee, maybe there actually are things they can do to prevent people from being victimized.
Since we have seen that corporations from Yahoo to your neighbourhood bank can’t be bothered to implement even the most basic best practices for securing their customer databases from hackers (as in, they can’t be bothered to encrypt your passwords so they can’t be cracked if hackers get a copy of the password file off their servers), they need to be incentivized to get off their asses and upgrade their systems and procedures. Being forced to pay out a per-customer penalty for each and every data breach might do the trick.
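The practice the post above alludes to is usually salted, slow password hashing rather than reversible encryption: a stolen password file then yields no passwords directly and every guess costs the attacker real CPU time. The following is an added example written for this page, not code from the post’s author or from any bank; it uses PBKDF2-HMAC-SHA256 from Python’s standard library, and the iteration count, salt length and record format are choices made here for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: 600,000 PBKDF2 iterations and a
# 16-byte random salt per user. Tune the iteration count to your hardware.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Storing the salt and iteration count alongside the digest lets the
    verifier recompute the same derivation later and lets parameters be
    raised over time without a flag day.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    # constant-time comparison so timing does not leak digest prefixes
    return hmac.compare_digest(candidate, expected)


def records_reveal_shared_password(record_a: str, record_b: str) -> bool:
    """True only if two stored records are byte-identical.

    With per-user salts, two customers who chose the same password still
    get different records, so a leaked file does not let an attacker crack
    one and unlock both.
    """
    return record_a == record_b


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("alice:", alice)
    print("bob:  ", bob)
    print("same stored record?", records_reveal_shared_password(alice, bob))
    print("alice login ok?", verify_password("correct horse battery staple", alice))
    print("wrong password ok?", verify_password("Tr0ub4dor&3", alice))
```

A practitioner reading a leaked file of such records sees only salts and digests; recovering passwords means running the slow derivation once per guess per user, which is the cost the post is asking institutions to impose on attackers.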
I think you are confused on a very key point here. Credit card transactions are subject to a $50 maximum in the US for fraudulent activity. This law does not apply to retail banking. What we are discussing here is retail banking, where fraud profile models are extremely different. FWIW, ATM skimming works so well because most often it looks exactly like a normal transaction when local regional ATMs are used for the actual fraud.
This is also a matter of scale. VISA/Master Card/Amex/Discover have the scale to do this sort of anti-fraud profiling, whereas only the mega banks might be able to do it. Local, regional retail banks and credit unions? Forgeddaboudit.
I’m finding this true in many BBS threads.
Does this extend to you being personally responsible for the damages that your computer or router might do when it is hacked by someone and used for DDOSing or spam attacks? How about the damage your car is involved in when it hits someone after it’s stolen?
I believe you can totally be sued for damages by your stolen car. In the US at least you can be sued for more or less anything.
As per the above-linked Mitchell & Webb sketch:
“Well, I don’t know, because I seem to have my identity, whereas you seem to have lost several thousands of pounds. In the light of that, I’m not clear as to why you think it’s my identity that was stolen rather than your money.”
Contemplating this while doing mindless work, I believe that there is a market failure involved. Somehow there’s no incentive for a competitor to bring down their costs by increasing security and thus gain market share by offering better interest rates.
One conclusion is inertia because security has historically been just more expensive than the losses. This can clearly be seen in retail banking where the incremental cost of utterly eliminating armed bank robbery is just not worth it given the relatively low losses.
When will we reach a point where covering losses with profits no longer makes business sense? How many of us have actually chosen a Financial Service Company based on their security?
I think you’ve put your finger on it. And to be honest, that’s one indication that security just isn’t all that valuable to us. And I don’t think that’s necessarily a bad thing.
Take physical security. I could be killed because of my bad physical security. No bars on the door, no perimeter security systems, no panic rooms, armed security guards, etc., etc. Why? Because the decreased risk is not worth the cost.
Now, I do take more precautions than I used to because of increased perception of risk. For example, I lock my doors at night or when I leave the house. Likewise, banks and merchants take cyber-security a lot more seriously than they used to.
But realistically, serious security incidents like Target et al. aren’t all that common, and the cost of such losses simply isn’t (yet) high enough to justify customers paying a lot extra for security or doing without all those productivity-enhancing tools like working remotely and access to the Internet.
Of course, if we really want to see security, wait until we’ve had our first incident that starts destroying thousands of lives. (I’m thinking something along the lines of a cyber-attack seriously damaging the electrical generation network - imagine leaving NE US and Canada without power for 2-3 months while repairs take place.) Unfortunately, it’ll probably mean the end of the Internet as we know it.
Until that happens, we’ll see what we always see. Each merchant/bank spending just enough (= hiking their prices) not to be the weakest link.