Data Breaches: Target, Neiman Marcus
Let's be really clear about what most identity theft is about: it's about payments data. Identity theft is first and foremost a payments fraud problem. We don't know all of the details about what happened at Target and Neiman Marcus, but there's a really obvious weak spot in the US payments infrastructure that should be corrected, irrespective of whether it would have prevented the Target and Neiman Marcus breaches: the lack of two-factor authentication at the point of sale, namely chip-and-PIN cards, which are standard outside the US and have been effective in reducing counterfeit-card fraud.
Why don't we have chip & PIN here? Because the banks don't want to pay for it, and because they don't bear most of the fraud costs. The banks and payment networks are the least-cost avoider of identity theft, but because merchants are eating most of the fraud costs, the banks have instead opted for a complex set of security standards imposed on merchants (the PCI Data Security Standard, PCI DSS) that are of dubious effectiveness.
The whole nature of identity theft is a Willie Sutton economy. Sutton robbed banks because "that's where the money is." To reduce identity theft, there's a pretty easy recipe: harden targets so that theft is more difficult. And in particular, try to make sure that you are a less inviting target (no pun intended) than the next guy.
Maybe there'll be an upside from these recent data security breaches: enough consumers will be perturbed to demand that things change. Unfortunately, the way the stories are being covered in the media, it's the merchants who look like the problem. I don't know whether the merchants were in fact being unusually careless, but we have technology that could really reduce identity theft; it's just that the banks don't want to incur the cost of deploying it.
The second factor is the PIN. Thus, even if my card is stolen, the card isn't useful without the PIN.
At least in the UK, this is only partly true. Most online purchases can be made with just the card. There is two factor authentication for online as well, but it's only sometimes engaged.
Posted by: Ginger Yellow | January 13, 2014 at 11:14 AM
At a minimum, I am taken aback by the fallacy of your statements regarding banks not wanting to pay for the payment system upgrades and that they don't bear the cost of fraud. I have a feeling this is the root of what people do not understand about financial crimes.
Merchants do not eat the cost of fraud committed via payment systems; the financial institutions do. Not only do the financial institutions refund the money to the consumer and replace any cards at a cost that is chalked up to "the cost of doing business", but they also get to deal with the irate consumer who doesn't understand that the store they frequent doesn't comply with the Payment Card Industry standard of data security.
Due to the most recent regulations regarding payment cards and fraud responsibility, merchants will need to start updating their equipment and software programs to accept the "chip" cards. If they do not, they will finally have some financial responsibility when dealing with fraud losses.
Posted by: Danielle Arthur | January 17, 2014 at 01:08 PM
Danielle,
I've been in payments fraud prevention for about 20 years. For most online fraud, the merchants eat the straight fraud losses. The game is rigged against them, heavily. I won't get into details unless asked.
However, if the fraudsters who got the Target/NM data included magstripe data, they will be able to create counterfeit cards and use those, which will more likely directly hit the banks, unless they can confirm that the card used was counterfeit, in which case they can chargeback even a card present transaction. This leaves the merchant out their goods and money.
Posted by: Fraud Guy | January 25, 2014 at 06:43 AM
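To make concrete what the post calls the "second factor" and what Fraud Guy means by "magstripe data", here is an added example (not code from the post or from any commenter) that parses an ISO/IEC 7813 Track 2 record, the data a skimmer or a point-of-sale memory scraper captures. It shows that the track carries the PAN, expiry and service code but no PIN, and that the service code tells a chip-capable terminal whether a swipe of this card should be refused in favour of a chip read. The sample records are constructed using the well-known 4111111111111111 test PAN; the service-code meanings are taken from ISO/IEC 7813.

```python
"""Parse a magstripe Track 2 record and report what it does and does not give an attacker."""
from dataclasses import dataclass

# Service code meanings per ISO/IEC 7813.
# First digit 2 or 6: an integrated circuit (chip) is present and should be used where possible.
IC_PRESENT_FIRST_DIGIT = {"2", "6"}
# Third digit: PIN and usage rules.
PIN_REQUIRED_THIRD_DIGIT = {"0", "3", "5"}       # PIN required (0 and 3 and 5 differ only in permitted usage)
PIN_IF_PED_THIRD_DIGIT = {"6", "7"}              # prompt for PIN only if a PIN entry device is present


@dataclass
class Track2:
    pan: str            # primary account number
    expiry_yymm: str    # YYMM
    service_code: str   # three digits
    discretionary: str  # issuer-defined; never contains the PIN itself

    @property
    def chip_card(self) -> bool:
        return self.service_code[0] in IC_PRESENT_FIRST_DIGIT

    @property
    def pin_policy(self) -> str:
        third = self.service_code[2]
        if third in PIN_REQUIRED_THIRD_DIGIT:
            return "required"
        if third in PIN_IF_PED_THIRD_DIGIT:
            return "if terminal has PIN pad"
        return "not required"


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, as used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Track 2 layout: ;PAN=YYMMSSS<discretionary>?<LRC>
    ';' is the start sentinel, '=' the field separator, '?' the end sentinel."""
    body = raw.strip()
    if body.startswith(";"):
        body = body[1:]
    if "?" in body:
        body = body[: body.index("?")]          # drop end sentinel and LRC
    pan, sep, rest = body.partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN field")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("missing expiry or service code")
    return Track2(pan=pan, expiry_yymm=rest[:4], service_code=rest[4:7], discretionary=rest[7:])


def terminal_decision(track: Track2, terminal_reads_chip: bool) -> str:
    """What an EMV-aware terminal does when this track is swiped.
    A chip-capable terminal that sees a 2xx/6xx service code must ask for the chip
    instead of accepting the swipe; a magstripe-only terminal has no way to tell."""
    if track.chip_card and terminal_reads_chip:
        return "insert chip"
    return "swipe accepted"


def skim_report(raw: str) -> dict:
    """Summarise what a captured Track 2 record yields to an attacker."""
    t = parse_track2(raw)
    return {
        "pan": t.pan,
        "expiry": t.expiry_yymm,
        "chip_card": t.chip_card,
        "pin_policy": t.pin_policy,
        "pin_on_track": False,   # the PIN is never encoded on the stripe; it is the second factor
    }


if __name__ == "__main__":
    # Constructed sample records (test PAN, fictional expiry/discretionary data).
    chip_no_pin = ";4111111111111111=1512201123456789?"   # 201: chip present, no PIN requirement
    stripe_only = ";4111111111111111=1512101123456789?"   # 101: no chip
    chip_and_pin = ";4111111111111111=1512220123456789?"  # 220: chip present, PIN required
    for rec in (chip_no_pin, stripe_only, chip_and_pin):
        t = parse_track2(rec)
        print(skim_report(rec), terminal_decision(t, terminal_reads_chip=True))
```

The point the parser makes in code: everything needed to encode a counterfeit magstripe card is on the track, and the only thing standing between the clone and a card-present purchase is a terminal that honours the service code and asks for the chip and PIN. A magstripe-only terminal, as was typical in the US at the time, accepts the swipe.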