Friday, April 15, 2005

Protecting Customer Data

The Internet age's security guru, Bruce Schneier, has weighed in with his take on the recent spate of identity theft debacles (think ChoicePoint, LexisNexis, Bank of America). These high-profile incidents have resulted in Congressional rumblings for new legislation to protect privacy. In "Mitigating identity theft", Schneier's take is that simply protecting identity data won't work.

The problem is not identity theft per se -- since you can't really steal someone's identity -- it is the proliferation of transactions that allow one person to impersonate another.

Proposed fixes tend to concentrate on... making personal data harder to steal--whereas the real problem is [the ease with which a criminal can use personal data to commit fraud]. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

...Financial intuitions [sic] need to be liable for fraudulent transactions... Credit card companies simply don't worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction. ...once financial institutions are liable for losses due to these types of fraud, they will find solutions.

Right now, the economic incentives result in financial institutions that are so eager to allow transactions--new credit cards, cash transfers, whatever--that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention. And they'll mitigate the risks.

As usual, Schneier is spot on. But I'll attach a caveat: companies must do more to protect critical customer data. Until the time comes that institutions are responsible for the financial consequences of impersonation (and don't hold your breath, given their lobbyists), you'll still want to protect your SSN.

I'll post some thoughts about what companies can do to better protect customer data and to validate the transactions that use that information. Until then, suckle at the teat of wisdom and read the whole thing: Mitigating identity theft

