Think firewalls and encryption safeguard your most intimate financial information? Get real. Many of our nation’s biggest financial institutions have your account numbers spread out on the kitchen table behind the security equivalent of an unlocked screen door.
Except screen doors do a better job fending off thieves.
Thanks to the improper retention of credit card records by CardSystems Solutions Inc., there are 40 million account numbers out there in cyberspace with names and security codes attached. Improper because, as company Chief Executive Officer John Perry acknowledged to The New York Times, “We should not have been doing that.”
The Tucson, Ariz.-based company processes credit card transactions for thousands of small- and mid-sized retail and financial institutions. Once processed, the data is supposed to be discarded. CardSystems kept some information for “research purposes.”
The breakdown in compliance at the company is the latest in a series involving corporate giants like Citigroup, Bank of America and Time Warner. Even Boston College was victimized by a hacker who swiped the records of 120,000 alumni. Friday’s online Wall Street Journal contained a breakdown of 12 incidents since Feb. 15 that compromised consumer financial information.
Theoretically, if you are a former BC student now employed by MCI who banks at Bank of America, buys shoes at a DSW Shoe Warehouse and trades securities online at Ameritrade, your Social Security number, bank account numbers and driver’s license identification — all of them — could be for sale on the Internet. Maybe even your shoe size.
With the financial services industry seemingly unable to enforce its own protocols for handling consumer information, Congress is ready to assert its own brand of discipline. It should clean up the federal government’s act first. In February, Bank of America lost computer tapes containing the Social Security numbers of 1.2 million employees who use government charge cards. Better yet, take away the credit cards held by Congress and President Bush, who has yet to find a federal expenditure he does not like.
But enough digression. Maybe we’re taking the wrong approach here. Why not just bare our financial souls before some hacker in Romania does it first? You might consider:
• Printing flyers with your account numbers and distributing them in your neighborhood. You’ll make new friends, and how.
• Getting a piece of worn cardboard and standing on a corner with the message “Will trade account numbers for condo in Cabo.”
• Sending it to a journalist. Many of us have no clue how to handle numbers responsibly.
• Posting it on the Internet, if it’s not already there.
In fact, says John Shovic, there are Web sites where hackers auction stolen account information. The professor of computer security at Eastern Washington University chuckles over the latest incident, but says occasional breakdowns in cybersecurity are inevitable given software’s complexity.
“You can’t know if a given piece of software is secure or not,” he says, noting that Microsoft’s Windows program, for example, contains 50 million lines of code. There’s no way to cross-check all the potential interrelationships.
“It’s every bit as difficult as testing DNA,” Shovic says.
Although each reported security breach seems larger than the last, he predicted the size would level off. And he notes an FBI report that found incidents declined in 2004 compared with 2003. “The problem isn’t spiraling out of control,” Shovic says.
Consumers will have to accept a certain amount of risk, just as they do when they drive. But they can protect themselves by dealing only with responsible merchants, especially online, where shabby-looking sites with no customer-service information are best avoided.
Still, Shovic does not minimize the cost of a breach that exposes millions to financial loss, even if it’s only the cost of their time and the maximum $50 in illicit charges for which they may be held responsible. If a bank robber made off with $25 million, his rough estimate of losses due to the latest breach, Shovic asks, “Do you think that would make headlines across the country? Heck yes.”
The credit card companies absorb charges due to fraud only up to a point. Eventually, they are passed on to consumers in higher rates or higher charges.
That’s your screen door swinging open.