Organisations that hold personal data should be made liable for fraudulent transactions, say BT security experts.
The company commented following the case in which 11 people were charged with what is thought to be the biggest credit card identity theft case in the US, with an estimated 41 million credit and debit card details stolen.
The alleged culprits used a technique known as ‘wardriving’: they drove around the suburbs of Miami and San Diego with laptops, scanning for security holes in the wireless internet networks of banks and shops. It is claimed that they used sniffer programmes to obtain card numbers, personal information and passwords, which were allegedly either used by the accused to furnish blank cards and withdraw cash, or sold on the black market.
Bruce Schneier, BT's chief security technology officer, said it is easier for criminals to get hold of data that could be used for fraud, as the amount of personal information collected, sold and collated increases. Our current culture, he added, where identity is verified “simply and sloppily” makes it easier for criminals to commit identity fraud crimes.
“We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions and companies who hold the data liable for fraudulent transactions – this will result in a lot more prosecutions and a much safer environment. These prosecutions in the US are just the tip of the iceberg and more needs to be done.”
Ray Stanton, BT's global head of business continuity, security and governance practice, said: “The charging of the individuals involved with the US retail ID theft is great news for business. However, it is also bad news. Why? Because this basic problem should not have happened. It is irrelevant whether the charged individuals gained access via the wireless network or any other method.
“It was a failure of the organisations involved to implement their basic controls and then maintain and monitor them.”
The US thefts are said to have begun in 2003 but remained undiscovered until February 2007, when TJX, which trades in the UK as TK Maxx, reported that the data on 45.7 million debit and credit cards from the UK, US and Canada had been breached. The retailers affected are TJX Corporation, BJ's Wholesale Club, Barnes and Noble, Sports Authority, Boston Market, Office Max, Dave and Busters, DSW shoe stores and Forever 21.