When companies suffer security breaches, it is how they handle them - and the customer - that counts.
It all started innocently enough, at the local shop when first the cashpoint and then the chip and PIN terminal unceremoniously rejected my card. Given that the card in question was well worn this wasn't that surprising. I paid with a different card and checked my account online, finding nothing to worry about. A quick if inconvenient trip to the bank on the following day elicited a sympathetic smile and a promise of a replacement card in a few days.
I returned home the following day to find a letter from a company I'd never heard of asking for confirmation of my identity regarding an order I hadn't placed. One phone call later I'd found out that my card had been used to order £306 worth of shirts.
Then I noticed a Post Office “you were out” card addressed to a name I'd never heard of, at my address. Yep, someone, somewhere had decided to treat themselves to some new gear courtesy of my bank card details.
Fortunately, this didn't worry me that much. “Cardholder not present” transactions such as mail or internet orders are, quite rightly, the merchant's risk. A call to the bank's fraud department confirmed that there had been two suspicious transactions on my card and that this had triggered the fraud detection software and blocked the card. (I'm not sure whether to be reassured or insulted that the bank considers me spending £300 on clothes to be a suspicious transaction).
Over the next few days I was taught an interesting if frustrating lesson in just how convoluted the process can be for people caught up in this sort of fraud. The arcane process you go through to get the transactions cancelled has to be seen to be believed. Even though the bank knew the transactions were fraudulent, they still had to be debited from my account, then refunded a few days later. Not a major issue for me, but for other less-fortunate victims this could be a financial disaster. So much for the banking system's high technology.
You might ask – as I did – why, when they blocked the card, my bank didn't bother to tell me (or, it appears, my local branch or bank manager). While the staff I dealt with were all very pleasant, the whole process had a bit of a “not my department” feel from start to finish.
Fortunately it all ended sensibly enough. Indeed, it was an interesting research exercise for me, but it did leave me wondering how stressful it could be for less well-informed victims.
Fast-forward a few weeks, and I find an email from eBay saying they've detected “suspicious transactions” on my account. I reset the password, check for any signs of malicious activity, and find nothing untoward.
So, naively, I ask eBay to tell me why they suspect suspicious transactions. Suffice to say my personal PC security is somewhat more paranoid than most and, although not impregnable, would certainly be beyond the scope of the average eBay crook or phisher, so I was genuinely curious.
Cue a frustrating tirade of form letter replies to my queries like some sort of e-commerce Turing test. Of particular interest was the suggestion I should use a firewall (just the one? I have two, thanks, eBay), and read the trade press for details of how to protect my computer (sure, I said, would that be the same trade press I've written for every month over the past decade?).
When I finally got a reply from a human (or close approximation thereof), they claimed everything short of national security prevented them from giving me details of why they suspected abuse. Hardly a satisfying conclusion and, again, a less-confident “victim” might be busy wiping their PC to be safe.
So, after two cases of online fraud, one real and one apparently imagined, I'm left with a thoroughly disappointing view of the way such things are handled by major players.
No security is perfect and breaches will always occur. But how you deal with them says as much about your company as what you do to prevent them.
Nick Barron is a security consultant. He can be contacted at email@example.com