Another “Gotcha!” Security Study

Every now and then, we get a story telling us how gullible people are when it comes to security practices. We’ve been told that people will give away their passwords (or pretend to) for chocolate or cheap pens, and that they’ll use thumb drives they find lying in the streets. But how much do we actually learn from these studies?

The latest is a survey out of the UK, in which most respondents disclosed their income brackets even though they said they protect their income details. Aha! People say they care about privacy, but they really don’t! Gotcha!

But wait a moment. The survey asked if people protect income details, then asked for an income bracket. The former is specific, the latter is general. We could as easily make another “Gotcha!” survey that claimed people don’t really want their unlisted numbers protected because they give out their area codes.

Even ignoring the bracket/details distinction, we shouldn’t read too much into this survey. It’s easy to lie on an income bracket question. Internet users have become accustomed to web forms that require all fields to be filled out. Because not filling out a required field means seeing the page again—and sometimes having to re-enter all the fields on the page—it’s easier just to pretend to answer everything on the page. After a while, that sort of behavior can train us to fill out all fields by default. A proper study would need to check whether the reported salary bracket information is within a certain error margin of an expected salary distribution; that could help discover whether people are really divulging their salary brackets, or just making them up.

It would be a fundamental misunderstanding of privacy to draw a conclusion from this study that people don’t care as much about privacy as they claim. Daniel Solove’s privacy taxonomy shows that defining what privacy is is a slippery task, but it’s easier to say what privacy is not. Privacy is not keeping the world from knowing anything about me. It’s about my ability to decide for myself what to disclose and to whom.

It’s time to move past “Gotcha!” studies. If people trade their passwords for candy, or use strange thumb drives, or click through multiple warnings that they’re about to do something really bad, it’s not because the users are stupid. It’s because they’re people, and people have this odd habit of acting like people. The fault lies with those of us in the security and privacy world who haven’t figured out a way to make computer security adapt to people instead of the other way around.

Published on August 27, 2008 at 8:16 pm

Should Credit Card Issuers Reissue Cards Immediately After a Breach?

What do you do when you lose a credit card? Hopefully, you call the issuing bank right after the card is lost. The bank cancels the old card and issues you a new one. In return for calling the bank right away, you’re responsible for at most $50 of fraudulent credit card charges. But what if someone loses 45 million credit cards? Should an issuing bank use the same process when millions of cards are lost as it does when only one is lost?

There are reasons to think they shouldn’t. Consider the TJX breach. TJX paid $65 million to card issuers as settlement for the issuers’ costs canceling and reissuing credit cards. The first TJX credit card ring, caught last year, is believed to have run up at least $8 million in fraudulent charges. Last week’s new indictments seek $20 million in forfeiture from Maksym Yastremskiy. The $20 million figure is not directly related to fraudulent charges (Yastremskiy made most of his money selling card numbers to others), and is not all directly traceable to TJX. But even if it were, compare the numbers: at least $65 million spent reissuing credit cards that were only used for about $28 million or so in fraudulent charges.

Would the issuers have been better off absorbing the fraud instead of reissuing cards?

When a single credit card is stolen, chances are high that the thief will try to use the card. But when millions of cards are stolen, the odds of any particular card being used fraudulently are lower. The TJX numbers suggest that instead of reissuing all the stolen cards, banks would have been better off by paying closer fraud monitoring attention to those cards, then canceling them when the banks see actual attempted misuse.

But I think it’s still a good idea for banks to cancel and reissue cards, at least in cases like TJX where obvious mischief was involved.

First, more money may have been lost than these numbers account for. If Yastremskiy made $20 million selling credit card numbers, the purchasers probably made more than that by using them (why spend money on a card number if you don’t think you can make more than that much back?).

Second, the losses may be “only” $28 million because the banks spent $65 million to cancel the cards. How many newly-invalid cards did the thieves try to use? Knowing that $28 million was lost doesn’t tell us how much would have been lost had the issuers not canceled cards.

But even if these numbers do show the whole picture, banks should still reissue credit cards stolen en masse. As Adam Shostack points out, data breaches aren’t all about identity theft. Nor are credit card breaches all about unauthorized charges. A credit card relies on trust. I trust that by using a piece of plastic with a number on it, the merchant and issuer will protect me from fraudulent charges that aren’t my fault. We as credit card users should be able to trust the system, and know with reasonable certainty that someone isn’t running around Estonia with our credit card numbers.

Reissuing credit cards lost in massive breaches may end up costing more than the resulting fraud, but that’s not entirely the point. The point is that when companies mishandle data, they should make things right.

Published on August 12, 2008 at 2:00 pm

International Cooperation (Cybercrime Division)

The Department of Justice today announced indictments of eleven people in connection with the TJX breach.

These aren’t the first people charged in connection with the TJX breach. Last year, six people pled guilty to using stolen TJX data in a counterfeit credit card ring. None of those people had any part in the TJX breach itself, though—they just created credit cards with the stolen data, which they had purchased from others. The people who stole the data from TJX in the first place hadn’t yet been caught.

It looks like that started to change last August, when Ukrainian Maksym Yastremskiy, described as “the largest individual seller of card data” from the TJX breach, was arrested in Turkey. Yastremskiy is named in today’s indictments. The charges in the indictment include hacking into TJX and seven other retailers—the first time anyone has been charged with the intrusion itself.

The list of retailers these people are charged with hacking reads like a who’s who of major retail credit card breaches: “TJX Cos, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.” If this one group of people was involved in all those breaches, this is a very big deal.

Why is this remarkable, aside from being the latest news about almost every big credit card breach we know about? For starters, it highlights the international nature of Internet crime. The indictment names people from China, Ukraine, Estonia, Belarus, and the U.S. That’s why it’s so hard to find the sources of data breaches; the trail leads across oceans, possibly many times.

It also reinforces what security people have been saying for a while: the big security threats are no longer people writing worms and viruses. They’re organized crime rings making money, and trying to do so as quietly as possible. The number of countries all these people are from suggests an organized multi-national group, not just a few people happening on a security hole.

Finally, one other thing stands out in the AP article:

In May, TJX said it won support from Mastercard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the data breach. A similar agreement reached last November with Visa-card issuing banks also was overwhelmingly approved. That agreement set aside as much as $40.9 million to help banks cover costs including replacing customers’ payment cards and covering fraudulent charges.

Issuing banks have had a hard time trying to get courts to award damages for the cost of reissuing credit cards after a breach. Pennsylvania State Employees Credit Union tried it after the BJ’s Wholesale Club breach with no success. This may be the first public example of a breached merchant paying issuing banks for the cost of reissuing credit cards.

Published on August 5, 2008 at 4:57 pm