Should Credit Card Issuers Reissue Cards Immediately After a Breach?

What do you do when you lose a credit card? Hopefully, you call the issuing bank right after the card is lost. The bank cancels the old card and issues you a new one. In return for calling the bank right away, you’re liable for at most $50 of fraudulent charges. But what if someone loses 45 million credit cards? Should an issuing bank use the same process when millions of cards are lost as it does when only one is lost?

There are reasons to think they shouldn’t. Consider the TJX breach. TJX paid $65 million to card issuers as settlement for the issuers’ costs canceling and reissuing credit cards. The first TJX credit card ring, caught last year, is believed to have run up at least $8 million in fraudulent charges. Last week’s new indictments seek $20 million in forfeiture from Maksym Yastremskiy. The $20 million figure is not directly related to fraudulent charges (Yastremskiy made most of his money selling card numbers to others), and is not all directly traceable to TJX. But even if it were, compare the numbers: at least $65 million spent reissuing credit cards that were only used for about $28 million or so in fraudulent charges.

Would the issuers have been better off absorbing the fraud instead of reissuing cards?

When a single credit card is stolen, chances are high that the thief will try to use the card. But when millions of cards are stolen, the odds of any particular card being used fraudulently are lower. The TJX numbers suggest that instead of reissuing all the stolen cards, banks would have been better off by paying closer fraud monitoring attention to those cards, then canceling them when the banks see actual attempted misuse.

But I think it’s still a good idea for banks to cancel and reissue cards, at least in cases like TJX where obvious mischief was involved.

First, more money may have been lost than these numbers account for. If Yastremskiy made $20 million selling credit card numbers, the purchasers probably made more than that by using them (why spend money on a card number if you don’t think you can make more than that much back?).

Second, the losses may be “only” $28 million because the banks spent $65 million to cancel the cards. How many newly-invalid cards did the thieves try to use? Knowing that $28 million was lost doesn’t tell us how much would have been lost had the issuers not canceled cards.

But even if these numbers do show the whole picture, banks should still reissue credit cards stolen en masse. As Adam Shostack points out, data breaches aren’t all about identity theft. Nor are credit card breaches all about unauthorized charges. A credit card relies on trust. I trust that by using a piece of plastic with a number on it, the merchant and issuer will protect me from fraudulent charges that aren’t my fault. We as credit card users should be able to trust the system, and know with reasonable certainty that someone isn’t running around Estonia with our credit card numbers.

Reissuing credit cards lost in massive breaches may end up costing more than the resulting fraud, but that’s not entirely the point. The point is that when companies mishandle data, they should make things right.

Published on August 12, 2008 at 2:00 pm


2 Comments

  1. Jim: I argue players like banks (drafters of the Payment Card Industry Data Security Standard, or PCI) and the Federal Trade Commission have attempted to foist too much responsibility on credit card merchants. By their nature, merchants are not qualified to maintain the level of security expected of them under the PCI or by the FTC. What do you think? –Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html

  2. I disagree. The history of data breaches shows that many were the result of easily-fixed problems. For example, the original point of entry in the TJX breach was a wireless network using WEP. Anyone who’s been paying attention to wireless networking has known since 2002 that WEP is useless. That TJX was still using WEP in 2006 was…well, let’s just say I’m trying hard to avoid words like “negligent” (but obviously failing).

    Moreover, taking proper care of data should be part of the bargain when one accumulates information about others. To claim the alternative—that it’s just too much to expect merchants to protect theft of credit cards from their information systems—is to say that data loss is a fact of life, that it happens to everyone, and that nothing merchants can do will change that. Maybe there’s a background level of data loss that’s unavoidable, but I don’t think we’ve seen the level of due care necessary to prove that. In the meantime, I think PCI and the FTC are on the right track.
