Consumers Fed Up With Data Breaches

Discussion in 'privacy general' started by Minimalist, Oct 11, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    http://www.technewsworld.com/story/81124.html
     
  2. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    Bolt to where?

    What we have is a system exploitable from either end.

    Financial institutions and other businesses with an online presence all suffer from the same security-related shortcomings because they must deal with customers who are either technophobes or just totally careless. To accommodate the lazy and clueless at the expense of everyone else, security and overall website management is dumbed down so as to maintain accessibility for all. Having said that, the business concerns - even the most conscientious of them - can do nothing to combat the careless behavior by some (click on any e-mail promising a free game or mp3 download), poor or non-existent security software on their device, weak passwords, and the sharing of personal data on social websites present to hackers a veritable playground with almost limitless targets of opportunity. Add to all of the above the known refusal of many corporations to upgrade and properly maintain their own internet infrastructure because of cost concerns. Even government agencies are at fault and have betrayed the trust.

    So where do you bolt to when you are looking for a bank or brokerage employing top notch and properly maintained security?
    Which retailer do you really trust with your bank account and/or credit card numbers?

    Don't look to the business concerns to protect you. They are too busy dumbing down as they track your online activities and preferences.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Maybe IBM will come to the rescue ;)

    As far as I know, they're still working on homomorphic encryption. With that, everything in the cloud would be encrypted, and could be manipulated without being decrypted, so all keys could be on users' devices. They could still be hacked, but at least we wouldn't see such large-scale breaches (except for zero days, of course).
     
  4. Countryboy15

    Countryboy15 Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    82
    I think the bigger issue is that the companies themselves are lazy and do not really pay attention to what they are doing. As long as they consider the cost of security instead of the effectiveness of it, there will not be an end to all of these breaches.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Well, if enough victims sue them and win, better security will be worth the cost.
     
  6. Countryboy15

    Countryboy15 Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    82
    Well, it is awful hard to win against these companies. But I agree that if being sued costs them a lot more, they will eventually get around to shoring up their defenses... we hope.
     
  7. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    It's not hard at all if enough people would start suing.
     
  8. brians08

    brians08 Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    40
    Companies will argue that they used state of the art systems and were still compromised. The criminals are more motivated and persistent than ever. We need a quantum leap in security technology but part of the solution will be more vigilance from the end users. Currently the end user has no accountability. If I leave my wallet in a public place and someone takes it and charges up my account, all I have to do is call within 30 days and they will "forgive" me. Why should I be careful with my wallet let alone be careful when I pay at a self check out at Home Depot? If I were responsible I would be more careful. I would only use a credit card with the 2 factor option enabled. If all transactions required me to enter a code sent to my phone I would be protected. People who decided 2 factor authentication was too much hassle would be SOL when their account number was captured by a hacked card reader.
    Politicians also play a part in this. "Champions of the little guy" get elected and then make laws saying companies must take responsibility for customer stupidity. More people become lazy and careless and everyone ends up paying when organized crime hacks a server.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    Retailers accuse credit unions of talking smack about card breaches
    http://arstechnica.com/security/201...-unions-of-talking-smack-about-card-breaches/
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I think this is "simple" and actually very much to the point of how security might be improved. That is, the regulatory and legal position (as well as taxation!) is pathetically liberal towards internet businesses and software suppliers. They are pretty much able to put anything in their EULAs, ToS etc. and from what I understand, it's mostly binding whether you've read it or not. There's certainly no equivalent to the unfair contracts legislation and other consumer protection legislation that applied to physical goods way back.

    Existing legislation has a rather obvious problem, which is that so many services are "free", so it's hard to sue for any damages, consequential or otherwise (and it's also indicative that you are the product).

    The consequence of this is that the companies are not really too fussed, particularly as the people suffering from it are not really their customers, they're the product (as in, being mined for advertising). Nor are they prone to get any significant fines, there is no proper liability for this.

    Nor is it particularly a big deal reputationally - people are punch drunk about security, do not have easy alternatives, and know that the alternatives are just as bad.

    What needs to happen is that providers of internet goods, services and software are made properly legally liable for security holes and breaches - not the pathetic slaps on the wrist. They would be allowed to mitigate this by showing they had had independent audits of their security which they had properly actioned by board-level plans. Take an example with Heartbleed - open source software with a glaring bug, widely used for commerce - but how many of them had put money and attention on the security of OpenSSL? We need to have a drastic restriction on what can and can't be put in EULA and ToS. Rather obviously, our governments have to start focussing our security services on actually protecting us. Government procurement of IT could also set a decent example - where I am, it's disastrous in so many ways.

    What will happen is precisely more of the same. The politicians are weak, ignorant and colluding. The security services are attacking us, not defending us. The companies are interested in us as products, and do not bear the costs, and although they might be concerned that the market is being degraded and losing trust, there's no particular merit in any one of them doing anything about it.

    Sorry.
     
    Last edited: Oct 31, 2014
  11. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    I'm not sure what any of this has to do with the subject of the thread, which is retailer data breaches. How exactly is "customer vigilance" going to make a difference? Are you just suggesting that people just altogether stop transacting with companies that get breached? A total and complete boycott of Walmart, Home Depot, Target, Apple, Neiman Marcus, and every single one of the 43% of businesses that had a breach in the last year? That just doesn't sound plausible, prudent, or practical to me.

    You make it sound like credit and banking companies not holding customers liable for fraudulent activity on their accounts is a bad thing for the end users. On the contrary, this is the only thing that's keeping everything together. The economy would be hugely inconvenienced (to an incredible degree) if the consumers were held liable for fraudulent charges, particularly with their data being so poorly protected by merchants. Why would anyone take the risk of having to pay hundreds or thousands of dollars (which they probably don't have) simply because their information was compromised through no fault of their own (i.e. some company (a 3rd party) didn't secure it properly)?

    This is one area where the consumer can't really do a whole lot. It's between the banking/credit companies and the merchants. They're the ones screwing it up, so they should be the ones figuring out how to deal with it (and shouldering the cost in the meantime). Sure it's an inconvenience for the end user when they have to be issued a new card out of nowhere (which personally I think they should be compensated for in some way, and perhaps you can be if you call in and demand it), but other than that, I don't really see how it's a consumer's issue.

    It's the merchants and the banks who are making (and losing) the money, so it's up to them to decide how they want to handle it.

    If we're talking about someone's personal information (e.g. SS number, DL number, or even address, etc.), then yes I would say the consumer has a stake in it and the neglectful/incompetent parties should be held accountable and redress is in order. But if all we're talking about is someone's credit card or bank account info being compromised, and the consumer is not held liable for any fraudulent activity, I'm not sure what the big deal is.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Sounds like you've never been subject to ID theft? Loads of work and possible credit damage even if you don't suffer direct financial loss.

    And I'm dubious about the proposition that the banks and cc companies necessarily bear the whole costs (I think they'll be increasingly claiming that you're liable in future) - but in any case, obviously those additional costs get passed straight back onto us. They obviously aren't that fussed because their attempts at account security are embarrassing and catering for the lowest-common ability.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    When the entire system is vulnerable by design at almost every point, the ones who built that system should pay the cost. Any device that can scan a card can either be compromised directly or via the OS it runs on. Plastic is just a means for those companies to insert themselves into your financial activities, monitoring your activities in real time while charging fees and interest at every opportunity.

    A while ago, I was forced to choose between having my checks direct deposited or put on a debit card. I'd been repeatedly screwed over by the banks so I chose the card. It was used at local stores and to pay 2 bills over the phone. It was never used online. Through one or the other, someone got access to it and set up a monthly "payment". It took several months to get the money back, leaving us in a bind in the meantime. Now I withdraw all of the money from a new card on the day it's deposited. AFAIC, the convenience isn't worth the risk. Any coward behind a keyboard can hack an account or card. It takes more guts to physically take the money from you, putting them at much more risk.
    IMO cash is safer, doesn't carry fees and interest charges, is impossible to overdraw, makes tracking your financial activities much more difficult, and takes the banks and card companies out of the picture.
     
  14. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    I'm not sure how someone simply getting your credit card number enables them to cause much "identity theft" damage. Seems like they would need more information. If you're suggesting they could use one piece to get another and another, like the Twitter @N account, then I suppose. But that still isn't what we're talking about. There's a difference between social engineering to obtain access to a target account and a data breach of an entire retailer database.

    As for the banks/cc companies not holding customers liable for fraudulent charges, I've seen no evidence of that going anywhere, and considering how breaches like this seem to happen every other week, it would seem virtually impossible for them to institute a new policy placing liability with the customer.

    That would certainly not fly with the customers, as, just as I mentioned before, it's not as if the customer had anything to do with their account being compromised...it was literally normal/intended use of the credit card and the merchant negligently or incompetently let that info get out. Trying to hold the customer responsible for fraudulent activity would more than likely not just alienate the end users, but also garner political attention/legislative action. There would surely be plenty of politicians on Capitol Hill just salivating at the chance to "stand up for the consumer" and push legislation to force those companies to take responsibility by law.

    In fact, that might be why they are so happy to do it currently: they want to avoid driving away customers, and they anticipate any legal restrictions would probably be worse than what they're currently doing. Better to do things voluntarily than face the bad PR and the potential legal headaches of Congressmen going after your industry for yet one more regulation.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    It's harder for customers to avoid liability for debit cards, I think. Credit cards, no problem. And then for bank accounts, that's very hard. No bank account for PayPal, thank you ;)
     
  16. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    At Bank of America, we take your security seriously. That's why our credit and debit cards come with security features that help protect your information.
    $0 Liability Guarantee. Should your card be lost or stolen, Bank of America will credit fraudulent charges made with your card back to your account as soon as the next business day
    https://www.bankofamerica.com/privacy/accounts-cards/credit-debit-card-security.go

    The Chase Debit Card offers control, security and convenience—you may never write another check again!
    Zero-Liability Protection:
    You don't pay for any unauthorized debit card transactions when you notify us promptly
    https://www.chase.com/checking/debit-cards

    Your Wells Fargo Debit Card comes with Zero Liability protection at no extra cost, so you won’t be held liable for any unauthorized transactions, as long as they are reported promptly.
    https://www.wellsfargo.com/help/faqs/debit-card/

    Sounds pretty standard to me.

    And then there's this:
    http://www.nolo.com/legal-encyclopedia/unauthorized-credit-debit-card-charges-29654.html

    So not only do there seem to be laws already in place limiting the customer's liability, but also that's if the customer is "at fault" (i.e. lost their card or had it stolen). This is the "customer vigilance" @brians08 was talking about...if the customer himself is negligent. But again, that's not even what we're talking about (so I'm still not clear on why it was even brought up). The title/subject of the thread is "data breaches" of the merchants...which as I said has absolutely nothing to do with customers leaving their wallet somewhere. The customer could be as "vigilant" and careful with their info as you want and it isn't going to do anything with regard to what we're talking about in this thread...which is the info getting stolen or leaked from authorized third parties. The only way the customer can guard against that is to simply not use the card, in which case, there's obviously no point in having it.

    Even the basic Federal law says you are only liable for $50 in fraudulent charges if you tell your bank within two business days of learning about them (but as you can see, it's pretty standard for the banks to offer $0 liability.)
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Maybe it was gift cards, then.
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    Cyber attacks impact purchasing behavior
    http://www.net-security.org/secworld.php?id=17704
     
  19. firedupjackson

    firedupjackson Registered Member

    Joined:
    Dec 2, 2014
    Posts:
    1
    Hello all,

    If my personal information was compromised due to a company security breach, can I sue the company? A fraudulent account was opened using my personal information due to the company security breach.
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I wonder when or if people will get "fed up" enough with data breaches, card fraud, stolen identities, etc, to stop using a system that's designed to make all of that possible. I agree that retailers should share some of the blame. OTOH, they didn't create this system. The companies that created a system that ties personal info, financial accounts, and purchase records onto vulnerable and easily exploited devices should bear the bulk of the blame and cost.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Let your money do the talking. Use providers, makers, retailers, etc that respect you. Boycott those that don't. Share your thoughts with others. The market will do its magic :)
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Exactly. The ones who care the least about you are the credit/debit card companies. They're the ones that need to be boycotted.
     