Is An Ounce Of Damage Limitation Worth A Pound Of Prevention?
from the nothing-to-lose dept
It should come as little surprise to anybody with an email address that home computer users are still being targeted by hackers, but they're increasingly going after financial-services companies too. The steady pace of phishing and other attempts to steal users' personal information, coupled with similar attacks on employees of banks and other companies designed to give hackers access to corporate networks, could help undermine consumer confidence in online financial transactions and services -- a worrying possibility for banks and online retailers. Given the proliferation of data leaks as well as the growth in phishing, it's understandable that some consumers would think that companies don't take security very seriously. There seems to be growing resignation that everybody will, at some point, be affected by identity theft -- a feeling reinforced by the news that nearly 94 million personal records have been lost in the US over the last couple of years. Many measures, like identity theft insurance, now look to limit the damage caused by identity theft, rather than prevent it. Since many companies appear unable to stop or uninterested in stopping the loss of consumers' data, and many people apparently can't or won't do much to protect themselves from phishing and other attacks, perhaps working to minimize the damage caused by identity theft is a good strategy to pursue alongside trying to prevent it. Instead of keeping identity theft as such a worthwhile crime, make it a pointless activity that doesn't pay off for criminals. This isn't a perfect solution, as it will likely just make the criminals move on to some other lucrative activity, but if prevention continues to prove ineffective, it could be worthwhile.
Reader Comments
Insurance lessens criminal's cut?
On a slightly different topic, I still don't get how this "identity theft insurance" works. As I understand it, a consumer isn't financially liable for damages due to identity theft. The burden of having your identity stolen is having your credit history thrashed. Does the insurance company just have an inside person at the big 3 credit companies and can get negative information expunged from your record? This is technically possible for an individual consumer to do, but realistically the options are hidden behind so much bureaucracy that they might as well not even exist.
3 approaches
1. Companies need to be more responsible with consumers' personal data. If they cannot hold themselves responsible, they should be made accountable in U.S. courts and the penalties should be significant.
2. Consumers need to be more aware of risks. They should learn how to protect themselves with encryption and common sense.
3. The bad guys that obtain and use stolen identities should be prosecuted vigorously.
It's not going to be easy, but I think after these three things are executed better, then insurance to fill in the gaps would be appropriate.
P.S. I write about these things from time to time on my blog.
An obvious solution
Re: An obvious solution
Securing RSS defeats the whole point of RSS, which is the simple syndication of content. You can't syndicate that which you can't access.
Security != Syndication. Any attempt to add one disrupts the other. They are more like the exact opposites of each other.
[ link to this | view in thread ]
http://mybank.com/client/83i23273948729384293/messages.xml
For notifications that do not themselves contain sensitive information, that would be enough. It's also possible to require password authentication and to deliver the feed over SSL for more sensitive communications.
If an attacker was able to subvert the feed they'd be equally able to subvert the bank's website - in which case phishing is the last of anyone's worries.
In the case of emails that are currently sent as unencrypted text to mailboxes that may not be at all secure, no additional security is lost by switching to RSS.
It should be noted that Gmail - among others - already provides password-authenticated access to a private mail feed - you can subscribe to your Gmail inbox using RSS.
Pointless
How do you make it pointless? Seems like it's really lucrative.
Re: Insurance lessens criminal's cut?
You raise some good points. Actually, it is important that companies do something about protecting their employees' and consumers' information because of FACTA and various other laws that have recently been passed. Companies can be fined federally up to $2500 per incident, fined by the state (depending on their varying laws), and also personally sued by employee or consumer (which is not limited). Considering that for any company, this could be a very high loss. Especially for very large companies. Not only that, but if you own a company and this happens, laws are being passed that they now have to notify every person who could have been affected. When this happens, they will lose approximately 30% of their customers, 20% more will consider leaving and another 5% will sue. There is also another law passed stating that all desks need to be cleared of personal information of customers and employees so no one can just walk by and pick up information or copy it. Audits are now happening with companies to ensure that they are offering the appropriate ID Theft precautions for these reasons and some that I have not already mentioned.
Also, ID Theft isn't just financial. It is multifaceted. There is credit theft, financial theft, criminal ID Theft (criminal activities in your name), medical ID Theft, DMV ID Theft, Utility bills.... There are so many aspects to it and it is truly an affliction. For people who feel that they are protected by their credit cards and are not willing to actually find out what is all involved, I really feel for them and hope the best for them. It has happened to us last year and this year as well. If it happens on your credit card, there are clauses which negate the company from reimbursing the consumer back. AND, if it isn't reported within 60 to 90 days of purchases, you are COMPLETELY liable. That would be hard to explain if someone picked up a junk mailer from your mail box and changed the address, opened an account and went to town on the card and you had no idea at all this was happening until you find it later (between 12 and 14 months avg.) on your credit reports. Usually when ID Theft happens, the individual needs to get attorneys involved. What if someone came to work in the states illegally and used your information to get a job and when tax time came, they disappeared and you were the one to get the audit envelope from the IRS. You will need some legal assistance to defend from gvmnt.
The average person will spend 600 hours of their own PERSONAL time (not just time at home with family, but work time - which is something employers aren't appreciative of) and an average of $1500 and up (not including attorney fees) restoring their own identity. This is an upcoming "Pandemic" and there isn't anything that you can do to prevent it. All you can do is know that the average person's information is in 50 different databases nationwide and it will eventually happen to you. Have something worth paying for as an insurance BEFORE this happens. People who work at restaurants, DMV, past employers, etc... generally aren't very highly paid, so their incentives are to get paid higher by selling other people's information for a profit bigger than employer is paying them. If you've ever had a job, had medical insurance, drivers license, if you have social security number, you will eventually be a victim.
When looking for ID Theft services, you DO want an insurance and you want one that has COMPLETE ID THEFT RESTORATION. Make sure that it isn't REIMBURSEMENT. Reimbursement means that you are paying a monthly fee so that when it happens, you still have to take care of it yourself and spend money to fix it yourself and the insurance company you went through will go through and determine what they will pay back to you. REIMBURSEMENT means the RISK MANAGEMENT company will actually take care of all the leg work for you. And as far as I know, there is ONLY 1 COMPANY that does that. If you want more information, please respond to this entrance.
I hope that I cleared things up for you and anyone else who is reading this. You should do something to protect yourselves and your family. It truly is an awful thing to go through. It WILL turn your lives upside down.