Is An Ounce Of Damage Limitation Worth A Pound Of Prevention?
from the nothing-to-lose dept
It should come as little surprise to anybody with an email address that home computer users are still being targeted by hackers, but they’re increasingly going after financial-services companies too. The steady pace of phishing and other attempts to steal users’ personal information, coupled with similar attacks on employees of banks and other companies designed to give hackers access to corporate networks, could help serve to undermine consumer confidence in online financial transactions and services — a worrying possibility for banks and online retailers. Given the proliferation of data leaks as well as the growth in phishing, it’s understandable why some consumers would think that companies don’t take security very seriously. There seems to be growing resignation that everybody will, at some point, be affected by identity theft — a feeling reinforced by the news that nearly 94 million personal records have been lost in the US over the last couple of years. Many measures, like identity theft insurance, now look to limit the damage caused by identity theft, rather than prevent it. Since many companies appear unable to stop or uninterested in stopping the loss of consumers’ data, and many people apparently can’t or won’t do much to protect themselves from phishing and other attacks, perhaps working to minimize the damage caused by identity theft is a good strategy to pursue alongside trying to prevent it. Instead of keeping identity theft as such a worthwhile crime, make it a pointless activity that doesn’t pay off for criminals. This isn’t a perfect solution, as it will likely just make the criminals move on to some other lucrative activity, but if prevention continues to prove ineffective, it could be worthwhile.
Comments on “Is An Ounce Of Damage Limitation Worth A Pound Of Prevention?”
Insurance lessens criminal's cut?
Perhaps there’s something I’m missing in the article. I don’t see the connection between an increase in people paying for identity theft insurance and causing the activity to become less lucritave for criminals. It seems that increasing insurance would actually have the opposite effect. If it’s less of an impact on the person who had their identity stolen they will be less likely to care how a company deals with their personal information. This would lower a companies incentive to protect the information (is that even possible??). However, a criminal opening a credit card in your name still gets everything they manage to buy with it (assuming they’re not caught).
On a slightly different topic, I still don’t get how this “identity theft insurance” works. As I understand it, a consumer isn’t financially liable for damages due to identity theft. The burden of having your identity stolen is having your credit history thrashed. Does the insurance company just have an inside person at the big 3 credit companies and can get negative information expunged from your record? This is technically possible for an indivual consumer to do, but realisitcally the options are hidden behind so much bureaucracy that they might as well not even exist.
Re: Insurance lessens criminal's cut?
” As I understand it, a consumer isn’t financially liable for damages due to identity theft.” That depends on the agreement you have with your financial institution or credit card company. If there is no agreement you are stuck. Read the fine print if you’re not protected change banks or credit cards.
Re: Insurance lessens criminal's cut?
Egat,
You raise some good points. Actually, it is important that companies do something about protecting their employees and consumers information because of FACTA and various other laws that have recently been passed. Companies can be fined federally up to $2500 per incident, fined by the state (depending on their varying laws), and also personally sued by employee or consumer (which is not limited). Considering that for any company, this could be a very high loss. Especially for very large companies. Not only that, but if you own a company and this happen, laws are being passed that they now have to notify every person who could have been affected. When this happens, they will lose approximately 30% of their customers, 20% more will consider leaving and another 5% will sue. There is also another law passed stating that all desks need to be cleared of personal information of customers and employees so no one can just walk by and pick up information or copy it. Audits are now happening with companies to ensure that they are offering the appropriate ID Theft precautions for these reasons and some that I haven not already mentioned.
Also, ID Theft isn’t just financial. It is multi faceted. There is credit theft, financial theft, criminal ID Theft (criminal activities in your name), medical ID Theft, DMV ID Theft, Utility bills…. There are so many aspects to it and it is truly an affliction. For people who feel that they are protected by their credit cards and are not willing to actually find out what is all involved, I really feel for them and hope the best for them. It has happened to us last year and this year as well. If it happens on your credit card, there are clauses which negates the company from reimbursing the consumer back. AND, if it isn’t reported within 60 to 90 days of purchases, you are COMPLETELY liable. That would be hard to explain if someone picked up a junk mailer from your mail box and changed the address, opened account and went to town on the card and you had no idea at all this was happening until you find it later (between 12 and 14 months avg.) on your credit reports. Usually when ID Theft happens, the individual needs to get attorneys involved. What if someone came to work in the states illegally and used your information to get a job and when tax time came, they disappeared and you were the one to get the audit envelope from the IRS. You will need some legal assistance to defend from gvmnt.
The average person will spend 600 hours of their own PERSONAL time (not just time at home with family, but work time – which is something employers aren’t appreciative of) and and average of $1500 and up (not including attorney fees) restoring their own identity. This is an upcoming “Pandemic” and their isn’t anything that you can do to prevent it. All you can do is know that the average person’s information is in 50 different data bases nation wide and it will eventually happen to you. Have something worth paying for as an insurance BEFORE this happens. People who work at restaurants, DMV, past employers, etc… generally aren’t very highly paid, so their incentives are to get paid higher by selling other people’s information for a profit bigger than employer is paying them. If you’ve ever had a job, had medical insurance, drivers license, if you have social security number, you will eventually be a victim.
When looking for ID Theft services, you DO want an insurance and you want one that has COMPLETE ID THEFT RESTORATION. Make sure that it isn’t REIMBURSEMENT. Reimbursement means that you are paying a monthly fee so that when it happens, you still have to take care of it yourself and spend money to fix it yourself and the insurance company you went through will go through and determine what they will pay back to you. REIMBURSEMENT means the RISK MANAGEMENT company will actually take care of all the leg work for you. And as far as I know, there is ONLY 1 COMPANY that does that. If you want more information, please respond to this entrance.
I hope that I cleared things up for you and anyone else who is reading this. You should do something to protect yourselves and your family. It truly is an awful thing to go through. It WILL turn your lives upside down.
3 approaches
Egat- I think you bring up a good point. Insurance shouldn’t be the first solution we try. I think we need a 3 pronged approach to this problem:
1. Companies need to be more responsible with consumer’s personal data. If they cannot hold themselves responsible, they should be made accountable in U.S. courts and the penalties should be significant.
2. Consumers need to be more aware of risks. They should learn how to protect themselves with encryption and common sense.
3. The bad guys that obtain and use stolen identities should be prosecuted vigorously.
It’s not going to be easy, but I think after these three things are executed better then insurance to fill in the gaps would be appropriate.
P.S. I write about these things from time to time on my blog.
The biggest enabler of identity theft is the US Government. Every month the govt. receives money into its coffers paid by workers through social security and medicare. Money paid under the same social security number from multiple locations. The govt. knows these are bogus numbers because they put it into a special fund. The govt. knows that it will never have to pay benefits to these people, they know the payer is an illegal, and will never be able to claim the benefits. Why don’t they do something about it? Because last year the amount “given” to the govt. as a free gift was north of $6 billion dollars. The govt. will never stop this form of identity theft because they don’t want to give up this free money. A tax on people without representation
Limiting the damage caused to consumers doesn’t limit the financial reward to the criminal. As long as industry does not pay the cost of identity theft, industry will not spend money to prevent it.
An obvious solution
An obvious solution would be to move towards secure RSS feeds instead of email. You only receive RSS syndicated content from feeds you’ve explicitly subscribed to.
More on that approach here.
Re: An obvious solution
The Obvious problem to your “obvious” solution is security.
Securing RSS defeats the whole point of RSS, which is the simple syndication of content. You cant syndicate that which you cant access.
Security != Syndication. Any attempt to add one disrupts the other. They are more like the exact opposites of each other.
A one time generated feed URL could be at least as secure as the email channels that are currently used. The main problems with phishing emails is not a lack of securty (there is little with email in any case) but with the difficulty in verifying the authenticity of the source of the mail. That problem would disappear if instead of providing the bank with my email address they provided me with a feed something like this
http://mybank.com/client/83i23273948729384293/messages.xml
For notifications that do not themselves contain sensitive information that would be enough. It’s also possible to require password authentication and to deliver the feed over SSL for more sensitive communications.
If an attacker was able to subvert the feed they’d be equally able to subvert the bank’s website – in which case phisihing is the last of anyone’s worries.
In the case of emails that are currently sent as unencrypted text to mailboxes that may not be at all secure no additional security is lost by switching to RSS.
It should be noted that gmail – among others – already provide password authenticated access to a private mail feed – you can subscribe to your gmail inbox using RSS.
Pointess
re: “Instead of keeping identity theft as such a worthwhile crime, make it a pointless activity that doesn’t pay off for criminals”
How do you make it pointless? Seems like it’s really lucrative.