Schneier on Security
A blog covering security and security technology.
« Titan Rain |
| Weakest Link Security »
December 14, 2005
Korea Solves the Identity Theft Problem
South Korea gets it:
The South Korean government is introducing legislation that will make it mandatory for financial institutions to compensate customers who have fallen victim to online fraud and identity theft.
The new laws will require financial firms in the country to compensate customers for virtually all financial losses resulting from online identity theft and account hacking, even if the banks are not directly responsible.
Of course, by itself this action doesn't solve identity theft. But in a vibrant capitalist economic market, this action is going to pave the way for technical security improvements that will effectively deal with identity theft.
The good news for the rest of us is that we can watch what happens now.
Posted on December 14, 2005 at 7:14 AM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Under the new legislation customers will still be required to implement safety measures and won't be compensated for losses incurred from online scams if they are careless with card details, PINS and passwords."
Sounds like they only partially 'get it'. While this makes sense, the institution could claim that the scammee was 'careless' for going to a phishing site and inputting their account creds. Same if someone shoulder-surfed their PIN at an ATM. And, in the USA, I suspect that is exactly what would happen.
But, at least it is a start.
"Korea Solves..." is a bit strong. What they've done is allocate responsibility. Whether the institutions can solve the problem remains to be seen. My guess is that they'll see this in purely monetary terms, and the success of the solution will depend on a formula which takes into account detection rate, reporting rate, claims acceptance rates, compensation ratios, and implementation costs.
If the compensation paid includes a financial penalty on top of the amount of loss, that would balance low reporting rates.
Where do I get a Korean bank account and MasterCard?
I second that! I'm moving my money to South Korea.. hehe
Haven't had a chance to read the full text yet, but it just reminds me that Korea has been reported to lead the world in several areas of digital-living (ah, the information age):
"The Bandwidth Capital of the World...The government has even set up a certification program to rate buildings based on the quality of their data lines."
"The future is South Korea...Tech firms try out latest in world's most wired society...South Korea is the most wired country on the planet. Some South Koreans can get up to 20 megabits of data per second -- breakneck speed by today's standards. Americans are lucky if they get 4 Mbps."
So perhaps it makes sense that they would also lead the world in passing modern information security regulations.
One of the nice things about having someone else do this first is that we get to see the solutions put into place and how well each works before they're adopted in our marketplace.
South Korea -> Beta Testers for the World.
Levity aside, this is a great first step.
I hope it works well for them. responsibility for ones own actions has been forgotten in the US. Maybe the collective us will learn something good from this.
First person plural meaning US? Pun intended.
On the topic; yes indeed. Hats off to legislators who understand how economics drives security and technology.
How is the result of this not going to be either a standard defense of "customer was careless" or the discontinuance of all online banking facilities? The vibrant corrective properties of the free market are one thing, but ultimately, if the problem is phishing, the bank can't solve it without their customers' help.
Making phishing loses external to customers removes whatever incentive they have to protect their own information, the same way that letting the banks shrug off other data security losses lets them off the hook for secure the data they're responsible for. And unlike the clients of a bank, the bank has the option to withhold services that are too expensive to maintain. While service consumers are forced to absorb the external costs of the service providers, the reverse is not true. Making banks responsible for phishing losses puts them in the position of paying for a carelessness on the part of their clients over which they have no control, and which their clients have no incentive to correct. It's a losing game, and one from which a rational player would withdraw.
The argument that the banks should be responsible for losses resulting from failures of their practices is an excellent one, but I don't think that it survives the transition to losses resulting from any failure of security.
I don't buy that.
You argue that no matter how careful a bank is with security, customers' carelessness will still allow fraud, for which banks/institutions should not be responsible.
But the banks have much more control than you pretend. They get to define all the protocols that authorize transactions. They get to define the framework within which people can be careless.
If phishing is the problem du jour, then the institutions need to define a protocol that is acceptably resistant to phishing attacks. We can talk about multi-factor authentication and other specifics - but that's not the point.
The point is that the party who can fix the problem needs to be incentivized to fix the problem. They'll find a way.
That's why Bruce can state that Korea has 'solved' the identity theft problem.
All this does is allocate costs that were formerly placed on the specific victims of fraud to all customers. Given that the banks can, will and should simply pass the increased costs onto consumers in the form of fees and interest rates, it changes nothing.
I disagree. This is where the market comes in.
If institution A just passes on the costs, but institution B fixes the problem and keeps its costs lower, who will you end up banking with?
"If institution A just passes on the costs, but institution B fixes the problem and keeps its costs lower, who will you end up banking with?"
Or even, if institution A just passes on the costs, but instution B fixes the problem and keeps the rest of the money as profit, institution B does better as a corporation.
In either case, B wins and A loses.
@ Dave M: You've elided over the fact that B will incur costs in fixing the problem and that there are other (non-monetary) costs involved in changing banking relationships. If it were cheaper to fix it than to pass it along, someone would have done that already without the government intervention.
Your argument should apply to the current situation. If the costs of fraud are so high (because remember the individual consumer CAN shit the costs back to the bank and, in fact, most of the time does) the banks would already have fixed the problem. Adding the new cost doesn't seem to change that calculus at all (before it cost X, now it costs X+Y) the instances of serious fraud are so rare that there simply is no incentive to change.
"Your argument should apply to the current situation. If the costs of fraud are so high (because remember the individual consumer CAN shit the costs back to the bank and, in fact, most of the time does) the banks would already have fixed the problem. Adding the new cost doesn't seem to change that calculus at all (before it cost X, now it costs X+Y) the instances of serious fraud are so rare that there simply is no incentive to change."
It doesn't apply, because most of the costs are externalities to the banks: they don't have to pay them. So they are fixing the problem to the extent of their own costs, but not to the true costs to society. The point of making the banks liable is to fix the externality. Then your argument works.
No one is arguing that there will be costs, and that these costs have to come out of someones bottom line.
You seem to be radically over complicating the scenario; what the Korean government has done is simply taken a situation that was a burden on a consumer, who has little power to change, and made it the burden of the business, who has alot of power to change.
Now, extending this into a free market, the quality of the fraud prevention measures targeting individual customers becomes a key competitive issue. Fraud prevention will always remain a risk management issue, but what has happened here is that Banks now have ownership of the issue.
They can adopt the passive role and simply pay out fraud costs, and raise prices, or they can take an active role and tweak the bottom line to amortize the short term costs of the fraud prevention investment over the long term business relationship with each customer.
Now, it is correct that if the cost of fraud was this high, it would have happened already, but to counter this, S. Korea has implemented the following:
"The new laws will require financial firms in the country to compensate customers for virtually all financial losses resulting from online identity theft and account hacking, even if the banks are not directly responsible."
In other words, it doesn't matter if the person provided pin number, card information, or whatever information blindly, the bank still absorbs the cost. This is not purely penalizing fraud and abuse. It is penalizing banks for not adaquately educating its customers (in this regards, I agree with Marcus Ranum), and it is penalizing banks for not *forcing* a culture change which places security above ease of use.
Will this hurt online banking functionality? No. Banks save more money by offering services online (servers are cheaper than tellers); the money earned and saved through online banking will (likely) cover the short term impacts of these changes.
In the long term, since almost anyone with internet access will have business with banks, it is extremely likely that the culture changes that banks are now being burdened with in S. Korea are going to have fairly broad social impacts.
But then again, it can also go horribly, horribly wrong, like so many other attempts to improve security, and then at least someone else tried it first :)
It does not go far enough. One way that the korean gov. can help is that they should publish stats on what systems were broken into and why. This would allow IT folks to decide what systems to run and what the true cost of them are.
In fact, back in the 90's, all the info about who was cracked in America was available. Now, it is hidden which makes it all that more difficult. Hiding stats solves nothing.
"If institution A just passes on the costs, but institution B fixes the problem and keeps its costs lower, who will you end up banking with?"
In an ideal world, this might happen. But in my experience, bank A passes on the costs, bank B passes on the costs, so bank C passes on the costs .... and the fact that you have a choice of who to bank with becomes largely irrelevant.
Never mind the fact that it's not easy to switch banks and bank account numbers - the benefit has to be large to override the hassle.
I do work in the banking industry, CJ, and I can tell you that the bankers I've met, usually CTOs in small- to mid-size banks, do *not* have the attitude that they'll just "pass the cost on to the customer". They actually tend to be very cost conscious, and will do a lot of work to modernize to save money. In other words, if you're bank C, and you see that you can save costs by investing in this or that fraud prevent tech, you'll do it no matter what banks A and B are doing, because it's the rational decision for your bank.
Taking your two points in reverse order:
"Never mind the fact that it's not easy to switch banks and bank account numbers - the benefit has to be large to override the hassle."
Agree. But I guess the overall benefit available from reducing identity theft (and similar fraud) is enough to motivate quite a lot of action.
"In an ideal world, this might happen. But in my experience, bank A passes on the costs, bank B passes on the costs, so bank C passes on the costs .... and the fact that you have a choice of who to bank with becomes largely irrelevant."
You're right that markets aren't always effective at seeing and solving problems. It takes good legislators to get the incentive pattern right, then bright executives to play the game.
pdf23ds' comment says there are bright executives. And South Korea sounds to have good legislators.
"I do work in the banking industry, CJ, and I can tell you that the bankers I've met, usually CTOs in small- to mid-size banks, do *not* have the attitude that they'll just "pass the cost on to the customer". They actually tend to be very cost conscious, and will do a lot of work to modernize to save money. In other words, if you're bank C, and you see that you can save costs by investing in this or that fraud prevent tech, you'll do it no matter what banks A and B are doing, because it's the rational decision for your bank."
I tend to agree with this. If the costs are real and not ignorable externalities, then the banks will do their best to minimize them -- and then offer their services more cheaply as a result.
Yes "Korea Solves..." is a bit strong but it is also an extremely huge step in the right direction becasue now the survival of the corporation is directly linked to the protection of their customers. The only true responsibility of a corporation is to insure and increase the profits of it's shareholders not to be socially responsible. To keep up appearances, especially in the US, they try to do the social minium.
While it is not the 'Say All- End All', "Korea Solves..." is a definate stepping stone especially if the US and other larger nations follow suit. The protection of customer's identities is now directly linked to profit and will prompt these companies to pour their resourses into a solution.
Good luck signing up for anything in South Korea. Pretty much every website, even if they are a free bulletin board or Flash-based games site, requires a South Korean citizenship number (I suppose similar to SSN). Imagine if you needed to provide your SSN to use IM...
"If the costs are real and not ignorable externalities, then the banks will do their best to minimize them -- and then offer their services more cheaply as a result."
ROFL. Bruce, I didn't know you could play naive like that. Banks reduce their service fees?!? You kill me!!!
"I tend to agree with this. If the costs are real and not ignorable externalities, then the banks will do their best to minimize them -- and then offer their services more cheaply as a result."
Interinstitutional ATM fees in the US are a strong counterexample to this argument, and there are more.
My, my. Can't remember when I've so enjoyed a lively board discussion.
There are numerous truths and few misconceptions in the comments.
1. The pocketbook is always the best point of attack.
2. Not only the bank but in many situations, bank law assigns blame and financial responsibility to the account holder. See UCC Code, Articles 3 & 4.
3. According to Javelin Strategy and Research, 2005 ID Theft losses amounted to some $56.6 billion. Yes, that's a "B" with Carl Sagan emphasis.
4. According to the FTC's Consumer Sentinel statistics based on complaints made to its web site, ID Theft complaints only comprise 37% of all frauds reported in 2005.
5. In speaking with different bank fraud departments, we've been unable to discern just how, if at all, different banks keep a record of fraud losses that are considered the account holder's responsibility. On the contrary, such people are merrily sent off to the Collections Department or shuffled off to an outside collection agency to repay any loss incurred by their bank.
6. Branch bank personnel is woefully undertrained or, in most instances, not trained at all to recognize questionable transactions. Additionally, very little effort is made to educate customers. Rare is the bank that takes an aggressive stand on customer fraud prevention education.
7. Branch personnel have little or no regard for a customer in trouble due to fraud perpetrated on that specific customer. This is a cold, hard fact that we deal with on a daily basis at Fraud Aid. Account holders who have stepped over the line from good customer to one who owes the bank due to fraud are threatened, berated (sometimes publicly - within hearing of other customers), and frequently treated as criminals. Fortunately, this attitude does not prevail once we get the account holder in to the Collections Department.
8. We have seen very little concern on the part of banks in general with protecting the customer or the community. Concern stops on the lobby side of the teller counter and is relegated to funds already deposited. A bank's responsibility is to protect what is already contained in the vault, not to protect the individual customer from fraudster / identity thieves. It's just not in the charter.
9. Assigning responsibility to US banks as the Korean government has assigned to its banks would require such an upheaval of our current banking system that I don't ever see it happening; however, hope springs eternal because it's the only way that the powerful banking lobbies would force stronger laws with steeper penalties to be enacted and enforced to curb the lax environment in which our personal information is currently stored and maintained. After all, banks are accountable to their stockholders. There are ways of making information available to enforcement and private investigators without compromising accessibility measures that keep out hackers and reapers.
9. I am far, far from all-knowing when it comes to ID Theft and fraud even though it is our corporate responsibility to know as much as possible. All of us in the fraud-fighting community are only too aware that there is always much to learn. What I do know is that we find ourselves in a "tail wagging the dog" world. We are not winning this fight and the bad guys are definitely not losing it. Regardless of logistics and jurisdictional issues, drastic and unfortunately exigent solutions are required. For right now, I'm voting for Korea.
Fraud Aid, Inc. is a California Public Benefit Corporation dedicated to free Fraud Victim Advocacy, fraud recognition and prevention education, and law enforcement support. www.fraudaid.org
I have a business concept that will stop ID theft (new account activation). Everything on the market today does not work, fraud alerts, credit monitoring, ID theft insurance(A RIP OFF). I am in the process of putting together a business plan and will seek angel/VC funding.
I live in Korea and know how hard it is to get things moving. The Korean government is great at making policy changes but very lazy in enforcing them. I recommend you don't leave your money in Korea. They love to grandstand that they are the first or best or fastest at something. Take it from someone who is IN Korea -the security of financial information is low. Officials accept bribes regularly and legal process is not upheld. Recent leaked information and irresponsibility of the Korean tax department led to the indictment of Guss Hiddink and Wesley Snipes. Many more unknowns are being steamrolled daily.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.