Make Businesses Pay in Credit Card Scam

By Bruce Schneier
New York Daily News
June 23, 2005

The epidemic of personal data thefts and losses - most recently the records of 40 million individuals exposed through Visa and MasterCard - should concern us for two reasons: personal privacy and identity theft.

Real reform is required to solve these problems. We need to reduce the amount of personal information collected, limit how it can be used and resold, and require companies that mishandle our data to be liable for that mishandling. And, most importantly, we need to make financial institutions liable for fraudulent transactions.

Whether it is the books we take out of the library, the Web sites we visit, our medical information or the contents of our E-mails and text messages, most of us have personal data that we don't want made public. Legislation that securely keeps this data out of the hands of criminals won't affect the privacy invasions committed by reputable companies in the name of price discrimination, marketing or customer service.

Legislation won't reduce identity theft, either. The real crime here is fraud; more specifically, impersonation leading to fraud. Yes, the fact that personal information is vulnerable to theft makes this crime easier. But the fact that personal information is so valuable once stolen is much more important.

It doesn't take much personal information to apply for a credit card, withdraw money from an account or put an address change through in someone's name. Personal privacy and identity theft are security problems, but they're problems of motivation, not security technology. The companies that have our data aren't motivated to protect us better because they aren't bearing the costs of not securing that data. Privacy violations make us the victims, not them. Identity theft costs us much more money than it costs them. Right now, the business incentives are for companies to collect as much personal info as they can.

And the information is valuable; companies can use it for marketing. Similarly, the business incentives for financial institutions to allow transactions - new credit cards, cash transfers - are so strong that they're not paying enough attention to fraudulent transactions.

This is an externality, a consequence not borne by the decision maker. Fix the externality, and our capitalist system will take care of the problem. Ignore the externality, and no amount of technology will fix the problem.

If you think this won't work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They're not hurting for business - and they're not drowning in fraud, either. They've developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions.

Personal data thefts are not new. They're in the news because of a recent California law mandating public disclosure. That's how capitalism works; we establish the playing field and then companies compete for profitability. Until we have laws controlling the collection and use of personal data, and laws enforcing liability on companies that allow fraudulent transactions, the problems won't go away.
