Target CIO, CEO resignations. The credit card hack may have something to do with it (although I suspect for the CEO there were other things in play as well – like earnings). And my colleague Anton Chuvakin mentions some data from Krebs. Median price of a black market stolen card around $35, with $54M made by the people who stole the card numbers from Target. Those numbers are suspect, but what worries me more is the societal impact of such a breach – and society’s view of credit card fraud.
As the social contract breaks down, what could be perceived as criminal breaks down too. After all, a $35 credit card (less than most annual fees) and money out of the pockets – ostensibly – of banks and insurers (who is more hated?). In 4000 years of human history, pawn shops for stolen goods have always existed…now they have gone viral.
Which reminded me of this personal connection to credit card fraud (pre-Target and pre-chip-and-pin). It’s worth re-reading. And it puts a face on the crime – at least the retail aspect of it…
Well, this post is about the time I met a Hacker Mom.
It was still in the embryonic phase of the internet’s development – and I had just started to use my credit card for online purchases.
One day, paper mail arrived (no ebills available yet) with a credit card charge for a computer to Dell. While I was a Dell customer, I hadn’t made any recent purchases. Calling Dell, I found it was delivered to an address in the suburbs of New York City (I live in New Hampshire).
OK. Dell, the credit card company, and I got on the phone together to sort this out. Dell issued a fraud alert, and the card company credited my account and cancelled the card. Note to self: set aside a separate and single card for internet purchases, with a liberal fraud policy. So far, out of pocket: $0.
With the shipping address information from Dell, I started doing my own snooping. Even though the matter was now out of my hands, I resolved to dig into this further – how did the thief get my card number? Where? And why? Did I know him/her?
I set up an appointment with my local police to report the incident; they were happy to help.
Before that meeting, I did an internet search using the address. Lo and behold, I not only get a legit address, but also a name and a phone number!
I dial the phone number and a woman answers. I introduce myself, explain I have some questions – and she acknowledges in broken English. My next question: “Have you received a shipment from Dell?” Suddenly her English takes a turn for the worse (“no speak no speak”) and the phone is on its way to the cradle. Recognizing her last name is of Portuguese origin (of which I am a fluent speaker), I yell into the phone (in Portuguese) “Senora <name>, I just want to know what happened. Are you Portuguese?”
A pause, and then the reply in Portuguese: “You are Portuguese?” I made a human, cultural connection – a fast and accurate hook – we now shared a common heritage, and I was not just a nameless, anonymous voice. The hour-long phone call that ensued (in Portuguese) was a story of a teenage daughter, in with the wrong crowd. A mother whose marriage had fallen apart. A daughter’s boyfriend who was untrustworthy, and an awful influence. The mom never knows where her 15-year-old daughter is, or what she and her boyfriend are up to. The school is always calling and, in the past few months, dozens of packages began to arrive at the house. At first she accepted the packages, but once she realized that these were goods purchased with stolen card numbers, she started to refuse them. Where did he get the card numbers and names? He bought a list on the internet. The boy knows where and how. It is quite a black market, these lists of valid card numbers.
Of course, I had no way of knowing whether her story was true, and whether the crying and wailing I heard over the phone was sincere. I suspect it was, but I also suspect she was more than happy with some of the purchases coming from nowhere. For forty-five minutes of the hour-long conversation I was in the role of priest, counselor, and therapist. Then we hung up, both saying we’re sorry.
My meeting with the police was simple. It was a low priority case, and they were already working on a case in town where someone was out $10,000 for Bears tickets purchased over the internet. My $1000 computer (and $0 loss) didn’t match that. But the officer used his contacts, spoke to two departments in other states, and got a commitment to dispatch a squad car to the address; to shake them up at a minimum.
As banks know, the credit card fraud issue has only ballooned since those early days – whether the numbers came from dumpsters or from insecure online databases (like TJX) is only half the story; the distribution opportunities online are the other half. But what really is significant is the human story behind it all: dysfunctional families, broken homes, and teenage hooliganism. That isn’t going away anytime soon, no matter how secure we try to make our systems.
Poor cyber-security, internet-smart thieves, and complicit buyers are just part of the fraud problem. And although the Internet is not part of the root cause of these fraud problems, it has a huge amplifier effect.
Buyer beware; and companies? Prepare. It’s not getting better anytime soon.
Original post from Jan 6 2011 at http://blogs.gartner.com/jack-santos/2011/01/06/part-0-hacker-dad-meets-hacker-mom/