Cyber Heist Could Cost Consumers

[David Farber <dave () farber net>]

Begin forwarded message:

From: Dewayne Hendricks <dewayne () warpspeed com>
Date: April 22, 2006 7:30:31 PM EDT
To: Dewayne-Net Technology List <dewayne-net () warpspeed com>
Subject: [Dewayne-Net] Cyber Heist Could Cost Consumers
Reply-To: dewayne () warpspeed com

[Note:  This item comes from reader Randall.  DLH]

From: Randall <rvh40 () insightbb com>
Date: April 22, 2006 2:50:52 PM PDT
To: cyberia <CYBERIA-L () LISTSERV AOL COM>, Dave Farber  
<farber () cis upenn edu>,  Dewayne Hendricks <dewayne () warpspeed com>
Subject: Cyber Heist Could Cost Consumers

<http://htdaw.blogsource.com/post.mhtml?post_id=315043>

Sunday, April 23, 2006 at 12:04 AM EDT
Consumer Groups Say Victims Need More Information About the Heist
April 21, 2006 — - After their banks quietly informed them their debit
card and bank information may have been stolen, thousands of Americans
could lose as much as $500 in money taken from their accounts.

In possibly the biggest incident of debit card hacking theft, thousands
of U.S. consumers have been told that their bank accounts may have been
compromised by computer hackers who stole debit information and personal
identification numbers (PINs) from their bank accounts.

"This is the worse debit-PIN breach that has been reported to date,"
said Avivah Litan, analyst and digital banking expert at Gartner.

During the past few weeks, banks across the country quietly informed
consumers who may have been victimized by the breach, which occurred
more than a month ago.

Litan said that 200,000 to 300,000 consumers may have had new debit
cards issued, and the banks reportedly monitored account activity for
the consumers at risk. But some consumer groups questioned why the
notification letters were not more specific about the details of the
breach, such as whether it was a specific merchant whose security was
compromised.

"The letters seem to be pretty vague. They're not being told where the
breach occurred. The notices tell them that something happened, but it
won't tell them where or how," said Gail Hillebrand of the nonprofit
group Consumers Union. "If you're a consumer, it would help to know
which retailer made your information available, because maybe you
wouldn't want to shop there again."

One privacy expert said that banks and retailers often wrangle over the
particulars of notifying consumers when a security breach occurs.

"No one wants to send out a security breach notice," said Chris
Hoofnagle of the Electronic Privacy Information Center. "You instantly
become a pariah, and the fear is that you'll start to lose customers."

Responsible for Money Lost?

Unlike credit cards, which by law hold consumers responsible for only
$50 in the case of theft, card issuers can hold debit card holders
responsible for up to $500 when their money is stolen. Electronic money
transfers, including debit card transactions, are governed by a Federal
Reserve Board regulation known as Regulation E. One of its stipulations
puts the onus on consumers to report irregularities with electronic
transfers. If consumers fail to notify card issuers about breaches in a
"timely fashion," the card issuer could hold the consumer responsible
for up to $500.

But Hoofnagle said it was doubtful that banks and merchants would hold
consumers liable for such a large amount of money.

"I can't imagine when you have a breach like this, where the consumer is
not at fault in any way, that banks would hold them responsible for that
$500," Hoofnagle said.

At least one bank said the breach compromised an outside merchant, not
the bank. Wachovia Bank released a statement saying that Visa notified
the bank that "security breaches occurred at merchants or what are
called third-party vendors."

The bank notified customers, issued new debit cards and monitored
account activity. The Wachovia statement also made it clear that
customers would not be held responsible, saying, "it's important for
customers to know that if fraud is detected they are fully protected by
Visa's zero liability policy, which means they will pay nothing in the
event of a fraudulent purchase."

But if you're hacked, you'll still face difficulties.

"Even though you almost always get your money back, it's not a simple
wrap," Litan said. "You have to go through all kinds of phone calls and
forms, and it's a hassle."

In many cases, there is little justice for cyber thieves. Often
authorities have little evidence to track the crimes, and hackers are
known to respond to new cyber security measures with even better hacking
technology.

"These crooks get away with it, and that's why they keep doing it.
They've got about a one in a thousand chance of getting arrested," Litan
said.

<http://abcnews.go.com/Business/print?id=1872428>
Weblog at: <http://weblog.warpspeed.com>



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/