By James B. Kelleher
The top security experts at the world's two biggest credit-card
associations said on Monday that the battle against Internet-based
thieves had reached a stalemate and the industry would have to spend
millions of dollars over the next decade just to keep up with the
criminals.
Speaking at a conference here, John Shaughnessy, senior vice
president for fraud prevention at Visa USA, and Suzanne Lynch, vice
president for security and risk services at MasterCard International,
said that organized crime rings -- with the help, in many cases, of
former Soviet KGB cryptographers -- were successfully using the
Internet and "crimeware" software programs to circumvent the defenses
credit-card issuers erected against them.
The picture they presented of an escalating struggle between commerce
and criminality offered little hope of quick relief for consumers
worried about identity theft or for investors in card-issuing banks
concerned about security's escalating costs.
The credit-card companies were battling loosely knit, elusive criminal
networks responsible for much of the fraud, they said.
"They're very, very good at what they're doing," Shaughnessy told
attendees at the Bank Card Conference, "and they're a few steps ahead
of us in a couple of areas. They've done their homework about the
payments system and because of (them) we all have a chance to lose
some sleep at night."
The sobering assessment came one day after Symantec Corp., the world's
biggest security software maker, released a report that showed hacking
was no longer just the pastime of precocious teenagers, but now was
the province of organized criminals looking to gain access to personal
information of computer users -- and their assets.
Symantec said that viruses designed to capture confidential
information made up three-quarters of the top 50 viruses, worms and
Trojans during the first six months of 2005, up from 54 percent in the
last six months of 2004.
Visa's Shaughnessy said FBI data showed the number of Internet-related
credit-card crime reports rose 66 percent in 2004 and the average
reported loss associated with the online scams tripled to $2,400 from
$800 in 2003.
Part of that jump reflects the rise of business done on the Internet,
Lynch and Shaughnessy said. But part of it also reflects the
increasing sophistication of the criminals.
"We build a 10-foot wall," Lynch said, "and the bad guys build an
11-foot ladder."
While the criminals are increasingly savvy, Shaughnessy and Lynch said
that in many cases they were inadvertently helped by sloppy security
policies within the payment chain itself -- and by slip-ups by
merchants, third-party processors or the credit-card companies
themselves.
"I will say that of all the hacks we've seen -- and we've seen
hundreds and hundreds of these -- had the third-party been in
compliance (with association rules), they probably wouldn't have been
hacked," he said.
Shaughnessy said Visa and others were looking at ways of protecting
data so that even if a consumer's credit card information was
compromised, it would be useless to the criminal. But he warned it
would take many years, and lots of money, to set up such a system.
"This is going to take big investments over a number of years and
we're talking hundreds of millions of dollars to come up with a secure
system," he said. "Maybe 10 years from now we'll have it solved
... It's a tough situation."
Made tougher by the speed with which the criminals exploit even the
most harmless information breaches, Lynch said.
Lynch said that as the Red Cross began issuing MasterCard debit cards
to victims of Hurricane Katrina earlier this month, a newspaper
photographer working on a story about the program took a picture of
one recipient holding a card. The photo was quickly posted on the
Internet. "Within eight hours," Lynch said, "there was fraud on
the card."
"Somebody had seen the picture -- and unfortunately they hadn't blocked the
number -- and so somebody used the card fraudulently."
Copyright 2005 Reuters Limited.
[TELECOM Digest Editor's Note: Re-read the last two paragraphs of the
story again. Diner's Club used to have a television commercial which
included a blown-up, expanded in-close picture of one of their credit
cards, and it was issued to 'John Q. Customer', and that card number
was used many times in mail order fraud back in the 1960's. Also, you
have probably heard of the Brink's Home Security system, where one's
house is protected by beams of light which cannot be broken by
intruders walking through them (or the alarm goes off, etc.) A
television commercial showed a typical installation, with a control
panel on the wall. When the occupants entered or left a house, they
had to punch in a five digit 'security code' to activate or disarm the
system. The commercial showed the homeowner going to bed for the
evening and punching in the default code number, '12345' to protect
his house and family all night. Although the code number to arm or
disarm the system could (and was expected to be) changed from the
default, factory-set code of '12345', it turns out most people did
not bother to change it from the default (just like many people do not
bother to change/eliminate the default 'users' installed at the
factory for Unix accounts). Then the people got their houses ripped
off when intruders walked in, and used the 20 second grace period to
enter the default code. Later versions of the Brink's commercial (just
like later commercials for credit cards) don't get into quite that
much detail. I understand Red Cross and the FEMA people have gotten
good ripoffs from misuse of their cards, also. PAT]