Analysis: Squabbling over fraud liability is not making the public any wiser.
As far as the average hacker is concerned, payment details are the holy grail of data. Infrastructure information and intellectual property might be interesting for employees of the Chinese government, but credit card numbers come with less baggage, and can be easily sold in black markets on the internet.
Given this, it is unsurprising that payment card fraud is an increasing problem for finance. "We’re hearing anecdotal evidence from some organisations that fraud has gone up over the past few years," said Richard Hurley, communications manager at the Credit Industry Fraud Avoidance Service (CIFAS), which advises on fraud prevention.
But instead of the danger uniting consumers and corporations, the crime spree has created a division. As evinced by the response to the recent attack on iCloud, customers are eager to point the finger at companies for not providing good enough security, while companies cringe at customers’ poor security practices. So who is to blame?
Companies and customers are failing to defend themselves
Most firms would admit their cybersecurity practices could use some work. A survey commissioned by the security firm Kaspersky revealed last week that only half of ecommerce firms claimed they "make every effort to keep anti-fraud measures up to date", with two-thirds of financial groups agreeing.
These figures are alarming given both sectors regularly handle the sorts of payment data that criminals are anxious to get their hands on. Even though the same survey indicated half of those in both sectors wanted to upgrade their tech, many departments report difficulties convincing boards to take their concerns seriously.
Marco Gercke, director of the Cybercrime Research Institute, told a recent Gartner summit that management can maintain a level of detachment from cybersecurity because of a lack of personal experience with it. "We need to bring the management into a situation where they are confronted with cyber attacks," he said.
The banks cannot always be to blame
Right now, if an unauthorised transaction takes place on a person’s bank account, the onus lies with the firm to sort it out. A spokesman for the Financial Conduct Authority (FCA), the body that regulates UK finance, explained to CBR that: "As long as the consumer hasn’t been negligent then banks should reimburse them for that transaction."
Negligence in this case has to involve some act that puts some of the blame on the victim. An extreme example would be someone who leaves a note with their PIN number on it in their wallet. One might think that customer negligence accounts for a great deal of fraud, but the FCA say that a lot of banks are quick to pay up.
There is an obvious ambiguity to the word "negligence" as far as cybersecurity goes. Hurley said there is as yet no agreed definition of what constitutes a reasonable amount of security. Two-factor authentication is undoubtedly better than passwords, but one is unlikely to be punished for using the latter.
A shift in liability is also likely to face fierce opposition. "I think it’s a pretty dangerous road to go down, to shift a lot of emphasis on to the consumer without educating the consumer to be more digitally aware," a leading cybersecurity academic told CBR, adding that the public had been sold the upside of cashless payments and other advances without necessarily being alerted to the dangers.
Hurley added that many laymen see fraud as a victimless crime, even though businesses have to spend money fixing it, and these costs are often passed to consumers. Perhaps if they were more aware of this they would be more inclined to take action. Until they do, both sides will suffer, and the hackers will continue to profit.
None of this means that companies feel they are entirely to blame. At a Financial Times event well attended by those responsible for making security decisions on behalf of big firms, several people told CBR that the blame for the recent iCloud hack, which led to celebrity photos being distributed, must partly fall on those who were foolish enough to store intimate photos on such a service.
Apple’s chief executive Tim Cook said after the attack that much of it was an education issue. People have been able to survive largely in ignorance about how to defend themselves online. But companies resent having to pick up the bill for every customer’s folly, and are quietly raising the possibility that more liability should fall on the consumer.