Monday, October 17, 2005

Stop net fraud - make the banks pay for the externalities

I said this in the mid-90s, when I was peripherally involved in exposing one of the early international credit card frauds (today's operators are much more clever than those guys were). Bruce Schneier has been saying it for years.

The only way to reduce net fraud (phishing, identity theft, etc) is to make the banks and financial intermediaries pay more of the real cost of these frauds (the 'externalities' of victim suffering). The banks have known for over 10 years what they need to do, but the costs are substantial. Even if a bank wanted to put better security in place, they can't. If they tried they'd be forced out of business by any competitor who didn't introduce the same procedures. The only way the banks can do this is if they're all forced to move together. That takes governmental action.

Here's Schneier:
Crypto-Gram: October 15, 2005

Earlier this month, California became the first state to enact a law specifically addressing phishing. Phishing, for those of you who have been away from the Internet for the past few years, is when an attacker sends you an e-mail falsely claiming to be a legitimate business in order to trick you into giving away your account info -- passwords, mostly. When this is done by hacking DNS, it's called pharming.

Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers -- they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers' assets. Unfortunately, the California law does nothing to address this.

... The actual problem to be solved is that of fraudulent transactions. Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names. The institutions make a lot of money because it's easy to make a transaction, open an account, get a credit card and so on. For years I've written about how economic considerations affect security problems. They can put security countermeasures in place to prevent fraud, detect it quickly and allow victims to clear themselves. But all of that's expensive. And it's not worth it to them.

It's not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress, and hassle are entirely borne by the victims. And in one in four cases, the victims have not been able to completely restore their good name.

In economics, this is known as an externality: It's an effect of a business decision that is not borne by the person or organization making the decision. Financial institutions have no incentive to reduce those costs of identity theft because they don't bear them.

Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away...

If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses -- they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work.
Since this will take governmental action, if you don't like identity theft, vote against Bush.

No comments: