Banks have failed customers over credit card fraud; why should they do any better over phishing?
Further to my piece on how banks had failed customers over phishing by continuing to communicate with them by email and failing to warn customers about possible breaches of security, here’s an example from the world of credit card fraud, which remains the avenue of choice for most scammers.
Gartner reports, in a recent ‘FirstTake’ briefing (no URL available), on the recent arrest of 28 members of an alleged cybercrime ring from seven countries. Gartner’s authors, Avivah Litan and Richard Hunter, reckon that the stated activities of the gang — 1.7 million credit card numbers stolen, with financial losses estimated at $4.3 million — don’t “give the entire picture”. The reason: those figures translate to little more than $2.50 of fraud per stolen card. Much more likely, the two say, is that the gang used a small number of the cards to perpetrate big frauds, and the rest weren’t used, or were protected in some way by fraud detection software.
This, Gartner says, begs a question: If your credit card number is stolen, but no one successfully buys something with it, are you informed? No, Gartner says. Issuers “reason that they don’t know whether the card theft will ever result in fraud, and that it costs too much (about $10) and poses too much inconvenience to close an account and issue a new card.” This, sadly, is the same sort of fuzzy logic the bank in yesterday’s piece was using: ‘Our customers’ security has just been compromised but until something bad happens, let’s not worry them about it.’ As Gartner says: “The stolen card information will likely be used one day to commit either new account fraud or card fraud. Consumers would be better protected if they knew their card number had been stolen.”
My suspicion is that banks don’t want to inform customers of the problem, not just because of expense, but because they don’t want to scare them. Credit card fraud is a massive industry, processing, or attempting to process, millions of stolen card numbers a day. Most of those transactions don’t go through, for one reason or another. But how would you feel if your bank was not telling you that your credit card was out there, circulating on the darker corners of the Internet? My guess is you’d rather know about it, just as you’d rather know whether your account is vulnerable to phishers. Ignorance is not bliss.