Wednesday, December 7, 2011

Convenience + Efficiency = Vulnerability?

In the spirit of “news of fresh disasters” from the Beyond the Fringe mock history of World War II, Don Reisinger’s latest post to his The Digital Home blog on the CNET Blog Network offers the following title:

Lucky Supermarkets credit card scam getting worse

Here is how he elaborates his claim:

The company announced the scam in November, saying customers and employees who used the self-checkout kiosks in more than 20 of its 234 stores might have fallen victim to tampered credit card readers. The hackers reportedly used devices called "sniffers" that recorded credit card numbers.

Soon after the information was made public, Lucky Supermarkets, as well as its parent company, Save Mart Supermarkets, said it was unsure how many people might have been affected but urged customers to monitor their accounts.

"We recommend our customers who used a self-checkout lane in the affected stores verify and monitor all credit/debit accounts with their financial institution to ensure everything is in order," the company said in a statement at the time. In subsequent announcements, the company has advised customers who used self-checkout lanes to close their accounts "and seek further advice."

Earlier this week, Save Mart said it had recorded "80 employee and customer reports of either compromised account data or attempts to access account data, with the majority coming over this past weekend." The company said, however, that its checks were not complete and that the number of recorded incidents could rise.

Reisinger then provided background on what sniffers do and what hackers can do with them:

Although Lucky's outbreak is major, it's by no means the biggest credit card scam consumers have faced. Earlier this year, Albert Gonzalez was sentenced to 20 years in federal prison after confessing to stealing millions of credit card and debit card numbers in attacks on customers at T.J. Maxx, BJ's Wholesale Club, Barnes & Noble, and other retailers.

Gonzalez was accused of using a laptop to find unsecured wireless networks in stores and then installing sniffer programs to collect data. That information was then placed on clone cards and used to withdraw cash from ATMs.

Once again, it is time to revive what I have previously called “the Neustadt-May thinking-in-time approach to dealing with crisis situations,” which begins by asking “How did we get into this mess?”  Probably the most significant cause has been a prevalence of head-in-the-sand thinking about data security, particularly where wireless networks are concerned.  However, there is also the thinking that justifies this negligent position, which appears to be based on two premises:

1. It is inconvenient.
2. It is inefficient.

Both of these have justified deploying self-checkout in the first place.  Machines are more efficient than human clerks;  and their cost can be recovered by saving on the salaries paid to those clerks (by removing them from the payroll).  Furthermore, the machine can be designed with a simple enough interface to make it as convenient as dealing with a human, if not more so.  The problem is that introducing security measures that have any “real” teeth will almost certainly lead to less efficiency (since time must now be taken for validity-checking) and probably less convenience (since the user will have to participate in some form of identity-establishment).

This is just another whirlwind that we have now been forced to reap as a result of our eagerness to consume what I like to call “innovation Kool-Aid.”  Put another way, the most impressive bright idea may also turn out to be toxic.  (There is nothing new about this insight.  Those my age are likely to remember that nuclear reactors would solve our needs for electrical power to such a degree that it would be “too cheap to meter.”  That slogan is probably not playing very well in Fukushima these days.)  The problem is that we either cannot or will not try to assess that bright idea in terms of its consequences;  or, as I have generalized this predicament, our capacity for time-consciousness has become so fixated on the present that we either lack the ability or the will to reason about the future.

The current situation at Lucky’s is unlikely to change matters.  After all, the people who make the decisions are not the ones most likely to suffer the consequences of poor judgment.  Those consequences will be visited upon Lucky’s customers, who were never given a say in the matter.  In other words once again we have an instance of 99% of a population suffering from the failure of the 1% at the top to think about what they are doing before doing it.

1 comment:

DigitalDan said...

I continue to believe that the problem lies in the technology, not in the fact that sellers want to deploy technology. Financial instruments should be protected at their source -- that is, by replacing simple swipe cards with devices that require onboard authentication prior to each use and that then behave in well-understood, reasonably secure ways thereafter. As long as we have dumb cards, we'll have dumb crimes like this.
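The distinction the comment draws between a “dumb” swipe card and a card that authenticates each use can be shown concretely. The following is an added illustration, not code from the post, from the commenter, or from any card scheme: it models a toy issuer that accepts two kinds of cards. A swipe card presents only static track data, so the issuer has no way to tell a legitimate swipe from a copy of that same data presented later from somewhere else. A chip-style card holds a secret key and computes a keyed MAC over the transaction details and a per-card counter, so a captured MAC is rejected when it is presented again or attached to a different amount. The scheme (the `chip_mac` message layout, the counter rule, the `Issuer` and `ChipCard` classes and the sample account number) is a simplified, hypothetical construction for illustration; it is not the real EMV protocol, though it reflects the same idea of dynamic, per-transaction authentication.

```python
import hashlib
import hmac
import secrets


def chip_mac(key: bytes, pan: str, amount: int, terminal_id: str, counter: int) -> str:
    """Keyed MAC over the transaction details plus the card's counter.

    Hypothetical layout for this example; the point is that the value
    depends on the amount, the terminal and a number that never repeats.
    """
    message = f"{pan}|{amount}|{terminal_id}|{counter}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class ChipCard:
    """A card with onboard authentication: it signs every transaction."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self.key = key          # never leaves the card
        self.counter = 0        # increments on every use

    def sign_transaction(self, amount: int, terminal_id: str):
        self.counter += 1
        return self.counter, chip_mac(self.key, self.pan, amount, terminal_id, self.counter)


class Issuer:
    """Toy issuer that authorises swipe cards and chip cards differently."""

    def __init__(self):
        self.swipe_cards = {}   # pan -> static track data on file
        self.chip_cards = {}    # pan -> [shared key, highest counter seen]

    def enroll_swipe(self, pan: str, track: str) -> None:
        self.swipe_cards[pan] = track

    def enroll_chip(self, pan: str, key: bytes) -> None:
        self.chip_cards[pan] = [key, 0]

    def authorise_swipe(self, pan: str, track: str) -> bool:
        # The only check a static card allows: does the data match what is on file?
        # A copy of the track data captured by a skimmer passes this check too.
        return self.swipe_cards.get(pan) == track

    def authorise_chip(self, pan: str, amount: int, terminal_id: str,
                       counter: int, mac: str) -> bool:
        key, highest_seen = self.chip_cards[pan]
        if counter <= highest_seen:
            return False        # counter reused: a replay of an earlier transaction
        expected = chip_mac(key, pan, amount, terminal_id, counter)
        if not hmac.compare_digest(expected, mac):
            return False        # MAC does not match these transaction details
        self.chip_cards[pan][1] = counter
        return True


def demo() -> dict:
    """Run both card types through a legitimate use and a replayed capture."""
    issuer = Issuer()
    pan = "4111111111111111"                     # constructed sample number
    track = "B4111111111111111^SAMPLE/CARD^2512101"  # constructed static data

    issuer.enroll_swipe(pan, track)
    swipe_legit = issuer.authorise_swipe(pan, track)
    swipe_replay = issuer.authorise_swipe(pan, track)  # same bytes, accepted again

    key = secrets.token_bytes(16)
    card = ChipCard(pan, key)
    issuer.enroll_chip(pan, key)
    counter, mac = card.sign_transaction(2599, "TERM-01")
    chip_legit = issuer.authorise_chip(pan, 2599, "TERM-01", counter, mac)
    chip_replay = issuer.authorise_chip(pan, 2599, "TERM-01", counter, mac)
    chip_altered = issuer.authorise_chip(pan, 9999, "TERM-01", counter + 1, mac)

    return {
        "swipe_legit": swipe_legit,     # True
        "swipe_replay": swipe_replay,   # True: the issuer cannot tell the copy apart
        "chip_legit": chip_legit,       # True
        "chip_replay": chip_replay,     # False: counter already used
        "chip_altered": chip_altered,   # False: MAC covers the amount
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'authorised' if outcome else 'declined'}")
```

The useful observation for a defender is in the last two results: once the card contributes something unforgeable and non-repeating to each transaction, a recording made at a tampered reader loses most of its value, because what was recorded cannot be presented a second time or attached to a different purchase.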