Behind The Firewall: A week or so after the news broke about the data theft at TJX Cos. I was standing in line at a Marshalls store in Massachusetts and the woman ahead of me was about to swipe her credit card when she paused and looked at the cashier.
"Are credit cards safe to use here now?" she asked.
"Oh yes. They've taken care of all of that," the cashier assured her. "Everything is fine now." And so the woman swiped her card and went on her way.
Fast forward a month and we get the news that someone—no one seems to know whether it was employees, customers or a roaming band of bored crackers—managed to remove the PIN pad devices from a number of Stop & Shop grocery stores in Rhode Island and Massachusetts, modified them in some as-yet-unknown way and then returned them to the stores. Thousands of customers are now at risk of financial loss and identity theft because the folks at Stop & Shop decided to save 35 cents and not bolt the PIN pads down. Of course they've rectified that now, but the horse, as they say, is definitely out of the barn.
These incidents are so common now that they've become a steady drumbeat, a kind of white noise in the background to which most people pay almost no attention. Each new breach or data theft gets 30 seconds on the evening news and then it's on to the next story. Even people who discover that their information has been stolen tend to shrug and move on, knowing that their bank or credit card company will have a new card to them within a couple of days and they won't be liable for any fraudulent charges. All of which means that the well-intentioned efforts of lawmakers to force more frequent and more detailed disclosures likely will be for naught; no one is paying attention.
Actually, some people are paying very close attention, namely the senior management of major corporations around the country. And what they're seeing is that the outcry over these incidents is getting progressively less intense and shorter with each successive incident. They're taking that as a signal that consumers see these breaches and thefts as somewhat of an inevitability. That leads to a lax attitude toward information security and so we end up with massive thefts like the TJX incident and the almost comical ineptitude at Stop & Shop.
The one thing that is clear from all of this is that it's time to stop entrusting these companies with our private information. They're clearly not up to the task and are showing no signs that they regard these incidents as anything more than minor annoyances to be handled by their crisis PR teams.
Enough already. It's now up to each individual to take control of his personally identifiable information and stop handing it out to every Web site, retailer and restaurant that asks for it. There are a number of practical steps you can take right now to reduce the amount of sensitive information you expose to potential theft. Discover Card has a small applet that generates one-time-use account numbers for online shopping, allowing users to shop without revealing their actual credit card numbers. Citibank offers something similar, called Virtual Account Numbers. And IBM researchers are working on a system called Identity Mixer that will let users generate artificial identities for online use.
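To make concrete why a one-time-use number limits the damage when a merchant's database is later stolen, here is a toy model of the idea, added for this page; it is not Discover's or Citibank's implementation, and the issuer BIN, merchant names and card numbers in it are constructed test values. The issuer hands out a fresh, Luhn-valid number that maps back to the real card only on the issuer's side, binds it to one merchant and a spending limit, and honours it for exactly one authorization. A copy of that number lifted from the merchant afterwards is declined.

```python
"""Toy single-use ("virtual") card number scheme.

Added illustration, not any issuer's real code. The BIN, the real card number
and the merchant names are constructed test data.
"""
import secrets
from dataclasses import dataclass, field

# Hypothetical issuer BIN for virtual numbers (constructed; a real issuer would
# reserve one of its own BIN ranges so the network routes it back to the issuer).
VIRTUAL_BIN = "400000"


def luhn_check_digit(partial: str) -> str:
    """Return the check digit that makes `partial + digit` pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # doubled positions, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the whole number (including its last digit) is Luhn-valid."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class Issuer:
    real_cards: set                       # real PANs on file (constructed)
    _tokens: dict = field(default_factory=dict)   # virtual PAN -> binding record
    _used: set = field(default_factory=set)       # virtual PANs already spent

    def issue_virtual_number(self, real_pan: str, merchant: str, limit_cents: int) -> str:
        """Mint a Luhn-valid 16-digit number bound to one merchant and a limit."""
        if real_pan not in self.real_cards:
            raise ValueError("unknown card")
        while True:
            body = VIRTUAL_BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
            vpan = body + luhn_check_digit(body)
            if vpan not in self._tokens:      # avoid the (unlikely) collision
                break
        self._tokens[vpan] = {"real_pan": real_pan, "merchant": merchant, "limit": limit_cents}
        return vpan

    def authorize(self, vpan: str, merchant: str, amount_cents: int) -> tuple:
        """Issuer-side decision; the real PAN never leaves this object."""
        if not luhn_valid(vpan):
            return (False, "invalid number")
        rec = self._tokens.get(vpan)
        if rec is None:
            return (False, "unknown number")
        if vpan in self._used:
            return (False, "already used")
        if merchant != rec["merchant"]:
            return (False, "merchant mismatch")
        if amount_cents > rec["limit"]:
            return (False, "over limit")
        self._used.add(vpan)
        return (True, "approved")


def demo() -> dict:
    """Walk through issue, legitimate use, and replay of a stolen copy."""
    real_pan = "4111111111111111"                     # constructed test PAN
    issuer = Issuer(real_cards={real_pan})

    vpan = issuer.issue_virtual_number(real_pan, "shop.example", limit_cents=5000)
    first = issuer.authorize(vpan, "shop.example", 4200)      # the customer's order
    replay = issuer.authorize(vpan, "shop.example", 4200)     # same number, lifted from the merchant later

    vpan2 = issuer.issue_virtual_number(real_pan, "shop.example", limit_cents=5000)
    elsewhere = issuer.authorize(vpan2, "other.example", 100)  # bound to the wrong merchant

    return {
        "vpan": vpan,
        "reveals_real_pan": vpan == real_pan,
        "first": first,
        "replay": replay,
        "elsewhere": elsewhere,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The merchant never sees anything but the virtual number, so the record an attacker pulls from its database is already dead after the one approved transaction; binding to a merchant and a limit also blunts the case where the number is intercepted before it is used.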
A key piece of this puzzle is the huge databases of customer data that companies—particularly retailers—maintain for marketing purposes. In many cases customers voluntarily give up their personal information in return for a customer loyalty card, which entitles them to some small discounts or other benefits. Most consumers see this as an acceptable trade-off, but in the current climate it's worth reconsidering whether a five percent discount on Lucky Charms is worth the potential problems down the road if that store's database is attacked. Many people have said no, and some have started projects that game these systems by swapping loyalty card numbers among members.
I'm not naïve enough to think that these measures will bend giant corporations to the will of their customers. But I do know that without customers none of these companies would be in business, so if enough customers shout long enough and loud enough, eventually they'll have to listen. Won't they?
This was first published in February 2007