Suppose that the laws were changed so that breaching personal data meant the CEO had to personally visit each affected customer and apologize face to face. Would it really be the case that “we can’t do it” because everyone is being popped by elite Chinese military operations, or would it instead magically turn out that companies could cut into the executive bonus fund by 10% to resolve understaffing for boring O&M work, and maybe reconsider collecting so much data in the first place? As the post notes, breaches of the data where they have real penalties are much rarer.
Can’t in this context mostly means aren’t willing to do something with current incentives.
Remove the ability to do online or offline credit card transactions without dedicated hardware for chip and pin, thus eliminating the value of stolen credit card numbers. Are you crazy we can’t do that customers would use a different credit card!
Change the incentives so credit card companies would be personally liable for any fraudulent transaction and suddenly everything changes.
The article is talking about retailer data breaches not credit card companies.
If someone steals your CC and buys a bunch of stuff there’s 4 people who could be stuck with the bill. You, the merchant, Visa, and the bank who issues the card. Right now Visa is never paying though they still have a little hassle from such transactions. If you don’t notice you might get the bill and under special circumstances the bank might get stuck with it, but mostly it falls to the merchant. https://www.nerdwallet.com/article/credit-cards/merchants-vi...
However, if Visa/Master Card etc had some actual liability you bet they would be some real changes.
Are you sure about that? People commit financial crimes with possible jail time all the time. Even putting the CEOs life directly in the line of danger does not work, see OceanGate.
I still agree that the punishment for these crimes is too soft, but even ramping it up to insane levels isn't going to make everything perfect.
I am sure yea… Put Musk and Zuck and the rest of them to mandatory prison sentence of no less than 5 years per breach - all problems will be solved by lunch
Like, I'm in favor of personal liability for execs who willfully sacrifice everything and everyone else for their own increased profit as much as the next guy. But there are at least two major problems with your statement:
1) The kinds of infrastructural improvements needed to genuinely increase security are likely to take significant time and money to put in place—and the money, in many cases, will also mean more time. We're talking years in some cases, even if people are moving at the fastest pace they can while still being responsible.
2) Security is a genuinely hard problem. No matter how good your procedures, your hardware, and your software, humans still have to interact with the data, and humans will always be fallible. Social engineering, blackmail, revenge, and just plain carelessness will always put data at risk, even if the company as a whole is fully and wholeheartedly committed to security.
So are you going to put the heads of your local credit union in prison if someone in their IT department is disgruntled about not getting a promotion they think they're entitled to, and decides to stick it to the man by stealing the DB of social security numbers and selling it on the dark web? (Or whatever other scenario you can think of)
I think many humans are bad at it. A smaller group, may be 10 percent,
have the "security mindset".
For the ninety percent who use technology or run businesses it's a
schlep and imposition. They just want to forget about it. And there
are many psychological and cultural devices to help them ignore
security.
Around 8 of remaining 10 percent are on what I see as the "dark side".
They are guards for the castles, and primarily concerned with
_helping_ technological abusers take advantage of the majority's
weakness.
I agree that it's mostly around mindset. Most people don't really care about physical security either. Sure, many people say they care about it, but many don't follow basic safety patterns because they don't know them, they find them burdensome, etc. Just basic stuff like placing valuables out of site and locking car doors, closing blinds or curtains at night, having a halfway decent deadbolt and using it, or having protective film on your windows (depending on the area), etc.
Same thing with tech. Most people only run backups of thier system after they lost data and felt pain at one point. I would guess most people have Maybe 3 password and just reuse them across evertlything on the internet. The only people who might be more security minded are the ones who do related stuff for a living or if they had a security incident happen to them. Nobody else cares.
Companies can do it, but they refuse to, because noone knows what entity is really behind a specific corporation. So when a breach occurs it's basically a we handed over your information to whomever we collected it originally, but in a way that is untraceable.
If what you mean is that we find ourselves unable to do perfect security, then that's clearly true but it's missing the point.
The point of the article is that we do better security for credit card numbers than we do for other information which is more sensitive to our customers. Why do we do better with these? The author's claim is that it is because of the incentives (although, working in the industry, I would say it is also because the credit card industry wrote policies mandating specific, detailed security practices).
Humans are very bad at security.