Updated: 8/1/05; 10:29:54 AM.
Ed Foster's Radio Weblog
        

Tuesday, July 19, 2005

Readers had a plethora of responses to the question in my recent story about whether banks should disclose which accounts were exposed in the CardSystems debacle. And while they offered a number of interesting answers, I think some of the additional questions that were raised are even more intriguing.

Several readers with knowledge of the financial industry said the calls for full disclosure were overblown. "You publish your credit card number every time you use it," said one reader. "Do you really trust the guy at Starbucks with his pants hanging to his knees? Think that pimply 17-year-old kid working at McDonald's won't copy your number when you're gone so he can call a 1-900 line because he can't get a date? Every single time you use your credit card number, you are giving it to someone new ... Do you really think that just by knowing the status of your card number, you'll be able to prevent fraud? No. If you didn't get the notice, will you be as diligent with your statements as you should? It's unlikely. While the issuers appreciate your diligence, you're going overboard. Yes, be careful with your number, but don't be afraid. The decision to notify should rest with the issuers. They need to evaluate the costs associated with issuing new plastics versus uploading the list of compromised cards from the Associations and marking them as high-risk for mail order/telephone order fraud."

Even those who agreed the banks shouldn't be required to notify all customers, however, thought there were still unanswered questions. "I actually agree with the banks on the notification issue," another reader wrote me. "It would cost these banks anywhere from $40 to $80 million to send the notices to customers, most of whom would simply round-file it. The fact that banks are using outside processing companies should come as no surprise to anyone familiar with current business practices. Banks are in the business of extending credit, not processing transactions. So we all actually benefit by the outsourcing of this function to specialist firms. Where the banks have severely fallen down is not performing proper due diligence on their suppliers of critical services. CardSystems stated it normally purges this information upon processing completion. So what happened this time? Was it dumb chance? A disgruntled employee? An inside job? These and many other questions will have to be answered."

While the big banks mostly feel that disclosure is too expensive a proposition, quite a few readers told me that credit unions seem to have a different attitude. "I'm IS Director at a midsized credit union -- 50,000 members -- and we had 4000 cards compromised," wrote one reader. "We ordered replacements for all of them immediately and sent letters to the affected members. Our primary focus is always on the member's situation. All of us employees are members too and we know how we would like to be treated were we on the other side of the counter."

Banks have little incentive to reform the system as long as merchants are the ones who really foot the bill for credit card fraud. "One thing you don't mention and the public is not aware of is that the reason the card companies aren't notifying consumers -- unless fraud occurs -- is that as long as those cards are in circulation the card companies are making a fortune," an online merchant wrote me. "If the card is used fraudulently the one that pays for it is the merchant who accepts the card. He has the money yanked out of his bank account along with a chargeback fee of anywhere between $25 and $40. Plus he has lost his merchandise, shipping fees and the percentage he pays to the card company for the sale. So they do not have any incentive to do anything about it. If the card companies had to eat these costs themselves, they would move pretty quickly to rectify the situation. Remember, when the merchant accepts the card he has been informed that the card and the sale are good. We need for the government to step in and get some kind of control over them. The merchant should not be penalized when he has been told that the card is good when all the time the card company already knows the information has been stolen."

With it still not exactly clear what CardSystems was doing with the data it had retained for "research" purposes, readers weren't so sure they could believe the assurances that the security breach won't lead to many kinds of identity theft. "Isn't there other info like the merchant's name, address, transaction amount, etc.?" wrote one reader. "These could be used to build a profile against the card number. Combine that data with another database that lets you look up a person, like a phone book database or the one behind Googling your name, and you can get a pretty high certainty of who the card user is and where they live. You've got to consider what can be done to extend and merge the data with other databases that can be bought/stolen/used free. The value of any bit of data may not be much, but the aggregate that can be achieved by merging with other databases can be quite powerful."

And several readers who had recently found bogus charges on their credit cards also wondered if they had been exposed by CardSystems. "My bank did not hold me responsible for the charges and they've issued me a new card number, but they were quite stern in suggesting it was all my fault that bad guys had acquired my information," wrote one card fraud victim. "Now I'm trying to find out if my card number was involved (in the CardSystems breach), but my bank won't tell me. They say they can't reveal anything about their fraud investigations, not even to those who have been victimized. A likely story ... they are just afraid I'll sue them along with CardSystems if I find out who was actually responsible."



12:18:19 AM  

© Copyright 2005 Ed Foster.
 