Friday, February 23, 2007

Root Cause (or, punishing the innocent)

An article in the Wall Street Journal yesterday reminded me of how easy it is to fire people up to solve the wrong problem. For those of you with an online WSJ account, you can view the story here. There is also this article in Information Week which anyone can read. The articles talk about a bill that republican Michael A Costello is sponsoring, Massachusetts House Bill 213, which would punish retailers for leaking personal data. Now, don't get me wrong, we do want to provide incentives for protecting personal data. But the issue here is stolen credit cards. The root of the problem isn't security practices at retailers. It is not possible to completely secure a complex system from hackers. There will always be ways to get such data. Holding the retailer accountable is just wrong. Similarly, holding the software, system, and database vendors accountable is also fundamentally flawed.

What is the core problem here? The main problem is that credit cards are embarrassingly insecure. The banks don't deal with the problem because it has been less expensive for them to pay the price of failure than it is to fix the problem. What this bill would do, if passed, is completely let the credit card companies off the hook. That is just so wrong it is offensive, and I hope people see this for what it really is: an attempt to remove the increasing risk of credit card theft away from the group who is really responsible, by taking advantage of the current emotional response to recent TJ Maxx theft headlines.

The credit card companies can solve this. If you've used a SecurID card from RSA, you know that a credit card sized object can provide a unique temporary number based on a secret PIN you provide. You must have the card and supply the secret to get a one-time authentication. Instead of the inane little three digit code credit card companies have us copy from the back of the card, you could use a dynamic generated code which is based on at least two factor authentication.

Using such a system, it does a thief no good to have the card in their possession unless they have also obtained the magic number. If that did happen, the person who lost the card simply reports it stolen and it is disabled. No break in to any system would divulge the personal secret, and the TJ Maxx problem would simply go away. Not only does this virtually eradicate the most prevalent forms of theft, but it provides the bank with non-repudiation and replay protection. In other words, customers can't claim the charge was made without their authorization, and someone can't later use the numbers to create another charge. This means the consumer and the retailer win, at some cost to the credit card companies relative to the current system; but how much more expensive is it, if most of the theft goes away?

There are other ways to do this as well, probably equally effective, and some which are easier to use (hosted on a cell phone for example). But the banks don't want to invest in the infrastructure, and now they are trying to legislate passing the buck to the retailer, which ultimately will end up being paid by either the consumer or the systems providers, while the credit card companies continue to make record profits with inferior technology.

So let's quit punishing the innocent and solve the right problem. The retailer and the consumer pay the 3% transaction fee - shouldn't we demand that they earn their money and fix this abomination?

Do the same in your business. When someone is pushing costs around, take a look at what the real problem could be. It's probably the one that saves the most cost for most stakeholders, and in particular respects your customer's costs.

No comments: