I’d like to take a look at consumer privacy from a deeper point of view, especially regarding the recent credit card info leak – more like flood – at Hannaford.
If you’ve been living under a rock for the past few days, here’s what happened: In the period from December 7 to March 10, a breach occurred somewhere between the point-of-sale terminals, where credit card information was taken, and the authorization server. During the three-month period, 4.2 million credit card numbers and expiration dates were leaked, leading to 1,800 reported cases of fraud. The situation has been thoroughly covered, and I won’t elaborate on it except for the following point: It was completely preventable, yet they are going to get away with their lack of security.
The Payment Card Industry has a Data Security Standard – intuitively called “PCI DSS” – the fourth requirement of which is “Encrypt[ing] transmission of cardholder data across open, public networks.” Legalese, being the tricky language it is, is pretty vague about what ‘accessible’ and ‘public’ mean when it comes to networks. Even a Cat5 cable extended solely between two points can be compromised without physical modifications to the cable itself, via a device called a passive tap, which operates on the principle of electromagnetic induction.
In legalese, you can easily convince the court that such a wire isn’t open or public. You can also say that this is Chewbacca, he lives on the planet Endor and that this makes no sense. Both are equally logical arguments, give or take.
Now what does that mean for your privacy, aside from the obvious “Oh my God they got my credit card” situation? If they’re that lazy about securing credit card info, what about other information perceived to be less critical? What about all those stores that keep track of your purchasing history when you opt for the store card?
The information isn’t discarded and doesn’t go away. It’s used to track your market habits and, aggregated over thousands and maybe even millions of users, generate useful data about buying trends. This is why stores offer you discounts: They make more money out of the information collected, either via first-party use or by selling it to third parties. It’s likely that this information is even easier to steal than credit card numbers.
On the surface this seems like a superficial argument – what harm is there when someone knows I usually buy a certain brand of milk or shampoo? Not much, but some of the information divulged could be more useful for a malicious person – they could call you, pretending to be from any service you recently subscribed to, such as a phone or cable provider, and pretend there’s an error in your credit card information and ask you to enter it again.
Consider the more far-fetched situation where a malicious person knows you’ll be receiving your brand new shiny laptop via FedEx today. They might go as far as hanging around your house, waiting for the delivery truck to come by, then pretending to stand idly on your front lawn and sign for the pickup – and in some cases you don’t even need to sign, and no photo ID is checked. Unlikely, but God came up with Murphy’s Law so he could enforce it.
I’m not a tinfoil hat-wearing individual, and I actually like how they collect and use my data in certain ways, like Amazon.com’s recommendations. Unless the users – not the businesses – start showing interest in their privacy and steer away from businesses that don’t take the matter seriously, customers’ information is out there, it’s unprotected, and it’s waiting for the scammer with the right plan to put it to use. If you watch Futurama, you’ll know just how bad scammers can be. If you don’t, it’s “Pret-ty bad.”
Sherief Farouk is a fourth-year computer science major.












