Begin forwarded message:
From: "Bob Frankston" <Bob19-0501@bobf.frankston.com>
Date: March 2, 2009 10:39:53 AM EST
To: <dave@farber.net>, "'ip'" <ip@v2.listbox.com>
Subject: RE: [IP] Credit card #s plucked out of air at FL Best Buy
What does “plucked out of the air mean” if the data is encrypted? Having a number of “networks you can hop on” is antithetical to the idea of the Internet as a large commons. Shouldn’t the data protection techniques be independent of the “network” and rely less on protecting the perimeter than protecting the information?
Of course we also have this misframing of the issue as “identity” vs “authorization heuristics”. Given the large numbers we’ve seen with these thefts I have to wonder about the lack of reports of consequences. But then the credit card companies still do things like give all cards on an account the same number which makes tracing events unnecessarily difficult. If they couldn’t foist the cost of their sloppiness on the users then we might see some better practices – if there really is a deep problem.
Part of my Master’s thesis was about mechanisms for dealing with lots of small transactions – even if the credit card companies honor suspect transactions they should help the users detect anomalies by flagging them in the statement and that statement should be emailed. Of course all the statements should be provided in a simple machine readable format such as XML with full information plus heuristics to flag suspicious transactions so one can focus attention instead of growing numb reading through each $1.39 purchase.
Don’t be surprised that these companies are interested in money and the gaming of rates and rules is probably far more consequential than these events.
From: David Farber [mailto:dave@farber.net]
Sent: Monday, March 02, 2009 09:19
To: ip
Subject: [IP] Credit card #s plucked out of air at FL Best Buy
Sent: Monday, March 02, 2009 09:19
To: ip
Subject: [IP] Credit card #s plucked out of air at FL Best Buy
Begin forwarded message:
Date: March 2, 2009 9:09:03 AM EST
Subject: Credit card #s plucked out of air at FL Best Buy
For IP:
Clever. Try walking into your local Best Buy with an iPhone, and see what networks you can hop on...
-----------------
The following advisory applies to customers who shopped at the Best Buy located at 1880
Palm Beach Lakes Blvd in West Palm Beach, FL in November and December 2008.
An employee at Best Buy's 1880 Palm Beach Lakes Blvd in West Palm Beach, FL allegedly
stole credit card information during November and December 2008 using an unauthorized
personal device. Best Buy learned of the theft on Jan. 5, 2009. With the cooperation and
assistance of store management, the employee was identified and taken into federal custody by
the Secret Service on Jan. 7, 2009. That person is no longer employed by Best Buy.
Although none of Best Buy's electronic systems were compromised by this former employee's
actions, Best Buy believes that approximately 4,000 people could have been affected by this
law enforcement authorities and all relevant payment card brands have been notified of the
incident and Best Buy is fully cooperating with all investigations.
In addition, Best Buy is sending letters to customers who may have been affected by this
fraudulent activity, notifying them of the situation and encouraging them to review their account
statements and monitor their credit reports.
...
