Last week brought news of
two robberies that happened five decades apart: the Great Train Robbery of 1963 and the Great Target Data
Breach of 2013. A comparison of the
two tells us something about how the business of thievery has changed over the
years, and how likely it is that criminals who execute large-scale thefts like
these today will be punished for their misdeeds.
But first, the tale of
Ronald Biggs. On his 34th
birthday, August 8, 1963, he assisted a dozen or so partners in crime in an
elaborate scheme to divert a British mail train carrying some $7 million in
banknotes (equivalent to about $50 million today). Back then, the Bank of England had the bad habit of shipping
large amounts of physical currency from one bank to another, and the thieves
caught wind of a shipment and successfully heisted it all. Biggs' fingerprints were found and he
was captured quickly and sentenced to a long jail term. But less than two years later, he
staged a daring escape and made his way first to Australia, then to Brazil,
living a life of debauched indolence and occasionally taunting the British
authorities by consenting to interviews with visiting newspeople. However, as he became aged and sick,
home looked better than ever, and he returned to England in 2001, expecting a
pardon. What he got instead was a jail
sentence, which he served until 2009 when he was released on account of poor
health. He died Dec. 18, a hero to
rebels everywhere but a convicted criminal nonetheless.
Only three days earlier, the
giant U. S. retailer Target announced that from Nov. 27 to Dec. 15, an
elaborately planned hack of their point-of-sale terminals acccomplished the
theft of as many as 40 million credit and debit card numbers, names, and one of
the two types of card security codes (the one embedded in the magnetic stripe,
not the one printed on back of the card).
The potential value of this data on the black market is comparable to
the $50 million or so that Biggs and his cohorts nabbed. This particular piece of information
came uncomfortably close to home when I discovered that my wife had used our
debit card at Target for Christmas shopping recently. Fortunately, she used it after Target said they had stopped
the breach, but some 40 million people weren't so fortunate.
Catching Ronald Biggs was a
matter of examining physical evidence such as fingerprints. The digital fingerprints left by the
Target thieves are much harder to trace.
Late word is that security experts have localized the source of the hack
to Southeast Asia, but they may well encounter a brick (or bamboo) wall in
their investigation at that point.
The global village metaphor is overused, but from a digital point of
view, we really do live practically in each others' laps, with millisecond
access to any of millions of computers around the world possible from my lowly
laptop here on my desk in Texas.
But the uniformity of jurisdiction that allowed English detectives to
move freely and quickly to investigate the Great Train Robbery does not exist
across international boundaries, and it's hard to imagine how this situation would
change.
There is some precedent in
the way that international technical standards are worked out by so-called
"working groups" that gather voluntarily to decide on a given
technical problem. But such groups
have an automatic unity of purpose that the law-enforcement agencies of
different countries do not share.
In some parts of the world, the criminal element is almost
indistinguishable from the legitimate government. Somalia comes to mind, and North Korea, where counterfeiting
is regarded as a legitimate act of war.
The only way you could catch cyber-criminals who are harbored by such
governments is to go to war with the government, and that measure is a little
extreme even for the most dedicated law-and-order types.
Fortunately for the millions
of Target shoppers who were caught with their numbers down, so to speak, the
big losers in such thefts are not the individual credit-card holders (whose
liability is usually limited to $50) but the retailer whose system was
breached, and the credit-card companies and banks themselves. There will be lawsuits, surely, but the
chances of recovering either the data or the money stolen by means of the data
are small, if the history of similar breaches is any guide.
In many European countries,
a more complex type of credit card is used, one which has a microchip embedded
in it that generates a different security code every time it is used. It's much harder to hack the microchip
type of card than it is to hack the old-fashioned magnetic-stripe variety that
dominates the U. S. market. But
because the microchip card will require massive retooling at retailer
point-of-sale systems and in the systems of credit-card issuers, the industry
has resisted it so far. According
to the president of the Connecticut Bankers Association, MasterCard and Visa
have promised to roll out the microchip cards by 2015, but this assumes that
retailers won't block it by protesting it will cost them too much. However, if the banks tell the
retailers that they will be liable for fraudulent charges unless they switch to
the new system, that may persuade reluctant retailers to get with the program.
As long as there is money
and other valuables, there will be people who want to steal. And the Target data breach is just the
latest in a long series of cops-and-robbers escapades that goes all the way
back to cavemen filching another tribe's giant-mastodon meat, no doubt. But let's hope that the credit
companies, banks, and retailers get their act together sufficiently to give us
a well-tried microchip technology soon, one that at least makes it harder for
thieves to break in and steal your credit-card number.
Sources: I referred to articles on
Ronald Biggs in the Washington Post
at
http://www.washingtonpost.com/world/europe/ronnie-biggs-notorious-participant-in-great-train-robbery-dies-at-84/2013/12/18/3f142a38-c5da-11df-94e1-c5afa35a9e59_story.html
and the New York Times at http://www.nytimes.com/2013/12/19/world/europe/ronnie-biggs-great-train-robber-dies-at-84.html. I used information on the Target data
breach from NBC News at
http://www.nbcnews.com/technology/massive-target-credit-card-breach-new-step-security-war-hackers-2D11778083,
from Forbes at http://www.forbes.com/sites/anthonykosner/2013/12/20/targets-biggest-pr-mistake-with-credit-card-security-breach/,
and from an AP report carried by the Boston
Globe at
http://www.boston.com/2013/12/20/fury-and-frustration-over-target-data-breach/LAEw7wmAeKBl0MJk0lBRDL/story.html
as well as a Fox News report at
http://www.myfoxtwincities.com/story/24274470/target-victims-not-financially-responsible-for-credit-fraud. The Connecticut banker was quoted by
the Connecticut Post at http://www.ctpost.com/local/article/New-credit-card-features-may-prevent-breaches-5083388.php,
and I referred to the Wikipedia article on card security codes.
No comments:
Post a Comment