Should we fight…

Chris at Emergent Chaos illustrates his reason for "going to war" against corporations that are (presumably, but not really) complicit in allowing credit card numbers to be stolen – because it doesn’t hit their bottom line hard enough. The real problem is that it doesn’t hit our (individual) bottom line hard enough. To wit:

"…TJX executives said that store traffic through the end of January hasn’t suffered since its Jan. 17 announcement of the security breach."

Chris’ flawed assertion simply assumes that everyone cares as much as he does that some entity’s credit instrument which was issued to him would be compromised. But the quote above is evidence that this isn’t the case; people are willing to accept the risk, even in the face of multiple shopping and payment alternatives. (There is an entire body of literature around the notion of risk vs. reward that applies here. See, for example, Slovic, et. al. "How Safe is Safe Enough?").

Chris’ fight is really against the establishment. For credit cards specifically and many debit cards generally, the burden of cost is the bank and/or card issuer. (It may be interesting to note that today there was a WSJ article talking about a bill in Massachusetts to assign the costs to the retailers that get hacked). Sure, we all pay a little, and those who get compromised pay even more (in the form of personal overhead), but it all appears to be reasonable for many (most?) folks.

To the extent that any of this information can be leveraged into more significant attacks against identities, again Chris’ target is misplaced. In this case, the folks who accept this type of information for identity validation – information that is routinely shared to the tune of four billion transactions in a year – should be the real target.

I have great news, Chris – you don’t have to fight. If the risk is too high from your perspective, you can simply opt out – credit cards are not a requirement in our society, they are a luxury.

1 comment for “Should we fight…

  1. February 22, 2007 at 9:25 pm

    Pete-this is not a comment to your post, but I don’t have your email. I would like to invite you to the security bloggers network but never seem to get your address. let me know

Comments are closed.