TJX - over reaction?

Submitted by Kai on Mon, 2008-08-18 14:15.
Benjamin Wright posted a comment arguing that the reaction to the TJX case was an over reaction. He has also written about this on his own blog.

First things first: let me welcome you to the blogosphere! Given your expertise as a lawyer, I probably should just keep quiet and not argue, but then again, what is the point of a discussion if we cannot share our opinions?

To your comment: I do not agree that there has been an over reaction. I think this depends on your point of view. If you consider only the known theft of money, you might be right.

However, if you consider the loss of privacy, the costs of reissuing the credit cards and the continuing risk to the card holders, I think the reactions so far have been anything but an over reaction. It is also necessary to consider the time frame of the attack: it went on for quite a while. And it is important to consider that this was a much needed "wake-up" call to many shops.

You say that the credit card issuers over reacted. I disagree. Their alternatives were:
  • say nothing (and wait for the press to find out... a ticking, expensive bomb)
  • say "your credit card info has been lost, but hey, who cares? It is way too expensive to issue a new card" (and wait for customers to complain, call the press and cancel their cards themselves, adding potentially expensive lawsuits to the cost)
  • do as they did: cancel all the cards and issue new ones. High initial cost, but low cost and risk in the long run. Just imagine the cost of losing the trust of the credit card users...

Monitoring

Hi Ben,

thank you for popping by and commenting! I agree that monitoring and increased attention might be a viable solution. I am not sure those measures were in place at the time of TJX, but I think those tools should be implemented for the future.

A few questions pop into my mind: might there be privacy issues with such monitoring? What exactly should be monitored? How do you identify a fraudulent transaction vs. a legal one? What would be the implications for the card holder (the owner, not the crook) if the card did not function while shopping?

4th Alternative

Kai: Card issuers had a 4th alternative, now discussed toward the end of my post at http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html. They could have put the card numbers in question under a tight watch and monitored them especially carefully for irregular activity. What do you think? --Ben
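The "4th alternative" Ben describes, and the questions Kai raises about it (what to monitor, how to separate fraud from legitimate use, what happens to the honest card holder), can be made concrete. The following is an added example, not code from the blog post, its comments or any card issuer: a small watch-list monitor that keeps exposed card numbers live but scores each transaction on them against the card's established pattern (home country, typical amount, usual merchant types, velocity). Card numbers, profiles, thresholds, the HMAC key and the sample transactions are all constructed for illustration and are assumptions, not data from the TJX case. Two or more signals put the transaction on hold for step-up verification rather than a flat decline, so the honest holder is inconvenienced only when several things look wrong at once.

```python
"""
Watch-list monitoring for cards known to be exposed in a breach.

Added example (not from the original post or comments). All card numbers,
profiles, thresholds and transactions below are constructed for
illustration; real issuer rules, keys and data would differ.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The watch list holds keyed hashes of exposed PANs, not the PANs
# themselves, so the monitor itself is not another copy of the card data.
# The key is a placeholder assumption.
WATCH_KEY = b"example-watchlist-hmac-key"


def card_token(pan: str) -> str:
    """Stable, keyed identifier for a card number (HMAC-SHA256 hex)."""
    return hmac.new(WATCH_KEY, pan.encode(), hashlib.sha256).hexdigest()


@dataclass
class Txn:
    ts: datetime
    pan: str
    amount: float
    country: str
    merchant_cat: str


@dataclass
class CardProfile:
    home_country: str
    typical_max: float      # largest amount seen in the card's normal history
    usual_cats: set[str]    # merchant categories the holder normally uses


@dataclass
class Monitor:
    watch: set[str]                      # tokens of exposed cards
    profiles: dict[str, CardProfile]     # token -> established pattern
    recent: dict[str, list[datetime]] = field(default_factory=dict)
    velocity_window: timedelta = timedelta(minutes=10)
    velocity_limit: int = 3              # more than this many in the window is suspicious

    def score(self, t: Txn) -> list[str]:
        """Return the list of anomaly signals for one transaction."""
        tok = card_token(t.pan)
        if tok not in self.watch:
            return []                    # not an exposed card: ordinary processing
        p = self.profiles[tok]
        reasons: list[str] = []
        if t.country != p.home_country:
            reasons.append("foreign_country")
        if t.amount > 2 * p.typical_max:
            reasons.append("amount_spike")
        if t.merchant_cat not in p.usual_cats:
            reasons.append("unusual_merchant")
        # Velocity: count this card's transactions inside the sliding window.
        hist = [x for x in self.recent.get(tok, []) if t.ts - x <= self.velocity_window]
        hist.append(t.ts)
        self.recent[tok] = hist
        if len(hist) > self.velocity_limit:
            reasons.append("velocity")
        return reasons

    def decide(self, t: Txn) -> tuple[str, list[str]]:
        """approve / flag (review later) / hold (step-up verification now)."""
        reasons = self.score(t)
        if len(reasons) >= 2:
            return "hold", reasons
        if reasons:
            return "flag", reasons
        return "approve", reasons


# Constructed data: one exposed card (a well known test number) and one
# card that was not part of the breach.
EXPOSED_PAN = "4111111111111111"
OTHER_PAN = "5555555555554444"

PROFILES = {card_token(EXPOSED_PAN): CardProfile("US", 120.0, {"grocery", "fuel"})}
WATCH = {card_token(EXPOSED_PAN)}

T0 = datetime(2008, 8, 18, 10, 0)
SAMPLE_TXNS = [
    Txn(T0, EXPOSED_PAN, 45.10, "US", "grocery"),                         # normal
    Txn(T0 + timedelta(minutes=5), EXPOSED_PAN, 980.00, "RO", "electronics"),  # abroad, big, unusual
    Txn(T0 + timedelta(minutes=6), OTHER_PAN, 980.00, "RO", "electronics"),    # not on watch list
    Txn(T0 + timedelta(minutes=7), EXPOSED_PAN, 30.00, "US", "fuel"),      # normal, 3rd in window
    Txn(T0 + timedelta(minutes=8), EXPOSED_PAN, 25.00, "US", "grocery"),   # normal, but 4th in window
]


def run_demo() -> list[str]:
    """Run the constructed transactions through a fresh monitor."""
    m = Monitor(watch=WATCH, profiles=PROFILES)
    return [m.decide(t)[0] for t in SAMPLE_TXNS]


if __name__ == "__main__":
    for t, d in zip(SAMPLE_TXNS, run_demo()):
        print(t.ts.time(), t.pan[-4:], t.amount, t.country, t.merchant_cat, "->", d)
```

The point of the three-way decision is Kai's last question: a card that is merely on the watch list keeps working for its owner, a single odd signal is only flagged for later review, and only a cluster of signals interrupts the purchase, and even then as a step-up check rather than a silent decline.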

The blogger is Kai Roer, a European Information security professional.
