It is Fraud alright

by Colin Berkshire

Colin here. I’ve recently written about how the phone company made a conscious decision to not stop Blue Box phone Phreaks because they were profitable, and I’ve written how the Banks make billions of dollars on facilitated credit card fraud.

We read a lot about Internet security hackers. ObamaCare had such poor security when it was introduced that anybody could access personnel records simply by altering portions of the URL.

I know of one commercial website where the customer number is in plain text in the URLs and where the account numbers are sequentially assigned. Yes, you can access any customer’s confidential information simply by manually editing the “&account=” number in the URL.

A major retailer had millions of credit card numbers stolen simply because the WiFi access points had no password. Another major retailer used Windows based POS systems that had no malware detection and prevention.

We love to villify these Internet hackers. In fact, it is entirely analogous to how we vilified the phone company Blue Box phone Phreaks. We write them up in newspapers and we talk about how these devious minded individuals are out to take advantage of you and I. We eat this stuff up.

Behind the scenes there is something more sinister. Blue boxers are profitable. Banks make billions of dollars by intentionally making credit card fraud easy. And corporations care so little about security that they don’t bother to set passwords or to use the most basic common sense in building systems.

I agree that hackers that use NSA-like techniques to break into systems are bad. Hackers who ruin companies with denial of service attacks are just plain mean.

But shouldn’t there be some minimum level of security required? Shouldn’t it be equally criminal to implement a system to irresponsibly that personal information can be stolen by a sixth grader with a below average IQ?

What if a hacker could wage the defense that the hack was so simple that it could be done by a sixth grader? If the code was that poorly written then perhaps the corporate programmer and their Vice President should to to jail instead of the hacker.

The defense might go like this: “Your honor, I did break into this computer system and I did steal 100,000 customer’s confidential information and they all had to change their credit cards and spend a lot of time. But you see, all you had to do to get this information was to increment the account number on the URL to get tot he next customer’s information. This is so simple that a sixth grader could have done it. Therefore, I assert as my defense that the negligent and malicious individual was actually the corporate programmer and their Vice President who didn’t give a dang and wouldn’t spend one dime on security. They should go to jail in my place.”

I know this sounds silly. But what would happen is that corporations would start to worry about security and they would start to protect their customers. When you start talking about putting inept, uncaring corporate types into jail because they wouldn’t take the most basic steps to protect their customers privacy then companies would start taking privacy seriously.

The Bell System could have trivially fixed their network to prevent Blue Boxing and they actually chose not to because that was more profitable. The banks could have implemented PIN numbers and chips on credit cards (like is done in the whole rest of the world) but they don’t because it is more profitable not to. This sort if behavior is contrary to good public policy.

The problem in most cases is not genius hackers. In most cases it is corporations who can’t be bothered to spend $100 to protect their customers privacy.

If you dump toxic waste on an empty lot and get caught you go to jail. When a company does the same, they need to designate somebody to go to jail in their place.