Monday, March 5, 2007

Privacy and Security Lessons from Criminal Enterprises: The Corner & PCI

Either you have heard the stories, or encountered first hand the difficulty in convincing an organization's leaders to take adequate precautions to insure the privacy of identity related data, and maintain the integrity, confidentiality and availability of their information assets. Privacy and security have to be marketed to management since privacy and security are "non-functional" without a "ROI." As a last ditch effort, privacy and security can be pitched as a compliance effort; these activities must be performed to satisfy the requirements of an
independent, potentially hostile third party.

Nonetheless, criminal organizations, which by definition care not one whit about compliance, and have a vigorous appreciation of the bottom line, focus significant efforts on the privacy of personal data and the security of transactions and communications. For example the following story of touts, runners, ground stashes* and the electronic processing of credit cards.

The typical drug transaction occurs thusly:

  • Junkie finds slinger. Junkie's selection may be based on the Slinger's reputation, effectiveness of the Touts, past business practices or location.
  • Slinger takes order, collects cash from Junkie.
  • Slinger signals the order to a Runner.
  • Runner distributes product to Junkie, either from minimum amount on person, or collected from ground stash.
  • Junkie moves on to consume product.
So the slinger is the payment processor, and the merchant is the runner. Both will be held accountable for inventory, and separation of duties not only minimizes the compliance risk (i.e., being observed by law enforcement), but also provides an accounting control. The corner boy who put out the package knows that even if the slinger and the runner collude, the collusion will result in a wrong count at the end of the day.

So what part of this transaction is so hard for folks like TJX to understand? A couple items to consider:
  • Although the merchant may mitigate risk by gaining distance from the transaction (Verified by Visa, PayPal), the merchant is more interested in the customers than the Slinger is in the Junkies. The merchant and the processor want to keep all that secondary data and compile it, and convert it into cash. The Slinger wants only not to get burned by a counterfeit bill.
  • No one is responsible for the "count" on credit card transactions. Unlike the corner, the matching of goods, customer and payment is out of order in electronic commerce, with each party shirking responsibility for the transaction.
  • Each has to deal with impostors, though. The seller of baking soda is the "phisher" of the drug trade.

Next, yelling "5-0" as an intrusion detection mechanism.

*taken largely from Simon & Burns terrific book The Corner
or on most episodes of Simon's The Wire.

No comments: