Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
On Wed, 28 Sep 2005, Kenneth F. Belva wrote:

> If the US population is 296 million and 40 million cardholders were
> affected, that means that 13.51 percent of the population would be
> affected (on the assumption that it is only US citizens that hold a
> Visa/Mastercard).

Roughly one in every seven-point-four listmates ...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
>> In the paper I ask: "If 40 million customer credit card numbers are
>> exposed in a security breach at the credit card processor CardSystems, why
>> do a significant number of people not cancel their Visa and/or
>> Mastercard?"

>Simple .. because Mastercard/Visa got to avoid having to notify their
>customers of the breach :
>http://www.consumeraffairs.com/news04/2005/cardsystems_court.html

>~Mike.

Mike,

I'm not so sure it's that simple...

People were aware of it. It certainly was all over the press at the time:

http://money.cnn.com/2005/06/17/news/master_card/
http://www.consumeraffairs.com/news04/2005/cardsystems_suit.html

If the US population is 296 million and 40 million cardholders were affected, that means that 13.51 percent of the population would be affected (on the assumption that it is only US citizens that hold a Visa/Mastercard). Not everyone in the US has a Mastercard/Visa so the percentage of those cardholders affected by the breach is in fact higher. It's hard to keep that quiet by just not issuing letters to those affected by the breach.

What I wonder about is the applicability of the White and Case study. When I hear figures of 20%, it really represents a serious financial impact. One would hear about such loss from publicly traded companies, similar to the 4% loss in Q2/2005 due to the Wendy's chili case.

Ken
Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
Frank Knobbe wrote:

> Perhaps you should ask:
> "If 40 million customer social security numbers are exposed in a
> security breach at the credit card processor CardSystems, why do a
> significant number of people not request new social security numbers?"
>
> After all, there is no limit on liability with fraud on those
>
> Regards,
> Frank

Easy - you can't get one, so asking won't help. Unless, of course, you're under the protection of the Federal Witness Relocation program.
Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
On Wed, 28 Sep 2005 14:46:38 CDT, Todd Towles said:

> Plus, it was shown recently that personal credit card fraud via ID theft
> is smaller than victimless credit card fraud.
>
> http://www.theregister.co.uk/2005/09/16/gartner_phantom_fraud/

The Google-provided ad at the top says:

Official Check Fraud Our Solution Software Will Help Prevent Check Fraud-Free Whitepaper www.sourcetech.com

Try as I might, I keep wanting to parse that as "Our software will guarantee that all of your whitepapers do in fact contain check frauds" :)
RE: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
Plus, it was shown recently that personal credit card fraud via ID theft is smaller than victimless credit card fraud.

http://www.theregister.co.uk/2005/09/16/gartner_phantom_fraud/

It is a very good rundown on why the banks just really don't have a reason to chase after them and stop them.

-Todd

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Frank Knobbe
> Sent: Wednesday, September 28, 2005 1:54 PM
> To: [EMAIL PROTECTED]
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Is the Bottom Line Impacted by
> Security Breaches?
>
> On Wed, 2005-09-28 at 10:22 -0400, Kenneth F. Belva wrote:
> > In the paper I ask: "If 40 million customer credit card numbers are
> > exposed in a security breach at the credit card processor CardSystems,
> > why do a significant number of people not cancel their Visa and/or
> > Mastercard?"
>
> Simple. The credit card numbers are exposed every time they
> make a purchase as well. Now, if someone commits fraud with
> your name and card number (which a convenience store clerk
> can do himself... no high-profile server breach needed), then
> the customer is only liable for minimal damages. The risk and
> liability lies with the credit card company.
>
> Perhaps you should ask:
> "If 40 million customer social security numbers are exposed
> in a security breach at the credit card processor
> CardSystems, why do a significant number of people not
> request new social security numbers?"
>
> After all, there is no limit on liability with fraud on those
>
> Regards,
> Frank
Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
On Wed, 2005-09-28 at 10:22 -0400, Kenneth F. Belva wrote:

> In the paper I ask: "If 40 million customer credit card numbers are
> exposed in a security breach at the credit card processor CardSystems, why
> do a significant number of people not cancel their Visa and/or
> Mastercard?"

Simple. The credit card numbers are exposed every time they make a purchase as well. Now, if someone commits fraud with your name and card number (which a convenience store clerk can do himself... no high-profile server breach needed), then the customer is only liable for minimal damages. The risk and liability lies with the credit card company.

Perhaps you should ask:
"If 40 million customer social security numbers are exposed in a security breach at the credit card processor CardSystems, why do a significant number of people not request new social security numbers?"

After all, there is no limit on liability with fraud on those

Regards,
Frank
Re: [Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
> In the paper I ask: "If 40 million customer credit card numbers are
> exposed in a security breach at the credit card processor CardSystems, why
> do a significant number of people not cancel their Visa and/or
> Mastercard?"

Simple .. because Mastercard/Visa got to avoid having to notify their customers of the breach :

http://www.consumeraffairs.com/news04/2005/cardsystems_court.html

~Mike.
[Full-disclosure] Is the Bottom Line Impacted by Security Breaches?
White and Case, a top NYC law firm, posted a survey on Data Security Breach Notifications on September 26, 2005.

From the press release:

"Victims of personal data security breaches are showing their displeasure by terminating relationships with the companies that maintained their data, according to a new national survey sponsored by global law firm White & Case. The independent survey of nearly 10,000 adults, conducted by the respected privacy research organization Ponemon Institute, reveals that nearly 20 percent of respondents say they have terminated a relationship with a company after being notified of a security breach."

White and Case Press release:
http://www.whitecase.com/news/news_detail.aspx?newsid=11731&type=News%20Releases

White and Case Paper:
http://www.whitecase.com/files/tbl_s5107Materials/FileUpload5837/151/Security_Breach_Survey.pdf

My research takes a macro approach:

"The keynote address will cover reputational risk in light of recent disclosures of high profile security incidents at such institutions as CitiFinancial (Citigroup), Bank of America and Wachovia, Choicepoint, DSW Shoe Warehouse and Polo Ralph Lauren. The presentation will create a framework for understanding reputational risk in light of these recent events that may be applicable to responding to future incidents."

In the paper I ask: "If 40 million customer credit card numbers are exposed in a security breach at the credit card processor CardSystems, why do a significant number of people not cancel their Visa and/or Mastercard?"

Reputational Risk Keynote Presentation:
http://www.ftusecurity.com/pub/FiTechSummit_final_paper.pdf

I am concerned that the survey is self-selecting. In other words, the people responding to the survey already have a disposition one way or the other. Of 51,433 people, only 17.8% (9,154) replied. That means 82.2% (42,279) did not reply! I'm not a statistician; is 17.8% statistically significant to determine a general consensus?

The papers may not be directly contradictory to one another. Please keep that in mind.

I would be interested to know others' opinions on the matter.

Sincerely,

Kenneth F. Belva, CISSP
http://www.ftusecurity.com