I was a speaker and panelist at Credit Union Conferences' recent InfoTech conference held in San Diego. I found the panel session particularly enlightening as it showcased a few of the major technology-related concerns in our industry. One of the audience member questions I found particularly telling had to do with member account security and fraud. The questioner was wondering what could be done to further protect credit union members from the risks inherent in the products and services we offer.
While there are certainly many steps credit unions and even individuals can take to protect against account fraud and identity theft, I felt it appropriate to point out one major flaw in the system over which we as members of the credit union community have little control. That flaw? The gaping security holes in our national retail infrastructure. Need an example? How about BJs and T.J. Maxx, to name two of the most recent "victims" of mass data theft.
I feel that security holes in retail establishments presents a far more grave threat than some of the data and identify theft perpetrated by individual criminals, if for no other reason than scale. T.J. Maxx (TJX Cos.) had over 45 million credit and debit cards compromised over an 18-month period. 45 million.
While this particular story is old news in the industry, one new survey should give us pause. A company called AirDefense recently released the results of an assessment of 3,000 retailers nationwide. What did they find? Take a look at this quote from their press release:
"AirDefense discovered more than 2,500 wireless devices such as laptops, hand-helds, and barcode scanners in use by retailers. Surprisingly, 85 percent of the devices could have been compromised or risk stolen data due to data leakage, mis-configured access points, poor naming choices for access points, outdated access point firmware and a “cookie-cutter” technology approach by large retailers. This type of approach occurs when the same technology is used in all retail locations so vulnerabilities will repeat themselves across the entire store’s chain."
The bottom line? Consumers are at risk, day-in and day-out, whenever they use their handy plastic payment alternatives - and they are at risk just as much in the "real" world as they are in the online world.
If you want to read the entire release, you will find it on the AirDefense website at:
http://www.airdefense.net/newsandpress/11_15_07.php
This is certainly not a plea to return to cash as the primary means of payment for goods and services. I believe that the efficiencies of plastics are worth the effort. What I do believe, however, and how I answered the conference attendee's question, is that the Visa's and MasterCard's of the world need to be better at policing the practices of retailers and merchants across the nation. They could start with simply enforcing the rules retailers agree to when signing up to take credit card payments in the first place. I am constantly amazed at the retail negligence I see when I travel.
I also answered that we have to be better as an industry at making members aware of the challenges they face when making purchases. Why? Because we get the blame whenever cards are compromised as we are the ones re-issuing replacement cards. Regardless of the fact that such reissues may be due to the mistakes of others, we are the ones "inconveniencing" members. Believe it or not, we bear the burden of reputation risk whenever a retailer makes the security mistakes described by AirDefense.