Commentaries and insightful analyses on the world of finance, technology and IT.

« The Waiting Line Conundrum | Main | The Risk Cost-Worth Postulate »

I'm Batman...

What would you do if you were really inspired by that late-night movie? 'Transform' an Optimus from trash cans? Improvise Tony Stark's Mark II Suit in a way that would rival 'War Machine' Rhodey? Attempt to become a real-life superhero? Develop an idée fixe of enigmatic moments to your special number in way that would trounce Scott Fahlman? Or armed with the same obsession, perhaps better Edward O. Thorp in 'counting' (for) some greenback?

I can reminisce about my Professors' analogies better than the classes - Sometimes it's nice to goof around the point. Anyways, circling back to the key topic - Expressing his anguish on the stance of the US government preventing civilians from launching into space; the protagonist Charles Famer who has a rocket under construction in his barn remarks that as a kid he was told, he could be anything he wanted to be and that he believes that. The recent string of hacks may lead to believe that someone's interpretation of Astronaut Farmer is skewed in the direction of irrationalism.

Beyond financial and reputational loss for the victim organisations and maybe, the backlog of Black Ops missions for users', the steady rise of such incidents in recent times is a real threat to the banks, credit card issuers, payment networks and insurance providers. Popular opinion has it that many of these have to do with the target organisations' (incl Sony, MasterCard, Visa etc) developing enemies in dark corners of the internet  Personal and financial data have been made away with in some cases, like Sony(n) and Citi. While debit and credit card holders, with limited timely action from their side are absolved of any large liabilities through various regulations (like Consumer Credit Act in UK, Truth in Lending Act in US), the real contention is who bears the loss then? If you aren't going to be paying for those shady transactions on your card, someone else is going to have to.

Unfortunately the story doesn't end there, financial data apart, loss of personal data and unencrypted passcodes, which users tend to rampantly reuse across the cyberspace heightens the potential for these incidents to magnify into large scale identity theft. While, the scene remains the same for customers, save for a lot of paperwork, the financial institutions are still the losing participant in the zero sum game. It remains to be seen whether and how victim organisations will be held responsible by the financial ecosystem for such write-offs.

When the users of the victimized organisation's service are spread across the globe (Eg: PSN), another key issue remains that the maturity of financial practices and the adroitness of the information systems supporting them are not on an even platform, making it challenging to provide a fighting chance against preventing or alerting on misuse. For instance, many countries do not have a unique resident id or central credit bureau, and the individual card issuers themselves may not have necessary infrastructure to effect pattern-based intelligence, leaving the card holder to foot the losses with the exception where certain classes of cards are insured against such mishaps, passing the buck back to the financial system.

Little comfort can be drawn from the fact that the bereavement from one of the breaches was just out-dated credit card information, since it begs the question of compliance with PCI-DSS 3.1 which emphasises minimal (amount and time) retention of cardholder data and secure deletion of data beyond what is dictated by business needs. This would hopefully drive the other online merchants to refrain from obsessively storing credit card information on opening an account, or comply with PCI-DSS. Well, it wouldn't hurt to atleast provide an option enabling the risk-averse / infrequent users to feed payment information on a transaction basis; after all it's their dough!

With these jeopardies no longer being surreal, the financial system has to bother about risks beyond its control, be it in the form of money (assuming non-recovery from victim organisations), procedural overhead or demand on its resources.

In the event of the bank or card issuer having to bear the monetary brunt, this would be yet another un-modelled scenario from an Operational Risk standpoint; well, it ain't a "catastrophe" which is what is bucketed / budgeted under 'external events' and even there, very few institutions factor in the far-side of the risk quadrant whilst assessing the extent of their exposure.

To re-quote Sheldon Cooper, even given the stolen identity, the hackers couldn't become Green Lantern unless they were chosen by the guardians of Oa, but given enough start-up capital and adequate research facilities, they could be Batman! The odds of witnessing the 'Dark' Knight seem oh so real now.

Even as I write this, news of infiltration into 72 world organisations targeting commercial, state secrets and intellectual property flows in. In this age, nothing is safe from the digital Jack Sparrow. But, hey, we can atleast do our part!

Comments

Thanks for sharing this with me, Vikram. While I have read quite a few articles on the hack, no one ever discussed about the impact on the banks or card issuers. These kind of "external events" are scary because under LDA this quadrant is completely ignored as quite improbable. But I believe this is because, they never considered these cases. As you righly said, they restricted it to just earthquakes, floods and similar catastrophes...This should be an eye opener.

Interesting perspective. I checked online and was shocked to find that Sony is not listed on mastercard website as PCI-DSS compliant. Like Verisign Secure, they should make PCI-DSS compliant as a way of encouraging companies handling customer data to be more secure in their practices and also ensuring that this awareness helps customers to decide whether the data they entrust with the organisation / vendor is in safe hands. If not, they can decide whether they would like to risk it.

If a mass scale misuse of the stolen data were to happen, I would reckon that companies like Sony would not be able to financially handle the same. And the banks would bear the brunt once again. This is the last thing that we need in these uncertain economic times. Thought provoking points, keep it up.

Intriguing point on Scott Fahlman. It definitely makes a lot of sense to include him here. His work on Cascade Correlation in neural networks has gained prominence in risk management and trading.

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Please key in the two words you see in the box to validate your identity as an authentic user and reduce spam.