What would you do if you were really inspired by that late-night movie? 'Transform' an Optimus from trash cans? Improvise Tony Stark's Mark II Suit in a way that would rival 'War Machine' Rhodey? Attempt to become a real-life superhero? Develop an idée fixe of enigmatic moments to your special number in a way that would trounce Scott Fahlman? Or, armed with the same obsession, perhaps better Edward O. Thorp in 'counting' (for) some greenback?
I can reminisce about my Professors' analogies better than the classes - Sometimes it's nice to goof around the point. Anyways, circling back to the key topic - Expressing his anguish on the stance of the
Beyond financial and reputational loss for the victim organisations and, maybe, the backlog of Black Ops missions for users, the steady rise of such incidents in recent times is a real threat to the banks, credit card issuers, payment networks and insurance providers. Popular opinion has it that many of these have to do with the target organisations' (incl. Sony, MasterCard, Visa etc.) developing enemies in dark corners of the internet. Personal and financial data have been made away with in some cases, like Sony(n) and Citi. While debit and credit card holders, with limited timely action from their side, are absolved of any large liabilities through various regulations (like the Consumer Credit Act in the UK and the Truth in Lending Act in the US), the real contention is: who bears the loss then? If you aren't going to be paying for those shady transactions on your card, someone else is going to have to.
Unfortunately, the story doesn't end there. Financial data apart, the loss of personal data and unencrypted passcodes, which users tend to rampantly reuse across cyberspace, heightens the potential for these incidents to magnify into large-scale identity theft. While the scene remains the same for customers, save for a lot of paperwork, the financial institutions are still the losing participant in the zero-sum game. It remains to be seen whether and how victim organisations will be held responsible by the financial ecosystem for such write-offs.
When the users of the victimized organisation's service are spread across the globe (e.g. PSN), another key issue is that the maturity of financial practices and the adroitness of the information systems supporting them are not on an even platform, which makes it challenging to have a fighting chance at preventing or alerting on misuse. For instance, many countries do not have a unique resident ID or central credit bureau, and the individual card issuers themselves may not have the necessary infrastructure to effect pattern-based intelligence. That leaves the card holder to foot the losses, with the exception of cases where certain classes of cards are insured against such mishaps, which passes the buck back to the financial system.
Little comfort can be drawn from the fact that the bereavement from one of the breaches was just outdated credit card information, since it begs the question of compliance with PCI-DSS 3.1, which emphasises minimal (amount and time) retention of cardholder data and secure deletion of data beyond what is dictated by business needs. This would hopefully drive the other online merchants to refrain from obsessively storing credit card information on opening an account, or to comply with PCI-DSS. Well, it wouldn't hurt to at least provide an option enabling the risk-averse / infrequent users to feed payment information on a transaction basis; after all, it's their dough!
With these jeopardies no longer being surreal, the financial system has to bother about risks beyond its control, be it in the form of money (assuming non-recovery from victim organisations), procedural overhead or demand on its resources.
In the event of the bank or card issuer having to bear the monetary brunt, this would be yet another un-modelled scenario from an Operational Risk standpoint; well, it ain't a "catastrophe" which is what is bucketed / budgeted under 'external events' and even there, very few institutions factor in the far-side of the risk quadrant whilst assessing the extent of their exposure.
To re-quote Sheldon Cooper, even given the stolen identity, the hackers couldn't become Green Lantern unless they were chosen by the guardians of Oa, but given enough start-up capital and adequate research facilities, they could be Batman! The odds of witnessing the 'Dark' Knight seem oh so real now.
Even as I write this, news of infiltration into 72 world organisations targeting commercial, state secrets and intellectual property flows in. In this age, nothing is safe from the digital Jack Sparrow. But, hey, we can at least do our part!