Tolerating online fraud

Laissez-faire attitudes toward security abound, as one money-making hand washes the other

Whenever I see someone turning the other cheek to a problem, I smile and think of the greatest golden retriever I’ve ever known, a family dog named Kayo who was a very strong swimmer.

Kayo would be paddling out in the San Francisco Bay, chasing a tennis ball, when a 1,000-pound sea lion would pop its head above water just a few feet away. You knew the dog was scared to death, but he’d respond by just ignoring the sea lion, pretending it didn’t exist. Of course, he didn’t really have any other choice.

Well, the same dynamic may be happening in online security, or so I gathered from some panelists during the recent RSA Conference (view our special report or slide show). “No one wants to break up the status quo,” one said. “Online theft is a cost of doing business.” The basic message was this: All the key players are making too much money on the Internet to raise the red flag about the relatively low level of online theft — both monetary and identity-related.

To elaborate: Online retailers are happy — they’re making a lot of money off the Internet. The banks and online middlemen are happy — they’re making tons of money as well. Even the bad guys are happy with their take. So what if there’s an occasional attack we have to cover up? Life is too good to do anything that would gum up the machine.

There’s only one problem. Try telling that to the few unlucky individuals who, caught on the wrong side of the cybertracks after dark, get mugged for their cash or identity and then have to spend months or years fighting to clear their good name or get their money back.

Corporate America has ported the credit card security model to the Internet — tolerate the fraud, and simply spread the financial costs evenly across a huge base of cardholders and merchants. But the victims are different here. The potential harm to individuals is greater, harder to fix, and not as easy to just boil down to the numbers.

I’m not advocating a dictatorial Internet lockdown, mind you — although apparently the banks in Serbia do require two-factor authentication for any online account access. But I do think that dealing with online security statistically may eventually have a dampening effect on online usage.

Case in point: In my quest to write more about ROW (the rest of the world), I came across a Forrester research report about the online insurance business in Spain. Apparently, online insurance purchases in Spain have been restrained by lack of confidence in the cyber domain (not to mention the rain, which falls on the plain). Due to security fears, only 40 percent of Spanish adults use the Internet regularly, and just 10 percent of them shop online, according to Forrester — numbers that are far lower than other European countries.

So perception does matter, and ultimately everybody’s ability to transact securely will determine how widely the Internet is leveraged. There are no acceptable losses in online fraud.

Epilogue: Reach Out and Touch Someone I got a very solicitous call from AT&T this week, most likely responding to my recent column blasting its attitude toward customers.

It’s funny how you feel when you get a call like this, one that’s so helpful and apologetic. My only thought: You’re gonna call back all those thousands of other people, too, right? The ones who don’t have columns?