TJX Companies suffers a long-term hacker breach and information related to more than 45 million credit cards is accessed by unauthorized parties. To put this in perspective, there are only about 180 million adults in the United States (out of more than 300 million people). If you assume that most of those adults have some form of available credit (many won’t because of personal choice, incarceration, bankruptcy, etc.), this breach alone compromised a quarter of the U.S. population’s cards.
Of course, as TJX has stated, many of the cards were expired or otherwise protected -- but the percentage is nevertheless staggering.
At what point will we do something different to protect ourselves?
Even wilder is that identity and credit card theft has become so common that not only have readers grown numb to the press stories, but the credit card companies and banks are treating it with an attitude that's almost laissez-faire. It's becoming clear to me that credit card and identity theft are so common that the affected companies barely react. Here are some anecdotal stories that led me to that conclusion:
The first story was related to me by the CIO of a large international bank. He proactively reviews his credit card bills online and noticed a charge from Yahoo for an e-mail account. Because he has been a Hotmail user for 10 years and has never used Yahoo, this surprised him. He called Yahoo and was eventually put through to the billing department, where he disputed the charge.
The agent tried to reassure him that it was probably just somebody else he had authorized to use his credit card, like a family member or employee. He asked them for the e-mail account name so he could confirm or deny that implication, even though he was pretty sure that wasn’t the case. Get this -- Yahoo wouldn’t reveal any of the e-mail information to him. They said he didn’t have rights to the information. He paid for it, but he didn’t have the right to hear the details of the account he had supposedly opened!
They -- and I'm not making this up -- essentially interrogated him for more personal information: his credit card number, the CVV number on the back of the card, birth date, place of birth, mother's maiden name, and a secret question and answer that only he would know. At this point, I asked the CIO whether he was really being phished, since the Yahoo agent was asking for all the information anyone would need to steal his identity, and by his own account he had no prior relationship with Yahoo. Personally, I would not have given out the information.
Yahoo used the CIO's information to verify that none of the personal information matched the account details on file, and said it would reverse the charge and close the account. The CIO still wanted to know who had opened the account, in case it revealed something useful in determining how his card was compromised (the false account owner's location, name, date, etc.). Yahoo wanted him to mail or fax an official letter requesting the information and stating the reason for the request. This amazes me: The CIO had just given Yahoo every bit of evidence needed to prove the e-mail account was bogus, yet somehow that isn't enough?