Recently, I experienced a very real instance of life imitating art. For all the years that I have been writing, speaking and strategising over all things cyber security, I became a victim of fraud not once – but twice – during the past fortnight. Aside from the usual stress of having to deal with ‘ongoing investigations’ and delinking debit cards from my Amazon account, the whole experience has demonstrated some pretty worrying differences between how various businesses treat security breaches.
My particular case concerns a big-name retailer (not Target) and a high street bank, both of which will remain nameless. Starting with the bank, I was informed last week that there had been ‘suspicious activity’ on my debit card. These calls always strike fear in my heart – as I usually have to admit that those embarrassingly extravagant indulgences were indeed genuine – but it turned out that it was indeed a case of ‘proper fraud’ this time. Upon inspection, it emerged that my details had been cloned and (while I wish it were me spending hundreds in Milan) I informed the bank that the transaction was indeed illegitimate. The point here is that the bank had the appropriate measures in place to immediately spot the obvious problem with me buying a Snickers in Southwark and then using the same card ten minutes later to buy fine tailoring in Milan, realise that something was up and alert me right away. Having established that the transactions were fraudulent, I was promptly reimbursed and the card stopped. Sorted.
Moving on to the more painful experience, I contacted a certain retailer to report a gift card that had been used fraudulently – suspiciously dropping in value while being sat in my bedside cabinet untouched. The occurrence of fraud was clear; there was no doubt in my mind that it had been scraped or cloned. However, from my conversations with customer services, you would have thought we were collectively trying to answer the Billion Dollar Question. Despite countless calls over a fortnight, nobody had a clue what happened, where to start with the investigation (hint: CCTV or transaction records?) or how the situation would be resolved. Each call to the head office struck palpable fear and panic in the clueless employees who lack an adequate ‘fraud prevention’ point person. In short, it is as if these guys had never heard of fraud or that cyber crime was a far-off concept they had neither encountered nor planned for, which is both surprising and worrying.
It is my misfortune that the two incidents happened in such close proximity, but it has only improved the juxtaposition between good IT security and bad IT security. The lesson that I have learned is that there are some organisations – even large retail chains – that are so behind the times when it comes to fraud prevention and cyber security that it is disturbing. For all of the Government speeches and calls to become more ‘cyber street wise’ – not to mention all of the tech PRs like myself relentlessly shouting about the need for next-generation cyber security – you would think that businesses would be leading the way and making it safer for consumers. At the very least, with cyber crime and fraud pretty much inevitable in today’s society, I would expect a much better understanding of the risk and clear policies to deal with consumers who are in fact the victims here.