Archive for the ‘Technology’ Category

Grocery Store Data Breach Puts 4.2 Million at Risk

Tuesday, March 18th, 2008

PAPER OR PLASTIC?

We are starting to hear more and more about data breaches where credit card accounts are lost (hence the need to outline Credit Card PCI Compliance). The most recent is the breach in which 4.2 million credit card/debit card numbers were lost at Hannaford Grocery Stores (in the Northeast and at their other chain in FL). Here is the basic article. Already 1500 known cases of fraud have occurred as a result of this breach.

While many are looking at how this happened, and we may or may not ever find that out, a couple of items stick out.

  • Once the breach was discovered, it took about 3 weeks to fix. I understand there are technical issues, but essentially Hannaford weighed the risk of shutting down credit operations against the inconvenience of fraud to its customers. Where do you think they stood?

  • If Hannaford had shut down even just the debit card operations (and still allowed credit), the risk would have been lower for its customers (at a cost of 1 - 1.5 % of the value of the charges, and an inconvenience for those whose check cards for some reason cannot be used as a credit card).

Ever wonder why if you get cash at an ATM, they charge you up to $3.00, but to get cash back at a store, you get charged nothing? Or why in many places they make it more difficult to do a credit operation vs a debit operation? The answer is simple again - money. Stores are charged a percentage of the value of goods when running a credit operation (let's say 2%). When running a debit operation it's a flat fee (around ten cents). In either case, the cost is passed to you, the consumer, which is why stores prefer debit. They can offer lower prices the more debit is used OR get a bit higher short-term profit. So they push debit operations by offering cash back and discourage credit by requiring signatures, paper slips, etc. So you may prefer using debit - it helps your store lower prices - but remember security. With debit charges, you are almost immediately responsible for the charges, whereas when the same card is used as a credit card, your charges (and losses) are insured.

In this case, it may be time to rethink debit vs credit for most people and use credit… unless you want to go way back and pay cash or check. It is also time to rethink stores' liabilities once they discover a breach. The primary concern should be protecting the customer - in this case, when breaches are discovered, debit operations at a minimum should be suspended. Of course, if the breach is due to negligence on the store's part, who ultimately pays for credit operations will be in play between the store and the credit corporations, but at least in some small part a customer's security is a little better. Yes, I realize that identity theft will still need to be monitored and more can happen, but at least your money is a tiny bit safer that way.

Simply put, in at least one area, response to the consumer, Hannaford failed in their corporate governance.

Basic Security Issues - User Name and Password Social Engineering

Monday, March 10th, 2008

or Uncommon Sense was a Common Virtue

A recent post on Codinghorror.com having to do with misuse of data (appropriating user names and passwords) caught my interest. In this case, a developer was offering a free piece of software to archive a user's GMail account onto the user's computer. By doing this, one could access one's GMail offline OR restore GMail if somehow one's mail was lost. The person using this software had to supply their username and password so the program could download the email, which makes sense. This is no different from setting up any email reader. Unfortunately for the user, the developer of the software put in his code a means to forward the user name and password to his own GMail account. It turns out over 1700 people had unwittingly given this developer their email account password and username. The software's name is G-Archiver.

This falls within one of the simple tenets of social engineering. Offer something free (even if relatively useless) and people will give away personal information (user names, passwords, email and physical addresses, etc.). Even more ironic is that by using normal email clients from reputable open source shops or software firms, one could download one's GMail easily. In other words, this software that was downloaded for no cost provided no real value but preyed on users' ignorance of what else may be available.

This also highlights a danger in Freeware/Shareware/etc. Without knowing what company you are buying from, you may never know what you are getting into. Freeware/Shareware from well known sources may help and, of course, buying software from well known companies may work as well. Neither immunizes one from people misusing personal information, but at least there may be some legal recourse, or the company/group may have a self-interest in protecting their reputation (and your data by extension). Finally, a lot of people use similar usernames and passwords for their email account and other systems. For those that haven't thought about this, keep in mind that once someone has your email username and password, it may be very easy to access all your other accounts. For example - you receive a monthly banking account reminder in your email from www.mybank.com. The person with access to your email account can now go to www.mybank.com and log in, trying the same username and password you use for your email access. If it works on the bank site, they can get your bank account number and even authorise transactions. For those users that think their bank account number is hidden (many websites only show the last 4 digits), just pull up your paper statement or a check image… If you think you're safe because your password is different, all they need to do is have the user name (or in some cases even the email address), click on "forgotten password", and the password is emailed to the account that they have already accessed! Lesson - never use your email address/user name or password for other accounts, and make sure you know when you are giving out your username and password. If you're doing that right now, you may want to consider changing your ways… Thoughts?

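The reuse chain described above (mailbox credentials tried at the bank, or a password reset landing in the already-compromised mailbox) can be audited before it is exploited. The following is an added example, not code from the original post: it runs over a constructed credential export and flags every site that reuses the mailbox username or password, plus any password shared between other sites. The record fields (site, username, password) and the MAILBOX_SITES set are my assumptions about the export format, not any particular password manager's.

```python
from collections import defaultdict

# Constructed sample export (not real credentials); the field names are assumed.
SAMPLE_EXPORT = [
    {"site": "mail.example.net", "username": "alice@example.net", "password": "Winter2008!"},
    {"site": "www.mybank.com", "username": "alice@example.net", "password": "Winter2008!"},
    {"site": "forum.example.org", "username": "alice", "password": "Winter2008!"},
    {"site": "shop.example.com", "username": "alice_shop", "password": "correct horse battery"},
    {"site": "news.example.com", "username": "alice", "password": "correct horse battery"},
]

# Assumed: the site(s) hosting the user's mailbox, i.e. where password-reset mail lands.
MAILBOX_SITES = {"mail.example.net"}


def find_reuse(records, mailbox_sites):
    """Map each site to a list of reuse findings.

    Two checks: (1) any other site that reuses the mailbox username or password,
    which is the chain the post describes; (2) any password shared between sites
    generally, reported once per site. Sites with no finding are absent."""
    mailbox = [r for r in records if r["site"] in mailbox_sites]
    mailbox_users = {r["username"] for r in mailbox}
    mailbox_pws = {r["password"] for r in mailbox}
    findings = defaultdict(list)

    # Check 1: anything that lets a mailbox compromise turn into another login.
    for r in records:
        if r["site"] in mailbox_sites:
            continue
        if r["username"] in mailbox_users:
            findings[r["site"]].append("username is the mailbox login")
        if r["password"] in mailbox_pws:
            findings[r["site"]].append("password is the mailbox password")

    # Check 2: plain password sharing between any sites, one line per site.
    sites_by_pw = defaultdict(set)
    for r in records:
        sites_by_pw[r["password"]].add(r["site"])
    for pw, sites in sites_by_pw.items():
        if pw in mailbox_pws or len(sites) < 2:
            continue  # already reported by check 1, or not shared at all
        for s in sorted(sites):
            findings[s].append("password shared with " + ", ".join(sorted(sites - {s})))
    return dict(findings)


if __name__ == "__main__":
    for site, problems in sorted(find_reuse(SAMPLE_EXPORT, MAILBOX_SITES).items()):
        print(site)
        for p in problems:
            print("  -", p)
```

On the sample data the bank account is flagged twice (same login name and same password as the mailbox), the forum once for the password alone, and the shop and news sites only for sharing a password with each other; the mailbox entry itself is never listed, since it is the reference point.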
How To Sell Your Product

Thursday, January 31st, 2008

Or Viral Marketing vs Joe Sixpack

Guy Kawasaki wrote in his blog recently (blog.guykawasaki.com) a post titled "Forget the A List After All", which actually references another blog post called "Is the Tipping Point Toast" from Fast Company Magazine. Essentially they refute "The Tipping Point" through some research that says "Influencers" actually have very little impact on a trend, and that mass marketing is the most effective means to market an item, depending on whether society is ready for a trend. I think the answer really is somewhere in the middle. Like many quoted in the article, I find it hard to believe that someone whom others wish to emulate and who has a lot of connections (either personally or through the media) would have the same impact as joe blow in suburbia. If that were the case, I don't think there would be the success of the whole paparazzi / People magazine culture where everyone wants to see what these stars are wearing.

 

If we take the old model with influencers and just assume they have more connections (we aren't even talking influence here, just the number of connections), and do your typical "2 friends tell 2 friends" progression, with the exception of the influencer (I put 100, but I think in many cases the influencers would reach many more people), you get the following table (courtesy of Open Office). Of course, in this case this is just getting the word out (in other words, before the trend hits).

Time Period   Number without Influencer   Number with Influencer   % Increase
     1                    2                          2                  0
     2                    4                          4                  0
     3                    8                          8                  0
     4                   16                        800               5000
     5                   32                       1600               5000
     6                   64                       3200               5000
     7                  128                       6400               5000
     8                  256                      12800               5000
     9                  512                      25600               5000
    10                 1024                      51200               5000
    11                 2048                     102400               5000

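The table is a simple recurrence, and it is easier to try other assumptions (a bigger influencer, a different period, three friends instead of two) in code than in a spreadsheet. The following is an added example, not from the original post or its spreadsheet: it reproduces the table's two columns and adds the computed comparison. Note that the post's "% Increase" column shows 5000 from period 4 on, which is the 50-fold ratio (800 vs 16) expressed in percent; the strict percent increase for that row is 4900, so the function returns both. The parameter names and defaults are my assumptions, chosen to match the table.

```python
# Added example (not from the original post): the "2 friends tell 2 friends"
# spread model behind the table, parameterised so other assumptions can be tried.
# Assumed model, matching the table: everyone reached in one period reaches
# `branching` new people in the next; in `influencer_period` the audience is
# multiplied by `influencer_reach` instead (the post's 100 at period 4).


def reach_without_influencer(periods, branching=2):
    """People reached in each period when everyone tells `branching` others."""
    return [branching ** t for t in range(1, periods + 1)]


def reach_with_influencer(periods, branching=2, influencer_period=4, influencer_reach=100):
    """Same progression, except that one period's growth factor is `influencer_reach`."""
    counts, n = [], 1
    for t in range(1, periods + 1):
        n *= influencer_reach if t == influencer_period else branching
        counts.append(n)
    return counts


def growth_table(periods=11, branching=2, influencer_period=4, influencer_reach=100):
    """Rows of (period, without, with, ratio, percent_increase).

    ratio is with/without (50 for 800 vs 16, which the post prints as 5000);
    percent_increase is the strict 100*(with-without)/without (4900 for that row).
    """
    without = reach_without_influencer(periods, branching)
    with_inf = reach_with_influencer(periods, branching, influencer_period, influencer_reach)
    rows = []
    for t, (a, b) in enumerate(zip(without, with_inf), start=1):
        rows.append((t, a, b, b / a, 100 * (b - a) / a))
    return rows


def print_table(rows):
    print(f"{'Period':>6} {'Without':>10} {'With':>10} {'Ratio':>7} {'% incr':>8}")
    for t, a, b, r, p in rows:
        print(f"{t:>6} {a:>10} {b:>10} {r:>7.0f} {p:>8.0f}")


if __name__ == "__main__":
    print_table(growth_table())
    # Halving the influencer's reach still leaves a 25x gap from period 4 on.
    print_table(growth_table(influencer_reach=50))
```

Whatever the influencer's reach, the gap it opens is a constant multiple from that period onward, because both branches grow by the same factor afterwards; the model only says something about how early the word gets out, not about whether the trend takes.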
Side Notes: I found the article interesting regarding Malcolm Gladwell's response. He respects the work even if it is in opposition to his own, stating that the answer is likely somewhere in between, and he likened it to his disagreements with Mr Levitt (Freakonomics) on the reduction in crime (Broken Windows theory vs increased abortions). It was interesting, as in a short comment I had put in a book review on Goodreads.com, I noted that Gladwell blurbed Levitt's book, but the book disagreed with Gladwell's use of the Broken Windows theory. Originally I was disappointed in both books (The Tipping Point and Freakonomics) as they seem to have answers that are too neat. In here Gladwell almost recognizes that, which tends to make me like him more. I guess for books to sell (or magazines in the case of Fast Company), they need to be conclusive, even if the real answers are not so pat.

Of course I found this post through an influential blogger and technologist (I saw him speak a while back on “The Art of the Start”) so that is a little ironic.