Rhodri Marsden: How can we stop these criminals in cyberspace?

It's disconcertingly easy for someone to pretend to be you and use your money
Click to follow
The Independent Online

I've had many pieces of well-meaning advice given to me by my father over the years – most of them ways to avoid repeating my embarrassing DIY errors – but one memorable maxim of his was "never let your credit card out of your sight".

Before the advent of PIN terminals, following this rule would require him to pursue slightly perturbed waiters around restaurants until they gave him a slip of paper to sign; I don't think he knew exactly what underhand deeds he was looking out for, but having never been defrauded while using the technique, he stuck doggedly to it. He never worried about what happened to the credit card information after the transaction – where his number might be stored and who might have access to it – figuring that that was all probably taken care of by companies employing sophisticated security measures. Most of the time, that's probably true. But not always.

On Monday, a 28-year-old Floridan by the name of Alberto Gonzalez, along with two unnamed Russian co-conspirators, were charged in the US for stealing some 130 million credit and debit card numbers by hacking into the databases of a number of American companies that process card transactions. Gonzalez, already in federal custody for his part in the previous record-breaking theft of 40 million card numbers, is alleged to have used sophisticated software to infiltrate the systems and scoop out the data. If found guilty, all three face 35 years in prison.

Those unfortunate enough to own one of the 130 million compromised cards will probably be spluttering in indignation as to why these companies hang on to such details anyway. The answer is that they're legally obliged to, for a length of time, in case of queried transactions. But why aren't they forced to do it in a way that doesn't put our own security at risk?

There is a worldwide standard (the PCI-DSS) that any companies dealing with cardholder information are obliged to sign up to, but many security experts have pointed out that it's possible to tick all the PCI's boxes and still be insecure. The offence allegedly committed by Gonzalez is as vivid an illustration of that as one can imagine.

For once, this lapse in online security has nothing to do with us, the general public. We're guilty of all manner of stupidity when it comes to our personal financial security – writing down PIN numbers on Post-it notes, using the word "password" as our password – but in this case there's nothing we could have done, save for withdrawing entirely from the 21st century and using cash instead.

So what should these companies be doing to protect us? Graham Cluley, from internet security firm Sophos, has expressed his disbelief that our card details aren't encrypted when they're stored, so that hackers just find random gobbledygook. "If they were properly encrypted," he says, "it would take until the sun burns out for anyone to decode it."

But it's not just the companies storing our details that need to shape up. The 130 million stolen credit card numbers would be of no use to anyone if they couldn't be used to buy stuff. Any masterminds wouldn't have been the ones picking a card number and using it to buy soft furnishings on eBay; they'd sell the numbers on to other criminals in blocks of a few thousand. But eventually, someone would pretend to be you and use your money, because it's still disconcertingly easy to do.

Online shopping is a click-happy cinch, but with that convenience comes risk; if you can tap out your 16-digit number, expiry date and a supposed "secret" three-digit number on the back of your card to book a flight to the South of France, so can anyone else. We may balk at the idea of carrying around an additional device (of the kind Barclays customers now have to use for online banking) to enter our PIN every time we make a credit card purchase online, but when these kind of measures are inevitably introduced, we'll have to grin and bear it. It's for our own good, after all.

As for the likes of Alberto Gonzalez, they're talented individuals capable of writing sophisticated software that can detect weaknesses in even the strongest computer defences. Indeed, such characters frequently find themselves with job offers in the industry following their release from prison. But after a 35-year stretch, technology is likely to have marched on a bit too far for anyone to catch up. Marched on so far, one would hope, that our money would finally be safe from marauding cybercriminals. Fingers crossed.