Thursday, August 20, 2009

Heartland my love

So the security-related part of the web is stirring over the Heartland breach going to court, and having fun mocking Heartland for falling for the oldest trick in the SQL injection book. Since the chief of staff of Israel's IDF was also a victim of credit card theft, newspapers in Israel feasted on this "hot news" item, to the extent that one blog even names Albert Gonzalez (the "brain" behind the attack; I wonder who Pinky is) "The Al Capone of Cyber Thieves".


A flurry of blog posts and articles followed, telling us that checking your credit report is important (really?) and pulling some chargeback stories from the attic. One even went as far as interviewing the manager of operations for one of Israel's issuers. Don't get me wrong: while I'm against trying to scare people, public education makes sense (though many times it is useless, as I have claimed in the past [Hebrew]). But the part I'm much more interested in is not the fact that a breach happened; those happen all the time, although some retailers just hide their negligence. What I’m interested in is the publication of such an indictment, and its effect on the psychological aspect of committing internet fraud.

You see, analysts profile people. We know who the average fraudster is: a young, tech-savvy male with a knack for gadgets and digital goods, who thinks he could get away with it pretty easily. The “getting away with it” part is the important one; be it the average fraudster or a desperate housewife looking to earn a few dollars defrauding buyers on eBay, the mental state needed to commit a felony on the web is much less delinquent in nature. Because the web is not “the real world”. Because doing it over the computer pushes it away from me. It’s not me; actually, it’s my avatar. And pressing charges in the real world against people who did wrong in the virtual world makes it as real as it gets. This, in turn, makes people a lot more aware of what they’re doing when they’re stealing – and the heuristics of a self-aware fraudster are different from those of one who isn’t. A fraudster who isn’t afraid of getting caught looks a lot more like your average Joe, and this is something we want to prevent. This is not only because risk analytics become easier (and legit people’s lives become better, since we need fewer “tricky” controls), but because indicting fraudsters is the right thing to do. Security and trust are, I believe, the key foundations of a thriving online community, and I’d like to help keep it as such.
