Bell Canada was hacked this past weekend, the Financial Post reported, as the passwords for over 20,000 of their Quebec- and Ontario-based small business customers were posted online for all to see.
NullCrew, the Anonymous-affiliated group claiming responsibility for the incident, failed to provide a reason for the attack. Included in the breach were five valid credit card numbers, which raises the question: so what?
Anecdotally, my own credit card has been compromised three times. In each case, i identified the “unrecognized charges” to the credit card company (VISA, in this case), and they promptly removed the charges with no penalty or hassle. In at least two of these cases, the charges were for gas, and in one instance, the charges were for phone sex services, which were a little more amusing to protest.
In one case, i was instructed to take my card to the issuing bank. i clearly remember standing in a very long line in front of a teller kiosk, just as we were coming into the busy Christmas season. A bank manager was re-routing customers like a traffic cop. “New accounts? Over here. Withdrawals? Please move into that line.” i asked him if i really needed to wait in the gigantic queue. “Credit card fraud?” he asked. “Yep—you’re in the right line.”
When i reached the teller, she snipped my VISA with a pair of scissors, and put the plastic fragments into a fishbowl filled to the brim with other mutilated cards.
“Wow!” i said. “Are those all the defrauded cards you’ve had to cut up this week?”
“No,” she said. “These are the cards I’ve had to cut up this morning.” This incident was prior to my being issued a chip-enabled smart card, which has likely cut down considerably on the contents of that fishbowl.
Having your credit card compromised is constantly invoked as a terrifying bogeyman in privacy and online security debates. The only people these stories should unsettle are the issuing banks and credit card platforms themselves; VISA, Mastercard, and pals would never dare hold a small business accountable for unauthorized charges in a clearly criminal breach like this one, where the culprits even tweeted about their actions online.
Alarmist news stories warning of credit card theft serve to stall technological innovation and e-commerce, by making average people afraid to use their credit cards online. In my own experience (and again, it’s anecdotal), reclaiming money stolen from a duplicated Interac bank card is a much more challenging and arduous process than what i went through with VISA. It involved sworn affidavits and repeated stern warnings from bank employees to keep my PIN secure (even though PIN insecurity did not factor into the theft). Despite this, most moms and dogs feel safe and secure using Interac.
Similarly, i doubt that in a widespread hack like this one Bell Canada would hold its customers responsible for any resulting shenanigans. The biggest risk faced by Bell’s small business customers in this case is if the customers’ passwords were the same or similar for any other services they may use. In that case, the hacking incident serves as a good reminder to everyone: don’t use a one-size-fits-all password, don’t doubt the customer retention policies of your credit card company, and don’t put too much stock in a major Canadian telecom that can be so easily exploited by a group of listless teenagers out for a joyride on a Sunday afternoon.