Credit card fraud has always fascinated me. I am intrigued by how easy it is for the criminals. I am astonished at how little is being done to stop it. I wonder why proven solutions are not being rolled out. Innovation is too slow in this area. Scroll down if you want to view the video before reading.
Hiding in plain sight
A credit card works much like one of those fabled numbered accounts in a Swiss bank. Just show up at the bank, give the number and collect the money. This is a good security model, as long as the number remains secret.
On a credit card, the “secret” number is in plain view. Anyone with a web browser can use that information to buy things online. Anyone with a cheap printer and a set of blanks can create duplicates. The duplicates may not be good enough to pass manual scrutiny, but no one really looks at the card.
The PIN code offers some protection, as long as it is not shared with anyone. Of course, every time you use it, you share it. It is easy for third parties to intercept it with cameras, skimming devices or simple peeking.
The protection against credit card fraud is there
Modern cards have smart protection. It is next to impossible to duplicate one of those cards. The secret number (private key) remains secret within the card. The only way to use the card is if you take it through theft or robbery. That is a whole different ball game than remote fraud committed against anonymous people – people who get indemnified by their bank anyway.
Credit card fraud would be eliminated overnight if all transactions required cryptographic verification. The problem is that many merchants, both online and in brick-and-mortar stores, do not require high security. At the beginning of 2016, only 33% of credit card terminals in the US supported secure transactions. Those who have not upgraded by the end of the year will have to take the credit risks themselves.
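The difference between a static card number and per-transaction cryptographic verification, as an added example that is not part of the original post. It is a simplified model: HMAC with a per-card key from Python's standard library stands in for the chip's private-key operation, and the class names, card number and amounts are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _message(pan, amount, challenge, counter):
    return f"{pan}|{amount}|{challenge.hex()}|{counter}".encode()

class ChipCard:
    """Constructed model; HMAC stands in for the chip's private-key operation."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def authorize(self, amount, challenge):
        self._counter += 1  # every transaction gets a fresh counter value
        msg = _message(self.pan, amount, challenge, self._counter)
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount, "counter": self._counter, "tag": tag}

class Issuer:
    def __init__(self):
        self._keys, self._last = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def verify_static(self, pan):
        return pan in self._keys  # weak: knowing the number is the whole proof

    def verify_cryptogram(self, resp, challenge):
        key = self._keys.get(resp["pan"])
        if key is None or resp["counter"] <= self._last[resp["pan"]]:
            return False  # unknown card, or a counter value already seen
        msg = _message(resp["pan"], resp["amount"], challenge, resp["counter"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["tag"]):
            return False  # tag does not match this amount and challenge
        self._last[resp["pan"]] = resp["counter"]
        return True

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")  # constructed sample number
    c1 = secrets.token_bytes(8)
    resp = card.authorize(4999, c1)
    genuine = issuer.verify_cryptogram(resp, c1)
    replay = issuer.verify_cryptogram(resp, secrets.token_bytes(8))
    altered = issuer.verify_cryptogram({**resp, "amount": 999999, "counter": 2}, c1)
    static = issuer.verify_static(resp["pan"])
    return genuine, replay, altered, static
```

The genuine response verifies once; the same response presented again, or with a changed amount, is rejected, while the static check accepts anything that carries the number.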
By the end of this year, most US merchants will have upgraded their credit card terminals. I would have hoped that merchants would have abandoned insecure payments by now. Until now, it has been in their best interest to not do it. Money does not smell and the merchant is not the criminal. Most everyone is against crime but would not invest their own money to altruistically protect others.
Putting the credit card fraud risk where it belongs
People will not invest in risk management innovations unless they own the risk. People protect their homes and businesses with locks, burglar alarms, fire alarms and so on. I am pretty convinced that many do it, not because it deters and delays criminals, but because laws, regulations and insurance companies require that they do so.
We need to stop treating publicly and semi-publicly available information as if it were a shared secret. Credit card numbers are not the only piece of information that is easily obtainable by criminals and useful for fraud. If you can look up the information to verify it, so can the criminals.
As a society we need to drastically improve the ability to trust each other through appropriate security innovation. In some areas we need to wait for invention to catch up with the threats. Credit card fraud is not one of those areas.
Watch the video
Watch this video where I discuss the problems of credit card fraud with Jan Eldenmalm and Casimir Artmann. Jan also gives you some advice on what you can do as a consumer to protect yourself from credit card fraud when merchants, banks and credit card companies do not.
Part of a series
This is part 20 of an ongoing conversation on Innovation between me and Gene Hughson.
In part 18 I talked about the need for conservatism, newer does not mean better. But there are limits to conservatism. Proven solutions to known and rapidly growing problems need to be implemented now.
In part 19, Gene reminded us of an excellent example – the Sherman tank. It was not better than the German tanks on a one-on-one basis, but there were more of them. The story shows how sometimes you know that there are innovations that you could implement, only you can’t. As for the credit cards, it’s not “can’t” but “won’t”.
- Credit card fraud: Lance Cpl. Brandon R. Holgersen via Wikimedia Commons | PD
- Barclays Pinsentry: Ashley Pomeroy at English Wikipedia | CC BY 3.0
This past week I traveled from Pennsylvania to Nebraska to visit my son and his family in their recently purchased home. As a housewarming gift, I took my son to a local store to pick out a big, flat screen television.
I don’t use credit cards often. I have an 800+ FICO score and I am careful to protect that. My bank credit card was declined. I was embarrassed, but pulled out my Discover card and handed it to the clerk. It was also declined. My first thought was, “I’ve been hacked!”
I used my American Express and it was accepted. Within 10 minutes, I received a phone call and text message from Discover asking me to call them. A few moments later, I received a text message from my bank explaining my card had suffered a “fraud alert”.
I called my bank and they explained they had shut the card off because I hadn’t informed them in advance that I’d be traveling. They demanded to know what dates, exactly, I’d be away from home. I told them I didn’t know, that my schedule was flexible. They refused to turn the card back on until I committed to an exact date. I’m furious with them and far from done with them.
The Discover system they had me call was automated and simply asked me to verify the last two charges I had made on the card and it was promptly restored.
I’ve been reading case studies on Machine Learning in credit decision making systems lately and I intend to try to find out what rule sets these two companies have in common that would trigger a fraud alert for simply being out of my normal usage area.