Credit card fraud has always fascinated me. I am intrigued by how easy it is for the criminals. I am astonished at how little is being done to stop it. I wonder why proven solutions are not being rolled out. Innovation is too slow in this area. Scroll down if you want to view the video before reading.
Hiding in plain sight
A credit card works much like one of those fabled numbered accounts in a Swiss bank. Just show up at the bank, give the number and collect the money. This is a good security model, as long as the number remains secret.
On a credit card, the “secret” number is in plain view. Anyone with a web browser can use that information to buy things online. Anyone with a cheap printer and a set of blanks can create duplicates. The duplicates may not be good enough to survive manual scrutiny, but no one really looks at the card.
The PIN code offers some protection, as long as it is not shared with anyone. Of course, every time you use it, you share it. It is easy for third parties to intercept it with cameras, skimming devices or simple peeking.
The protection against credit card fraud is there
Modern cards have smart protection. It is next to impossible to duplicate one of those cards. The secret number (private key) remains secret within the card. The only way to use the card is if you take it through theft or robbery. That is a whole different ball game than remote fraud committed against anonymous people – people who get indemnified by their bank anyway.
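The difference between a number that is shown to everyone and a key that stays in the card, as an added example that is not part of the original post. It assumes an HMAC over a card-held key as a stand-in for the card's private-key operation (to stay within the Python standard library); `Card`, `Issuer`, `_tag`, `demo` and the sample number are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not real card data.
PAN = "4000000000000002"
CARD_KEY = secrets.token_bytes(32)  # lives in the chip; the issuer holds a copy

def _tag(key, pan, amount_cents, nonce, counter):
    msg = f"{pan}|{amount_cents}|{nonce.hex()}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Card:
    """Hypothetical chip card: the key never leaves this object."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def authorize(self, amount_cents, nonce):
        self._counter += 1  # every approval gets a fresh counter value
        return self._counter, _tag(self._key, self.pan, amount_cents, nonce, self._counter)

class Issuer:
    """Hypothetical issuer supporting both models, for comparison."""
    def __init__(self, pan, key):
        self.pan, self._key, self._last_counter = pan, key, 0

    def verify_static(self, pan):
        # Number-only model: knowing the number is all that is checked.
        return pan == self.pan

    def verify_cryptogram(self, pan, amount_cents, nonce, counter, tag):
        if pan != self.pan or counter <= self._last_counter:
            return False  # unknown card, or a stale/replayed counter
        if not hmac.compare_digest(tag, _tag(self._key, pan, amount_cents, nonce, counter)):
            return False  # tag was not produced by the card for these exact values
        self._last_counter = counter
        return True

def demo():
    card, issuer = Card(PAN, CARD_KEY), Issuer(PAN, CARD_KEY)
    nonce = secrets.token_bytes(8)  # terminal's unpredictable challenge
    counter, tag = card.authorize(2500, nonce)
    return {
        "static_number_reused": issuer.verify_static(PAN),  # number alone is accepted
        "genuine": issuer.verify_cryptogram(PAN, 2500, nonce, counter, tag),
        "replayed": issuer.verify_cryptogram(PAN, 2500, nonce, counter, tag),
        "altered_amount": issuer.verify_cryptogram(PAN, 99900, nonce, counter + 1, tag),
    }
```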
Credit card fraud would be eliminated overnight if all transactions required cryptographic verification. The problem is that many merchants, both online and in brick-and-mortar stores, do not require high security. At the beginning of 2016, only 33% of credit card terminals in the US supported secure transactions. Those who have not upgraded by the end of the year will have to take the credit risks themselves.
By the end of this year, most US merchants will have upgraded their credit card terminals. I would have hoped that merchants would have abandoned unsecure payments by now. Until now, it has been in their best interest to not do it. Money does not smell and the merchant is not the criminal. Most everyone is against crime but would not invest their own money to altruistically protect others.
Putting the credit card fraud risk where it belongs
People will not invest in risk management innovations unless they own the risk. People protect their homes and businesses with locks, burglar alarms, fire alarms and so on. I am pretty convinced that many do it, not because it deters and delays criminals, but because laws, regulations and insurance companies require that they do so.
We need to stop treating publicly and semi-publicly available information as if it were a shared secret. Credit card numbers are not the only piece of information that is easily obtainable by criminals and useful for fraud. If you can look up the information to verify it, so can the criminals.
As a society we need to drastically improve the ability to trust each other through appropriate security innovation. In some areas we need to wait for invention to catch up with the threats. Credit card fraud is not one of those areas.
Watch the video
Watch this video where I discuss the problems of credit card fraud with Jan Eldenmalm and Casimir Artmann. Jan also gives you some advice on what you can do as a consumer to protect yourself from credit card fraud when merchants, banks and credit card companies do not.
Part of a series
In part 18 I talked about the need for conservatism: newer does not mean better. But there are limits to conservatism. Proven solutions to known and rapidly growing problems need to be implemented now.
In part 19, Gene reminded us of an excellent example – the Sherman tank. It was not better than the German tanks on a one-on-one basis, but there were more of them. The story shows how sometimes you know that there are innovations that you could implement, only you can’t. As for the credit cards, it’s not “can’t” but “won’t”.