A simple solution to credit card fraud, and why you won't see it any time soon (rongarret.info)
138 points by lisper on Feb 22, 2013 | 127 comments



Overreacting, shallow, misleading and bait-link article.

Overreacting:

- the most up-to-date technologies for anti-credit card fraud, namely variants of smart card/EMV, are already available and widely used by all the large credit card providers and banks in the EU and Asia (excluding domestic transactions in China and Japan). There are even US providers who use it in some situations.

- in addition, most merchants in those regions have upgraded their PoS terminals for smart cards and in some cases refuse to accept non-smart credit cards.

- he made no case for how HSBC money laundering and subprime crisis have anything whatsoever to do with anti-fraud credit card technologies. Just randomly put it out there...

Shallow:

- Not even a minor reference to the specific technology being discussed is made, only a vague mention of "public-key cryptography".

Misleading:

- the credit card industry HAS and IS deploying the most up-to-date technology. In some regions, e.g. US, there are legal or infrastructure barriers that take time to overcome.

- the key moment at which the new infrastructure is rapidly rolled out and fully enters the public consciousness is associated with the "liability shift" when credit card infrastructure providers push liability for fraud to merchants, therefore forcing merchants to upgrade their equipment and processes:

-- Mastercard is implementing a liability shift for point of sale terminals in October, 2015. For pay at the pump, at gas stations, the liability shift is October, 2017. For ATMs, the liability shift date is in October 2016.

-- Visa is implementing a liability shift for point of sale terminals on October 1, 2015. For pay at the pump, at gas stations, the liability shift is October 1, 2017. For ATMs, the liability shift date is October 1, 2017. [1]

Bait-link:

- a solution is already out there. It is based on "public key cryptography". Whether it is "simple" or not is a matter of opinion at this point, without any further clarification by the author. Nothing he has proposed has improved on the solution.

[1] http://en.wikipedia.org/wiki/EMV#United_States


> the credit card industry HAS and IS deploying the most up-to-date technology. In some regions, e.g. US, there are legal or infrastructure barriers that take time to overcome.

And why is that, you think? People are somewhat surprised that a magstripe is still even considered valid here and have been for years. I've seen zero chip readers in the US. It's been more than five years since I've heard of a merchant using magstripes in the EU.

The industry in the US isn't toothless. Nor is the government. They seemed perfectly capable of banning betting and sales of illegal goods or donations to causes they disapprove of. Yes, they are now starting to roll out stuff. I have no idea how they're going to do it seeing as they're apparently still living in the remote past. Can they roll out all this by 2017? Perhaps. Meanwhile, in the EU Square Up is distributing free chip readers for android or iphone, same as the US side does for magstripes. Which they can then transmit over the nice 100 Mbit fiber. Apparently, it wasn't that damn hard, except in the US.


> I've seen zero chip readers in the US.

I was in the US last summer for two weeks, and I saw several. Perhaps because I'm used to chip and pin?

> in the EU Square Up is distributing free chip readers for android or iphone

No they aren't, I think they said they were going to but there's no way to get one from them right now.

On the small business angle, chip and pin in the UK has been a nightmare for small retailers. It's been in for several years now and things like Square are much more recent. A chip and pin device is not cheap - far more than many small businesses can afford.

By 2015 (which is the liability date for point of sale terminals and you bet your boots they will change those machines quickly once it's costing them money) Square and things like it will be mature and ready, so hopefully you guys will make the transition much more easily than we are!


"he made no case for how HSBC money laundering.."

Banks make money on transactions regardless of whether they are fraudulent, criminal, or not. I think the argument is that as long as banks profit from illegal activity (identity theft) they have no incentive to take steps to reduce that profit. They lose money if the security is too strong or too weak. Apparently the security we get is just right (for the banks).


I agree the OP is overreacting and thin on details (and whiny) but this post completely misses that the main thrust is card-not-present situations and the US.


EMV only seems to secure offline transactions at merchants and ATMs. How does it protect information for online and phone payments?


As part of EMV, the liability is typically shifted to the merchant for non-EMV authenticated transactions. This provides strong motivation for merchants to do a better job of filtering out fishy transactions.

The only solutions I've seen to using EMV itself for online/phone transactions involve having a more advanced card (i.e. with LCD token readout) or a standalone card reader to interact with the chip.

E.g.: ftp://ftp10.us.freebsd.org/users/azhang/disc/springer/0558/papers/2455/24550388.pdf


Merchants already have to pay back the transaction, plus a charge, plus we're out the merchandise. We already have plenty of incentive to spot fraudulent transactions.

What is needed is a better system.


Cut me a little slack, OK? This is just the beginning of a long story.


Why...? If he's wrong, surely you can rebut him, and if he's right, then how does being part of a long story change that?


I can and I will but right now I'm on an airplane


If it's not ready to be read, why was it posted?


Long stories are not told entirely in the first chapter.


Because we buy books with only one chapter, these days?


This isn't a book, and you aren't paying for it. Also, books are also assumed to be a finished product if they're being published, unlike a blog post that explicitly states it's the first of several. Not really an applicable analogy.


So is he planning on modifying the blog post to be of higher quality, or is it okay to be sloppy because he'll totally explain everything in the next chapter?


To expand upon the author's idea, the problem is not just that credit card data is reusable, but that possession of credit card data amounts to permission to charge any arbitrary amount to it. Not legal permission, mind you, but permission in the sense that the infrastructure lets you do it, and you have to sort out the consequences through social/legal channels after the fact.

Not only should future payment systems be based on cryptography, but they should also require an affirmative step on the part of the payer to initiate a given transaction of a given amount. In other words, it shouldn't be a matter of handing over your card number, or even a one-use cryptographic token, and letting the merchant fill in the details. You should have to explicitly send an amount of money that you specify. Then, of course, a smart merchant would verify that the amount is correct before fulfilling her end of the bargain.

In other words, the process should be that the payer gives money to the payee, not that the payee takes money from the payer.

Unfortunately, as the author points out, progress on this front has been almost nonexistent with respect to the established credit card networks. We may have to hope/work for a totally new system to replace it. (Perhaps Bitcoin, or something inspired by it.)


> possession of credit card data amounts to permission to charge any arbitrary amount to it

The word you're looking for is "capability", not permission. Permission requires consent, which is something you give separately from the actual card number.

A minor point, but I think it changes the tone of that statement.

> possession of credit card data amounts to the capability to charge any arbitrary amount to it

I'm not sure anyone is ignorant of this fact though, and yet everyone seems OK with it.

> Not only should future payment systems be based on cryptography, but they should also require an affirmative step on the part of the payer to initiate a given transaction of a given amount. In other words, it shouldn't be a matter of handing over your card number, or even a one-use cryptographic token, and letting the merchant fill in the details. You should have to explicitly send an amount of money that you specify. Then, of course, a smart merchant would verify that the amount is correct before fulfilling her end of the bargain.

Ugh, no thanks. The system you describe is more like cash. I have to actively dole out the necessary amount, and then receive change that is counted at each transition. I abhor these types of transactions.

Convenience is a significant motivator in the adoption of credit cards. Any competing system will have to compete on simplicity. The fact that consumers and merchants haven't fled from credit card use as fraud rates (and costs) have increased is evidence that the market is willing to bear them.

The legislative changes that allow merchants to charge a CC-use surcharge will resolve the significant matter of ignorance. I do agree that consumers are largely ignorant of the hidden costs of fraud associated with the current CC model. The question is whether they'll pay these costs once they're brought to light. I believe they will continue to pay them in exchange for convenience.


> Ugh, no thanks. The system you describe is more like cash. I have to actively dole out the necessary amount, and then receive change that is counted at each transition. I abhor these types of transactions.

Not in this case. There's no reason the merchant can't send a request for a specific amount, encrypted using your credit account's public key and signed by their private key. Your credit authorizing device (smartphone, desktop app, phone call, whatever) then asks you to confirm the amount, and that amount is sent back to the merchant. I'm sure there's some way of cryptographically tying the request for funds to the transmission of funds so that it's clear what transaction the funds are for, that the amount sent matches the amount requested, etc.


Aren't you basically describing the "Request Money" feature of PayPal?


No, because that only works through PayPal. This is more about a system that can be automated independently of the bank or service provider and provides independent cryptographic verification of transactions.


Yes, but imagine you can use it at the grocery store or a restaurant. Also, PayPal has a questionable reputation, so I wouldn't want to rely on them for all my day-to-day transactions.


Yes, capability is a fine word for this. I'd say the practical consequences are still exactly the same, regardless of the label.

> Ugh, no thanks. The system you describe is more like cash. I have to actively dole out the necessary amount, and then receive change that is counted at each transition. I abhor these types of transactions.

Not as I imagine it. I think the merchant would be able to set up a transaction, and the consumer would have to take a minimal step to approve it.

Also, if this system would annoy you, I'd be fine with allowing individual consumers to opt out of it. Personally, I would absolutely opt in.

> The fact that consumers and merchants haven't fled from credit card use as fraud rates (and costs) have increased is evidence that the market is willing to bear them.

Partially. But this fact can also be attributed in large part to the major barriers to entry.


Heck, why not let users create a whitelist of trusted businesses? Best of both worlds.


That would be great.


I used to work in the credit card space, and what I witnessed is that the industry is adamantly opposed to anything they perceive as inconveniencing customers, at least at point of sale where they are competing with cash. In fact, Visa and Mastercard explicitly don't allow stores to ask for an ID with card purchases. This is why anything that requires effort from the cardholder won't happen soon.

Fortunately the anti-fraud solutions out there are pretty effective, which helps control the damage a stolen card can do.


> Fortunately the anti-fraud solutions out there are pretty effective, which helps control the damage a stolen card can do.

In my experience, not reliably. For example, I've known people who gave their credit card info to a seemingly legit company, which then proceeded to make monthly debits without authorization, and this went on indefinitely. The credit card company was unwilling to intervene, and said it had to be worked out with the merchant.

That may sound surprising to you, because you're aware of chargebacks and other checks and balances. However, for some reason or another, none of that helped the victims in these cases. It's little consolation to them to say that "in theory, there are mechanisms in place to prevent this kind of abuse."


But "pushing" has proven to be problematic for US consumers. They've basically traded the 5 or 10 basis points of fraud losses for a substantially better user experience (although they didn't really get to make that tradeoff decision).


I don't think that consumers are aware of what they traded to get that convenience, though. Card companies have gone to great lengths to keep the costs hidden. They've even lobbied (so far, unsuccessfully) to prevent merchants from charging extra for card transactions, which would make those costs all but invisible.

Anecdotally, I know that I'm much more hesitant to whip out my card for that burrito when they added a $.45 convenience charge. I still use the card sometimes, but that one charge is enough to make me keep cash on hand. I wonder whether people would pay for the convenience if the true cost of it were more visible.


If I could save .5% a transaction by looking at the transaction cost on the card and then physically clicking ok I would probably do so. The problem is I have no choice one way or another.


You wouldn't save that money.

The kind of work that would require would be on the order of hundreds of millions of dollars of work, an entirely new infrastructure, and massive retraining. The return on investment is a very long term issue.

I currently work in the sector, so can't say too much about it, but the problem is that it's a hard problem at scale.


If the true costs of fraud are 5-10 basis points, suggesting that we eliminate fraud by replacing that with a 50 basis point drain on the system seems unlikely to succeed.


Most likely that was a mental arithmetic error or he thought that 1 bp = 0.1%, but changing it from 0.5% back to 0.05% really changes the utility. If your average CC transaction is $100, you're breaking even compared to picking up a nickel. I'd rather get on with my day than stand there waiting for the authorization or picking up a nickel.


http://www.nasdaq.com/article/skimming-threatens-debit-card-... says fraud "in 1% of transactions".

I don't know whether those transactions tend to be larger or smaller than average. I'd assume the detection systems are quite good, and crooks start with small charges (gas stations and shoes are what I hear are test spots they use). So they may be pretty close to average sized transactions.


I agree with your solution of an affirmative step. I can see internet credit/debit card transactions moving towards a "request for funds" model where the consumer(via smartphone) has to explicitly ok the transfer of funds:

Merchant - (RFF) -> Bank - (prompts for auth) -> Consumer - (grants auth) -> Bank - (RFF granted) -> Merchant

Of course, smartphones are still potentially insecure, another more cumbersome model could revolve around challenge-response codes - where the customer has an offline digital code card:

Merchant - (RFF) -> Bank - ($challenge) -> Merchant -($challenge) -> Consumer(punches in challenge code) - ($response) -> Merchant - ($challenge$response) -> Bank - (auth) -> Merchant
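The challenge-response flow in the comment above, as an added sketch that is not code from any commenter or from a real payment network. It goes one step beyond that flow by also binding the response to the merchant and amount, which is the "tie the request for funds to the transmission of funds" idea raised earlier in the thread. Assumptions: the bank and the payer's offline code device share a symmetric key, HMAC-SHA256 stands in for whatever algorithm a real scheme would use, and `Bank`, `consumer_response` and every sample value are hypothetical.

```python
import hashlib
import hmac
import secrets


def _message(challenge: str, merchant_id: str, amount_cents: int, currency: str) -> bytes:
    # Length-prefix every field so that ("ab", "c") and ("a", "bc") never encode the same.
    fields = [challenge, merchant_id, str(amount_cents), currency]
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def consumer_response(device_key: bytes, challenge: str, merchant_id: str,
                      amount_cents: int, currency: str) -> str:
    """Runs on the payer's offline device: a MAC over exactly what the payer approved."""
    tag = hmac.new(device_key, _message(challenge, merchant_id, amount_cents, currency),
                   hashlib.sha256).digest()
    return tag.hex()[:16]  # truncated for hand entry; the length is an assumption


class Bank:
    """Hypothetical issuer side of the request-for-funds (RFF) exchange."""

    def __init__(self) -> None:
        self._device_keys = {}  # account -> key shared with the payer's device
        self._pending = {}      # challenge -> (account, merchant, amount, currency)

    def enroll(self, account: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[account] = key
        return key

    def request_funds(self, account: str, merchant_id: str,
                      amount_cents: int, currency: str) -> str:
        # Merchant -(RFF)-> Bank -(challenge)-> Merchant
        challenge = secrets.token_hex(8)
        self._pending[challenge] = (account, merchant_id, amount_cents, currency)
        return challenge

    def authorize(self, challenge: str, response: str) -> bool:
        # Merchant -(challenge + response)-> Bank -(auth)-> Merchant
        # pop() makes every challenge single-use, even after a wrong guess,
        # so a short response code cannot be brute-forced or replayed.
        pending = self._pending.pop(challenge, None)
        if pending is None:
            return False
        account, merchant_id, amount_cents, currency = pending
        expected = consumer_response(self._device_keys[account], challenge,
                                     merchant_id, amount_cents, currency)
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    bank = Bank()
    key = bank.enroll("acct-alice")  # constructed sample account

    # 1. Honest flow: the payer approves the same amount the merchant requested.
    c1 = bank.request_funds("acct-alice", "shop-42", 1250, "USD")
    r1 = consumer_response(key, c1, "shop-42", 1250, "USD")
    honest = bank.authorize(c1, r1)

    # 2. Merchant requests 99.00 from the bank but shows the payer 12.50.
    #    The payer's code covers 12.50, so the bank's recomputation does not match.
    c2 = bank.request_funds("acct-alice", "shop-42", 9900, "USD")
    r2 = consumer_response(key, c2, "shop-42", 1250, "USD")
    inflated = bank.authorize(c2, r2)

    # 3. Replay of the first, already-used challenge/response pair.
    replay = bank.authorize(c1, r1)

    return {"honest": honest, "inflated_amount": inflated, "replay": replay}


if __name__ == "__main__":
    print(run_demo())
```

Unlike a card number, the response code is useless outside the one transaction it was computed for, so capturing it gives a merchant or skimmer nothing to reuse.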


The system that I think you are describing is already out there. I can’t speak for other countries but here in the Netherlands, the banks have standardised on “iDEAL”.

When you’re on a website and want to make a payment, the site makes a request to the bank, which then presents you with whatever method of authentication your bank uses. Generally this is some two-factor system. After giving the OK, you’re redirected back to the merchant.

Actually, it would seem to me that PayPal is very similar.


You've just described ARQC EMV card payments.


After having a cursory glance through the ARQC EMV wiki entry, it seems that EMV corresponds to what we currently have in Europe -> the same (consumer) PIN is still going to be re-entered in every transaction i.e. it's re-useable and can be easily captured(camera/eyeball) for later use at POS/ATM


Correct, it also describes your first flow; the only thing different is that the authentication is done through the merchant's PIN pad rather than a code sent through the cell network. In other words, providing the PIN unlocks the card, which serves as your authorization to dispense funds.

IIRC the card signs the merchant's request for funds once the PIN has been validated by the chip on the card, then sends it to the bank. I don't think there's anything in the standard that would preclude having one time PIN codes(the PIN validation is done by the chip, so you could just have a different app that does more than check a single PIN code), but the chip in the card itself doesn't have network access.

If you really wanted to have online authorization through the cell network, you could hold the processing of the ARQC message until it is verified through SMS (which can take several minutes for delivery and is best effort). However, that would hold the card reader unusable until the authorization is granted, as the card needs to stay in the terminal until the transaction is complete.

This obviously disregards offline processing (ie. card terminals that are not always connected to the network) and CNP transactions. For those, verification through another channel would be much more realistic.


For retail POS transactions, EMV (chip+pin) cards and terminal are an attempt to shift this balance. Unfortunately, the rollout isn't due for another couple of years yet in the USA, and there has been significant resistance to the change already (as demonstrated by the 10 year lag when compared to the EU rollout).


There are many use cases when pulling money is more convenient for the consumer. This is how most people pay their bills for example - they let providers deduct a different sum every month based on usage. There's a lot of value in being able to simply "set it and forget it"


Agreed. I think consumers should be allowed to explicitly enable that for certain merchants, and perhaps set some kind of limit on how much can be debited.

So you do this for a handful of companies (the electric company, the gas company, etc), and for everything else, you use the push model.


Dwolla's entire network is based on pushing the transaction rather than pulling. You can send a request, but ultimately the money doesn't move until you send it with your PIN.


There's a simpler explanation to why merchants don't charge extra for credit card purchases: The cost of accepting cash is not zero.

The logistics of drop safes and daily deposits plus losses due to counterfeiting, robberies and pilfering can cost a similar amount to the 3-4% credit card fees.

That's why merchants aren't grumbling too much.


Even simpler explanation: the cost of interchange fees is already priced into the retail cost of goods.

In other words, cash buyers are subsidizing the interchange fees, your Rewards Points, Cash Back deals, etc.

This is evident especially at gas stations. Many have "cash only" prices that are lower than credit prices; Arco generally has the lowest gas prices but accepts only cash or ATM (with an additional ATM fee).

It's been policy for a while now that you simply can't charge more for (just) credit card transactions (you could however discount cash purchases). That landscape is changing recently [1][2], but we haven't seen its full effects yet.

[1] http://www.dailyfinance.com/2012/07/19/3-reasons-why-credit-...

[2] http://www.dailyfinance.com/2013/01/24/new-credit-card-check...


That's a valid point surely but it's not a simpler explanation. The simple explanation is that you will have your ability to accept credit cards pulled if they find out you are charging more for CC purchases, although you are allowed to have a "cash discount" just as was stated. It's in every agreement. I'm a bit shocked that people are arguing about this actually, but I guess accepting credit cards and setting up card present accounts isn't exactly a universal experience.

I'm not sure how/if this was recently changed in the US, my knowledge is 5+ years out of date now and I'm not in the US either.


Also, the convenience of accepting cards leads to increased sales, so it's not worth penalizing use of cards.


Some banks will let you generate single-use credit card numbers (e.g., Chase). So you have one CC # for the power company, a different one for Netflix, and so forth. Then if e.g., Netflix gets hacked you can just cancel that one card number. You can also generate cards with hard spending limits, cards that only work for a specific merchant, etc. And of course you can delete them anytime. It's a pretty good system.

That said, I agree with the author. Signature based debit should have long since been replaced by something more secure (e.g., Chip and PIN), yet its much higher fee structure creates a perverse incentive to maintain its use.


I had one of these for a while. I used them any time I bought from an online merchant I wasn't completely confident of. It let me put a specific purchase limit on each number, so I knew I couldn't be overcharged.

Then one day one of those slimy Brooklyn camera stores overcharged me by $10, even though I specifically put in a limit equal to the purchase price. I called the bank and asked what happened, and they said that they always add a pad on top of the limit because people often forget about shipping charges, etc.

Sigh.


Isn't it pretty easy to envision a system that puts the control directly with the user? The reseller requests an amount due, you punch that into your credit card device, following it up with a pin code and you can now verify that payment..

But I don't think anyone wants to give customers this wallet-like capability..


There are issues with chip and pin, one of the major ones being it puts the onus of proof of fraud on the consumer. Hey, your card couldn't possibly have been used if you didn't type in the PIN or give it to someone else so you are liable.

This sort of thing reared its ugly head last decade in the UK with phantom ATM withdrawals. The banks claimed the consumers must have made the transactions as PINs are required and banks are perfectly secure. It turned out that the banks weren't as secure as claimed. (Search for [ross anderson phantom withdrawals] for more details as well as attacks on chip and pin systems.)


I've thought about this "problem" and decided there's no problem. You're solving a non-problem if you try to solve credit card fraud.

The reason we don't deal with credit card fraud is that there are no consequences for being a victim, for any definition of victim. If the victims had consequences, then there would be demand for action. But there is none. Further, because there are no consequences, the cost to solve credit card fraud isn't worth it.

Edit: This is a true statement. I feel capable to comment on this topic and have spent time working with this industry. I've dealt with abuse and fraud for years on many sides of the transaction (there are more than two). If you think you have a retort, please think carefully if you really understand what I just wrote above. There are no consequences for the victims. No matter how you define victim.

Edit 2: You deserve better explanations. I'll work on a blog post. But one case of a financially tight victim having to call the bank, etc. isn't enough. In the aggregate, nobody is inconvenienced. There are no consequences. If merchants had consequences, they'd stop accepting credit cards, but in the aggregate, that's a non-starter. Issuers similarly have no consequences. There's no arbitrage for improvement either.


If you think there is no victim I think you may not have a very firm grasp of economics. In particular, small negative consequences borne by many economic actors add up to legitimate negative economic consequences, even if there is a collective action problem in addressing them. In order to make the argument that there is no victim, you will have to describe how this fraud is wealth creating, without appealing to any broken window fallacies. I guarantee this is impossible.

In reality, the costs of fraud are shared widely, and there are definitely victims in aggregate. First, the merchants are clearly victims. In a counterfactual universe that contains no credit card fraud, merchants pay lower fees to accept credit cards, and make more money for selling the same amount of goods at the same prices. Second, consumers are definitely victims. In the same counterfactual universe, consumers pay less for goods by a tiny margin, and thus are able to consume more and achieve higher levels of utility. Additionally, in this counterfactual universe, nobody has to deal with credit card fraud, which is an inconvenience which has both a direct dollar cost, in cases where people aren't satisfied with their legal protection or incur legal costs in exercising their protection, and in non-dollar costs like having to call their bank, stress, broken relationships etc. Note that these are real costs and lower standards of living and utility even if they aren't dollar costs.

From a macro perspective, it's obvious that fraud has a negative impact on the economy. All of the effort that is spent by every fraud researcher, fraud company, credit card company fraud agent etc. is fundamentally unproductive effort which is nonetheless included in GDP. If these people didn't have to deal with credit card fraud, because it simply didn't exist, they could be gainfully employed in other productive fields that work to meet the hedonic goals of other humans.

I just want you to be aware of the tough row you have to hoe if you are really planning on going down this path, and if you ignore the above arguments, well, you aren't making a very compelling case.


Collective action problems imply a lack of consequences. QED.

To your point that all the effort to combat fraud implies there is a problem, you've created a fallacious point.

To your point on unproductive exercise, I believe it is wasted effort and loss. Perhaps the real victims of fraud are fraud fighters!

To inconvenience as a form of consequence, you clearly already understand the difference there.


You are being downvoted because it is generally understood that there are indeed rather serious consequences for victims of credit card fraud[1].

If you have a viewpoint that is polar opposite to how everybody else understands something, maybe it's your obligation to explain it better. And saying that you're in some form of authority to speak about the subject isn't an explanation.

[1] http://en.wikipedia.org/wiki/Credit_card_fraud


Updated: Apologies, I see now that the original comment specifically states there are no victims, period... even merchant victims.

Incorrect. There are no serious consequences for the victims of credit card fraud (unless you consider the victims to be the merchants).

When fraud takes place, the credit card company removes the bill from your statement. Then they take the money back that they sent to the merchant. The merchant is left holding the bag. Whatever they sold is now gone, and they have no money to cover the cost of that good. The merchants bear the entire risk of credit card fraud.

This is why it makes no sense that credit card companies even threaten to charge merchants higher rates if they have more fraud. Merchants with high chargebacks get beaten down in multiple ways. First there's a chargeback fee. Then they raise your processing rates. AND you still lose out on your goods that were stolen.

(Technically I suppose if the fraud is big enough, the merchant could be insolvent in which case the credit card companies bear the burden, but this is certainly an exception).


That's if the cardholder discovers the charge and if it hasn't already caused any problems (such as leading to bounced checks or inability to make an important payment). Your language is much too strong, especially since it is wrong.


How can credit card fraud lead to bounced checks?


When the credit card is a check card (directly debits a checking account), and the fraudulent purchases leave insufficient funds to clear your outstanding checks.


If you have overdraft protection that goes to a card, and the card hits its limit, you can bounce a check.


He was very explicit in saying, multiple times, that his assertion was true for any definition of victim. It's easy to show that the victim of credit card fraud is typically the merchant, not the consumer.


I used the term consequences deliberately. The merchant may have losses, but they have no leverage. The option to not take credit cards is not available to most sellers of goods. On a large scale the cost of fraud simply becomes a cost of business that factors into the price the consumer pays. This is why many merchants offer a cash discount. To argue that the cash discount is just to cover credit card processing fees misses the point.


You may have used the word deliberately but you used it wholly incorrectly, which is the source of all the confused replies. Not being able to avoid consequences is not the same as there being no consequences.


Merchants think little or nothing about chargebacks when contemplating a cash discount.


The merchants are the victims, and the consequences include lost payments, lost merchandise, chargeback fees, lost cashflow when the merchant account provider starts requiring a risk reserve, and lost cashflow when their account gets terminated for exceeding the acceptable chargeback ratio. It can even lead to loss of the entire business. How is that not a consequence of credit card fraud?


This is true, although I think most people generally assume the "victim" in the case of credit card fraud is the individual whose card number is stolen.


parent poster said "any definition of victim"


I've had my card fraudulently used and I've also been on the merchant side of fraudulent transactions.

On the consumer side, I had to waste time ringing the bank, going through the chargeback process, getting a new card, not be able to use the card for a little while, etc.

On the merchant side, you waste time fighting the chargeback, and then if the chargeback goes through, you lose both the money and the goods.

So when you say there are no consequences for victims, it doesn't make sense to me... Could you elaborate?


CardSystems went out of business as a consequence of credit card fraud. Jonathan James killed himself swearing that he was innocent in relation to the TJX credit card breach. Perhaps orthogonal, but a consequence. Heartland Payment Systems went into pants-on-fire mode after their breach because they were very aware of the consequences CardSystems faced. Their strategy was to fess up and form an initiative for end-to-end payment encryption. They still have incurred over $150 million in costs and continue to face litigation 5 years after their breach. It could have been much worse, there's a per incident fine levied by Visa alone, outside of civil or statutory liability.

Maybe it 'isn't enough,' but that's not the same as no consequences.


While others have talked about the merchant as victim, it should be noted that the individual whose card is stolen and used is also a victim. This is esp. true for folks who work multiple jobs or have very tight finances. Having to navigate banks to get fraud protection started or having your finances thrown off balance even for a day can be really hard on those people.


Even if you eventually get the money back, fraudulent credit card txns are extremely stressful and can easily have real impacts on debit card accounts. Saying so matter of factly "there is no consequence" is obviously wrong.


This is so obviously untrue that I'm really curious for further explanation. What are you talking about?


You say it's obviously untrue, so what are the obvious consequences of credit card fraud?

I believe that anything you suggest worth addressing costs more than the fraud itself. The only way to eliminate fraud is to show that doing so increases transaction volume. Since there has yet to be a proposed solution that does that, people focus instead on trying to "save money" lost to fraud, which doesn't work because there are no consequences to credit card fraud. (this is not a circular argument, though I see how it might read that way)


Well, theft is one obvious consequence. If someone steals my stuff with a credit card, I have suffered a loss as a consequence of the offender's fraud. I'm not sure how you can argue around that.


Economic consequences aren't the same as your personal inconvenience.


You keep using that word. I don't think it means what you think it means.


The "solution" to credit card fraud is monitoring and insurance.

I don't worry about credit card fraud because my credit card company does not hold me responsible for fraud as long as I bring it to their attention in a timely manner (30 to 60 days). So I just make sure to review my statements every month.

Yes, in a general sense I pay the cost of this insurance because all businesses are imaginary pass-through entities. By that standard, let's not tax businesses either since we ultimately all pay those taxes too.

But, complex technical solutions ALSO have a cost--not only to implement and maintain, but in the friction they introduce into the commerce of everyday people's lives. And since businesses exist to minimize costs, we can assume that they have not implemented complex technical solutions because they cost more than the insurance.

In summary: not every optimal solution exists in the space of engineering. Social and legal structures can help solve problems too.


> But, complex technical solutions ALSO have a cost

The solution is hardly "complex".

Your CC number never leaves your card unencrypted. Your card details are encrypted on a server somewhere. A transaction consists of a record of sale that is signed by the merchant's private key, sent to your card, which then signs it with your private key.

Said package of data is delivered up to Visa's servers. Your digital signature is validated with your public key, merchant's key is validated, the order goes through. Yes this requires an internet connection, yes it breaks offline processing. It also cuts fraud to 0.

Online purchases get more complicated, sure. Lazy way is to have something running on client machine that can sign data downloaded from merchant, make it a browser plugin or even better a standard all browsers implement, so long as the private key is stored somewhere and can be applied to a message. This is not exactly a hard problem. Doing it right is tricky, thankfully a good number of correct implementations already exist. Use one of those.

A more secure solution, especially for PCs, is to have a dongle, everything is processed on card. Then even if the PC is rooted 50 ways to Sunday all orders are still secure.

This is no more convoluted (and many would argue less) than the current way by which credit card orders are processed.

Credit Card companies currently place the entire burden of fraud onto merchants. They don't really have a reason to care about fraud, other than that it is bad customer service to have your customer's identity stolen.

The real problem here is how to deal with crap like reoccurring payments. Too many organizations are used to a workflow wherein they store your credit card number. That is obviously insecure (see: news stories that come out all the time). I am not sure how to solve that particular problem though. Obviously it is a big blocker to getting a more secure system implemented!
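The signing flow described in the comment above, sketched as an added example that is not part of the original thread or any card network's real protocol. Ed25519 via Node's built-in `crypto` module, the field names, the in-memory key registries and the replay check on transaction ids are all assumptions made for illustration.

```javascript
// Added illustration: a dual-signed record of sale, verified by the card network.
// Algorithm (Ed25519), field names and registries are assumptions, not a real scheme.
const nodeCrypto = require('node:crypto');

// Constructed key pairs standing in for keys provisioned at enrollment.
const merchantKeys = nodeCrypto.generateKeyPairSync('ed25519');
const cardKeys = nodeCrypto.generateKeyPairSync('ed25519');

// The network holds public keys only; no reusable card number is exchanged.
const merchantRegistry = new Map([['merchant-001', merchantKeys.publicKey]]);
const cardRegistry = new Map([['card-abc', cardKeys.publicKey]]);
const seenTransactions = new Set(); // replay protection (added assumption)

// Fixed field order so both signers and the verifier process identical bytes.
function canonicalBytes(sale) {
  const { merchantId, cardId, amountCents, currency, txId } = sale;
  return Buffer.from(JSON.stringify([merchantId, cardId, amountCents, currency, txId]));
}

// Step 1: the merchant terminal signs the record of sale.
function merchantSign(sale, merchantPrivateKey) {
  return nodeCrypto.sign(null, canonicalBytes(sale), merchantPrivateKey);
}

// Step 2: the card signs the sale plus the merchant's signature, binding its
// approval to this merchant, this amount and this transaction id.
function cardSign(sale, merchantSig, cardPrivateKey) {
  const signed = Buffer.concat([canonicalBytes(sale), merchantSig]);
  return nodeCrypto.sign(null, signed, cardPrivateKey);
}

// Step 3: the network validates both signatures and rejects replays.
function networkAuthorize({ sale, merchantSig, cardSig }) {
  const merchantPub = merchantRegistry.get(sale.merchantId);
  const cardPub = cardRegistry.get(sale.cardId);
  if (!merchantPub || !cardPub) return 'unknown-party';
  const body = canonicalBytes(sale);
  if (!nodeCrypto.verify(null, body, merchantPub, merchantSig)) {
    return 'bad-merchant-signature';
  }
  if (!nodeCrypto.verify(null, Buffer.concat([body, merchantSig]), cardPub, cardSig)) {
    return 'bad-card-signature';
  }
  const replayKey = `${sale.merchantId}:${sale.txId}`;
  if (seenTransactions.has(replayKey)) return 'replay';
  seenTransactions.add(replayKey);
  return 'approved';
}

// Builds a complete package for a constructed sample sale.
function buildPackage(amountCents, txId) {
  const sale = { merchantId: 'merchant-001', cardId: 'card-abc', amountCents, currency: 'USD', txId };
  const merchantSig = merchantSign(sale, merchantKeys.privateKey);
  const cardSig = cardSign(sale, merchantSig, cardKeys.privateKey);
  return { sale, merchantSig, cardSig };
}
```

The signatures cover only what the card was shown: a record altered after signing, or resubmitted a second time, is rejected at the network, while disputes such as goods never delivered are outside what this check can see.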


It's easy to envision a future without this inherent problem -- it's PayPal, it's Dwolla, or any other service where payments are pushed instead of pulled. If you pay someone with PayPal, online or off, you don't leave them with anything they (or the hacker that steals the store's DB) can use to charge you again in the future. For recurring payments, in the background all you're giving out are tokens you can revoke at will.

Getting stores to adopt these services is a lot easier than getting Visa to change how their product fundamentally works.


The interesting case will be POS situations where a customer wishes to use PayPal but they don't have a smartphone. In which case they will need access to a machine to send the payment. In that case they need access to a browser to interact with the PayPal site. In this scenario the customer's data (their username/password for PayPal) is being exposed.


In a rational world where declaring that government should be responsible for the foundational services that enable civil society the universal payment transaction service would be operated by the government as a public utility.

In this hypothetical rational world, you would go to the government office when you needed to open a new payment account to make or receive payments. You would show proof of identity, and receive a duly signed certificate bound to a hardware token of a standard type that you could then use to make transactions both on and offline. Since everybody would use the same systems there would be no questions about if someone could pay you.

But in this world, government securing the currency is regarded as an outmoded and dangerous idea, unless it's a bailout...


> In a rational world where declaring that government should be responsible for the foundational services that enable civil society the universal payment transaction service would be operated by the government as a public utility.

Already exists. It's called cash.


That's one of the points I was alluding to. The .gov already does this in the physical world; why have they allowed a layer of private interests to insert themselves into the process when it is performed electronically?


I am reminded of a Max Headroom episode that covered the character Edison Carter's loss of one of those devices. It was also his key to personal property (house, car).


Ron, before you get into the chip-n-pin/smart-card stuff commonly used in Europe and Asia, you should probably check out the modern "Man-In-The-Browser" attacks:

http://www.irongeek.com/i.php?page=videos/derbycon2/3-1-1-da...

As the above shows, crypto is useful, but it's far from perfect due to its reliance on insecure stuff (i.e. web browsers, operating systems, ...). When the foundation is flawed, it's turtles all the way up.

Also, don't let HN or the web in general get you down. Writing for those with a short attention span makes for short stories, not long ones. Being wedged could be an indication that you have a lot to say, too much to get it going properly. I've got a hunch you have a nice long story to tell, and it will be worth reading even if it comes out in a roundabout fashion. I ain't a crypto or security person, nor do I play one on TV, but if you want a proofreader contact me privately.


If you look at how they were actually deployed in Europe, you'll realize that it's not much different over there. "Chip and Pin" is if anything worse than no encryption, because it gives the illusion of security. I don't know about the situation in Asia.


It's far from clear that chip-and-pin has been the unmitigated disaster you imply it to be. You're right that chip-and-pin has problems, but those are design and deployment problems, not problems with PKE in general.


"design and deployment problems" pretty much imply problems with the solution itself.


The difference is that, using public-private key cryptography, an evil merchant can't, in any way, copy my European card. I can be sure that my CC number will not be stored.


How so? I'm not fond of the liability shift to the merchant/consumer, but the bar for technical fraud is much, much higher than for stripe cards.


There is no solution for credit card fraud because the credit card companies do not pay the bulk of the fraud that happens. I have been the subject of fraud both as a merchant and as a consumer and in both cases I was the one that paid.


Two-factor authentication is a good deterrent but is not available everywhere. For my card, for some sites, immediately after clicking "Buy" button, the bank will SMS me an expiring (within minutes) 6 digit code to my mobile phone, and I will have to enter the code to complete the transaction.


Can you elaborate on how you had to pay in the case when you were a consumer and suffered fraud? As a consumer and merchant, I've only ever had to pay when I'm a merchant.


Feels like over-reactive writing. Of course big business works to protect its interests and offload costs of business to customers. Big business is also terrified and highly resistant to change to systems that are generating profit that may reduce profit, regardless of any social value.

Why is this so shocking to the author?


If the card brand, say Visa, would generate a public key that I could use on my web server to send them their credit card data, then I, my payment gateway, and maybe even my merchant bank, would never have to know the card number. VisaNet could decrypt it on their side with their private key and determine the issuer and account information to process it. Just the customer and VisaNet and the issuer probably need the card number itself. Everyone else just needs to know the result of the transaction.


A large portion, if not most, of the card numbers being bought and sold on the black market are obtained via phishing or via malware on the end-user's computer. Better encryption between the computer and online stores doesn't affect either of those theft vectors.


Citi has offered virtual account numbers for its credit cards for a while, which solves the "Once someone knows your card number they can use it to conduct any transaction they choose" problem. It's still a hassle to remember to go to citicards.com and generate a new number, provided that Chrome helpfully auto-fills your saved number.


EMV is happening in the United States; the industry does recognize the problem though I agree there are poor incentives to make progress in solving it. It is late in starting and going to be slow and that is for some of the reasons OP states.

One thing that is now changing is that responsibility for charge-backs is going to be moving from the merchants and card issuers (who do bear risk in ATM transactions, for example) to the acquiring point of sale network, operator or ATM. In order to prevent that from happening, the operators are being required to support EMV in X% of devices by Y date. MasterCard has a write-up of this here: http://www.mastercardadvisors.com/_assets/pdf/emv_us_aquirer...

You can Google "EMV acquirer risk" to find more on this issue.


Two, possibly ancillary points:

As someone who was part of a lawsuit involving public key cryptography I can assure you that the barrier to deploying it in the US rested squarely on RSA Data Security (patent holder) until the patents expired.

To understand how to deploy better security look at Stripe. Stripe is displacing (with pre-existing card technology) the connection between card companies and merchants with a better experience. With an established customer base they will be in a position to drive the replacement of cards.

No system with as many moving parts as the credit card system has, can be "quickly" changed (and by quick here I'm talking demi-decades) however it can be disrupted and replaced.


I was really expecting a solid article there since he claims he tried to solve it. Specifically --

- What exactly are these barriers the industry has set up?

- What kind of savings can be obtained through his solution?

- What exactly is this solution without going into the crypto part (which I assume is what he wants to sell)?

- Any solution involving crypto means at the least both client and server side changes are needed, which means every merchant needs to upgrade. What is he proposing that has a better value proposition in spite of the costs involved?

I am not even questioning his crypto protocol, assuming it's good.


"The risk of getting caught if you decided to try to commit credit card fraud was high enough that it was (mostly) an effective deterrent."

Unfortunately the risk isn't as high as the author intended. There are still many credit card launder groups that take advantage of in-person fake card transactions. The margin is so high that they would often purchase over a few thousand worth of items at Wal-mart or such (mostly gift cards) at a single time and the lack of care from cashiers just doesn't help with the deterrent factor.

Aside from the big boss, even the busboys would try to snatch up items for themselves from the store aside from the gift cards to give back to the big boss. This creates a healthy enough ecosystem that each part of the chain will have enough motivation to not cause the group to fall apart, because the margin is just too high.

The credit card itself builds too much on trust and is fundamentally broken. Trust is a rare quality in humans and it is just not present in a criminal's eyes. Of course, the trust allows a credit card to be used simply without much additional overhead. If one day we collectively deem credit cards to be insecure enough maybe we'll consider trading off the easy usability for a more secure measure such as presenting your id when using credit card. Or perhaps we should all just wait for the future where we each have biometric chips embedded in us to scan at a credit card machine.


Not every problem needs to have a technology solution. In this case, the non-technology solution is to pass the fraud cost to the merchants (through fee) who in turn pass it to you (consumer). There is nothing wrong with it as long as everyone in the chain accepts it. Now, of course as a consumer you might feel bad about it but the penalty you pay for CC fraud is tiny. So you probably don't care because in exchange you get the convenience of using a credit card.

The industry is actually doing a lot of work to minimize the fraud and keep it under control. But there is absolutely correct understanding that it will never go down to 0. Even if you deploy super-modern PKI solution, you still have to deal with fraud like "didn't get an item", etc. Thus the benefits of not having a credit card number are not that significant in the big picture. While inconvenience and complexities are pretty high.


So...what's the solution?? "Use public key encryption" doesn't help us much. Especially when you claim "it's not hard". Disposable numbers have been tried many, many times and the user experience stinks. Maybe with the prevalence of good mobile experiences, their time has come?


I think the other thing is that most online credit fraud doesn't come from intercepting credentials over wires but by dupe sites that imitate real realtors. I think two factor authentication might help with that, if it has to verify both sender and recipient on some mutual third party server of the credit card provider, but that costs them money, which gets back to the root problem, it doesn't cost the companies that would implement these schema anything now, and any change does cost them, and the market is rigged so you can't introduce competition.

I think it is much more likely bitcoin takes off as a real currency for exchange and people just start using banks that facilitate transparent conversion between the two when buying stuff online. It doesn't help with using a credit card online from a CC company, but it does skip them entirely.


I think there is zero chance Bitcoin takes off.


I recall this being said when Bitcoin was at around a dollar and ever since.


In Canada they have a system where you input a PIN number every time you use a credit card at a POS.

I've heard from my Canadian friend who owns a Shoppers Drug Mart, that it has cut down chargebacks to almost 0.

Why they haven't implemented this in the US I'm not sure. The only problem is that if they figure out your PIN, it makes it very hard to fight chargebacks from the point of the consumer. But we all know that the CC companies don't care.

The one thing to note is that it's very hard for the CC companies to lose money with fraud. Usually the merchant or the consumer is on the hook. Then the issuing bank, etc. They're last in line, so their incentive to make drastic change is nil.


At most gas stations and some grocery stores, I have to enter my billing ZIP code before proceeding. I'm not sure how effective it is.


It's expensive, a bad user experience and there's already very little chargeback risk in card-present txns.


I worked in fraud prevention for several of the big banks. They definitely care about it and it is not passed on directly to customers.

There's a strong relationship between card fraud and DDA fraud which very directly hits the bottom line. Typically credit card fraud is monetized by making a balance transfer to a DDA.

Chip and pin is on the way. A lot of new cards have it. See below...

http://www.federalreserve.gov/newsevents/bank_of_america_201...

Never explain with conspiracy what can be explained by incompetence.


I think it is incorrect to say fraud is not costing credit card companies money, because they can transfer the cost to customers. If there was less fraud they could easily keep the transaction costs on same level and pocket the difference.

Some Finnish banks introduced a "verified by Visa" scheme where you need to verify online transactions with one time password (those are normally used to log into online bank account). At least for me the result was that now I choose PayPal whenever possible, since PayPal allows me to pay with just username and normal password.


I have a German Visa card and for me it works by creating a separate password for online purchases (once). This prevents a lot of fraud because the verified by Visa password resides on the servers of Visa (or the bank, I don't know) and is not compromised when a shop gets hacked. Also I don't have to enter it every time I use my credit card but rather I'd guess about 10% of the time.


I assume your simple solution handles common things such as recurring billing and the ability for websites to re-use previously entered card information without requiring the user re-enter it.


I learned some things about how the world works that I couldn't figure out how to write about without coming across like a paranoid loon, and I couldn't get them far enough out of my head to write cogently about anything else.

Indeed.

I'd like to elaborate on my agreement but...I can't figure out how to write about without coming across like a paranoid loon. Methinks it has to do with approaching the half-century mark. "I've seen things you people wouldn't believe..."


Planet Money talks about the disincentives for the banks to have better protection about 26:20 into this podcast: http://www.npr.org/blogs/money/2011/06/16/137181702/the-tues...

Simply, the reason given is that credit card fraud costs them about $3 billion annually. That's not enough to get them to move.


Plastic cards are a useless middleman and inherently insecure. You're inserting your card and password to somebody else's device!

You should be able to the account URI (based on IBAN) and the total, issue the payment order to your bank with your phone. The recipient gets notified by his bank in real-time that the payment has been made. Thank you, have a good day.


The financial companies are the most technology-averse group out there. They are risk handling and money moving engines and not interested in innovation. Every advance in technology is a direct result of legislation (like the recent addition of check scanning at ATMs) and legislation never follows the cutting edge.


I'm not convinced of the premise that credit card companies have no incentive to reduce fraud.

"Fraud isn't costing them money, it is costing you money. [they] pass the cost on to you, the consumer."

That's true of any business really. Increased costs get passed onto the consumer. But that doesn't stop other businesses from trying to reduce costs.


Wow, what an informative comment!

It's clear to me that the advent of push liability opens the lots wider for no-fraud payment systems, i.e. bitcoins. Evidentially, that situation is only two to five years away. Which is plenty of time for mobile wallet startups to help me get rid of my annoying leather wallet!


What are the downsides of making the CVV on your card have to come from a txt message to your phone? It seems like this could piggyback on the existing system that exists and would work with all current implementations. (It doesn't solve the subscription stored card problem I guess...)


Banks and card corps want a fool and his money to be able to push a button and buy something with as little hassle as possible. They are more than willing to use their trillions in profits to write off and eat some fraud if it means easy use for customers.


The author seems to be referring to chip and PIN - but this isn't used in Europe for card not present transactions, which the author says accounts for nearly all fraud.



What are these crypto based solutions that Europe and Asia are using the author talks about? Can some one point me to those?


In other words, redirect each credit card transaction to your bitcoin wallet?


I think he's talking about a solution similar to the RSA key cards typically used for VPN login at some big companies.

https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcSP3PxS...


This place is close, but I bet they are running into the same issues. It's a shame, because it really could stop a lot of fraud using it. http://dynamicsinc.com/Corporate/products_dynamic_cc.php (note, they only now offer one type of card via one bank, they seem to have been sidelined)



