Another round of credit card number exposures and my wife’s bank proactively changing her card number due to an  ‘ongoing investigation’ reminded me that I haven’t written about credit card issues for a while.

But please don’t click away — this isn’t going to be another ‘how you can protect yourself’ article.

Security can be complicated but there are some simple fundamentals that explain the credit card fraud problem. The first is the concept of risk. People often agonize over how to explain risk. But it can be simple if you break it down into three components:

  1. An asset — something of value
  2. A threat — something or someone that endangers the asset
  3. Vulnerabilities — a way for the threat to impact the asset

If all three of these are present, you have risk. The magnitude of the risk is related to the magnitude of each of the factors. Large assets, motivated threats and serious vulnerabilities mean high risk. Remove any one of the three and risk disappears.

Money is a great example. It is a valuable asset and there are always criminals (threats) who would like to steal it. So, the question becomes how much money, how many criminals and whether a vulnerability exists that allows the criminals to steal the money.

If we consider credit cards, there is a lot of money. From a criminal’s perspective, it doesn’t make sense to buy and sell drugs  (an inherently dangerous activity) or steal property and sell it (very low profit margins) if one can steal money directly.

When we consider credit cards, we’re dealing with a high-value asset and a high threat level. It’s not practical to try and reduce either. The whole point of the credit card industry is to make lots of money available and charge high interest rates for using it, so lowering the asset value isn’t going to happen. And we know that our criminal justice system certainly isn’t doing much to reduce the threat.

So, the key factor in credit card risk management is vulnerabilities. Reduce them and risk falls. Add vulnerabilities to the system and risk skyrockets. And that’s where we are now.

There are a number of weaknesses in the credit card system. For example, if you steal my credit card, you can probably get away with using it in certain stores until I report it stolen. And, if you’re a merchant, you can collect lists of credit card numbers, sell them to your criminal friends and they can charge stuff to them. Debit card issuers attempt to reduce some of these vulnerabilities by requiring the user to type a PIN but that fails miserably because it’s not all that difficult to watch someone type in their PIN — in person, using a camera or by modifying the PIN pad to capture it.

All these issues can be reduce to one vulnerability that isn’t in any way the consumer’s fault: Financial institutions fail to properly authenticate the cardholder.

But mine requires a PIN you say? Yes, but its not nearly enough and, while you should heed their advice and try to protect your PIN, there is a fundamental security flaw in the system.

To understand the flaw I need to touch briefly on authentication theory, which holds that there are three ways to authenticate a person:

  1. Something they know (like a PIN)
  2. Something they have (a physical thing like a card)
  3. Something they are (a fingerprint, iris scan, or other biometric)

To be sure that you know who you are dealing with — something that security practitioners call ‘strong authentication’ — you need at least two of the above factors. One just isn’t enough. And, in the case of (2) and (3), they also need to be something that isn’t easily copied.

Credit card security is fundamentally flawed because everything you need to authorize a credit card transaction is on the card. Sure they’ve added a three or four digit number for card not present transactions.  And some merchants use address verification services that require a postal/zip code. But, if you give me your credit card, I can take it to the store and use it.

Debit cards use two factors and, in theory, two factors is much stronger than a single factor. But one factor — the card, the thing you have — is easily copied. An unscrupulous merchant can run it through a (US)$100 device that records everything on the magnetic stripe and create an exact duplicate. So, the only thing between them and the money is your PIN. Any they are highly motivated to find a way to get it.

Of course, banks know this and their security professionals have expert knowledge of risk assessment and authentication theory. And they are, very slowly, starting to do something about it by moving toward credit and debit cards with a computer chip on them, making them more difficult to copy.

There is much more that they could be doing. But they choose not to. And, while I haven’t been privy to the discussions, I suspect it has something to do with the ability to charge 20 per cent interest even when the prime rate is less than 2 per cent.  It also, probably, has to do with the fact that, in many cases, it’s the merchants that take the loss, not the bank.

So, next time you hear a bank complain about credit card fraud losses, remember that it’s their system. They choose to issue cards, they choose the security mechanisms and they know the risks. And they’re the ones that should be fixing it.

One Response to Credit Card Insecurity

  1. Henning L. Ostergaard
    Feb 20, 2009

    Good article – and as you point out, there many factors in play here…

    It might interest you to have a look at The company has developed a card for the industry to make life harder for the criminals.

    The card hold an on-board fingerprint scanner, and a dynamic mag stripre. The card can only be used when powered on by swiping your finger, and now the card is only authorized for ONE transaction.

    The data (CVV code) on the dynamic mag stripe will simply change after each transaction, and thereby make a copy of the card useless.

    For online purchase, a one-time-CVV code will be generated and shown on the on-board display, i.e. a static CVV code is no longer printed or stored on the card.

    Now that’s a start – isn’t it?

Leave a Reply