Geekfoolery

Commentary on emerging trends, especially cool or absurd innovations across a broad range of geekiness. ...with your Host, Mr. Alex.

Credit where credit isn’t due

Posted May 1st, 2007

Identity theft. Credit card fraud. These are big topics in the news, of course. Every other month or so one company or another announces a data breach. Credit card companies claim to be monitoring our purchases for fraud. Fraud supposedly costs the various entities involved some $50 billion a year. I have one simple question:

Why are we still using a system for authenticating credit card purchases that hasn’t changed since Diners Club invented credit cards? OK, fine, modern credit cards contain chips and have holographic stickers and the magic 3-digit “security number” on the back (Oh no! How will identity thieves ever crack that impenetrable code!) and we slide the plastic through a reader, but even with all these security measures in place, the only situation I know for sure where my card will be turned down by a merchant is if I am over my limit.

Because despite all the security props put on the card, the fact remains that as long as you have the number, the expiration date, and the name–even without having the actual card–your friendly neighborhood credit card thief is home free.

And there are a dozen ways to get the number. Stealing the actual card, not elegant, but effective. That piece of plastic seldom needs further verification, and in many cases, the pickpocket nabbed your license along with your credit card.

But that’s theft the old-fashioned way, one-at-a-time. Real thieves go after databases full of credit card numbers by the thousands. This is the equivalent of leaving your wallet in the store and asking the gum-chewing clerks not to let anyone look at it until you come back. I go into a store to spend 10 bucks on a paperback, and if I pay with plastic, it’s like I’ve left a couple thousand bucks worth of credit line at the store hoping no one breaks in.

Some credit card companies offer the ability to create one-time use numbers for online transactions. I can’t understand why all transactions are handled this way. Our web browsers do this all the time without our even knowing it–HTTPS web pages are encrypted with keys that are created just for one session. In the early days of eCommerce, a lot of people who didn’t understand how it worked worried that hackers would intercept their credit card numbers on their way to a web merchant’s server. Fearing the hackers, these people would then pick up the phone and place an order on an 800 number, unaware that if they used a cordless phone, their credit card number was at greater risk of being intercepted than if they used a web page.

But the problem really has never been the security of the channel between the customer and the merchant. The problem is the near total lack of security around credit card numbers.

