Recently, while out dining with the first lady, President Obama got reacquainted with the security battle impacting American consumers when his credit card was flatly denied. The awkward moment served to illustrate that even the most powerful man in the world is vulnerable to the weaknesses of the credit card industry.
In particular, the industry struggles to defend itself against both high-tech thieves and against victimized consumers. With all due respect to the resources already committed to secure credit cards, it is important to consider what is missing from the industry’s approach and the implications to the financial well-being of American consumers. Ultimately true security and fair liability policies can only be achieved by enforcing three essential elements: “who am I?” “what do I have?” and “what do I know?”
Historically, credit cards have used a familiar magnetic strip, which offers only the most basic sense of security in that it electronically signals that the bearer holds a line of credit. More so than your signature, it is possession of the card that has mattered, as it represents “what do I have?”
However, credit card numbers are easily stolen. In response, the industry instituted a security code, or card verification data (CVD). It is the three or four digits printed on the back of your credit card (or on the front). Thus, for online purchases, websites may ask you for the CVD number to ensure that you have the physical card. This system is there to protect the bank, not you or your account.
Some merchants including those selling high-end electronics require both the magnetic swipe and an official form of identification of the person using the card. This approach combines “what do I have?” with “who am I?”
More recently, the industry proposed further changes to your credit card. The characteristic magnetic strip is destined to go the way of eight-track tapes and cassettes. Newer technology uses a computer chip and a PIN, hence the name “chip & PIN.” The cards offer encryption, a more powerful form of security. They also involve a form of debit transaction requiring a PIN, which establishes “what do I know?”
Over a year ago, Europe switched to chip & PIN cards. However, hackers quickly defeated the chip & PIN encryption. After consumers had used the card for purchases, hackers looted their bank accounts via ATMs. Unlike American credit institutions, which assume liability for fraudulent withdrawals, European institutions issue PIN codes that transfer liability to the consumer. When hackers steal from a European credit account, the consumer loses out, which happens with alarming regularity.
The American changeover to chip & PIN is imminent, but this adds only “what do I know?” when it is clear that every transaction should also verify “who am I?” Our credit card industry remains disturbingly silent on this important matter. If they are serious about security, then new technology must incorporate all three elements of security. Credit card terminals should verify possession, scan the identification of the user and ask an identifying question or code. A simple question could be asked at the terminal: “Does the person before you match the identification given?”
In the absence of these steps, predictable breaches in security and the devastating transfer of liability to consumers will make the president’s denied credit card an emblem of our next financial disaster.
Bill Murray of West Hartford is a forensic computer technician. Under the pen name Trip Elix, he is author of books including “Extortionware: A Hacker’s Tale,” the forthcoming title “A Right To Property,” and blogs at http://tripelix.com.