MasterCard has announced that in the US and Canada, it will no longer require signatures on credit card transactions. (PINs will continue to be required on debit card transactions.) MC says that this will be more convenient for the customer and that it will rely on other (unnamed) mechanisms and processes for security. Let us look at some.
First, many issuers use computer aided mechanisms to detect fraudulent use by looking at such clues as location and other patterns of use. Most of us have had calls from our banks checking on the legitimacy of activity.
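To make the "location and other patterns of use" clues concrete, here is an added illustration in Python; it is not the post's or any issuer's own logic. It runs two simple rules over a constructed stream of authorizations: impossible travel (a card appears at two merchants farther apart than it could plausibly have moved in the elapsed time) and velocity (too many authorizations on one card inside a short window). The speed limit, window and count are assumptions chosen for the demo, and the cards are identified by constructed token strings rather than card numbers.

```python
"""Issuer-side pattern checks over a constructed transaction stream.

Added example, not code from the original post. Thresholds below are
assumptions for the demo, not any issuer's real rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0                   # roughly airliner speed (assumption)
VELOCITY_WINDOW = timedelta(minutes=10)  # window for the velocity rule (assumption)
VELOCITY_LIMIT = 4                       # authorizations allowed per window (assumption)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def flag_transactions(txns):
    """Scan authorizations in time order and return (index, reason) pairs.

    Each txn is a dict with keys card, time (datetime), lat, lon, amount_cents.
    """
    flags = []
    last_seen = {}                       # card -> previous txn
    recent = defaultdict(list)           # card -> timestamps inside the window
    for i, t in enumerate(txns):
        card = t["card"]
        prev = last_seen.get(card)
        if prev is not None:
            hours = (t["time"] - prev["time"]).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], t["lat"], t["lon"])
            # Distance covered exceeds what MAX_SPEED_KMH allows in the elapsed time
            if dist > MAX_SPEED_KMH * hours:
                flags.append((i, "impossible travel"))
        last_seen[card] = t

        window = recent[card]
        window.append(t["time"])
        cutoff = t["time"] - VELOCITY_WINDOW
        recent[card] = window = [ts for ts in window if ts >= cutoff]
        if len(window) > VELOCITY_LIMIT:
            flags.append((i, "velocity"))
    return flags


def _t(hhmm):
    return datetime(2017, 10, 20, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample stream: card tok_A is used in New York and then in
# London 90 minutes later; card tok_B is run five times in five minutes.
SAMPLE = [
    {"card": "tok_A", "time": _t("09:00"), "lat": 40.71, "lon": -74.01, "amount_cents": 4200},
    {"card": "tok_B", "time": _t("09:01"), "lat": 41.88, "lon": -87.63, "amount_cents": 1500},
    {"card": "tok_B", "time": _t("09:02"), "lat": 41.88, "lon": -87.63, "amount_cents": 1500},
    {"card": "tok_B", "time": _t("09:03"), "lat": 41.88, "lon": -87.63, "amount_cents": 1500},
    {"card": "tok_B", "time": _t("09:04"), "lat": 41.88, "lon": -87.63, "amount_cents": 1500},
    {"card": "tok_B", "time": _t("09:05"), "lat": 41.88, "lon": -87.63, "amount_cents": 1500},
    {"card": "tok_A", "time": _t("10:30"), "lat": 51.51, "lon": -0.13, "amount_cents": 9900},
]

if __name__ == "__main__":
    for idx, reason in flag_transactions(SAMPLE):
        print(f"txn {idx} on {SAMPLE[idx]['card']}: {reason}")
```

In practice an issuer would raise a hold or send the cardholder a confirmation prompt rather than decline outright, since both rules produce false positives (a legitimate traveller, a family sharing one card number); the value of the pattern check is that it reaches the consumer in seconds, as the AmEx example later in this post describes.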
In theory, the required signature resists fraudulent use of lost or stolen cards. In practice, not so much. Even when clerks reconciled the signature on the check to the one on the card, it was an imperfect mechanism. In modern systems, where no one really reconciles the signature, the best that the mechanism can do is to permit the consumer to recognize disputed items that he really did sign. However, for the most part, issuers simply accept the word of the consumer that a transaction is fraudulent. The signature does not come into play.
The best way to resist the fraudulent use of lost or stolen cards is to check that a proffered card has not been reported lost or stolen. This works well in the US and Canada, where most transactions take place on line. In countries where many transactions take place off line, PINs are used.
American Express CEO Kenneth Chenault told President Obama that AmEx detects many fraudulent transactions within 60 seconds by sending a notification of use to the consumer's mobile or e-mail in real time.
Bank of America and others resist fraudulent use by permitting the consumer to turn the card on and off using an app. Again, this works well where most transactions are on line.
Android, Apple, and Samsung Pay resist fraudulent use by simply taking the card out of the transaction and substituting a digital token for the credit card number. Lost mobile phones resist fraudulent reuse with PINs for security and biometrics, e.g. facial and fingerprint recognition, for convenience.
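The two mechanisms this post leans on, the online check that a card has not been reported lost or stolen and the substitution of a token for the card number, fit together in a few dozen lines. The Python below is an added example, not code from the post or from any card brand or wallet: a hypothetical token vault issues a random token for a card number, the merchant stores and submits only the token, and every authorization is refused once the underlying card is on the hot list. The card numbers used are constructed test values.

```python
"""Tokenized checkout with an online lost/stolen check.

Added example, not the post's or any payment network's code. The Vault
class is hypothetical; real token services also bind tokens to a single
merchant or device, which is not modelled here.
"""
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by the card brands: catches typos, not fraud."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Vault:
    """Issuer / token-service side: the only place the card number lives."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_pan: dict = field(default_factory=dict)
    _hot_list: set = field(default_factory=set)   # cards reported lost or stolen

    def tokenize(self, pan: str) -> str:
        """Return a random token for the card; the same card maps to the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(16)   # 128 random bits, unrelated to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def report_lost_or_stolen(self, pan: str) -> None:
        """Revocation: the consumer's report puts the card on the hot list."""
        self._hot_list.add(pan)

    def authorize(self, token: str, amount_cents: int) -> str:
        """Online authorization on behalf of a merchant that holds only the token."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            return "DECLINED: unknown token"
        if pan in self._hot_list:
            return "DECLINED: card reported lost or stolen"
        if amount_cents <= 0:
            return "DECLINED: invalid amount"
        return "APPROVED"


def merchant_record(token: str, pan: str) -> dict:
    """What the merchant keeps on file: the token and a display hint, never the PAN."""
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = Vault()
    test_pan = "4111111111111111"          # constructed test value, not a real card
    tok = vault.tokenize(test_pan)
    print(merchant_record(tok, test_pan))
    print(vault.authorize(tok, 1999))      # APPROVED
    vault.report_lost_or_stolen(test_pan)
    print(vault.authorize(tok, 1999))      # DECLINED: card reported lost or stolen
```

The point the post makes about off-line markets is visible in `authorize`: the hot list only protects anyone if the merchant reaches the vault for every transaction. A terminal that approves off line and batches later cannot consult it, which is why those markets fall back to a PIN held on the card itself.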
Online merchants have never had the benefit of signatures but can resist fraud by using PayPal or other proxies instead of accepting credit cards at checkout. Where the merchant cooperates and the consumer uses American Express at checkout, AmEx will prompt the user for a one-time password sent to the user's mobile. This protects the merchant, the consumer and AmEx. All of these resist "card not present" fraud.
Only the brands and issuers really know how necessary and effective signatures and PINs are: they take the risk when they are not required.
The fundamental vulnerability in the retail payment system is the credit card number in the clear on the magnetic stripe. It remains a risk to merchants and issuers but is only a nuisance to the consumer.
In short, the future is mobile, tokenized, cordless, contactless, signature-less, PIN-less, and secure.
Friday, October 20, 2017
Monday, April 25, 2016
Compromise of Credit Card Numbers
Recently FireEye published an intelligence report stating that a previously unknown cybercrime group has hacked into numerous organizations in the retail and hospitality sectors to steal an estimated 20 million payment cards, collectively worth an estimated $400 million on the "cybercrime" black market.
To a near approximation, all credit card numbers more than a few months old are public. The market price has dropped to pennies. We are all equally targets of opportunity. That any one of us has not been a victim of fraud is mere chance. They have so many that they simply cannot get to us all.
The brands are at fault for marketing a broken system, one that relies upon the secrecy of credit card numbers but which passes them around and stores them in the clear. Their business model is at risk. They have the technology (EMV, tokenization, and checkout proxies), but the first is too slow for many applications and they are not promoting the other two to merchants or consumers.
Issuers take much of the fraud risk. They are attempting, with some short run success, to push this to the merchants. However, with merchants and consumers, they share in the risk of our broken system.
As the referenced report suggests, bricks and mortar merchants, particularly "big box" retailers and hospitality, are finding that both issuers and consumers are blaming them for the disclosure of the numbers. Issuers are charging back fraudulent transactions and suing merchants for the expense of issuing new cards after a breach. Their systems are being penetrated and numbers exfiltrated wholesale. Point of sale devices are being compromised, or even replaced, to capture debit card numbers and PINs. These are used to produce counterfeit cards. Some of these are used to purchase gift cards or get cash at ATMs. Merchant brands have been badly damaged by bad publicity surrounding breaches. While most of these merchants can resist compromise, there are more than enough to guarantee that some will fall. Merchants can reduce fraudulent transactions by preferring mobile and EMV cards, and by checking cards, signatures, and IDs, but all but the first slow the transaction and inconvenience the customer.
Online merchants are the target of all kinds of "card not present" scams and take the full cost of the fraud. While it will not stop the fraud, the online merchants can both protect themselves and speed up the transaction by not accepting credit cards and using only proxies like PayPal, Visa Checkout, Apple Pay, and Amazon.
While, at least by default, consumers are protected from financial loss from credit card fraud, the system relies heavily upon them to be embarrassed by it. At least one court has agreed to hear evidence as to whether or not consumers as a class are otherwise damaged when their card numbers are leaked to the black market.
All this is by way of saying that as long as anyone accepts credit card numbers in the clear, we will be vulnerable to their fraudulent use. There are now alternatives and we need to promote them, not simply tolerate them. Think numberless, card-less, and contact-less.
Monday, May 4, 2015
Chip and PIN Compared to Chip and Signature
As we begin on the long process of changing credit cards from the obsolete magnetic stripe technology to smart (EMV) "chip" cards, there has been a lot of criticism of the decision of the credit card issuers not to implement "Chip and PIN." Much of this discussion has asserted that "Chip and PIN" is more secure than the chosen chip card and signature strategy. Apparently this position is so obvious that it has stifled analysis.
I assert that Chip and PIN is only marginally more secure than Chip and Signature. It protects against the fraudulent use of lost or stolen cards. However, fraudulent use of lost or stolen cards is only a small portion of the fraud. The largest part uses counterfeit cards; chips resist counterfeiting.
For both the individual and the issuer, the best protection against fraudulent use of lost or stolen cards is to report the card lost or stolen. The individual is now protected against any use of the card. The issuer will revoke the card and is now protected against any online use of the card.
Note that the effectiveness of revocation depends in part upon the market. In the U.S., where most transactions take place online, it is very effective. In markets where the infrastructure is less robust and many transactions take place offline, revocation is less effective. Thus in the U.S. issuers are opting for Chip and Signature while in other markets Chip and PIN is chosen.
Note that only the issuers know what the losses from fraudulent use of lost or stolen cards are, that is, how much fraud might be reduced by the use of a PIN on all transactions. It is fair to assume that they know what they are doing.
Some have asserted that, in the absence of the PIN, security will rely upon clerks to reconcile a signature on the transaction document to the reference signature on the card. For most routine transactions we do not rely upon the clerk to verify the signature or even to touch the card. While in some places we still sign a chit, at checkout stands we sign on a little tablet (I hate them.) No one ever checks the signature unless the transaction is disputed. Said another way, at least in the U.S., we rely mostly on possession of a current card to authenticate most transactions; both signatures and PINs are backup, and there is little to choose between them.
Labels: Chip and PIN, credit cards, DSS, magnetic stripe cards, PCI, PIN, POS