The following is a two-part article. The first is below, and the second may be viewed here.
Introduction
Credit card fraud and Christmas season go together like hot chocolate and a yuletide log fire …but instead of a log it’s actually your house burning to the ground. Fortunately these days, peace of mind is offered by credit card companies with their ‘100% consumer protection against fraud and unauthorized charges’. Still, receiving the fateful call from your bank that your card has been flagged puts a giant damper on the caroling spirit.
In the worse case, your credit card is on holiday for several days until the next one arrives, with no money lost. Worse yet, your debit card was stolen. Debit cards don’t enjoy the same consumer protection as they aren’t backed by credit. Sadly, you are more than likely out the money the thief stole. Panic sets in, and the clock ticks faster towards Saint Nick’s arrival. “How did I let this happen?” questions fill your head. Is there anything you can do to save Christmas?
If the above paragraph doesn’t sound like you, consider yourself fortunate so far. Many this holiday season will experience their identity being compromised for the first time. For the rest, this may be the third or fourth time they’ve been compromised, and they are out of ideas on how to stop it. Fortunately, as with everything, prevention is key.
The State of Credit Card Fraud
In truth, there’s very little the industry is willing to do to prevent fraud. With regard to card security, they’ve set the barrier to entry for cards so low for consumers that thieves still can’t believe how easy it is. Tools to combat fraud exist, but the industry does not wish to sacrifice its revenue streams to educate you or even ask you to use them.
This is not to say the industry isn’t trying. In 2004, the major card brands (Visa, MasterCard, Discover, and American Express) formed a council that developed the PCI Compliance standard. The standards dictate what merchants must do to ensure they conform to card security. The problem lies in the fact that a standard is not law. With merchants feeling the brunt of responsibility, it’s often easier to deal with the fine than to implement the PCI compliant standards. If there is any opportunity to be made on the industry, it may begin with the consumer.
So how prevalent is credit card fraud? According to Nasdaq.com, credit card and identity theft jumped 43% worldwide in 2014 from the year before, resulting in over $16 billion in losses in the U.S. alone. Speaking of the United States, we’ve been hysterically slow at combating the problem. While we adopted the EMV-chip technology a few years ago, we’ve refused to enable the 4-digit pin. Both have been in use in Europe since the 1990s.
Certainly as a consumer like myself, you dread the idea of remembering ANOTHER 4-digit pin. But both are great examples of security fundamentals that you need to know.
Understanding the 3 Factors of Authentication
Let’s start with a simple scenario: You want to pay for goods with a credit card. In order to pay for those goods, you need to give up your credit card momentarily to the merchant.
You trust the merchant, and hand over your card. Congrats, you performed just one access control factor out of three possible factors, which was “something you have”.
Here are the three factors to authentication (with examples):
- Something you know. (password, pin number)
- Something you have. (credit card, house key)
- Something you are. (fingerprint, retina)
Security fundamentals suggest that having at least one of the above factors provides a layer of security. The problem is that each factor alone has drawbacks. A password can easily be stolen, a house key could be replicated, and biometrics can be expensive to implement. But if you combine two or more of those factors, your security increases substantially.
In the scenario above, your credit card was an item you decided to relinquish in order to gain access. A second layer of security was assumed to be provided with the advent of the signature. The problem with credit cards is that they can be misplaced or the full card details stolen. And let’s be honest, cashiers are conditioned to not care about the signature.
The EMV-chip and 4-digit pin combo addresses the above problems. The chip is designed to dynamically generate a unique code at each transaction, making the credit card number touch fewer systems. Add the extra layer of a 4-digit pin code, and the card becomes useless when stolen.
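To make the two ideas above concrete, here is an added example (not part of the original article) that models a chip producing a fresh code per transaction and refusing to sign without the pin. It is a simplified sketch: HMAC-SHA256 stands in for EMV's actual cryptogram algorithm, and the class names, message layout and counter handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Card:
    """'Something you have': a chip holding a secret key that never leaves it."""

    def __init__(self, pan, key, pin):
        self.pan = pan
        self._key = key
        self._pin = pin          # 'something you know'
        self._counter = 0        # transaction counter kept on the chip

    def authorize(self, amount_cents, entered_pin):
        # The chip refuses to sign anything without the right pin.
        if not hmac.compare_digest(entered_pin, self._pin):
            return None
        self._counter += 1
        msg = f"{self.pan}|{amount_cents}|{self._counter}".encode()
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents,
                "counter": self._counter, "code": code}


class Issuer:
    """Bank side: shares the card key and remembers the last counter seen."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def issue(self, pan, pin):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_counter[pan] = 0
        return Card(pan, key, pin)

    def verify(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None or tx["counter"] <= self._last_counter[tx["pan"]]:
            return False  # unknown card, or a replayed/old transaction
        msg = f"{tx['pan']}|{tx['amount']}|{tx['counter']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["code"]):
            return False  # tampered amount or forged code
        self._last_counter[tx["pan"]] = tx["counter"]
        return True
```

A transaction record captured at one merchant fails `verify` when presented a second time, because its counter is no longer ahead of the issuer's; a static card number alone has no such property.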
At the forefront of mobile payments, Apple and Google have implemented additional authentication factors for consumers with varying degrees of success. Given the scenario we discussed above, it’s hopefully easier to understand why these are intelligent by design. Despite this, merchants have been extremely slow to enable the functionality, robbing consumers of the protection they need.
Part 1 Conclusion
So we’ve discussed the stale and stagnant state of the industry. We’ve discussed how factors of authentication add protection. But how do the thieves do it? How can you identify fraud? How do you prevent it? We’ll have the answers for you in the next article.
Read Part 2 here.