Charging Technology Is Not "Pre-Approved"
by Paul McGoldrick

Credit/charge card fraud must have hit just about every family in America that carries such convenience plastic. I know that in my family my spouse had an online "gift" charged to a card, with the product shipped to an address in Eastern Europe, but my own epiphany about such fraud was a real eye-opener.

I was buying yet another garment bag at a shopping outlet when the charge on one of my credit cards was declined. It was a Saturday, of course, so (and things have changed since then to 24/7 service) I had to wait until Monday to find that someone had bought a huge volume of perfume on "my card" in Paris. As the card was in my physical possession, the card that had been tendered must have been fake. Not only did the thief get away with all that perfume, he/she also bought a splendid dinner at a restaurant in Paris that I would never have been able to afford and, the cheek of it, charged a train and ferry ride (to the UK) and took my account over its credit limit.

Cards are better designed now and have that extra code on the back (next to the signature box) that adds another layer of security in a face-to-face transaction. But the industry seems to have been very slow in endorsing technology to catch up to the crooks. Why?

I have been unable to find a total for the amount of credit card fraud in the US -- maybe it's not really known, or just too embarrassing -- but the UK reported £430 million (about US$650 million) in 2002 with nearly half of that still from what the industry calls "card skimming," which is the use of counterfeit cards where the data on a real card is read from the magnetic stripe and copied to the counterfeit. Consumers are said to not even check their statements in many cases, so there is probably a lot more fraud out there that is not reported. But when you look at who actually loses the money it is easy to find why the card issuers haven't been in any rush to stay ahead of the crooks. That huge amount of money in the UK was, as it is here, at absolutely no cost to the card industry. All is eaten by the businesses that accepted the card.

Worse still, the card issuers actually make money on bad transactions. Although, in most cases, the bank can charge the cardholder up to $50 on a fraudulent transaction, they seem to avoid doing it unless the consumer was really stupid -- like losing a card and not reporting it. But the merchant receives a chargeback of the amount of the transaction and is also charged a service fee to do so. MasterCard even adds a fine as well if the merchant accepts more than 1% of bad charges in any month! So the merchant is out his service or merchandise, a service fee and maybe a fine.

There are solutions for face-to-face transactions. Smart cards embedded with a chip have been around in Germany and France for some years and they are now being adopted in the UK. The buyer needs to key in a four-digit PIN (matching that stored in the IC) whenever the card is used. There are different terminals for differing sorts of business, with even wireless units that can be used in restaurants where the diner doesn't have to leave the table -- nor let the charge card leave his physical presence. But with cards issued valid for 3 and 4 years it will take that amount of time for the additional security to be globally effective, and in the US there is not even the hint that such a system is being considered. The merchant also needs to buy or rent the additional equipment for the PIN recognition, but most would do that in an instant if they knew the days of chargebacks were going away. The exception, of course, is the case of people who keep records of their PINs in the same place as the cards, as many do with their ATM cards, so the stolen wallet is quickly transformed by the crook into cash or merchandise, up to the charging limit.

But fraud online is rampant, when the charge card doesn't have to be physically present, and although deterrents like ZIP code verification are used (no, you were wrong when you thought your complete billing address is verified) it has made little difference. Identity theft has now been recognized as a serious crime and statutes define it as a federal felony in the US; there is no reason why credit card fraud should not be considered a version of identity theft, but when you look at the countries where a lot of transactions originate there is no way the FBI is going to pursue them unless the amounts of money involved are huge.

The leading countries in credit card fraud are (in alphabetical order to protect the less guilty):

Visa has now launched the "Verified By Visa" program, which causes a pop-up window to appear in a transaction with a participating online vendor, when you use a participating financial institution's Visa card, and when the card has been registered. The pop-up window can even have a personal message for your card, like "It's OK, John, this is a real Verified By Visa message." You then enter your registered PIN and Visa approves you and the transaction. It appears that the promise for the merchant is that any Verified By Visa transaction cannot be charged back, as any error would be Visa's.

This system will again take 3 or 4 years before it is widespread enough to do any real good. And the system requires cookies enabled, as well as JavaScript and pop-up windows -- three known anathemas for engineers! It also, again, offers no protection for people who leave their PIN with their card, and as the merchant is still going to be presented with card numbers which aren't set up for the system, or aren't registered, he is going to have to decide whether he can risk those other transactions.

Surely, however, there is a very simple way to verify that a transaction is not being diverted to one of the known rogue countries: do an IP address verification on the buyer. If the country does not match the buyer's address, no order. If the country is one of the rogues, no order. If the purchaser uses an anonymous proxy, hiding the real IP address, no order. Such a system can be taken further within North America by having the actual IP address somehow coded into the credit card verification information (so, ZIP code plus IP address) -- maybe not the last digits, to allow for dial-up systems that don't offer fixed IP addresses.

Yes, this would make it a little difficult to order when you are on the road, but there could be a back-up system for that too if the actual ISP providing your e-mail was also in the verification records.
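The IP screening rules proposed above, written out as an added example that is not part of the original article. The address ranges, country codes, proxy list and function names are constructed placeholders; rejecting addresses of unknown origin is an assumption, and the on-the-road fallback is not modeled.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for a real
# IP-to-country database. Country codes and both lists are placeholders.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "GB",
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # placeholder blocked country
}
BLOCKED_COUNTRIES = {"XX"}  # the article's own country list is not reproduced
KNOWN_PROXIES = {ipaddress.ip_address("198.51.100.77")}  # constructed entry


def lookup_country(ip):
    """Return the country code for an address, or None if it is not mapped."""
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return None


def screen_order(client_ip, billing_country, registered_prefix=None):
    """Return (accepted, reason) for a card-not-present order.

    registered_prefix is the network stored with the card's verification
    data; a /24 ignores the last octet, which tolerates dial-up pools.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip in KNOWN_PROXIES:
        return False, "anonymous proxy"
    country = lookup_country(ip)
    if country is None:
        return False, "unknown origin"  # assumption: fail closed
    if country in BLOCKED_COUNTRIES:
        return False, "blocked country"
    if country != billing_country:
        return False, "country mismatch"
    if registered_prefix is not None:
        if ip not in ipaddress.ip_network(registered_prefix):
            return False, "prefix mismatch"
    return True, "ok"
```

The proxy check runs first because a proxy's own location says nothing about the buyer, so the country rules would otherwise be evaluated against the wrong address.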

It would be real nice if the next generation of charge card users would be able to say, "I know nobody who has had fraud on their credit cards."



analogZONE
(c) 2003. All rights reserved.