Wednesday, October 14, 2015

New season of credit cards fraud

Holiday season is coming and with it a new credit card fraud season. You might say I'm exaggerating, but I'm not. Experts are expecting it. Everyone might argue that, after what happened at Target, vendors are ready; you would be wrong.

What is the problem with credit cards in the US? The infrastructure and the credit card itself. Why? Well, it is the same as with the Internet infrastructure. In the US you can pay lots of money for a modest Internet connection compared with other countries which implemented their networks in the last 15 years and offer greater speeds for less money. The explanation is simple: those countries implemented new technologies to begin with and upgraded them regularly due to fierce competition or government regulations.

The same thing applies to credit card technology, which was implemented in the US and still uses outdated systems. I remember when I received my first bank card over 10 years ago: it only had a magnetic stripe and a PIN. We have always used a PIN in Europe, which is a code you input to accept a transaction. After four years I received a new card, a chip card. This was done automatically by the bank in accordance with EU regulations.

Why did the US wait for such a long time to impose chip cards?
It was evident for more than 7 years that stripe cards can be easily cloned, and nothing happened. Everyone was telling the US they should implement chip cards. It's difficult now to change all the cards forcefully. If the process had started 7 years ago, it would have been seamless. In Europe this process didn't happen in a year; it took three or four years. It started with the government of a particular country deciding that from a certain date all the credit cards issued in that country would be chip cards. When someone needed to renew their expired card, they automatically received a new chip card. The same principle applied to POS terminals. When the first chip cards were issued, no one had a chip POS, but in one or two years all the merchants switched.

This month, October 2015, was the game changer for fraudulent credit card transactions in the form of a responsibility shift. If a POS transaction is made using the old method (swipe and signature), the responsibility for reimbursement falls on the merchant. This is meant to impose the new chip POS.
I must say that the US has implemented the less secure version, using chip and signature instead of chip and PIN. The faulty arguments were: a PIN can be easily stolen, and a signature is much easier for the merchants. Yes, it is true that a PIN can be stolen, but if you have decent security for it, it doesn't happen that often. Plus, the PIN database is kept separate from the credit card number database, as per regulations. When you input the wrong PIN three times, the card is blocked, which is a very good security feature. A signature is very easy to falsify in the context of credit cards. What some experts argue is: you sign on the back of the credit card, then you sign the receipt, and the vendor will check the signature. That's funny! If you steal a credit card, all you have to do is check the back, see the signature, and do something almost similar. The vendor is not an expert in signatures, and let's be realistic, in most cases he won't check it. If you use a PIN transaction, you have to input the PIN into the POS. Someone might look over your shoulder when you type it, but you can easily defend against that. People think that it takes longer to finalize a transaction with a PIN, which is not true, because after you input the PIN (4 or 6 digits) you wait for the receipt and leave (you don't need a signature). It's the same amount of time.
The problem in the US is even bigger, because merchants who want to implement a chip POS have to be PCI-DSS compliant (Payment Card Industry Data Security Standard). The image for this post is the high-level overview of PCI-DSS. You can clearly see that the requirements are not that stringent, and they are what you would expect when handling credit card information. In January 2015 Verizon released a report which shows that of 5000 companies from 30 countries which suffered a security breach, none was compliant with PCI-DSS at the time of the breach. Another problem is outdated operating systems. Statistics show that over 52% of merchants still run Windows XP (EOL - End of Life April 2014), and 20% run Windows Server 2003 (EOL July 2015). The merchant can buy support for $400 per machine, but that doesn't guarantee that Microsoft will solve all the security issues. The price is so high that it doesn't even make sense to keep using EOL systems. Personally, I doubt they even buy support.
Some companies might be compliant when they implement the PCI-DSS standard, but after an average of 6 months they don't comply anymore. People don't understand that security is an ongoing effort, and the least you should do is install all the updates, which for the most part are security fixes. This next holiday season will be very interesting from the security point of view, way worse than the last one from the shopper's perspective. Shoppers will have to get their money back for fraudulent transactions from the merchants and not from the credit card companies. Some merchants might be small businesses and might not be able to afford to give the money back.

1 comment:

  1. "The vendor is not an expert in signatures, and let's be realistic, in most cases he won't check it."

    Bingo. The entire idea of signatures is a joke thanks to this. No one checks the signature anyway, it's basically just for show.

    - Sarah