This is the first in what will probably be a very long series of articles. Ultimately, this is the beginning of the story of why I stopped writing nearly a year ago. TL;DR: I learned some things about how the world works that I couldn't figure out how to write about without coming across like a paranoid loon, and I couldn't get them far enough out of my head to write cogently about anything else. I'm still not sure I can tell this story without sounding like a paranoid loon, but I've decided to take that chance.
TL;DR2: There are some fairly straightforward technical solutions to the problem of credit card fraud. Some of them are new and innovative, while others are already in widespread use throughout the world, but not in the U.S. But none of these solutions will be deployed in the U.S. any time soon, not because it's hard, but because the established players in the financial industry won't allow it.
Some of this gets technically complicated, but I'm going to try to keep it as simple as I can. Part of the solution to the problem has to be to educate people about what is going on, so I hope this post and the ones that follow will reach a broad audience. If you're one of my technical readers, I apologize if some of what follows sounds condescending.
So let's start with the problem, and the solution.
The fundamental problem with credit cards is that the protocol they use is fundamentally insecure. To conduct a transaction with a credit card you have to give information to the person you're transacting with. In particular, you have to give them your card number. The problem is that this information is not bound to the transaction you are conducting. It is reusable. Once someone knows your card number they can use it to conduct any transaction they choose. There is no security built into the system at all. It relies entirely on trust.
This was OK back in the 1950s (or the 1930s, or 1887 depending on how you count) when credit cards were first invented. Back then you had to be physically present to conduct a transaction. The risk of getting caught if you decided to try to commit credit card fraud was high enough that it was (mostly) an effective deterrent.
In the 1960s merchants began to accept credit cards for orders placed over the telephone. This decreased the risk of getting caught, and fraud began to be a major problem. Those of us who grew up in the 1960s and 70s will remember merchants leafing through paper directories of compromised credit card numbers issued on a regular basis by the card companies.
With the advent of the internet and e-commerce in the 1990s, the risk of getting caught committing credit card fraud dropped essentially to zero, especially if you were located in a different country. The result was the beginning of the epidemic of card fraud and identity theft we see today.
There are technological solutions to this problem. The most effective (IMHO) is a technology called public-key cryptography, which was first invented in the 1970s and has since become widely used. I don't want to get too deeply into the technological weeds at this point in the story, so for now just take my word for it: using this technology, it is possible to design protocols that allow the information exchanged to conduct a financial transaction to be strongly bound to that one transaction so it can't be reused. Deploying this technology would essentially solve the problem of credit card fraud, and save the world's economy billions of dollars a year.
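To make "bound to that one transaction" concrete, here is an added sketch (not a protocol from this article or from any card network) in which the cardholder's device signs the merchant, amount and transaction ID with Ed25519 and the issuer checks the signature. The `Issuer` type, the field layout and all sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Issuer is a hypothetical card issuer: it holds the cardholder's public key and used IDs.
type Issuer struct {
	pub  ed25519.PublicKey
	seen map[string]bool
}

// message serializes the fields that the signature binds together.
func message(merchant string, cents int, txID string) []byte {
	return []byte(fmt.Sprintf("%q|%d|%q", merchant, cents, txID))
}

// Authorize runs on the cardholder's device; the private key never leaves it.
func Authorize(priv ed25519.PrivateKey, merchant string, cents int, txID string) []byte {
	return ed25519.Sign(priv, message(merchant, cents, txID))
}

// Approve accepts a transaction only if the signature matches these exact
// fields and the transaction ID has not been used before.
func (i *Issuer) Approve(merchant string, cents int, txID string, sig []byte) bool {
	if i.seen[txID] || !ed25519.Verify(i.pub, message(merchant, cents, txID), sig) {
		return false
	}
	i.seen[txID] = true
	return true
}

// Demo returns the issuer's decisions for the genuine purchase, the same
// signature replayed, and the same signature reused for another purchase.
func Demo() (genuine, replayed, reused bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	issuer := &Issuer{pub: pub, seen: map[string]bool{}}
	sig := Authorize(priv, "Example Books", 2599, "tx-0001") // constructed sample values
	genuine = issuer.Approve("Example Books", 2599, "tx-0001", sig)
	replayed = issuer.Approve("Example Books", 2599, "tx-0001", sig)
	reused = issuer.Approve("Other Shop", 90000, "tx-0002", sig)
	return
}

func main() { fmt.Println(Demo()) }
```

Unlike a card number, what the merchant receives here is useless for any other purchase: only the first call is approved.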
So why hasn't it been done?
It's not because no one has tried. I took a serious whack at it starting in December 2008. I finally folded up the tent on that effort in March of last year (shortly after I stopped writing, and the two events are not unrelated). The story of that effort is long and complicated, but the upshot is this: the financial industry has erected barriers to entry that are much more effective than I ever dreamed possible in an ostensibly democratic and capitalistic society. It is not just me who has failed to deploy public-key encryption technology in the United States; no one has been able to do it. I don't know how many serious attempts there have been besides my own, but I do know that public-key technology has been successfully deployed in other parts of the world, notably Asia and Europe. Furthermore, this is no secret. I wouldn't say that everyone knows it (one of the shocking things I learned is that there are profoundly disturbing levels of ignorance about how the financial system works even among people who work in the industry) but it is widely known.
Why has the credit card industry not deployed this technology? Surely all this fraud is costing them money, so they have a strong incentive to fix it? Well, no. Fraud isn't costing them money, it is costing you money. All of the costs of processing credit cards, including the cost of fraud, are passed on by the card companies and the banks to the merchants, who in turn pass the cost on to you, the consumer. Worse, until very recently, merchants were contractually forbidden from letting you know that these costs were being passed on to you. In a free market, the way this would sort itself out is that merchants would charge extra for paying with a credit card to reflect the extra costs associated with them. But until last year, this was forbidden, not by law, but by the card companies' terms of service.
Even just this little corner of the problem is far from being resolved. It's complicated. The whole situation is horribly, horribly complicated, which is one of the things that makes it so hard to write about, and why I wedged on it for nearly a year. (Maybe I'm still wedged. We'll see.)
I'm going to leave it at that for now. This story is going to be a long haul. But I'll give you a sneak preview of things to come by pointing out two facts: 1) no one has gone to prison as a result of the sub-prime disaster. No one has even been brought to trial. And 2) Hong Kong Savings Bank was recently caught red-handed laundering vast amounts of money for drug cartels over a ten-year period. The punishment they received was a fine amounting to about a month's worth of profits.
Neither of those things surprises me any more.