Friday, February 22, 2013

A simple solution to credit card fraud (and why you won't see it any time soon)

This is the first in what will probably be a very long series of articles.  Ultimately, this is the beginning of the story of why I stopped writing nearly a year ago.  TL;DR: I learned some things about how the world works that I couldn't figure out how to write about without coming across like a paranoid loon, and I couldn't get them far enough out of my head to write cogently about anything else.  I'm still not sure I can tell this story without sounding like a paranoid loon, but I've decided to take that chance.

TL;DR2: There are some fairly straightforward technical solutions to the problem of credit card fraud.  Some of them are new and innovative, while others are already in widespread use throughout the world, but not in the U.S.  But none of these solutions will be deployed in the U.S. any time soon, not because it's hard, but because the established players in the financial industry won't allow it.

Some of this gets technically complicated, but I'm going to try to keep it as simple as I can.  Part of the solution to the problem has to be to educate people about what is going on, so I hope this post and the ones that follow will reach a broad audience.  If you're one of my technical readers, I apologize if some of what follows sounds condescending.

So let's start with the problem, and the solution.

The fundamental problem with credit cards is that the protocol they use is fundamentally insecure.  To conduct a transaction with a credit card you have to give information to the person you're transacting with.  In particular, you have to give them your card number.  The problem is that this information is not bound to the transaction you are conducting.  It is reusable.  Once someone knows your card number they can use it to conduct any transaction they choose.  There is no security built into the system at all.  It relies entirely on trust.

This was OK back in the 1950s (or the 1930s, or 1887 depending on how you count) when credit cards were first invented.  Back then you had to be physically present to conduct a transaction.  The risk of getting caught if you decided to try to commit credit card fraud was high enough that it was (mostly) an effective deterrent.

In the 1960s merchants began to accept credit cards for orders placed over the telephone.  This decreased the risk of getting caught, and fraud began to be a major problem.  Those of us who grew up in the 1960s and 70s will remember merchants leafing through paper directories of compromised credit card numbers issued on a regular basis by the card companies.

With the advent of the internet and e-commerce in the 1990s, the risk of getting caught committing credit card fraud dropped essentially to zero, especially if you were located in a different country.  The result was the beginning of the epidemic of card fraud and identity theft we see today.

There are technological solutions to this problem.  The most effective (IMHO) is a technology called public-key cryptography, which was first invented in the 1970s and has since become widely used.  I don't want to get too deeply into the technological weeds at this point in the story, so for now just take my word for it: using this technology, it is possible to design protocols that allow the information exchanged to conduct a financial transaction to be strongly bound to that one transaction so it can't be reused.  Deploying this technology would essentially solve the problem of credit card fraud, and save the world's economy billions of dollars a year.
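For technical readers, here is what "bound to that one transaction" can look like in code. This Go sketch is an added example, not the author's protocol or any card network's: it assumes the cardholder holds an Ed25519 private key and the issuer has the matching public key on file, and the names (`Authorization`, `Issuer`, `Settle`, the account, merchant and nonce strings) are hypothetical, constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authorization is all the merchant receives: valid for one merchant, amount and nonce.
type Authorization struct {
	Account, Merchant, Nonce string
	Cents                    int64
	Sig                      []byte
}

// message is the signed byte string; %q quoting keeps field boundaries unambiguous.
func (a Authorization) message() []byte {
	return []byte(fmt.Sprintf("%q|%q|%d|%q", a.Account, a.Merchant, a.Cents, a.Nonce))
}

// Issuer holds each account's public key and the nonces already spent.
type Issuer struct {
	Keys  map[string]ed25519.PublicKey
	Spent map[[2]string]bool
}

// Settle is called with the identity of the merchant asking to be paid.
func (i *Issuer) Settle(submitter string, a Authorization) error {
	pub, ok := i.Keys[a.Account]
	if !ok || !ed25519.Verify(pub, a.message(), a.Sig) {
		return errors.New("bad signature")
	}
	if a.Merchant != submitter {
		return errors.New("authorization names a different merchant")
	}
	id := [2]string{a.Account, a.Nonce}
	if i.Spent[id] {
		return errors.New("authorization already used")
	}
	i.Spent[id] = true
	return nil
}

// Demo runs a constructed scenario and returns the issuer's four verdicts.
func Demo() [4]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	iss := &Issuer{Keys: map[string]ed25519.PublicKey{"acct-1": pub}, Spent: map[[2]string]bool{}}
	a := Authorization{Account: "acct-1", Merchant: "bookshop", Nonce: "n-0001", Cents: 2599}
	a.Sig = ed25519.Sign(priv, a.message()) // done on the cardholder's device; the key never leaves it
	inflated := a
	inflated.Cents = 259900 // amount edited after signing
	return [4]error{iss.Settle("bookshop", a), iss.Settle("bookshop", a), // first use, replay
		iss.Settle("other-shop", a), iss.Settle("bookshop", inflated)} // other merchant, tampered
}

func main() { fmt.Println(Demo()) }
```

Only the first submission settles; the replay, the copy presented by a different merchant and the edited amount are each refused, which is exactly the property a bare card number lacks.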

So why hasn't it been done?

It's not because no one has tried.  I took a serious whack at it starting in December 2008.  I finally folded up the tent on that effort in March of last year (shortly after I stopped writing, and the two events are not unrelated).  The story of that effort is long and complicated, but the upshot is this: the financial industry has erected barriers to entry that are much more effective than I ever dreamed possible in an ostensibly democratic and capitalistic society.  It is not just me who has failed to deploy public-key encryption technology in the United States; no one has been able to do it.  I don't know how many serious attempts there have been besides my own, but I do know that public-key technology has been successfully deployed in other parts of the world, notably Asia and Europe.  Furthermore, this is no secret.  I wouldn't say that everyone knows it (one of the shocking things I learned is that there are profoundly disturbing levels of ignorance about how the financial system works even among people who work in the industry) but it is widely known.

Why has the credit card industry not deployed this technology?  Surely all this fraud is costing them money, so they have a strong incentive to fix it?  Well, no.  Fraud isn't costing them money, it is costing you money.  All of the costs of processing credit cards, including the cost of fraud, are passed on by the card companies and the banks to the merchants, who in turn pass the cost on to you, the consumer.  Worse, until very recently, merchants were contractually forbidden from letting you know that these costs were being passed on to you.  In a free market, the way this would sort itself out is that merchants would charge extra for paying with a credit card to reflect the extra costs associated with them.  But until last year, this was forbidden, not by law, but by the card companies' terms of service.

Even just this little corner of the problem is far from being resolved.  It's complicated.  The whole situation is horribly, horribly complicated, which is one of the things that makes it so hard to write about, and why I wedged on it for nearly a year.  (Maybe I'm still wedged.  We'll see.)

I'm going to leave it at that for now.  This story is going to be a long haul.  But I'll give you a sneak preview of things to come by pointing out two facts: 1) no one has gone to prison as a result of the sub-prime disaster.  No one has even been brought to trial.  And 2) Hong Kong Savings Bank was recently caught red-handed laundering vast amounts of money for drug cartels over a ten-year period.  The punishment they received was a fine amounting to about a month's worth of profits.

Neither of those things surprises me any more.

32 comments:

tonyg said...

When you say that public-key crypto has been deployed in Europe for credit cards, do you mean "chip and pin"?

Ron said...

Yes.

Anonymous said...

Two spaces after a period...on the *internet*?! Did you write this blog post on a typewriter?!

“In the nineteenth century, which was a dark and inflationary age in typography and type design, many compositors were encouraged to stuff extra space between sentences. Generations of twentieth century typists were then taught to do the same, by hitting the spacebar twice after every period. Your typing as well as your typesetting will benefit from unlearning this quaint Victorian habit. As a general rule, no more than a single space is required after a period, colon or any other mark of punctuation”


Ron said...

Seriously? Your complaining about my use of spaces? But if you must know, I actually *did* start my typing career on an actual typewriter, and old habits die hard.

pehrlich said...

I'm curious about these 'very recent' changes in how fees are represented, and especially the forces at work today causing this change (and hopefully more?) to happen. Will you be writing more on this?

PJ Gupta said...

Ron,

PKI would be a panacea for Credit Card transactions, particularly for the CNP (Card not present) space since the fraud in CNP is generally an order of magnitude more than Physical i.e. Card Present space, however given today's state of affairs there are many more elegant ways to reduce fraud. Banks have multiple ways to generate a one-time use number linked to the Credit/Debit card number but like you said - they are "insured" against fraud and have little incentive.
Agreed on the need to have private enterprise solve this problem.

Nate Abele said...

In a free market, the way this would sort itself out is that merchants would charge extra for paying with a credit card to reflect the extra costs associated with them.

As far as I'm aware, what credit card companies' terms of service forbid are undisclosed surcharges associated with accepting credit card payments (they also forbid transaction minimums). Charging extra for credit card payments is perfectly acceptable if you list the credit card price in the same place as the cash price.

This is why, for example, you often see separate CC & cash prices listed for a gallon of gas at a gas station.

Don Geddis said...

@Nate: you can offer a "cash discount", but you cannot advertise an "extra fee for credit cards".

You may think it's the same thing, but the subtle marketing difference can matter. The "regular posted advertised price" must be the credit card price. You cannot advertise a lower price, and then when the customer comes in, and wishes to pay with credit card, only then say "oh, if you want to use a CC, I'm going to raise the price."

Anonymous said...

Ron,

Someone needs to share this stuff. I can understand being frustrated about writing about this, but it sounds like your experiences NEED to be out there. I hope you will continue sharing your knowledge!

Andy J said...

@Don is correct. I worked for a company that almost had its merchant account pulled because they were charging extra for a credit card transaction. They even blatantly advertised there would be an additional fee.
The whole thing is really messed up. Even in a previous company I owned it stated in the merchant account agreement that I could not charge extra for credit card transactions. But the card companies can charge all they want.

@Ron hit it right on the head. It is not the credit card companies that are losing billions every year, it is us, the consumers. They will gladly keep losing money if it means they can charge more for the use of the card and in interest.

It truly is the messed up country we live in. Similar to the tobacco companies that were fined several years ago. The fine amounted to less than what the companies made in a day.

Anonymous said...

Bitcoin! Currency founded on public key cryptography, free of chargebacks!

Unknown said...

Looking forward to reading more.

Anonymous said...

as someone who experienced CC fraud for the 1st time yesterday, I can say it has nothing to do with the paradigm changing from 'being there' to 'buying remotely' at all!

all the fraudulent charges on my card happened in 2 or 3 days, in another state, at supermarkets and Walgreens and CVSs.

at all times, the person was present, and committing good old fraud as they would have committed in 1950s, or the 1930s, or 1887.

Anonymous said...

I'm still disgusted (perhaps more than I should be) that nobody has yet been brought to trial for the sub-prime abuses / collapse.

What's even more disturbing is the amount of "oh well" / helplessness feeling there is about it.

This post brings up an old YouTube clip I found concerning the Mythbusters and RFID on the credit card. I remember seeing a short clip where they revealed a certain phone call which turned out to be several giant world corps and heavy legal reps "persuading" them to drop the idea. In fact, it seems like they can't even discuss it beyond that one mention.

Anonymous said...

>"Seriously? Your complaining about my use of spaces? But if you must know, I actually *did* start my typing career on an actual typewriter, and old habits die hard."

I was going to defend your use of two spaces until you used "your" in place of "you're".

Ron said...

Youch! Your vs you're is one of my pet peeves. Pure carelessness on my part. Mea maxima culpa. It's been a crazy morning.

Anonymous said...

@Ron, you might want to get all your posts online quickly and not drag it out too long. Please do it before you get a "persuasive" call from some powerful people like the MythBusters show got. At least everything you have to say will be online and your story can be heard. It sounds too important to take a chance on being silenced.

Anonymous said...

The subprime crisis was caused by the government - Obama's lawsuit that not-lending to people who can't repay is "racist" (and then after winning his clients defaulted) and the Clinton changes to the CRA forcing banks to lend to people who couldn't repay and the Clinton, Bush and Obama low-interest rates and incentives to lend by providing a market for bad mortgages by Fannie Mae made the whole thing profitable.

The people who belong in jail are universally politicians.

So, of course none of them are going to go on trial.

That's how deep the corruption runs.

Anonymous said...

"In a free market, the way this would sort itself out...this was forbidden, not by law, but by the card companies' terms of service."

(emphasis mine)

Isn't it the free market (ie. one without regulation, namely by laws) that allows this?

Rudd-O said...

I love the two spaces after a period, and I do so myself not even caring that HTML usually swallows it unless nbsp.

Fuck yes.

Also, BITCOIN solves your problem and it is being deployed now. Get on board!

Bradley said...

Hey Ron. When you say chip and pin is the public key crypto you wanted, are you referring to an EMV transaction? Because if so that's actually symmetric key crypto. I'm surprised that American banks don't use this.

Anonymous said...

> The punishment they received was a fine amounting to about a month's worth of profits.
> Neither of those things surprises me any more.

Ron, now I am surprised that it took you that long to figure out how the world works. Ok, can't blame you, most people don't have a clue, the school system is part of the problem and if you are one of the few independent thinkers you will be considered a lunatic.

Pablo S. said...

What about something like this? This is starting to be rolled out slowly, but I think it will be a nice approach.

http://news.discovery.com/tech/mastercard-display-card-121109.htm

BrunoC said...

"Once someone knows your card number they can use it to conduct any transaction they choose.". Not quite the case. In order to authorize a transaction, you must provide authentication data, such as the full track of the card (meaning that you have the actual physical card with you) or card validation codes for card-not-present transactions. Card numbers, a.k.a. PAN, alone will get you virtually nowhere. That said, I agree that a '50s tech isn't the way to go. However, as of 4/1/2013, here's what Visa is requiring: "U.S. acquirer processors and sub-processor service providers must be able to support merchant acceptance of chip transactions ". And, for those who so are inclined, take a look at the Visa International Operating Regulations (look it up, it's a public doc) document, a baffling 1287 page document that pretty much explains every single aspect of Visa's operation.

Unknown said...

@Ron is there any chance we can talk? I'm actually working on this very issue and it might be good for a conversation. What do you say?

Anonymous said...

I agree.
This miscreant has obviously looked this up on Wikipedia or he's 100 years old. Two spaces make it easier to READ, giving your brain the subconscious preview that the thought is coming to an end.

Ron said...

> Please do it before you get a "persuasive" call from some powerful people like the MythBusters show got.

That's pretty unlikely. Frankly, I hope I do get such a call. It would mean I've made an impact.

> Isn't it the free market (ie. one without regulation, namely by laws) that allows this?

No. The real problem is regulatory capture.

> When you say chip and pin is the public key crypto you wanted, are you referring to an EMV transaction?

Chip-and-pin is not what I want, it's just an existence proof that this technology can be deployed by the financial industry. It refutes all arguments of the form, "It hasn't been done in the U.S. because of X" for all legitimate values of X.

But what I actually want is quite different. What I actually want is an open protocol. I'll be getting to that in future posts.

> I am surprised that it took you that long to figure out how the world works.

Really? Why? I spent most of my career in academia.

> Not quite the case. In order to authorize a transaction, you must provide authentication data, such as the full track of the card (meaning that you have the actual physical card with you) or card validation codes for card-not-present transactions. Card numbers, a.k.a. PAN, alone will get you virtually nowhere.

That's true, but irrelevant. The point is, whatever the information is (PAN, CVV, billing zip, expiration date, mother's maiden name, favorite ice cream flavor) it's not bound to a transaction and hence reusable.

> a baffling 1287 page document

This is part of the problem. The financial industry has taken something that should be very simple and made it very complicated. This artificial complexity is one of many barriers to entry that shouldn't be there IMO.

Unknown said...

You should write a book.... like hard copy so it is harder for big brother to delete it into oblivion. You only sound like a lunatic to the ignorant and gullible. Please, inform us.

anontrol said...

Your take on industry prohibitions is interesting.

I've largely avoided using on-line commerce due to the fraud, anonymity and tracking issues.

One thing that did catch my eye was that prior to 9/11 there was an Irish company that had a technology (software) that allowed card issuers and clearing houses to implement one time credit card numbers.

I've always thought this was an incredibly good idea since it would allow confederated tracking of which companies had their databases compromised by tracking which "used" credit card numbers suddenly started being used again.

Alas, post 9/11 the idea evaporated in the perceived need to track each and every transaction every human on earth makes.

Unknown said...

Hi there.

I live in France and it's been 10 years that my bank lets me generate a new card number for every transaction.
The way it works is that the bank blocks every online transaction (phone/internet) on the real credit card, and when I make a purchase, I use a program (or a website) with dual authentication to generate a unique card number with a limited credit and an end date. I can also decide if it can be used for one or multiple transactions for recurring payments.
So most of the time, I just punch in the amount to pay and after the initial transaction, the card is blocked; the bank will block any further use of this number.

Looks like a good and secure system to me.
The only issue is merchants doing a first transaction to test the card before processing it, since this will burn the card, and merchants charging an order on multiple transactions (ordering goods from Amazon and Amazon Marketplace in one transaction).
Oh, and PayPal insisting on remembering every one of these numbers, notifying me of their future expiration...



Mike A. said...

More ludicrously, Chip and Pin are the standard in CANADA.

I have to assume it's coming, as my newest card from Chase does include a chip, but remains chip and sign only.

Unknown said...

100% agree with you Ron