Credit card fraud costs merchants—and consumers—over $190 billion/yr.
Fraud prevention in our entire payments system – credit and debit cards – is based on a culture of detection, not prevention. As a result, identity theft costs Americans over $37 billion a year, and merchants in the US alone lose approximately $190 billion per year to credit card fraud. And yet this only accounts for the fraud we can identify. Something is clearly wrong with a system that allows theft to happen and expects American consumers to pay the costs of reimbursing merchants and credit card companies through higher prices. What are we doing wrong?
We’re using antiquated technologies. Credit and debit cards use magnetic strips – a seventy-year-old technology – to hold sensitive financial information such as customer name, card number, and expiration dates. All this info can be easily copied and spoofed innumerable times to create hundreds of fake credit cards, or sold online for as little as $1 for each credit card identity. Financial services companies “prevent fraud” by using back-end analytics to catch the crime after the fact, instead of verifying that the card and the cardholder are legitimate prior to making any transaction.
Chip-and-PIN users are protected globally from ID theft and fraud.
But why is it a uniquely American problem? Almost every other country and region in the world authenticates the card and the holder as being real prior to the transaction by using Chip-and-PIN credit and debit cards, based on the internationally recognized EMV standard. This upgrade for the rest of the world has resulted in a big problem for American consumers: international credit and debit card fraud has migrated to the United States due to our lax authentication protocols for payment cards. Here’s an example of the differences:
Mag-Stripe Credit Cards
Joe eats at a restaurant in Florida and hands his mag-stripe credit card to the waiter, who disappears into a back room with it to not only run it through the machine, but to copy the numbers down for his own nefarious use later. Joe then makes an online purchase with the same credit card, but the online merchant’s site gets hacked and they lose not only Joe’s credit card data, but that of hundreds of other people – all to be sold online on the black market. On the way to the police station to file a report, Joe is pickpocketed. The criminal then uses Joe’s credit card to purchase a $50 mag-stripe reader to make an additional 200 copies of Joe’s credit card to sell to his cohorts. While Federal law protects Joe against loss, it doesn’t protect the merchants who’ve been cheated, who then pass the costs of the fraud back on to consumers.
Chip-and-PIN Credit Cards
Joe eats at a restaurant in Rome and asks to pay the bill. The waiter presents him with a card-reader tableside, into which he inserts his card. The card’s onboard chip authenticates that the reader is legitimate, and the reader validates that the card is legitimate. (This step did not happen in Florida.) Once it is confirmed that both the reader and the card are legitimate, Joe is required to enter his secret PIN, which authenticates that Joe is who he says he is. A thief who obtained Joe’s credit card number couldn’t create a fake card because he wouldn’t be able to counterfeit the card’s authenticating chip; likewise a pickpocket wouldn’t be able to use it because he wouldn’t have the secret PIN. Online fraud would be deterred by sites that require the card be inserted into a card-reader prior to its use. Joe is safe, the merchants suffer no fraud losses, and the savings are passed on to consumers through lower prices.
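The difference between the two scenarios above, as an added Python sketch that is not from the original article: static stripe data is accepted from any copy, while a chip answers a fresh challenge and enforces a PIN try limit. It is a simplified model, not the EMV protocol; HMAC-SHA256 stands in for the chip's cryptogram, and the card number, PIN, key and three-try limit are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, pan: str, nonce: bytes) -> bytes:
    # HMAC-SHA256 stands in for the chip's cryptogram (assumption of this sketch).
    return hmac.new(key, pan.encode() + nonce, hashlib.sha256).digest()

class ChipCard:
    """Toy chip: the key and PIN stay inside; only answers leave the card."""
    def __init__(self, pan: str, pin: str, key: bytes):
        self.pan, self._pin, self._key, self._tries = pan, pin, key, 3

    def respond(self, nonce: bytes) -> bytes:
        return mac(self._key, self.pan, nonce)

    def verify_pin(self, pin: str) -> bool:
        if self._tries == 0:              # locked after three wrong PINs
            return False
        if hmac.compare_digest(pin, self._pin):
            self._tries = 3
            return True
        self._tries -= 1
        return False

def magstripe_authorize(presented: str, on_file: str) -> bool:
    # Static data: whatever matches the record is accepted, original or copy.
    return hmac.compare_digest(presented, on_file)

def chip_authorize(respond, pan: str, issuer_key: bytes, pin_ok: bool) -> bool:
    nonce = secrets.token_bytes(16)       # fresh challenge per transaction
    return pin_ok and hmac.compare_digest(respond(nonce), mac(issuer_key, pan, nonce))

def demo() -> dict:
    pan, key = "4000000000000002", secrets.token_bytes(32)  # constructed values
    stripe = pan + "=2512"                                   # constructed stripe data
    card = ChipCard(pan, "4921", key)
    recorded = card.respond(b"\x00" * 16)  # one answer seen in an earlier transaction
    stolen = ChipCard(pan, "4921", key)    # same card held by someone guessing the PIN
    guesses = [stolen.verify_pin(g) for g in ("0000", "1111", "2222", "4921")]
    return {
        "stripe_copy_accepted": magstripe_authorize(stripe, stripe),
        "chip_accepted": chip_authorize(card.respond, pan, key, card.verify_pin("4921")),
        "replayed_answer_accepted": chip_authorize(lambda n: recorded, pan, key, True),
        "pin_after_three_misses": guesses,
    }

if __name__ == "__main__":
    print(demo())
```

The last result shows the try counter at work: after three wrong guesses the card refuses even the correct PIN.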
The future’s looking brighter...we’ll just have to wait until 2015.
U.S. card issuers are now slowly migrating to the EMV Chip-and-PIN cards, and beginning October 2015, credit card companies will shift the liability for fraud to merchants if they do not comply with the EMV standard. This will encourage many merchants to move to the more secure standard, bringing a windfall of benefits to American consumers, including improved international interoperability and a sizable reduction in fraud.
Secure ID News to Know
If there’s one thing that we’ve learned over the past few days, since the Internet of Things (IoT) distributed-denial-of-service (DDoS) attack gave the Internet brain freeze last Friday, it is that (1) IoT devices are insecure, (2) we have a really good idea what needs to be done to make them more secure, yet (3) it’s hard to get everyone on the same page in dedicating the resources to actually make them more secure.
While that might seem like a stark truth, it only makes sense given how our economy and legal system work. Since no one company or device was responsible for allowing the attack, there’s no specific organization to shame or blame. Plus, it’s way too easy to point fingers at everyone else in the room and say there was nothing that could’ve been done, as everyone is responsible. Further, security costs money, and at the moment, companies want to pour their resources into grabbing IoT market share, not plugging holes that may or may not cause problems downstream. Unfortunately, this kind of thinking invites regulators and legislators to step in and attempt to dictate technology standards and best practices to address harms, both real and imagined.
Monday kicked off National Health IT week! While the United States has made progress in moving towards a more modern healthcare system, significant work remains. There’s no disputing that our medical device and health technology companies are the most advanced on the planet, developing the solutions that are diagnosing diseases earlier, expanding treatment options, and improving quality of life. However, when it comes to healthcare and identity—making sure that the correct data is associated with the right patient, and ensuring that that information is able to be shared, analyzed, and acted upon in a timely fashion—the United States lags woefully behind many other developed nations.
The Secure ID Coalition is thrilled to announce the launch of its new Action Center to build grassroots support for the Medicare Common Access Card Act (H.R.3220/S.1871), a bipartisan measure in Congress that will upgrade the current paper Medicare card with the same secure, electronic smart card trusted by the Department of Defense to authorize access to its most secure IT systems and facilities—including the Pentagon.
Members of Congress have begun to recognize that if we are going to get serious about stopping Medicare fraud, we have to start by modernizing the current paper Medicare card. Last week Bloomberg BNA reported on the latest efforts by members of the House Ways & Means Committee to bring Medicare into the 21st Century by upgrading the Medicare Card. The article summarized efforts in last week's House Ways & Means Committee hearing in which Rep. Peter Roskam highlighted the Medicare Common Access Card Act.