Why Don't Banks Make Payment Cards Secure

MakeCardssecure
Posts: 11 Forumite
in Credit cards
Identity theft is a serious problem and every year millions of people have their Payment Card Details stolen or copied and used fraudulently. The Banks would have you believe that the problem is caused by everyone else and they are doing everything they can to protect cardholder data... utter tosh, the problem IS caused by the Banks and I've spent over two years trying to get an answer to a simple question.
Why don't the banks implement remote authentication for cardholder not present transactions?
The vast majority of payment card frauds are perpetrated by criminals using stolen or copied card holder information and this is only possible because whenever we make a telephone or internet purchase we quite literally have to hand over everything that a criminal needs, our name, address, card number, cvv number etc... Isn't this utterly ridiculous?
On the internet we now occasionally get "verified by visa" and "mastercard secure"...fine words, but hold on "Please enter your password now". Ok so we've handed over our details and now we hand over our password as well. This is not secure as bogus/hacked sites could skim your password.
This is the system that is IMPOSED on society by the banks and is the root cause of payment card fraud that costs society hundreds of millions of pounds every year. If the banks were a chemical factory that was causing this much damage to the environment I'm sure laws to stop this pollution would be quickly put in place!
There is the alternative and it is available now. Instead of handing over all card holder data we can:
Give our name, address, card type, last four digits of the long card number and a one time only authentication code.
The one time authentication code is generated by a remote device that we put our card into and enter our PIN to generate the authentication code.
This code can then be given on the internet or over the phone and does not need to be secure as it will only be valid for that one transaction and cannot be used again.
Search for "PIN Sentry" or "Emue Card" on Google for examples of this type of system.
I contacted VISA about the emue card, they say they offered it to UK banks but none of them took it up! WHY?
Please contact your payment card provider and ask to speak to someone about payment card security. When you get someone ask them why they are not providing remote authentication to secure cardholder not present transactions.
Make that call and let us know what they say... I suspect the excuses or lack of cogent responses will make for amusing reading.
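Added example, not part of the original post: a simplified model of the one-time code scheme described above, showing why a code that is overheard or skimmed is of no use for a second or a different transaction. It is not the algorithm any real card reader uses; the HMAC construction, the binding of the code to amount and merchant, the counter window and all names and values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 5  # issuer tolerates a few codes generated but never submitted

def derive_code(key: bytes, counter: int, amount_pence: int, merchant: str) -> str:
    """8-digit code bound to one counter value, one amount and one merchant."""
    msg = struct.pack(">QQ", counter, amount_pence) + merchant.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class CardReader:
    """Stands in for the card plus handheld reader; the key never leaves it."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._counter = key, pin, 0

    def generate(self, pin: str, amount_pence: int, merchant: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        code = derive_code(self._key, self._counter, amount_pence, merchant)
        self._counter += 1  # every code uses a fresh counter
        return code

class Issuer:
    """Bank side: shares the card key and tracks the next unused counter."""
    def __init__(self, key: bytes):
        self._key, self._next = key, 0

    def authorise(self, code: str, amount_pence: int, merchant: str) -> bool:
        for counter in range(self._next, self._next + WINDOW):
            expected = derive_code(self._key, counter, amount_pence, merchant)
            if hmac.compare_digest(expected, code):
                self._next = counter + 1  # burn this and all earlier counters
                return True
        return False

def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-card-key"  # constructed sample value
    reader, bank = CardReader(key, "4821"), Issuer(key)
    code = reader.generate("4821", 2599, "bookshop.example")
    return {
        "retargeted": bank.authorise(code, 49900, "fraud.example"),
        "genuine": bank.authorise(code, 2599, "bookshop.example"),
        "replayed": bank.authorise(code, 2599, "bookshop.example"),
    }

if __name__ == "__main__":
    print(demo())
```

Only the genuine transaction is accepted; the same code presented for another merchant or amount, or presented a second time, is refused.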
Comments
-
People have been using Two Factor Authentication with one of the most popular being RSA SecurID but even this has been hacked in recent times.
http://www.bbc.co.uk/news/technology-13681566
The sad factor is these systems are made for security but not totally foolproof and it shows.
David
£1 of debt is too much for me!
-
Hard to argue that anything man made will ever be foolproof. However these systems provide a much higher degree of security than having to repeatedly hand out all our card holder information to complete strangers over the phone and the internet... Now the other implication of this system is it makes the banks directly responsible for maintaining security. Currently the banks have introduced PCI-DSS which pretty much makes everyone else responsible for keeping card holder data secure. And in typical banking fashion they have introduced a system of hefty fines on anyone who is compromised. So if you employ someone and they are trusted to take orders over the phone and unknown to the business owner they write down payment card details and sell them down the pub, who ends up paying a hefty fine? Yep the business owner. More than this the banks have contracted security companies to levy charges that have to be paid to maintain membership of the PCI-DSS compliance club. Work it out, every merchant has to pay hundreds of pounds every year to play this ridiculous game. So who ends up paying for this sham? Well it goes onto the cost of the goods you buy.
-
MakeCardssecure wrote: »Hard to argue that anything man made will ever be foolproof. However these systems provide a much higher degree of security than having to repeatedly hand out all our card holder information to complete strangers over the phone and the internet... Now the other implication of this system is it makes the banks directly responsible for maintaining security. Currently the banks have introduced PCI-DSS which pretty much makes everyone else responsible for keeping card holder data secure. And in typical banking fashion they have introduced a system of hefty fines on anyone who is compromised. So if you employ someone and they are trusted to take orders over the phone and unknown to the business owner they write down payment card details and sell them down the pub, who ends up paying a hefty fine? Yep the business owner. More than this the banks have contracted security companies to levy charges that have to be paid to maintain membership of the PCI-DSS compliance club. Work it out, every merchant has to pay hundreds of pounds every year to play this ridiculous game. So who ends up paying for this sham? Well it goes onto the cost of the goods you buy.
I agree with everything you have said here, but what happens if a company gets a fine and they can't pay it and goes out of business - it no doubt still has to be paid by someone and at my guess it's either us humans like normal or the bank has to take the hit again.
David
£1 of debt is too much for me!
-
MakeCardssecure wrote: »Work it out, every merchant has to pay hundreds of pounds every year to play this ridiculous game. So who ends up paying for this sham? Well it goes onto the cost of the goods you buy.
I think there may be a bigger picture to consider.
My assumption is that the "industry" (the banks, merchants etc) tolerate these losses, because the cost of implementing more security is greater than the savings they would generate. (The cost includes lost profit, because customers buy less online, because of the extra hassle.)
So the cost of goods to the consumer would increase, not decrease, as a result.
I'm no fan of the banks, but it is a very competitive industry, they ruthlessly search for profit, and I don't think they're that stupid. You've suggested a possible approach to security - I'm sure the banks have thoroughly researched it, along with many others, and decided against them for business reasons.
They wouldn't publicly admit "we let fraudsters steal money, because it's cheaper than stopping them" - but I think that's almost certainly the case.
Looking at it from a different perspective, for example, if MasterCard really could devise a security system that minimised merchants' fraud losses, did not deter customers, did not cost the merchants extra..., merchants would use it and start telling customers that they prefer MasterCard, and perhaps even eventually drop Visa and Amex. So why wouldn't MasterCard do it? It would generate extra business and extra profit for them.
-
The Banks take a Hit! The charge is levied against your payment provider and they siphon it off your account. Last thing I read said over 50% of small businesses hit by this went bust. The problem is that any business compromised is immediately put on a level 1 status comparable with the likes of Amazon, even if you're just a one man band retailer. The costs associated with level 1 status are just not sustainable for your average small business. You can understand why PCI-DSS is necessary given the utterly rubbish system we all have to use. But given this is a situation of the Banks' making then surely they should pay for it... I had this conversation with a gentleman in customer support at Barclays, and after a pretty constructive conversation he said he would look into it and get back to me. The next day I got a call back from a different gentleman at Barclays saying they're not at liberty to discuss the development of card security... I only asked why they don't offer remote authentication as this was now available from VISA www.visaeurope.com/en/newsroom/news/articles/2010/visa_codesure_gets_green_light.aspx
But this has been typical... either you get no reply and they simply ignore you or they say it's being looked at and hope you go away.
-
Every time the banks do introduce new security measures people complain, look at the threads about chip and pin, I can't remember my pin and so on, or the complaints about the security keys for online banking. I think any other measures introduced would face the same level of complaints, so the banks aren't going to win.
-
Hi Edddy
Yes undoubtedly there would be an additional upfront cost to the banks but the on cost of fraud to society in general is ongoing every month, year on year and it's growing fast. Sure the Banks find it easier to rip off customers and merchants to recover any losses than spend the money to fix the problem. But that doesn't make it right... this issue needs a lot more public discussion and pressure. It took pressure to drag the banks kicking and screaming to chip and PIN. You don't have to look far on these forums to see that Payment Cards are a big problem and the issue of security needs to be addressed properly by the Banks.
-
The issuers were hardly pressured into adopting EMV (Chip & Pin) - the liability shift gave them a great incentive. This is why they aren't interested in the USA.
You have to remember that issuers are selling a product to consumers. The consumer is indemnified against fraud anyway, so enhanced security isn't a saleable product feature in a payment card, particularly if it makes the card less convenient to use.
Merchants can reduce their exposure to fraud risk by using existing security features like CVC, AVS and 3DSecure. Many choose not to though as these features can increase sales breakage.
The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
-
Until 1 November 2009 banks' legal liability in cases of unauthorised use of card accounts was subject to terms of the voluntary Banking code, and in many cases banks refused to reimburse cardholders who reported unauthorised card use, claiming that their systems could not fail and consequently the cardholder must have acted "without reasonable care"—the Code states that unless a bank can prove that its customer acted fraudulently or without reasonable care, the most that the customer will be liable for is £50. The FSA Payment Services Regulations 2009 came into force on 1 November 2009 and shifted the onus onto the banks to prove, rather than assume, that the cardholder is at fault. The FSA said "It is for the bank, building society or credit card company to show that the transaction was made by you, and there was no breakdown in procedures or technical difficulty" before refusing liability. Which is all well and good for cardholders in terms of getting their money back. But this isn't a solution this is just papering over the cracks. Chip and PIN has helped to reduce over the counter fraud but CNP (Card holder not present) fraud continues to rise and accounts for something in the region of £250million a year. We are all paying for this one way or another, you don't have to look far on these forums to find out how distressing and time consuming being a victim can be. Quite frankly I've been a victim twice now and the idea that handing over the same number of digits on the phone or internet albeit in two separate chunks instead of one is more inconvenient doesn't hold water compared to the peace of mind I would get from not handing over all my details every time I shop on the internet!
-
Well, I think people like yourself are in a small minority. There is probably a small market for enhanced security solutions like multi factor authentication or Controlled Payment Numbers. There are a number of solutions in this space supported by the card schemes, but the business case just doesn't work for most issuers.
The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
This discussion has been closed.