Archives

Categories

Replacement Credit Cards and Bank Failings

I just read an interesting article by Brian Krebs about the difficulty in replacing credit cards [1].

The main reason that credit cards need to be replaced is that they have a single set of numbers that is used for all transactions. If credit cards were designed properly for modern use (IE since 2000 or so) they would act as a smart-card as the recommended way of payment in store. Currently I have a Mastercard and an Amex card, the Mastercard (issued about a year ago) has no smart-card feature and as Amex is rejected by most stores I’ve never had a chance to use the smart-card part of a credit card. If all American credit cards had a smart card feature which was recommended by store staff then the problems that Brian documents would never have happened, the attacks on Target and other companies would have got very few card numbers and the companies that make cards wouldn’t have a backlog of orders.

If a bank was to buy USB smart-card readers for all their customers then they would be very cheap (the hardware is simple and therefore the unit price would be low if purchasing a few million). As banks are greedy they could make customers pay for the readers and even make a profit on them. Then for online banking at home the user could use a code that’s generated for the transaction in question and thus avoid most forms of online banking fraud – the only possible form of fraud would be to make a $10 payment to a legitimate company become a $1000 payment to a fraudster but that’s a lot more work and a lot less money than other forms of credit card fraud.

A significant portion of all credit card transactions performed over the phone are made from the customer’s home. Of the ones that aren’t made from home a significant portion would be done from a hotel, office, or other place where a smart-card reader might be conveniently used to generate a one-time code for the transaction.

The main remaining problem seems to be the use of raised numbers. Many years ago it used to be common for credit card purchases to involve using some form of “carbon paper” and the raised numbers made an impression on the credit card transfer form. I don’t recall ever using a credit card in that way, I’ve only had credit cards for about 18 years and my memories of the raised numbers on credit cards being used to make an impression on paper only involve watching my parents pay when I was young. It seems likely that someone who likes paying by credit card and does so at small companies might have some recent experience of “carbon paper” payment, but anyone who prefers EFTPOS and cash probably wouldn’t.

If the credit card number (used for phone and Internet transactions in situations where a smart card reader isn’t available) wasn’t raised then it could be changed by posting a sticker with a new number that the customer could apply to their card. The customer wouldn’t even need to wait for the post before their card could be used again as the smart card part would never be invalid. The magnetic stripe on the card could be changed at any bank and there’s no reason why an ATM couldn’t identify a card by it’s smart-card and then write a new magnetic stripe automatically.

These problems aren’t difficult to solve. The amounts of effort and money involved in solving them are tiny compared to the costs of cleaning up the mess from a major breach such as the recent Target one, the main thing that needs to be done to implement my ideas is widespread support of smart-card readers and that seems to have been done already. It seems to me that the main problem is the incompetence of financial institutions. I think the fact that there’s no serious competitor to Paypal is one of the many obvious proofs of the incompetence of financial companies.

The effective operation of banks is essential to the economy and the savings of individuals are guaranteed by the government (so when a bank fails a lot of tax money will be used). It seems to me that we need to have national banks run by governments with the aim of financial security. Even if banks were good at their business (and they obviously aren’t) I don’t think that they can be trusted with it, an organisation that’s “too big to fail” is too big to lack accountability to the citizens.

4 comments to Replacement Credit Cards and Bank Failings

  • Mika

    Hi,

    actually, my bank (in Germany) offers a smart-card system for online banking. And it is even more secure than the system you describe: When I want to make an online bank transfer, the banking website shows flashing lights , which are read by the seperate smartcard reader by holding it to the screen. The smartcard reader than displays the beneficiary of the transaction and the amount to be transferred. If I put my credit card into the smartcard reader and confirm both the beneficiary and the amount, the smartcard reader displays a code valid only for this transaction.
    This, in principle, does not even allow a MITM attacker to change a transaction of 10 € to someone into a transaction of 1000 € to someone else.
    And since the smartcard reader is a seperate device, never connected to the computer and the only information transfer from the computer to the smartcard reader is via flashing lights (essentially the same as a QR code, but readable with less sophisticated imaging hardware) I have some hope that the implementation of the smartcard reader is easy enough such that the banks got that one right.
    Sadly, not many banks offer this and my bank only uses this system for bank transfers, not for onlyine payment using my credit card (there, they use sms-tan where a TAN is send to me via SMS, which obviously is much less secure – and I totally hate that I paid for a smart card reader and can only secure half of my transactions with it…).
    Also, it would be glorious if I had to give the smartcard reader my credit card _and_ pin in order to generate my tan (currently, my credit card is enough), but you can’t have everything…

    Cheers,

    Mika

  • Jeroen Dekkers

    Not only are the problems not difficult to solve, they already have been solved and implemented. My bank in the Netherlands gives everybody a digipass reader like this. Normally I use it with my debit card to login on the bank website and make payments, but it can also be used for the MasterCard SecureCode system. To confirm the credit card payment I simply have to insert the card, type in my pin, type in the callenge number and I get a response number back that I have to enter. That way you need to have the card and know the PIN before you can do a payment, not just the CC number. And doing non-internet payments already requires the use of the EMV chip and your PIN code here. So the technology already exists, it just needs to be made a requirement by mastercard and visa.

    With debit cards it is even beter, EMV is required in the whole EU so you can’t do anyting with a skimmed magnetic strip in the EU anymore. This caused the criminals to move to countries outside the EU where magnetic strips were still in use to cash out, so last year most banks blocked the use of cards outside the EU by default and if you travel outside the EU you can easily activate it on the bank website.

  • etbe

    Mika that screen-scanning idea is really good, it should work in Internet cafe’s etc. It would be good if most banks supported it.

    Regarding using a smartcard and PIN, I think that some banks in the Netherlands gave away devices to authorise transactions on “chip” cards based on card and PIN some time before 2003. But note that I’m going on a description of Dutch friends from 10 years ago so I might have got it wrong. Anyway it’s definitely not a technical challenge even if my recollection that it was already done more than 10 years ago in .nl isn’t correct.

    Jeroen: I think the most promising thing in your comment is the issue of EU law being changed to restrict such things. That forces everyone who wants to defraud banks in those ways to go to the US and other countries thus giving the banks in those countries even more incentive to fix the problems.

  • In Mexico, for a couple of years already, all credit and debit cards have a chip on them, and most in-commerce terminals do have a reader that can accomodate both magnetic and electronic cards.

    Last December, I was visiting our family in Argentina. There, the technology seems not to have been widely deployed as well — Cards with a chip are still a novelty, but in-commerce terminals already have the chip reader. Of course, it was a bit awkward to have to explain to almost all stores where I went with my (not very new) card that the bank was not declining the operation, but that instead, they should stick the card in the front slot and not just pass them on the magnetic reader.