Sunday, March 1, 2015

Monetary Security

I ran across a post in my Facebook feed today about the ability to skim credit cards, specifically pointing out the vulnerabilities of RFID cards. The video wasn't entirely truthful, and borders on fear mongering.

First of all, RFID cards are rarer than hen's teeth. And the guy's little "case" had both RFID and magnetic loop detectors. Magnetic loop detectors can glean the same info from older, everyday magnetic stripe cards. None of this is new, or news. Just remember that the video is featuring a man who charges you money to protect your identity.

The reporter then claims to have used this guy's equipment to skim a colleague's card (with permission) and to have made a purchase online with L.L. Bean. I decided to check, so I went to L.L. Bean.

Bottom line: you cannot purchase from L.L. Bean with merely the credit card number. They, like nearly everyone else online, ask for the expiration date, the CV2 code, and the billing zip code. Two of those things are not revealed in a skim, so I call bullshit on a reporter trying his damnedest to make a sensational story.

Here's the inconvenient truth.

Actually doing something with recovered numbers, without the fully expressed account name, the billing zip code, and the CVV2 code found on the back of the card, is a whole order of magnitude more complicated than implied and would require the resources of organized crime to do anything meaningful with, unless you're laundering stolen card numbers through overseas websites with flimsy security for merchandise (or for an Asian or Eastern European crime syndicate). Things do get more dicey if the numbers are used to make a physical card, however, as I'll cover below.

Smart cards (the ones with the thingy that looks like a SIM card; it actually *IS* a SIM card) and tap-to-pay systems with phones are an order of magnitude safer than anything else you pay with, except for cash.

What is the least safe method to pay for anything? Personal checks. Given that most companies process these electronically as an ACH transaction, they are the absolute least safe thing you can use. The numbers on the bottom of the check are the only thing required for a transaction to process, and they can be easily duplicated by criminals with 1980s tech: merely by stealing your mail to get those numbers off of a check and printing their own, with their own names, addresses, etc., to get past the one thing companies do check, IDs, which can be easily faked. Electronic ID checking does not verify who you are. ID checking is merely done to look for "flagged" ID numbers of people who have bounced checks.

Low tech crime is made easier by a high tech world you're not willing to join. This is why you should tell your parents and grandparents to STOP WRITING CHECKS. They are a bad idea, unless you pay bills and drop those bills at the post office. Putting bills in your mailbox in this day and age is phenomenally stupid. And you might as well tell them and everyone else you know that direct deposit makes sense for equally simple reasons. The ability to easily cash payroll checks is quickly going away as banks and retailers do not want the risk, because checks can be so easily duplicated and stolen.

You can also tell your older friends and relatives that it'd be a good idea to be more cautious doing credit transactions, period, at least until smart card reading systems are more widespread. Why? Because in a brick and mortar scenario you are never asked for your CV2 code or billing zip code. The idea here is that having the physical card represents security equivalent to a PIN code, but this is incorrect. People are encouraged by banks to do credit transactions, and banks reward you with "points systems", but here's the inconvenient truth.

Firstly, if you think running a bank card linked to your checking account as credit gives you the fraud protection of a proper credit card (based on a line of credit), you are woefully mistaken. The law about this changed in 2008. If it's linked to your checking account you have no greater legally obligated protection from your bank than you do if you do a debit transaction or write a check.

Secondly, those rewards are paid for by retailers, because banks get to charge retailers nearly three times the transaction fee of a debit transaction. THAT is what pays for those rewards.

Thirdly, credit is a weakness in the current system precisely because all it requires is the physical card, without a PIN code. Credit cards can be easily duplicated. The PIN code used in a debit transaction is nowhere on your card and is verified in an encrypted network transaction. Sadly most debit cards are also Visa cards... and this is by design. Banks make more money off of the higher credit transaction fees than they lose through fraud.

If it's a debit Visa, you're as likely to be on the hook as you would be if it weren't a Visa.

By November of this year PCI Compliance regulations will demand that all retailers that use national credit and debit card processing networks install NFC- and smart-card-compatible payment systems (these have been the norm everywhere else in the world for over a decade). These systems are encrypted and create one-time-use "numbers" that are tied to a time window (they're only valid for a few seconds, and are NOT YOUR CARD NUMBER). They are also pretty much impossible to skim without physical access to your card or device.

If retailers fail to install this newer equipment they will be on the hook for any fraud. Not you. Not your bank. So there is a strong impetus to comply. However...

Companies like Walmart and Home Depot (and a few dozen others) are railing against this and are attempting to put in place their own system, known as Current-C, which is far less safe but far more profitable for them, because it's cheaper and forces consumers to bear the brunt of fraud protection by turning electronic transactions into ACH (checking) network transactions, in essence a system barely safer than already unsafe personal checks. This will require signing up for Current-C and explicitly handing your banking information over to them. This saves those companies anywhere from 20 to 50 cents per transaction compared to the existing and future debit and credit charges they pay, and puts all of the burden of fraud protection on you and your bank.

It's a changing landscape, but you have to be aware and change with the times.