Wednesday, December 30, 2009

Protecting Consumers by Solving Credit Card Theft

Over the past month of so, I have spent a lot of time thinking about the various weak points in the consumer privacy and protection space. Everything from the risks of smart phones, to the increasing risks of social networking, to the never ending problem of credit card theft.

The problem that seems so easy to solve and the one that would have the biggest benefit to not only consumers but financial institutions is to fix the credit card theft problem. When we look at this problem deep down, it is very simple. You use your credit card somewhere and either the clerk or server makes a copy of your account number and CVV code (3 digit code on the back of the card) or the system processing the card stores that information and is later compromised through various malicious attack vectors. Once this account number and CVV is in the hands of someone else, if can be freely used and abused and or sold to be used and abused by someone else.

The simple solution to this problem is to marry the token code technology that has been providing trusted mutli-factor authentication for years in to the credit card. Meaning that your credit card would look very similar to RSA's SecurID 900 series token cards, as seen here

Token code technology provides a changing one time use number (called a token code) that is good for 60 seconds and then changes to a new number that is then good for 60 seconds. So in the event that some one did steal your credit card number, CVV code, and they wrote down the current token value that is being displayed on the card, they would have to use that within 60 seconds and they would only be allowed to use it once. After the 60 seconds were up, the token code would not work. This would prevent all credit card number theft and would limit credit card issues to physical theft of the actual card itself.

The token code verification process would work very similar to the way credit card companies will some times ask for you to enter your zip code during a transaction to verify that you are the owner of the card. But the token code can not be stolen and reused. It can not be socially engineered. A cyber-criminal would have to physically have possession of the card to use it.

Given that token codes can only be used once and they are only good for 60 seconds, this greatly reduces if not eliminates the risk to consumers and financial institutions, however, it does introduce two very solvable draw backs:

1) You would need to replace all existing cards with token cards, which are not cheap. However, it could be argued that financial institutions spend far more than the cost of the tokens in dealing with fraud each year. Financial institutions could also offer this as a service to consumers and say that for a $10.00 one time fee, we will give you a card that you do not have to worry about the number being stolen.

2) What do you do with quick pay on-line sites like and automatic bill pay sites that allow consumers to store their card on file for quick and easy checkout. To solve this problem there would be an authentication process that would require the consumer to log in to the their credit card company's web site and authorize an existing successful token based transaction to be repeatable and tokenless. Therefore you would need to have one successful token based purchase in order to set this up which would guarantee that you were in possession of the card during the first transaction. You could then further set restrictions on how many tokenless transactions from a specific web site or company could be made per period of time or how large of a dollar value could be charged tokenless per period of time.

If credit card companies made this very simple change, it would greatly reduce or eliminate all of the issues with credit card number theft. This could save financial institutions an enormous amount of money each year in dealing with fraud and would increase consumer confidence in the protection of their credit card information.