(In)secure payment with credit cards

“Use plastic money” is supposedly the advice floating around. Safe, secure, instant transactions – all marinated, cooked and ready to eat. Facilitates the banks, vendor and client. All in one. Fantastic.

Yet, the security provided in CCs is pathetic. Let me start my rant with the “industry standard” security that ought to be provided for anything that costs you money, be it Re. 1 or Rs. 1 lakh.

Say you have a bank account with a password that serves as both identity proof and payment authorization. How does the bank verify that someone has not stolen your password from the password.txt conveniently stored in your notebook?

So smarter banks like ICICI have developed a system wherein you need to enter some randomly requested digits which can be seen on the back of your bank debit card.

The ICICI funds transfer requires you to log in, then provide the transaction-specific password (2nd level of security) and, in addition, some digits from the back of your debit card. This “some digits” security feature is really good, because the positions of the digits requested change for every transaction.

The security explained above is known as Multifactor Authentication (in this case, two-factor authentication: a password you know plus a card you hold).
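To make the two-factor flow concrete, here is an added example (not ICICI’s code or anything from the bank) of how an issuer could verify the “some digits” step: the server keeps the card-back grid, issues a fresh random set of positions for every transaction, and accepts each challenge only once, so a response captured from one transfer cannot be replayed on the next. The 16-digit grid, three positions per challenge, the PBKDF2 password store and the in-memory storage are all assumptions made for the example.

```python
"""Two-factor funds-transfer authorization: password plus card-grid challenge.

Added example; not the implementation of any bank. The grid length, the number
of positions requested and the in-memory storage are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass
from hmac import compare_digest

GRID_LEN = 16        # assumed: number of digits printed on the card back
CHALLENGE_SIZE = 3   # assumed: positions the bank asks for per transaction


@dataclass
class Challenge:
    id: str
    positions: list  # 1-based positions to read off the card, e.g. [2, 7, 15]


class GridAuthenticator:
    """Second factor: proves possession of the card via a random subset of grid digits."""

    def __init__(self, grid: str):
        if len(grid) != GRID_LEN or not grid.isdigit():
            raise ValueError(f"grid must be {GRID_LEN} digits")
        self._grid = grid       # a real issuer would keep this inside an HSM
        self._pending = {}      # challenge id -> Challenge; every entry is single-use

    def issue_challenge(self) -> Challenge:
        rng = secrets.SystemRandom()   # CSPRNG, so positions are unpredictable
        positions = sorted(rng.sample(range(1, GRID_LEN + 1), CHALLENGE_SIZE))
        ch = Challenge(id=secrets.token_hex(8), positions=positions)
        self._pending[ch.id] = ch
        return ch

    def verify(self, challenge_id: str, response: str) -> bool:
        # Pop first: one attempt per challenge, and a replayed id finds nothing.
        ch = self._pending.pop(challenge_id, None)
        if ch is None:
            return False
        response = response.strip()
        if len(response) != CHALLENGE_SIZE or not response.isdigit():
            return False
        expected = "".join(self._grid[p - 1] for p in ch.positions)
        return compare_digest(expected, response)   # constant-time comparison


class PasswordStore:
    """First factor: salted PBKDF2 hash of the login password."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(password, self._salt)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check(self, password: str) -> bool:
        return compare_digest(self._digest, self._hash(password, self._salt))


def authorize_transfer(pw_store: PasswordStore, grid_auth: GridAuthenticator,
                       password: str, challenge_id: str, response: str) -> bool:
    """Both factors are always evaluated, so the caller learns only pass/fail."""
    first = pw_store.check(password)
    second = grid_auth.verify(challenge_id, response)
    return first and second


if __name__ == "__main__":
    # Constructed sample card: the customer would read these digits off the card back.
    card_grid = "4829173650183746"
    grid_auth = GridAuthenticator(card_grid)
    pw_store = PasswordStore("correct horse battery")

    ch = grid_auth.issue_challenge()
    print("Bank asks for positions:", ch.positions)
    answer = "".join(card_grid[p - 1] for p in ch.positions)   # customer looks them up
    print("Transfer authorized:",
          authorize_transfer(pw_store, grid_auth, "correct horse battery", ch.id, answer))
    print("Replay of same answer:",
          authorize_transfer(pw_store, grid_auth, "correct horse battery", ch.id, answer))
```

The important property is in `verify`: the challenge is removed before the answer is even parsed, so a stolen answer is worthless for any later transaction, and the comparison is constant-time so the server does not leak how many digits matched.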

Compare this against the current security provided in the case of Credit Cards. What is the “password” you use for online transactions? It’s the CVV number, which is printed on the back of the CC. So anyone who has stolen a CC effectively has all the information he ever needed to perform an online transaction. And while we’re at it, why think only of thieves? We don’t even know whether websites retain your credit card information in their database or not. A response from ICICI CC help: “No sir, they cannot retain your CVV number, because it comes in a password field, right? It is not displayed on screen, and thus they can’t even store it if they wanted to!”

I nearly died laughing.

Okay, so is the security issue present only for online transactions? Not really. What happened the last time you paid for dinner at a restaurant? You handed over the CC, the waiter was kind enough to swipe the card, get the Merchant Copy and Customer Copy, and bring it back to you after a good 5 minutes.

Did he verify the signature you made on the bill against the one on the Credit Card? If not, then anyone who finds your card (or steals it) can go to a restaurant and sign as he pleases. Will the credit card company pay the restaurant if they see that the signature is incorrect? Of course they will! I discussed this with ICICI bank. The fellow at their help centre stressed that it is the duty of the vendor to verify your signature against the one on the back of the card! Well, I’ve never come across any such vendor in my four years with CCs.

Let’s go back to the restaurant scenario. The waiter came back after quite a while. It takes around 10 seconds to note all the information on your CC onto a piece of paper. How do you know the waiter didn’t do it? Of course, if he performs any transaction with this information, he can be easily tracked, innit? Oh, but what if he sits in an internet cafe and pays some shady porn site hosted in South East Asia? The transaction is over, the bank has paid them within a few hours, and only you stand to lose.

So, if CC security is really this screwed up, shouldn’t there already be a lot of fraud happening around here?

The cost of credit card fraud reaches into billions of dollars annually. In 2006, fraud in the United Kingdom alone was estimated at £428 million, or US$750-830 million at prevailing 2006 exchange rates.

After all this, you’d think that some CC provider would want to beef up security measures. Na-aa! In fact, if you try booking any flight via telephone today, the executive at the other end happily notes down all the information required, including your CVV number. This, according to the banks, is wrong. Yet I don’t see any action against this practice.

All in all, credit cards are hardly secure. What can we do in this case? Well, there are a few basic measures for us:

  • Wherever you pay by credit card, ensure the credit card is never out of your sight.
  • Never pay by credit card on phone.
  • Write more about this on your blogs, spread the message :)
  • Protect your wallet like crazy. If there’s a hundred bucks in it, you would lose just a hundred bucks. With cards, you lose a lot more than what you’d like to carry around with you.
  • Have emergency bank numbers in your phone, pocket, wardrobe, just about everywhere. In case of theft, don’t lose any time in contacting the bank.

Well, it would all be easier if credit card companies followed some more security measures of their own. CC 2.0?

  • Have some passwords or PIN numbers for us please!
  • Have payment gateways for telephone payments. Use automated systems for users to press CC number and PIN from their telephone. Prevent human interaction.
  • Stop printing the CVV on the card. It’s not a secret if it’s on the card! Everyone knows where to find it!

15 Responses

  1. Devendra Says:

    There are new facilities to stop online transactions like MasterCard Secure and Verified by Visa which ask for user-defined password in addition to the original checks..
    See
    http://www.mastercard.com/us/business/en/corporate/securecode/popup.html
    https://netsafe.hdfcbank.com/ACSWeb/enrolljsp/vbv.jsp

  2. M V Anil Kumar Says:

    Perhaps an addition to the security measures suggested :
    The authentication taken is one such measure, but again if we get a token for every card we subscribe for then it would be a tough time for us to juggle through all these tokens. Or it could be such that we get one token and subscribe all our cards to that same token. Dunno though how the security concept would work in such a case.

  3. M V Anil Kumar Says:

    I am not very much for passwords, pins, etc. It’s already so difficult for me to juggle through my emails, netbanking, atm, tele-pins that I don’t think I would have the energy to handle some more. And to add to my woes, these guys already ask me to change the passwords every three months, along with a lot of funny restrictions on what the new password needs to contain.

  4. M V Anil Kumar Says:

    To top it all – there are problems galore. The next best seller and easy solution could very well earn the next billion. This is recession era, already the ‘moolah’ is tough to come by – so its essential that we safeguard what we have :) .
    That’s all from my end – my two cents.

  5. Swapnil Pathare Says:

    @Devendra: The additional “Security” measures are sloppy as well!
    The other day we were making a transaction with MasterCard when we were requested to register for “SecureCode” since we hadn’t done so already. In the next screen it was ready with “Set you password”. What? Shouldn’t there be some sort of authentication prior to this? Well, the auth was (yet again) the CVV on the card. This is shitty security. If a guy who already knows my card information is paying online, you can’t just let him set the password!

    It did send an SMS post-registration, but what if my cell is unreachable / switched off at that time?

  6. Swapnil Pathare Says:

    @Anil: The answer is to have the user decide what password he wants, and how long he wants it. Security can’t override the very service which is provided. More on this in my next posts :)

  7. Guru Says:

    Regarding your comment on the additional “Security” measures while setting the secure password, the birth date also needs to be inserted before setting the new password. I guess HDFC has also come up with some picture related security. I had to select three pictures out of an available set of pictures and they will prompt me the images to select, before allowing me inside.

  8. Swapnil Says:

    Nice read Swapz.

    I endorse the Netsafe virtual card provided by HDFC.
    It basically generates a virtual credit card that can be used only once.

    Securecode is useless though, since you get the securecode password screen only after you have entered all the CC details on a site.
    So securecode only tells you that the site was safe/unsafe after you have given out your details (including CVV)

    Regarding offline uses by CC, never let it slip out of sight. (Not always practical in restaurants/ petrol pumps)
    One option is to get a CC with very small credit limit and use it for all offline purchases.

    Swapz,
    I was wondering if one can delete the CVV number with indelible ink?
    That would make offline usage a bit safer.
    But would doing so render my CC invalid? Can you find out the answer to that?

  9. Dev Says:

    Hey Swap,

    Until CC companies themselves bear the brunt of fraudulent expenses, you can be assured that your CC experience will never be secure.

    Most CC companies in the USA just require you to make a phone call to them (wait endlessly for the operator) and report the fraudulent transaction. They won’t charge you for the fraudulent expense, and the only other inconvenience to you would be not using that CC till you get a replacement card (with a new number).

    This means that you have to continuously monitor your CC statements regularly and look out for unrecognizable expenses.

  10. Vimal Kumar Gupta Says:

    The only thing you can do to save yourselves from getting cheated is not to use credit card. I used credit card only on reputed company’s websites. And hardly use it at any shop.

  11. Swapnil Pathare Says:

    @Swapnil: You can remove the CVV number, I believe. I will post any link if I find, but I do not think erasing or scratching out your CVV affects the card operation in any way.

  12. Swapnil Pathare Says:

    @Dev: As you have mentioned within your post, one needs to check his CC statement daily to ensure that he catches a fraudulent expense. However, as long as it’s “in the pipeline” (CC company has not transferred the amount to merchant) it can be stopped. If not, you lose. No insurance in India against such payments, as far as I know.
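The two comments above both come down to the same defensive habit: read the statement often enough to catch a charge while it is still “in the pipeline”. As an added example (not from the post’s author or any bank), this script shows how a cardholder could automate that first pass over a statement export: every merchant name, amount and the CSV layout below are constructed for the example, and the rules (unknown merchant, foreign currency or country, duplicate charge, amount far above the usual spend) are simple heuristics to decide what deserves a phone call, not a fraud verdict.

```python
"""First-pass review of a credit-card statement export.

Added example, not any bank's code. The CSV layout, merchants and amounts are
constructed; the rules are simple heuristics to prioritise what to check.
"""
import csv
from collections import Counter
from io import StringIO
from statistics import median

# Constructed sample statement (five columns, amounts in the card's currency).
STATEMENT = """\
date,merchant,amount,currency,country
2009-03-01,Cafe Coffee Day,180.00,INR,IN
2009-03-02,Big Bazaar,2450.00,INR,IN
2009-03-03,Indian Oil,1500.00,INR,IN
2009-03-04,XYZ Web Services,49.99,USD,SG
2009-03-04,XYZ Web Services,49.99,USD,SG
2009-03-05,Cafe Coffee Day,210.00,INR,IN
2009-03-06,Unknown Electronics,38000.00,INR,IN
"""

# Merchants the cardholder recognises from past statements (constructed).
KNOWN_MERCHANTS = {"Cafe Coffee Day", "Big Bazaar", "Indian Oil"}
HOME_CURRENCY = "INR"


def parse_statement(text: str) -> list:
    """Turn the CSV export into dicts with a numeric amount."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["amount"] = float(row["amount"])
        rows.append(row)
    return rows


def review_statement(text: str, known_merchants: set, home_country: str,
                     amount_factor: float = 5.0) -> list:
    """Return [(row, [reasons])] for every charge worth querying with the bank.

    amount_factor: a charge is 'far above usual' when it exceeds this multiple
    of the median spend at recognised merchants (assumed threshold).
    """
    rows = parse_statement(text)
    usual = [r["amount"] for r in rows if r["merchant"] in known_merchants]
    ceiling = amount_factor * median(usual) if usual else float("inf")
    seen = Counter((r["date"], r["merchant"], r["amount"]) for r in rows)

    flagged = []
    for r in rows:
        reasons = []
        if r["merchant"] not in known_merchants:
            reasons.append("unknown merchant")
        if r["currency"] != HOME_CURRENCY or r["country"] != home_country:
            reasons.append("foreign currency/country")
        if seen[(r["date"], r["merchant"], r["amount"])] > 1:
            reasons.append("duplicate charge")
        if r["amount"] > ceiling:
            reasons.append("amount far above usual")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for row, reasons in review_statement(STATEMENT, KNOWN_MERCHANTS, "IN"):
        print(f"{row['date']} {row['merchant']:<22} {row['amount']:>9.2f} "
              f"{row['currency']}  <- {', '.join(reasons)}")
```

Run daily against a fresh export, the output is the short list to phone the bank about; anything that is still pending, as the comment above notes, is the part you can actually stop.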

  13. Swapnil Pathare Says:

    @Vimal: Very true, but for expenses greater than a few hundreds (which you will begin to incur after marrying ;-) ) you start relying on cards instead of cash

  14. Kiran Kashalkar Says:

    2 factor authentication cannot be based on numbers on the very same card that can be stolen.

    It has to be with another device that generates OTPs.

    ICICI gives an illusion of security, but it actually is only an extra annoying step on the way to authentication.

  15. Swapnil Pathare Says:

    @Kiran: The 2-factor authentication I talk about is for Internet Banking, not for card payment, so the authentication is something-you-know (password) and something-you-have (debit card). How is this an illusion of security?
