It's a Matter of Trust

By Avi Deitcher

With due respect to Billy Joel, this article is not about music, but about buying music - or anything else - without getting your credit card information stolen.

Over a period of more than two weeks, data thieves stole more than 40 million credit and debit cards from Target stores. Unlike most well-publicized cyberthefts of cards, the thieves apparently did not break into the back-end IT systems and databases of the company and take a big dump of the cards. Rather, they managed to infect tens of thousands of point of sale systems - those red card-swipe machines at every Target store - so that as you swiped your card or entered your PIN, it transmitted the information simultaneously both to Target's own systems (and on to the payment processors for validation) and to the thieves. Kudos to Brian Krebs's Krebs on Security for breaking the story and following up. In many ways, this is very similar to the infamous TJ Maxx breach a few years back, where they hacked in using improperly secured store WiFi.

This incident highlights, yet again, the fundamental weaknesses of the credit card system, and what we need to do to repair it.

Since the early years of credit cards, your card number has been the approval to draw from your account. Since cards were physical items, the most one had to worry about was the card itself being stolen. Sure, thieves stole carbon copies of the card imprint machine slips, but as a matter of scale, it was quite small, and all you really had to do was shred those. These were losses both people and the industry could absorb.

The real question became, "how do I verify that the person giving me the card is the real owner?"

The idea that the merchant was fraudulent or irresponsible was simply a non-issue. You trust the merchant, the merchant verifies you.

Over time, as the credit card industry enabled catalog sales and then Internet sales, the scale of card usage has grown. But so have the opportunities for fraud. The card industry's answer has been:

  1. Magnetic strip encoding
  2. Risk evaluation - if you purchase an item with a physical card present, the risk is lower, and so are the fees charged the merchant
  3. IT - use algorithms to identify suspicious purchases and block them
  4. Security code - the code on the front (AmEx) or back (others) of cards that is neither encoded on a magnetic strip nor raised in the imprinted number of the card.
  5. Processes - lay down rules for merchants as to what data they can store and how. Your name can be kept, the card number must be encrypted, the security code must never be kept

All of these, however, follow the same fundamental assumption: the merchant's job is to collect enough information to allow the credit card industry to validate the user of the card, while the cardholder's job is to hand all of that information over to the merchant. We must trust the merchant, but we must question the cardholder.

To their credit, these actions have reduced the valid lifetime of a stolen card before it is blocked, which reduces each card's value; according to the latest information on the Target thefts, the card numbers were being sold for ~$40/card. However, with the massive growth of the number of merchants, and hence points of sale, network transits and storage databases, the volume of theft will more than compensate for the drop in value of a stolen card.

This game of cat and mouse will go on... until the industry realizes - and merchants and cardholders insist - that the best way to prevent credit card fraud is not to prevent fraudulent card usage, but to prevent credit card theft in the first place!

We must challenge our assumptions about merchants. We need to begin to trust the merchants about as much as we trust the cardholders: very little. Lest anyone become offended on behalf of the merchants, they themselves would far prefer not to have to worry about card storage. I have evaluated and managed a goodly number of PCI implementations; they would far prefer to get out of the business entirely.

What does this mean practically?

What I as a cardholder really need is a system that gives me the ability to give my merchant enough information for them to verify this one sale at this one moment, but not enough information for them to make even a single additional sale!

There are two ways to do this. It is much to my surprise that no provider has done this yet.

  1. Push instead of pull: Giving Target my card number is nothing more or less than an authorization to post a charge, i.e. pull funds from, my account. It is this very "pull" nature that allows thieves to reuse that number and pull more from the same account. Instead of pull, I should be able to push. Target should give me a unique transaction number on checkout. I then go into my account, to which only I have access, and push funds (perhaps via smartphone) to that transaction. Target neither needs to know nor care if I am a legitimate cardholder, just as they neither know nor care when I pay them in cash. They have gotten paid; move on.
  2. One-Time Numbers: If we continue to insist on pulling funds rather than pushing them, then we create one-time credit card numbers. Similar to those RSA keychain fobs, or the now-popular Google Auth iPhone/Android App, credit card numbers would have a base of 16 numbers that is unchanging, and 4 digits that change every thirty seconds. You need the entire 20 digits to make a transaction, can only use it within a short window, say 5 minutes, after it appears, and each one can only be used once. The 20 digits are more than enough for Hertz to identify me, far more reliably than in the current manner, but even if a thief broke into Hertz and stole that number, it would be useless, as it had already been used.

Most of us may not care, since the card companies and banks cover fraud on our behalf, as they should. Nonetheless, there is a large inconvenience factor, and the card issues must cover their expenses by charging more to merchants, who must cover their costs by increased prices. It may only total 1% of the total card usage in a year, but with almost $3TN in credit card purchases in 2012 in the US alone, 1% is $30BN out of the hands of thieves and into the economy.

What could the economy do with $30BN...