Friday, June 5, 2015

One Way That Chip Credit Cards Aren't More Secure

Within three days of arriving in "Country X" fraudulent charges began appearing on our credit card account from vendors elsewhere in the country.  (I'm withholding the name of our destination because I don't want you to think there is something uniquely dastardly about people there -- this was just as likely to have happened in any large city in the U.S.)

We were particularly frustrated because this was the maiden foreign voyage of our new Barclay chip-and-pin credit card that my wife and I obtained after a trip to Europe to last year, where our antiquated and grossly insecure swipe-and-sign card had proven to be a major pain in the butt -- see my blog, American Travelers Abroad: The Chips Are Down. As soon as we noticed the fraudulent charges we naturally notified the company, whose solution was to cancel the card immediately.  They assured us that we wouldn't be liable for the fraudulent charges and that they would send a new card immediately.  Oh, ok, that's grea.... Wait -- we were thousands of miles from our home and since we were traveling for the next month we were moving targets for any attempt to deliver a card somewhere else.  Bottom line is that we had to go without that bright shiny, chip card for the rest of the trip.  We fortunately had a couple of fall-backs -- the old swipe and sign card we had replaced because it was inconvenient and insecure, and an ATM card.

So what had happened?  We racked our brains to try to figure out how this supposedly more secure card could have so easily become the plaything of nefarious ne'er-do-wells.  We had used the card a number of times after starting the trip, but it never left our sight because this country, being somewhat more advanced than the U.S. in these matters, follows the practice of bringing a point-of-sale-device to you and inserting your card into the machine right in your presence.  And since these were chip transactions, they were much less susceptible to some fancy electronic hack of the payment system. Hmmm....

It then occurred to us that the Barclay fraud department agent we had spoken to said that the transactions had been "manually" entered, the same way your credit card details are entered when you make a phone order or a mail order for merchandise.  These are called "card-not-present" transactions.  The proper security procedures in these cases is for the merchant to ask for information that (supposedly) only someone in possession of the card could supply -- namely the expiration date of the card and the CVV ("Card Validation Value").  The CVV is that three digit number printed on the back of your card, or in the case of American Express, the four digit number on the front.

Gee, how in the world could some criminal get our expiration date and CVV?

How about by looking?  All a clerk has to do is glance at your card during a card-present transaction to obtain this information.  It's then a matter of having sophisticated cronies who can charge merchandise by phone or mail order and then have it delivered to some temporary pick-up point.  Or perhaps the merchants supplying the illicit goods or services might be in on the scheme. If they're lucky the victim won't notice the transactions on their card statement, something more likely in the case of travelers who make a number of foreign charges that are hard to recognize as fraudulent ones, especially if currency conversion makes the amounts unfamiliar.  If the charges are reported as fraudulent, as in our case, all that happens is that the merchant is forced to reverse them.  Note there is no real victim if the merchant was in on it -- the credit card company isn't out anything, nor is the merchant, nor is the customer.  Seems to me like a good way to reward bad behavior.

Note that this is a potential problem regardless of  whether you have a chip card or not.  All currently issued credit cards are susceptible because they all have CVV's and expiration dates on them.

Am I being overly paranoid (in addition to my many other personality quirks)?   Not according to a number of sources, including the highly respected internet security firm, AVG which gives this explicit advice about the CVV:

"...when purchasing an item or service in person, you should never provide the details of your CVV...Handing over your CVV for purchases completed offline serves no purpose other than providing someone with the opportunity to steal the information. Because if they were to do this, they’d have everything they need to go ahead and make a bunch of fraudulent online [and offline] transactions – on you! 
Don’t provide your CVV when processing a payment in person. It should never be required and if someone tells you otherwise, it’s a reason to be highly suspicious!  " (AVG article by Michael McKinnon, January 15, 2015)
Unfortunately, the wisdom of AVG stops short of telling you how, during an in-person transaction, you can prevent a clerk from seeing the CVV and expiration date.  If the transaction requires a signature, the clerk is perfectly justified in turning the card over and looking at the signature and even refusing the card if it hasn't been signed.  That CVV is right next to the signature on most cards and even easier to spot on Amex cards.  And even if a signature isn't required a little artful fumbling with the card can allow a quick glance at the code.  I'm not the only person to have made this observation and the security risk it entails -- see Henry Bagdasarian's paper on CVV and Identity Theft Awareness. In other words AVG's admonishment to never hand over your CVV information during in-person purchases is nearly impossible to follow.

My solution has been to black out the CVV's on all of my credit cards (I keep the numbers in a cloud-based secure service where I can access them if I need to).  I found, though, that the number is hard to obliterate completely because it is actually embossed into the card surface.  Still, the number can only be seen by tilting the card back and forth to catch the light just right, a rather obvious maneuver.  Another approach suggested by Bagdasarian is to tape a small piece of paper over the CVV. 

In my humble opinion, credit card companies are foolish (I had another word in mind) to put this important information right on the card.  It really should be treated like a pin, with the same level of secure handling. When I did research for this blog, I came across several references to developments that will make CVV theft more difficult in the future by using something called a "Dynamic CVV," essentially a code that changes for each transaction. (See articles by CNNMoney, Credit Card Reviews, and Money Nation).  Don't hold your breath, though.  The estimated cost of these cards to produce is about 10 times that of a chip card, which is in turn about 6 times more than an ordinary swipe and sign card.  And credit card companies are all about the bottom line -- it is generally cheaper for them to absorb fraud losses than to upgrade technology.

The current switchover to chip cards will be expensive -- about $8 billion for the card companies, and about $25 billion for merchants, according to CNNMoney analyst Jose Paglieri.  But as Paglieri and many others have pointed out, the new U.S.-style chip cards really aren't that much more secure if lost or stolen because they don't require a pin. So why isn't the U.S. joining the rest of the world in moving to chip-and-pin?  Paglieri suggests it is at least partly a matter of profit -- banks charge merchants more for each signature transaction than one involving a pin (currently only debit cards) and would lose huge amounts of revenue.  Retail merchant lobbyist Mallory Duncan has made this point very clear about the motives of credit card companies:  "They'd rather have fraud-prone signatures, because it potentially makes them more money than a secure PIN."

Of course, as my experience shows, even chip-and-pin cards are vulnerable to certain kinds of fraud, namely the CVV scam.  In the future we are probably not going to have cards at all and instead move toward something like ApplePay, which most analysts believe to be much more secure.  That reality is some ways off, however, and in the meantime we will remain vulnerable to preventable fraud.  The reassurance of banks that the customer isn't financially liable for fraudulent charges is bogus.  The hassle and inconvenience of dealing with a compromised credit card account can be major wastes of time and energy for the account owner.  Further, the $ billions in card fraud each year don't just vanish -- they are passed on to the consumer in the form of higher prices for goods and services.

Banker's Math wins again.

Source Links


Randy said...

My new (old signature style) MasterCard only has my name on the front of the card - all other information is on the back of the card. I assume that this was to make it a bit harder to casually spy on. I agree that the new setup is based on greed and not security. I can't wait for a more secure method of payment to come along.

Gordon said...

Sounds like another situation for duck tape. A small piece covers the cvv and is easily but obviously removable

Coleen Hanna said...

What about restaurants in which the server does not come to the table with a device, and instead takes your card away, out of sight, to another location? That gives them plenty of time to record everything on the card before giving it back to you. Many of my friends pay cash at restaurants and I'm wondering if this is why.

Richard Sherman said...

Coleen -- You're absolutely right that whenever your card leaves your sight it opens the potential for fraud. And with the chip card this will be no better, because a waiter can copy the card number, expiration date, and CVV and make online or phone purchases. This is why I have decided to hide the CVV. By the way, I have gone up a notch and covered it with a small piece of paper and tape (Gordon's suggestion of duct tape is great, too). When my card comes back I can see if the cover has been tampered with.

The new American chip and sign system won't protect from CVV fraud. It won't help if your card is lost or stolen, either (unlike the European system of requiring a pin). Mainly it makes cards harder to counterfeit and also makes transactions stored by merchants less vulnerable to hacking. That's it.

Bankers have no interest in protecting consumers -- we have to do it ourselves as best we can.

Coleen Hanna said...

Has anyone ever questioned your covering up the CVV? Tell you they need to see it for some reason?

Richard & Karen said...

Colleen -

Only once so far and it seemed legit. Karen's long time hair stylist had a new payment system and it couldn't read the magnetic strip on her card so the stylist had to manually enter the transaction and needed the cvv. Otherwise, as the AVG quote indicates, be very suspicious if a merchant wants that code--they simply do not need it if they swipe your card or read the chip.