Why is it so damn hard to prevent credit card fraud?

Please learn me…

I had my debit card hacked for an online purchase of $30.
Caught it the same day because I have an app (on my phone) for my banking and noticed the charge. Made the call and talked with a bank associate for about 45 minutes during which a contest of the charge was filled out etc.
According to the very friendly associate I spoke with it is not really possible for the bank to figure out who or where this charge was made. It’s obvious for what the charge was made, but the whom is a mystery.
The frustrating part was the cancelling of the debit card and having to wait a week to get the new one. I rely heavily on my card for day to day and online purchases.

Anyway…I was thinking…why can’t my pin number be required for ALL purchases? My card also had the chip in it…much good that did. Or…if the pin number can’t be required, then send me a text that I have to respond to to finalize the sale.
It seems like there are many ways to prevent fraudulent activity. I, as the card holder, should be able to decide how “locked down” I want my card or cards to be. I understand the more security features you would require means that purchase processing may take longer. It beats having to dick around with the whole process AFTER the theft has occurred.

I’ve always said that [at terminals, when swiping your card] you should only be able to use a PIN. As it stands, I can steal someone’s card and use it until it gets shut off. Really, when do you get asked for an ID (let’s move past the CID stuff for the moment, that’s another discussion). Furthermore, there’s gas stations, self checkouts, customer facing terminals etc. I’m still very surprised that we didn’t just go right to Chip & PIN with migration to chipped cards. I don’t understand why. This move (and I say this as a merchant that made the conversion very early and mostly seamlessly) has been a trainwreck…and we’ll probably have to go through it again when we do decide to do Chip & PIN.

But that doesn’t help us with the internet and phone orders, the latter of which, traditionally, involved a human at the other end typing your credit card number into their terminal by hand.

When I first got my Amex card it came with the ability to generate a temporary number for one off internet purchases. That’s something I’d like to see again, but expanded a bit. I’d like to see the ability to generate multiple numbers with restrictions, say a time limit (24 hours/3 days/7 days/1 month), times used and most importantly who can use it. So if I want to buy something from a website I’m not sure about, I can generate a new number, tell Amex that only that store can use it, only once and then it declines after that. Now I can feel safer buying from places I’ve never heard of. Further, I can generate a number to keep on file with Amazon and one for Netflix and one for any other websites. Now, when I get an email that my credit card number may have been stolen, it’s no big deal, just put a new one on that site and move on.

I can only assume that, right now, the cost of doing this is more expensive than eating the fraudulent charges.

As for the chip not doing any good, well, it didn’t, you’re right, but your card number was likely lifted from an online purchase or a place where you swiped your card (assuming someone didn’t just look at it and write it down at some point). Part of the way the chip works is by masking the number. With the upgrade to the chip, your actual number, the 16 digit number on your card is no longer transmitted back and forth over the internet/phone when it’s used. The chip generates a different number, unrelated to your number and useless to anyone else. Also, your number is no longer stored on the terminal so a nosy cashier can’t go back and look at it. OTOH, of course, I can go into my merchant account and pull it up (which always seemed odd) but if a person as high up as me is stealing credit card numbers on any kind of a regular basis, I’d wager the store would get caught at some point.

Two more things that I’m a bit fuzzy on because it’s been a while since I’ve read up on it:
Tokens: Tokens are used in place of your number, but IIRC, they’re encrypted versions of your number and, again IIRC, EMV (chips) use a random version of it.

Regarding EMV, at some point I heard that the credit card machine talks back to the chip. Possibly something about making sure the random number it generated hasn’t been used before and making sure it won’t be used again. At the beginning of all this, many terminals wouldn’t finish talking to the chip until near the end of the transaction and that’s why if you pulled the card out of the reader too early the transaction would fail and the cashier would have to start it all over, it was also why it seemed to take so long. A few software upgrades later and they’ve managed to get all (or most of) the reading/writing at the beginning so if you yank the card out early it’s okay. Honestly, that, the ‘ugh, the chip thing takes sooo long’ and ‘I have to put it in again, how many times am I gonna get charged?’ (well I told you twice to wait until it says please remove card) are probably the biggest reasons why customers hate the chipped cards so much. Honestly, I’ll watch a customer yank their card out two or three times in a row, whine about it and say ‘this is sooo stupid, all this work and I don’t see why it’s any more safe’, and it’s not like I can explain this whole screed to a customer that thinks dipping their card is that much bigger of a deal than swiping it.
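The restricted temporary numbers proposed in the post above (a time limit, a use count and a merchant lock), sketched as the check an issuer would run on each charge. This is an added example, not code from the thread or from any card issuer; the class, field and merchant names and all sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class VirtualCard:
    """Temporary number with issuer-enforced limits (hypothetical model)."""
    number: str                  # constructed placeholder, not a real card number
    merchant_id: Optional[str]   # None = usable at any merchant
    expires_at: datetime
    max_uses: Optional[int]      # None = unlimited, e.g. a number kept on file
    uses: int = 0
    revoked: bool = False

def authorize(card, merchant_id, now):
    """Return the decision string; a use is counted only on approval."""
    if card.revoked:
        return "revoked"
    if now >= card.expires_at:
        return "expired"
    if card.merchant_id is not None and merchant_id != card.merchant_id:
        return "merchant_not_allowed"
    if card.max_uses is not None and card.uses >= card.max_uses:
        return "use_limit_reached"
    card.uses += 1
    return "approved"

def demo():
    """Constructed scenario: a one-off number and a number kept on file."""
    t0 = datetime(2024, 1, 1, 12, 0)
    one_off = VirtualCard("VC-0001", "unknown-shop", t0 + timedelta(hours=24), max_uses=1)
    on_file = VirtualCard("VC-0002", "video-service", t0 + timedelta(days=30), max_uses=None)
    results = [
        authorize(one_off, "unknown-shop", t0),                        # first use
        authorize(one_off, "unknown-shop", t0 + timedelta(hours=1)),   # number reused
        authorize(on_file, "other-store", t0),                         # leaked number tried elsewhere
        authorize(on_file, "video-service", t0 + timedelta(days=31)),  # past its time limit
    ]
    on_file.revoked = True   # cardholder replaces the number after a breach notice
    results.append(authorize(on_file, "video-service", t0))
    return results

if __name__ == "__main__":
    print(demo())
```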

Security procedures have costs as well, and additional security procedures have much higher costs in the US than in many other places, largely because the US has such a large installed base of equipment.

Think about all those point of sale machines and gas pumps and other systems that take credit cards. If you change the process for security reasons, all those things need to be updated or replaced. That doesn’t mean that nothing gets fixed, but it means that it takes time, and it often takes a lot longer than you’d think.

And, as you point out, until everything is upgraded, the new security features don’t accomplish much. Like, your card has a chip in it, but since you can still purchase things without using the chip… it doesn’t actually secure your card against fraud. And the chip is never going to protect against online fraud, unless you think everyone’s going to buy a chip reader and plug it into their computer/phone?

I suggest: get another credit card from another source as a backup. Then you won’t be without one when you inevitably have to wait a week or so for a replacement.

That’s exactly why I’m surprised we didn’t go right to chip and pin. Assuming we do, we’re going to have to go through this whole mess again.

Oddly enough, when I mentioned that my Amex card could create temporary numbers that’s how it did it. This was back in 2002, it had a chip and came with a USB dongle that I plugged the card into to get the new number. I don’t know why they did it that way unless they were just testing out the chips. It seems like it would have been just as easy to go to their website to get a number.

This was the OP’s debit card and the exact reason that I always suggest only using a credit card (if that’s not a problem for you). I’d much rather have my credit card maxed out than my bank account drained, even if it’s only temporary.
But, yes, having another card/account is a good idea. In fact, many years ago when I lost a (business) card, that’s what I used as leverage to get the new one overnighted to me. They wanted to send it out in “2-3 weeks” and when I pointed out to them that the $300-$400 per day that I spend on that card, I’d have to spend on my other card for the next few weeks, I suddenly had one the next day (that was after arguing with them for a few minutes about it, they also waived the fee for expediting it).

I believe the US has an unusually low fraud rate as well.
So, a large and diverse installed base making changes costly and a relatively low cost of fraud. The CC companies aren’t in any hurry to upgrade.
In fact, I believe the only reason there have been any changes to date is that the CCCs became concerned that people would hesitate to use their card because of the business hacks that were in the news. The CCCs know that even a few percent drop in usage will cost them far more than any upgrade costs or fraud costs.

Why use a debit card? Use a credit card, preferably a cash back card and link it to your bank account so it pays the full balance monthly. No worries. The bank covers fraudulent purchases, and you get leverage dealing with bad purchases AND you get cash back.

Just this morning, a friend told me she had forgotten to pay her electric bill, and was afraid it would be cut off, so I put it on my credit card. The entirely automated call required the card number, the CC billing zip code, the expiration date and the security number on the back. Then everything just went through. She could have charged her bill to any card number for which she knew that information. Sounds pretty slipshod.

By the way, last week I was talking to my bank, and they didn’t ask me any security questions, I just entered my account number on the phone pad and I was addressed by name by a CS rep. Later I asked him about security, how was he sure it was me he was talking to. He floored me – he said “We have voice recognition software” and he told me the date of my last call. I was impressed. This bank has 16-million clients.

Would voice recognition work if I called on a different phone, in which a microphone difference would give the same voice a completely different signature?

Two things. First, the credit card processor will NOT decline a card if the address or security code doesn’t match (at least very very rarely), it just reports if those three things (address/zip/security code) match or do not match. The merchant then gets to decide what they want to do from there. Those pieces of information are there, not to protect the cardholder, but to protect the merchant. When someone calls me with a card, and those numbers are verified, it tells me that the person that I’m speaking with is more than likely the owner of the card. If all you do is lift a card number and expiration date (and nothing else), you’re not going to have their address or CVV. If you know where they live, you probably don’t have the CVV. If you steal the card, you probably don’t have the address. If you have all of it and it all goes through properly, in all likelihood, I’ll never even hear about it when the charges are taken off your bill since there wasn’t really much I could have done beyond that.

Second, I’m not sure what else you’d want? Yes, she could have charged it to anyone. But, even ignoring what I said about the mismatches not really mattering, what more information could a merchant have asked for to make sure that they were authorized to use the card?

Part of what makes a card easy to use fraudulently, is also what makes it easy to use, period. Credit cards have to walk a fine line between not totally opening themselves up to anyone just being able to input a random string of numbers and getting free stuff and making them so hard to use that people don’t want to use them. If they get to be too much of a PITA to use, more and more people will just go back to checks and cash. It’s this exact reason that the merchant agreement generally bars asking for an ID (as a policy). They want people to pull out their card, swipe it and put it away, while trying to maintain some level of protection for everyone that has their hands on the transaction.
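The split described in the post above, where the processor only reports whether address, zip and security code matched and the merchant decides what to do, written out as a merchant-side screening rule for phone and internet orders. This is an added example, not any processor's API or a policy from the thread; the field names, the three result values and the $100 review threshold are assumptions.

```python
from dataclasses import dataclass

# Hypothetical result values; real processors return their own codes.
MATCH, NO_MATCH, NOT_CHECKED = "match", "no_match", "not_checked"

@dataclass(frozen=True)
class ProcessorResponse:
    approved: bool    # funds approved; says nothing about who is holding the card
    street: str       # billing street address result
    zip_code: str     # billing zip result
    cvv: str          # security code result

def merchant_decision(resp, amount_cents, review_over_cents=10_000):
    """Return 'accept', 'review' or 'reject' for a card-not-present order."""
    if not resp.approved:
        return "reject"
    if resp.cvv == NO_MATCH:
        return "reject"    # caller does not have the physical card details
    if resp.street == NO_MATCH and resp.zip_code == NO_MATCH:
        return "reject"    # caller knows nothing about the billing address
    if resp.street == resp.zip_code == resp.cvv == MATCH:
        return "accept"
    # Partial result: accept small orders only when the security code matched.
    if resp.cvv == MATCH and amount_cents <= review_over_cents:
        return "accept"
    return "review"

def screen(orders):
    """Apply the rule to (response, amount_cents) pairs."""
    return [merchant_decision(resp, amount) for resp, amount in orders]

# Constructed sample orders; every one of the first five was approved by the processor.
SAMPLE_ORDERS = [
    (ProcessorResponse(True, MATCH, MATCH, MATCH), 25_000),
    (ProcessorResponse(True, NO_MATCH, MATCH, MATCH), 4_000),
    (ProcessorResponse(True, NO_MATCH, MATCH, MATCH), 25_000),
    (ProcessorResponse(True, MATCH, MATCH, NO_MATCH), 4_000),
    (ProcessorResponse(True, MATCH, MATCH, NOT_CHECKED), 500),
    (ProcessorResponse(False, MATCH, MATCH, MATCH), 500),
]

if __name__ == "__main__":
    print(screen(SAMPLE_ORDERS))
```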

If the name of the cardholder is not the same as the name of the client on whose behalf the payment is being tendered, would that not raise a question in your mind? In this case, as I stated, there was no human review. It was all done just by keying in the numbers, and then a payment confirmation number was voiced.

The cardholder name on file with the credit card company and the name the electric company has on file are never checked against each other. You never told them your name and short of doing a voice authorization (which costs a ton of money and I’m not sure if they check the name even then) there’s no way that I know of to check the cardholder name.

About the most you can ask for at this point is that the billing address for the credit card and the service address are different, but that’s very common, especially for utilities.

As it stands, card not present transactions are still a pretty reliable way to use stolen credit cards. It’s the nature of the beast, it’s why you need to cancel your credit cards as soon as you notice they’re missing and keep an eye on your account.

it’s cheaper for the bank to deal with fraud than prevent it.

mc

You could have used a stolen credit card, and the utility company could have had an expensive procedure in place to catch that, or they can just re-issue the bill when the credit card company cancels the payment.

More security might make more sense in other scenarios, but it makes none in this.

I’m not in the US, but fwiw my bank allows me to create temporary card numbers (using Mastercard atm, but they had it with Visa too) with their online services, it’s what I use every time I make an online purchase with a credit card.
So such things are certainly possible.

A 45-minute phone call? Please tell us the bank so we can avoid it. The few times I’ve had fraud on any cc (never debit, because using a debit card for purchases is bad) it’s taken just a few minutes.

I think you are simply underestimating the costs of the change. It’s not just the capital cost of the equipment, or writing new software.

It’s waiting in line for 10 minutes at the grocery store, getting to the front, and having the machine crash and then having to go wait in another line (this happened to me the first week my grocery store started accepting chip cards) or (and this also happened to me) even though there’s a chip slot on the terminal, it’s not working right, and if you insert a chip card, you have to void the whole transaction and start over, which requires you to call a manager…

It’s having it take an extra 15 or 30 seconds per customer at every sale because the new system is slower, or because customers can’t figure it out, or because someone forgot their PIN that they didn’t think they’d need to use.

All that stuff adds up. Occasionally getting a card replaced isn’t really a big deal. And if you just get a second card, it’s even less of one.

There’s no such thing as perfect security, and the system we have works pretty well, despite not looking very secure.

Yeah but when you noticed the money missing it would be pretty obvious from the recipient’s electric account who’d done it. Of course a fraudster could also buy goods online but that requires a delivery address, someone to sign for it etc.

I run a small grocery store, every time the machine crashed, I was the one the cashiers yelled for all effing day, trust me, I’m more than aware of the delays.
During those first few months, one of my machines handled the transition so poorly, I’ll bet I spent upwards of 6 hours on the phone with tech support/customer service and they even swapped out the machine 3 times PLUS gave me a free Clover machine just to help deal with it.

That’s why I’m saying I’m surprised we didn’t just make the jump directly to Chip and Pin. At first it seemed like they tried. Quite a few credit (not debit) cards asked for a Pin. Out of those, maybe 1 in 20 people just happened to know their pin. They said they had one mailed to them weeks ago, but didn’t know why. I called my processor and was told it was supposed to be rolled out as more and more banks issued pins, but it never happened and the terminals stopped asking for them on credit only cards.

I’d rather see cards that required a pin, I just don’t look forward to having to go through this all again.

And then, as a fraudulent payer, she was going to tuck her house in her pocket and sneak away into the night?

Which works great IF you keep track of your spending and pay off each month. I do keep track and I do pay off each month. This, however, was not always the case. That was many years ago and I currently can cover every bit of my debt with the money I have in savings. If I HAD to. I still am reluctant to go the full credit card route because of the feeling of having spent more than I should have. I’m gradually spending more on the credit cards, but I still use the debit card primarily.

There are the benefits you mention, but it’s not a good plan for everyone. The inexperienced or undisciplined can easily find themselves using up their whole paycheck in one week.

But back to the OP’s bank.

What do you mean they couldn’t tell you where the fraudulent charge was made? Something’s not right there. My bank statement always contains all debit card transactions. Who? Maybe not. Where? Most definitely.

A week for a new card? When someone used my debit card to try and order a phone with six months service (did you REALLY think I couldn’t trace that?), I got a new card the same day. Granted, I had to go into the bank in person, but that option was definitely open. Did they tell you a week period, or a week by mail?

I set up an alert system with my credit union. On their website, I chose a dollar amount that was just outside my usual grocery bill for a week. If I spend over that amount, I get an email at work and my personal email. It doesn’t stop anything, but it allows me to track and doesn’t cost anything. It’s annoying the first of the month when I pay electric, rent, cable, and my car payment. But worth the annoyance.

I found this out recently. It’s our fourth go around with card fraud with BOA. This time it was someone charging two plane tickets from Mexico to Seattle. Called the airline and they said “Oh, yeah, the person who charged that is (gave us the name). You’ll have to call the credit card company. It’s probably just a number that got transposed.” I sent them an email asking how it was possible that someone was able to charge tickets to a credit card that didn’t match the CVV. They haven’t answered. Meanwhile we’re going through the usual fucking hell with BOA to get our card cancelled and reissued. They’ve fucked up the information they were given three goddamn times in three different phone calls. Every time we have to deal with this, they screw it up. I really am about an inch from telling them to go fuck themselves, air miles be damned.