Bricks and Wedges

It’s possible to construct a wheel out of bricks by using little wooden wedges in between the bricks to make the whole production sort of vaguely round. But no sane engineer would be proud to have designed such a thing.

That’s what I think of every time when I look at the landscape of security “solutions” for credit card payments.

I had a vendor call me last week to tell me that my credit card had been declined by my bank. So I called my bank. After listening carefully (because they tell me that their “menu has changed,”) I talked to a customer service rep. The guy I spoke with cheerfully informed me that the bank had turned down a transaction I’d requested because it didn’t fit the pattern of other recent transactions. By turning down my request, my bank was doing me a favor by protecting me from fraud. They do me this favor fairly frequently, particularly when I’m traveling overseas.

I was also recently sent a new credit card (by another bank) because my card number had been compromised somehow. No unauthorized charges ever appeared, but it was pretty clearly a precautionary measure taken by the bank because of a data leak somewhere.

I’m not opposed to anti-fraud measures by any means. Banks and merchants wind up having to absorb losses when fraud occurs. And customers ultimately have to absorb the loss, since the associated costs are baked into everything.

And some of the anti-fraud measures are genuinely clever. I’m sure there’s a lot of data mining science behind the software that analyzes a transaction stream in order to look for suspicious activity. And fraud tracing is clever, too. Card issuers look at the transaction data of a large number of cards that have been used fraudulently; if a single merchant shows up in the legitimate transaction stream of many compromised cards, this suggests dishonesty and/or a data leak by that merchant may have led to the compromise. That’s probably what happened when the bank told me it was replacing a card for security reasons.

But why is this necessary in the first place?

It’s necessary because the financial services industry still authenticates transactions using a 16-digit account number and expiration date that are the same for every single transaction. Sometimes another number, the three- or four-digit CVV2 code, is also used. That’s a little better, I suppose, since the CVV2 code doesn’t show up on the card’s magnetic stripe.

But the bottom line is this: the data used to validate a transaction is shared widely (with everyone you choose to transact business with) and is typically valid for years. It’s somewhat surprising to me that fraud isn’t more rampant than it already is. In the security engineering world, we have a technical term to describe this sort of data management practice: stupid.

I admire the sophistication of anti-fraud systems. But they exist mostly to avoid solving the obvious problem: that the card number itself is a crummy way to validate a transaction. The industry ought to be aiming for a system where the account number isn’t very helpful in perpretating fraud, and where the data used to validate one transaction isn’t useful for another.

One bank I know of has “virtual card numbers,” where you can generate one-time-use account numbers online. That’s a baby step in the right direction.

But consider a system where the customer could digitally sign each transaction–and the transaction to be signed encoded information like the account number, merchant ID, the amount of money being exchanged (or a ceiling on the amount of money to be exchanged), and a validity timeframe (one-time, monthly for a year, etc.)

Account numbers would still be compromised in the future, as would transaction data. The difference: this information wouldn’t be so directly useful for fraud since the information is different for every transaction.

This would require some non-trivial infrastructure to accomplish. For one thing, customers would have to be issued smart cards or other convenient hardware capable of doing the required cryptography. Merchants would have to have equipment to handle this. All of this would cost money. And we’d doubtless see a whole new threat environment develop, as fraudsters try to trick people into signing illegitimate transactions through technical and social means.

But it’s past time to begin the process of retiring reusable transaction authenticators. The anti-fraud countermeasures currently deployed are certainly impressive and clever (albeit inconvenient at times).

But at the end of the day, the financial services industry can’t escape the fact that they’ve built payment infrastructure on wheels made from bricks and little wooden wedges.

Leave a Reply

Your email address will not be published. Required fields are marked *