Christmas time is here and the American economy shows that things may not be as bad as one thinks as billions are spent this month. I am not here to post about financial status but payment method and the security around it. We are moving into an electronic payment world and the retailers, credit card companies and card holders are so far behind on protecting this it’s beyond scary.
I am going to pick on Target and Wal Mart and use them as the retailer examples throughout. They are one the biggest retailers and they are the worst and preventing credit card fraud. The solution is so simple that I have yet to grasp why Visa and Mastercard are overhauling the system to protect their money. Because it’s their money that’s getting spent when you use a credit card, it’s not your money. You are accountable for it but not responsible for it.
You can walk into Target, load up your card with a few hundred dollars of merchandise, hand them a credit card and walk out. NEVER do I get checked, asked for ID, or the clerks validate that card is valid. Is a 6 foot guy using a card that has the name Shirley on it? Not once at any Target store I go to. Wal Mart is the same way, especially if you use the Express Self Checkout lanes.
I know this is true because one of my new bits I focus on is the local police reports. In almost every single case of a stolen purse, smash and grab, lifed wallet where there were credit cards involved they all were used at Target, Wal Mart or a grocery store for about $200 and then the card was dumped. Stupid, stupid, stupid. If you pay with a $50 or $100 dollar bill they will call over the manager, pull out a blacklight counterfeit checker, examine the bill like a doctor. A credit card purchase, swipe and smile, walk out. Do you see the disconnect here?
If I were Visa and Mastercard I would get so fed up in the billions of false charges that they have to deal with every year that I would put in a system changing prevention measure to protect my money. Consumer convenience for payment speed is now secondary. I would put security measures in place that would render the cards themselves completely useless in the physical form. If you lose it, no big deal because the security measures in place for payment would prevent an unauthorized use.
Here’s are the changes that would make the cards more secure, save billions in the process and prevent credit scores from being destroyed.
- Photos on the Credit Cards – I never understood this. A few cards have added this feature but I am talking about a industry wide mandate. Everything about you is centralized anyway with the credit bureaus, add a photo to the mix. Get certified photo centers and every 5 years you go there as part of a credit report update and the service adds your photo. Then when you apply for a new credit card they print your central credit photo to the card.
- PINs – I have to put in a PIN code to get $20 out of my account (MY MONEY) at an ATM but can freely swipe away $1,000 purchase with no checks if I am the right card holder. Require personal swipe pads and PIN entry. Some consumers might get confused with all these PINs sure, but most will not.
- Mobile Verification – This one might be a little more advanced but solid. When you walk into a store you swipe your card before you start shopping, you get a text with a code, you then validate that at purchase time. Probably too complex.
- Biometric – Same concept as the photo. Go to a service center and scan your finger then you add a finger scanner to the swipe pad. Some stores do this already I have seen but it’s localized to that store. I am talking about an industry mandate. Or we could just jump to the Minority Report level and do full retina scans, no cards, nothing to steal… other than your eyes.
- Shift Full Liability To The Retailers – This is the best method to get people to fall into line. The retailers seems to wash their hands here, sure they lose some merchandise but the insurance covers it. What if Visa and Mastercard changed their tunes and put the retailers 100% responsible for covering the false charges. Since the retailers are not doing their due diligence to check the validity of the card user then why are the credit card companies paying for the retailers stupidity and laziness? If Target had to not only cover the merchandise lost but the credit card charges as well, they would put in place a hard process to validate the credit and debit card users like they do for $100 bills. Back in the old days the retailers would even call the credit card company and have them talk to the user to validate. I remember having to do that on a few occasions.
As an individual user I write SEE ID in the signature box next to my signature on all my cards. Big black Sharpie Ink. I have no problem showing my ID, I usually have it out and displaying it to the clerk regardless. If I forget and the clerk doesn’t ask, I always tell them that they need to read the card and check all IDs. If they do actually look at the card and ask me, I shower them with thanks and praise. You should to.
Until the retailers get their acts together around purchase security take as much precaution as you can and talk about getting them to change things. One mistake can have your cards gone in a flash with you stuck with the headache cleaning up the mess.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.