How Secure are Biometric Payments?

There’s been a lot of buzz around the payments industry lately with news about MasterCard testing “selfie pay” and banks like Wells Fargo experimenting with eyeball scanning software.

Surveys show that people like these approaches because they are more convenient than using passwords, but it does raise questions about how secure they really are.

MasterCard Makes Selfie Pay a Reality

Wells Fargo to Verify Customers through Eye Prints

Can biometrics apps be fooled?

I’ve seen the movie Avatar and I can tell you that computer generated images can be pretty darn realistic.  It’s not that difficult to start with a still image from a Facebook post and animate it enough to fool a biometrics app.

It might be more difficult to get an image of someone’s eyes, but is it really that hard?  How many close up selfies get posted every year?

There have also been several large data breaches that contained fingerprint information, so even that data might not be safe.

Severe Weaknesses in Android Handsets could Leak Fingerprints

OPM now Says more than Five Million Fingerprints Compromised

Once your data is stolen you are out of luck since there is no way to change your personal data.

Even if your data is not stolen, recent research has shown that fingerprint sensors can be compromised with “master prints” containing common fingerprint features.

Fingerprint Sensor not as Secure as you Think

Biometric enrollment fraud

The dirty little secret of biometrics is that enrollment is the weakest link and in some cases makes fraud easier to commit than non-biometric systems.

Imagine that your bank is rolling out voice identification to verify your identity, but for it to work, they need several samples of your voice recorded in their system.

If a thief is the first one to call up and record their voiceprint, then they can bypass the new security measure that is meant to be safer.

Time will tell if biometrics emerge as a reliable form of security or if they will be as easily defeated as the username/passwords they are meant to replace.





The Failure of Social Security Numbers


As I’ve been out and about talking to people about our solution to protect credit card numbers, the topic of protecting social security numbers has come up several times.

The recent spike in tax fraud and the theft of millions of government employee records has given the problem of social security number theft a new urgency.

When I was first asked about this, I joked that I’d tackle that one with my next company. But after a while, I started thinking about what was wrong with social security numbers, what a mess we’ve gotten ourselves into by relying on them, and how it could be fixed.

We’ve all known for quite some time that credit card numbers are too easy to steal, and that motivated hackers and thieves were finding countless ways to break into systems and grab that information.

The only relatively good thing is that a credit card number can be replaced. It’s a hassle and it’s costly to banks and merchants, but we’ve all cycled through enough cards to know that it’s not the end of the world.

Social Security Numbers are a nightmare by comparison.  As far as the government is concerned, and credit agencies, and insurance companies, and employers, this one number is your identity.

Yeah, a New Social Security Number

The government has a process to replace your social security number if it’s stolen, and it’s relatively straightforward.  It requires proving your identity with supporting documentation and then filling out some paperwork.

Assuming you can prove who you are (in person or through a notary), you’ll have a new number in a couple of weeks.

Ok, so you’ve got a new number. Now what?

Have you been keeping track of which organizations track you by your social security number?  Do you know how many of these places have a process in place to update your number, and what type of documentation they require to make this type of change?

How many months will it take to wade through request forms for bank accounts, credit cards, credit agencies, schools, insurance companies, doctor’s offices, stock brokers, employers, 401k accounts, car loans, home loans, etc.?

And once it’s updated, tomorrow’s data breach is just going to use your new number to steal your identity, and the cycle starts over…

SSN Requests like Payments

Part of the solution is to start thinking of social security numbers in a different way than we’re used to.  Instead of thinking that the number itself is important, we should think about the transactions that we allow people to do with this number.

With a credit card purchase, you want to give a specific merchant permission to make an approved funds request from your bank.  

With your SSN, you want to give a merchant or agency permission to make an identity request from the government, for a specific purpose.

You might give someone permission to access information about you, like your credit report, your tax return, or your medical records. Or you might give permission to report about you, such as your wages or loan payment status.

When you give permission to make an identity request, you want to be sure that the request can only be made by the person you approve, and it can’t later be stolen and used by someone else to falsely identify themselves as you.

For example, if I give permission to Bob’s Used Cars to check my credit report one time when I apply for a loan, Bob should not be able to file my tax return.

For the same reason that generating dynamic card numbers for each merchant prevents credit card theft, a similar approach could generate a “Virtual Social Security Number” for each one-time request.

The government in this case acts like a bank, generating temporary numbers and approving these requests.

If a request is made from a different person, or for a different purpose, it is blocked.  So Bob can approve my loan, but not file my tax return.
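The one-time, purpose-bound request described above, sketched as an added example (not code from this blog or from Chip Shield). The class and method names, the 9-digit token shape and the 15-minute lifetime are assumptions made for illustration:

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Grant:
    holder: str        # internal record id; the real SSN never leaves the issuer
    requester: str     # the one party allowed to redeem this number
    purpose: str       # the one kind of identity request allowed
    expires_at: float
    used: bool = False

class VirtualSSNIssuer:
    """Hypothetical issuer in the 'government acts like a bank' role."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self._grants = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self, holder, requester, purpose):
        # Assumption: a random 9-digit value, SSN-shaped but meaningless
        # outside this single grant.
        while True:
            token = f"{secrets.randbelow(10**9):09d}"
            if token not in self._grants:
                break
        self._grants[token] = Grant(holder, requester, purpose,
                                    self._clock() + self._ttl)
        return token

    def redeem(self, token, requester, purpose):
        """Return (holder, "approved") or (None, reason_for_block)."""
        grant = self._grants.get(token)
        if grant is None:
            return None, "unknown token"
        if grant.used:
            return None, "already used"
        if self._clock() >= grant.expires_at:
            return None, "expired"
        if requester != grant.requester:
            return None, "wrong requester"
        if purpose != grant.purpose:
            return None, "wrong purpose"
        grant.used = True  # one-time: a copy stolen later is worthless
        return grant.holder, "approved"
```

A number leaked in a later breach of the requester's systems fails every check except the first, which is the property that makes the stolen value useless.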

The Wheels on the Bus

All of this is an interesting thought exercise, but it would take a monumental effort for the government, credit agencies and thousands of merchants and lenders to change their process in such a significant manner.

But, we might be close to a point where the wheels are about to fall off the bus, and the Chip Shield (Social Security Edition) might be just the thing we all need to get the bus on the road again.


Is $35 Billion in Card Fraud the “Cost of Doing Business”?

Over the past year, I’ve been speaking with executives at banks and card networks about credit card fraud, and there’s one phrase I hear over and over again.

“Fraud is just the cost of doing business”.

In the banking industry, it seems like this is the “go to” response when someone asks about fraud, and it really got me thinking about how desensitized we’ve all become to the costs of fraud.

A few months back, The Nilson Report released their latest annual survey of the direct losses due to credit card fraud globally.


As if the headline that card fraud losses had reached $16.3 billion was not scary enough, the report goes on to predict that by 2020, losses will grow above $35 billion annually, with $183 billion being lost in between.

The U.S. accounts for about 50% of the losses each year, even though we represent only 20% of transactions (Yeah, we’re number one).

I suppose at some level, if you look at the huge amounts of revenue US banks bring in from credit cards (more than $500 billion), then look at the $8 billion or so lost to card fraud, it can look like just a drop in the bucket.

In the real world, $8 billion is a staggering amount of money to be lost every year. This is a train wreck, a house fire, a travesty… you get the idea.  The worst part is that it’s not even close to the actual amount being lost.

What is the Real Cost of Fraud?

One problem with any study of losses due to fraud is that they often understate indirect costs related to the problem, such as the cost of prevention, and the cost of cleanup after the fact.

An interesting yearly study from LexisNexis tries to pinpoint this multiplier effect for merchants, and recently found that for every dollar in direct fraud losses, the true cost is closer to $3.08.


Another recent study by Javelin Research which looks at the total cost of card fraud in the U.S. places the current domestic losses at around $16 billion and growing quickly to $24 billion by 2018.


So, if the actual losses in the U.S. are 2-3 times higher than the reported losses, does this mean that what currently looks like an $8 billion tax on our commerce system is on its way to grow into a $35 billion catastrophe?

This doesn’t even count the fraud that’s not reported, re-classified, or otherwise swept under the rug to avoid admitting security problems.  And don’t forget about the cost incurred by consumers spending endless hours dealing with fraud on their own accounts.

I’m bringing in the thesaurus now to come up with more words to describe this calamity of cataclysmic proportions.

Who Pays for Fraud?

While I was at a banking conference last month, I sat in on a session where I heard an executive say to the audience, “People outside the industry just aren’t informed. They don’t have to pay for fraud. The banks cover all the costs.”

That comment got me thinking about who really pays for fraud.

Of course, the answer is that we all pay for it, and banks and merchants do a good job of hiding the cost in the form of higher fees, or higher prices.

When someone at a bank says that fraud is just the cost of doing business, it means that they have passed that cost onto someone else, namely their customers, and haven’t lost much business.

To bring the problem home a little more, if you take the $35 billion in real cost for fraud, and divide it by the 100 million or so households in the US, we’ll all soon be paying $350/year to cover up this problem.

Yikes!  If I have to pay $30 each month for something, I should at least get a free tee shirt or something.  Maybe we’ll all get bumper stickers that say “My credit card fees help support organized crime!”


Chip Shield Ready to Launch

Our company and our products have been in “stealth mode” for the past year and a half as we designed and built the Chip Shield device, implemented back end servers and client libraries to support the devices, and built our web sites and mobile apps.

After all these months of secrecy, we’re finally ready to announce our product, and share information about what we do, and how we do it.

Our Solutions section gives a lot of details of what the new device can do: http://new.chipshield.com/our-solutions/

So, I thought I would use this blog post to talk about why we’re doing this, and how we started working to solve the problem of credit card theft and fraud.

The Pervasive Problem of Fraud

When we first started thinking about the problem of credit card fraud the Target data breach was still in the news, and the Home Depot story was just breaking.  It felt like everywhere you looked you would hear reports of fraud, data breaches, identity theft and organized crime.

We started to feel the personal effects of card theft with bank notices and cards being replaced.  My wife and I had 3 cards replaced in just a few months, and then later received a friendly notice that our personal information had been lost in the Anthem data breach.

It wasn’t only us.  It was our friends, our families, and it was starting to impact virtually everyone.  Just this week my dad had another card replaced.

Not long ago, Gallup asked Americans about their biggest crime fears and 85% of wealthier households listed credit card theft as their largest fear.

Also, more than 25% of the people surveyed reported that a family member had their credit card stolen by computer hackers in the past year.


A more recent survey from MasterCard shows a similar level of anxiety, and amusingly 55% of the people surveyed would rather have nude photos of themselves leaked online than have to deal with the theft of their financial information.


A Personal Experience with Fraud

Finally, the problem hit closer to home.

My mom, who is in her mid-70’s and lives on her own, woke up one fine morning to learn that her checking account had been hacked into and more than $1,700 had disappeared in a few hours.

Our family spent the next few weeks trying to unravel the source of the hacked account as it played out a bit like a murder mystery.

Was it because my mom had used the same password for years?

Was it because, like many people, she used the same password for all sorts of accounts?

Was it the sheet of paper on her desk with her passwords written on it?

Was it a virus, later discovered on her computer, that had logged keystrokes and sent them to a website in a distant country?

Was it the new housekeeper that had recently started working for my mom, who seemed a bit too chatty?  Did she find the sheet of paper?  Did she install the virus? 

Was it my sister, or me, who took the money, since we both had our own login/passwords to the account?

Were our accounts with the same bank at risk?

Collateral Damage

The worst part of a computer hack is the side effects it can have on people’s lives, and the paranoia it can create around things and people you used to trust.

In hindsight, everything feels like an overreaction, but at the time, my mom was not sure who to blame.

The housekeeper, of course, had to be replaced, because it could have been her.

The computer, of course, had to be replaced, because it could no longer be trusted.

Online banking, of course, had to be permanently disabled and only paper statements used for the accounts.

Other online accounts, of course, had to have new, crazy long passwords created, since they could have been hacked also.

The little piece of paper with all my mom’s passwords on it now had to be written in code, with only hints at what each crazy long password might be.  Of course, we could never remember what the codes meant.

The Bank Handles Everything

I’m sure the folks at the bank do their best trying to fix these issues, but it can be a mess to clean up.

The accounts all had to be closed and re-opened, which was done incorrectly, so they had to be closed and re-opened again, with the process taking more than a week.

The replacement funds had to be deposited into the account, and went into the wrong account, and had to be done again, which took another few days.

All the while, checks written to pay utility bills were merrily bouncing and triggering fees from those companies.

Then, somewhere along the way, the bank decided that the hack had actually come from my sister’s login (although they offered no reason except “it’s technical”), so they held back part of the funds and re-opened a fraud investigation under my sister’s name.

My poor sister had to endure 90 minutes of what she termed an “interrogation” by the bank because someone in the fraud group decided she was stealing our mom’s money.

Did They Get Away with It?

Of course they got away with it. The hackers are long gone with the funds and probably working on their next victims.

Our bank told us that the funds were drained through fake PayPal accounts, but PayPal wouldn’t provide them any information about where the money ended up.

PayPal had no reason to pursue the matter because they weren’t the ones who had to reimburse the stolen funds.

The police also had no interest in tracking down a small theft that would cost them thousands to pursue, with likely no results.

Son, Just Fix It!

While all of this was unfolding, my mom also had a credit card replaced (she thinks because of the Target hack).

So, my mom told me to just fix these problems, like I had fixed the VCR when I was 10 or the hair dryer when I was 12.

Well, mom, I’m working on it…
