Blog

Links

Five simple steps Visa could take to dramatically improve security

posted: December 15, 2018

tl;dr: Since Visa’s Chief Information Security Officer isn’t doing his job I’ll do it for him...

My primary Visa card has been stolen approximately annually for the past 15 to 20 years. I can’t recall the last time the card actually reached the expiration date and I had to be reissued a new one. As someone with decades of experience in the tech industry who pays attention to securing the systems I work on, although I am not a security professional, it irks me tremendously to see the numerous security holes in the U.S. credit card system.

The thefts have happened in a variety of ways. Usually the card’s information is lifted somehow and unexpected online purchases show up on my statement. A thief doesn’t need the physical card to make online purchases. Last year the card was physically stolen by a sneaky purse snatcher and immediately used to make several thousands of dollars of purchases at nearby stores in the hour or so before we could report the theft to Visa and the police. In the U.S. there is no verification that the person making the purchase is actually the card holder. This year the card info was lifted and sent several states away, where thieves made a duplicate card and swiped for nearly $500 of purchases. The swipe is totally insecure.

What is wrong with this picture, from a security perspective? Everything.

Yes Visa will reverse fraudulent charges, but this process consumes hours and can take weeks. Not surprisingly they omit these hours in their wonderful TV commercials showing how fast it is to make a purchase using Visa. In the purse snatching case, because the purchases were made at stores where we lived, Visa treated us as potential criminals who might have been trying to get free stuff by reporting the card stolen. Two months went by before Visa finished their investigation and sent us a letter saying they had cleared us of responsibility for the charges.

Who pays for all this theft? Consumers do, in the form of higher fees and prices. Visa’s standard response, when your card is stolen, is to reassure you that you will not have to directly pay for the fraudulent charges. The thieves are rarely apprehended, so they don’t pay. The fraudulent purchases become a cost of doing business for Visa, which passes along these costs to consumers and retailers in the form of higher fees.

The fees then get built into the consumer price of retail products. The days of getting a discount for paying in cash are mostly gone, although you should ask when making a large purchase. Everything at retail in the United States costs two to three percent more than it should because of credit card fees. It’s an incredibly one-sided business model in which the costs are hidden from consumers even though they are the ones who are paying; meanwhile Visa mints money.

In the spirit of lighting a candle rather than cursing the darkness, I offer five easy-to-implement solutions that Visa could and should implement immediately. The first three involve doing less rather than more, so they are super easy.

1. Remove printed and embossed account info from the card

The card info (name, number, the silly 3 or 4 digit extra number, expiration date) are pretty much all that is needed to make online purchases or a duplicate card. The zip code you enter when making an online purchase is easily deduced by a thief; in fact there are open source programs that will do this. When you hand your card to someone (a waiter at a restaurant, a cashier, a retailer that wants to hold your card to make sure you pay) you are trusting that person not to be a thief, and not to record the card info. Would you hand your bank account info to all these people? That’s effectively what you are doing. Amazingly Visa has taken steps to hide most of the card info, except for the last 4 digits, on printed receipts; yet Visa still prints the account info on billions of cards and hands those cards out to the general public, who then have to give the plaintext (unencrypted) account info to others. This is a huge security hole that could be fixed by removing the info from the card itself. Millenials probably don't even know why the numbers are embossed: that is due to an archaic, mechanical, carbon-copy and paper-based purchase system from the past century. Get rid of it all!

2. Eliminate the magnetic stripe

The info on the stripe is nothing more than an unencrypted representation of the account info that is printed on the card. Consumers are duped into believing that, because it is “computerized” and you can't see the account info with your eyes, the stripe is somehow secure. In fact it makes it even easier and faster for a thief with a card reader to lift the account info. The stripe also makes it easy for a thief to make a duplicate card that can be used to make purchases by swiping. The stripe is incredibly antiquated technology: it was invented in 1969 by an IBM engineer who came up with a way to secure a short piece of computer tape to a card. It’s another huge security hole.

3. Eliminate the signature

The signature is pure security theater, i.e. something that makes it seem like a step is being taken to make things secure, but which in fact does nothing. The signatures are never verified and never deter a thief. They are a complete waste of time that could better be spent doing the next step.

4. REQUIRE PINs

Now we start to venture into the realm of what we in the business call Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA). PINs are short numbers that are never printed on the card yet MUST be provided by the cardholder in order to make a purchase. PINs are common in Europe for credit cards and have been around for decades in the United States for ATM cards, yet Visa still refuses to implement them for credit cards in the United States. Requiring a PIN would require a thief to steal or deduce another piece of info besides the info that is on the card itself. It wouldn’t solve all theft, because thieves could still steal or deduce PINs, especially on faulty e-commerce sites that allow a user to try to make numerous or unlimited attempts at completing a purchase. But it would help in some cases, especially the purse snatching scenario.

If only Visa obfuscated account info on the card as well as they obfuscate transaction details in their statements...

5. Provide more detailed transaction descriptions

The Visa account statement is another piece of technology that appears to have been pioneered in the 1960s during the mainframe era, when disk space was expensive. The maximum number of characters in the transaction description appears to be 25, even though terabyte hard drives cost less than $50 at BestBuy. There is little information about purchases other than the posting date, the amount, and the oft-abbreviated transaction description. This makes it hard for those of us who actually review our account activity to determine if a purchase is legitimate or fraudulent. Merchant names end up shortened or abbreviated to the point of obscurity. Visa could provide the full merchant’s name, the street address of the purchase, and even a link to a copy of the purchase receipt. Hyperlinks were dreamed up in the 1960s: maybe it is time for Visa to implement them in their account statements.

There are certainly other measures that Visa could take, especially more sophisticated 2FA or MFA methods than PINs. As a tech professional I would love a credit card that was locked down and could only make a purchase by providing a token generated by a smartphone authentication app. But these five consumer-friendly steps would help a lot, and would potentially save U.S. consumers billions of dollars a year. I offer this advice for free, but it is up to Visa to actually implement it.

Related post: A more secure credit card: how Apple implemented these five simple steps in the Apple Card.