Unsafe to Swipe: Credit Cards, Data Leakages and Dinosaur Technology
Pull out your wallet. Take out your credit card. Look at it.
Really look at it.
It has a 16-digit number across the body and a CVC or CVV2 (those three or four numbers on the back you use to authorise online transactions). It has a logotype, maybe a colourful design. It’s bendable. It contains outmoded 1950s technology that hasn’t been iterated upon in decades. It has the card expiration date. Simple stuff. It’s your credit card. You think you know it.
Have you ever really sat back and thought about that piece of plastic? Most of us get a credit card to expand our purchasing power. We want to buy things that are just outside of what we can afford right this second. We tell ourselves we’ll hit those monthly payments (and sometimes we scrape it together), we swipe with abandon to secure air miles, we get trapped in that spiral of barely covering the accumulated interest.
This is how most of us think about credit cards. We see them as little plastic financial death traps, or we think about how much utility they offer us – online payments, avoiding cash in hand and being as global as Visa or Mastercard.
We talk about credit cards in abstract ‘can I afford this?’ terms, but we never really talk about their design. Because of this we make a few assumptions each time we swipe. We assume that the transaction is secure and that the weird obeah taking place between credit card machine and plastic is enough to pilot our money to its destination safely. We assume that the system behind all of this is complex, well thought out and as secure as possible.
Nearly every credit card transaction involves at least five parties: you (the cardholder), an issuing bank (they’re the ones that swayed you towards a life of plastic), a retailer that accepts the card, their acquiring bank (the bank that convinced them to begin accepting plastic) and a card network (like Visa or MasterCard). That’s already more mouths at the table than most people imagine.
How does this all work? You’ve just stepped into a home goods store, you’re looking to buy a blender. You pick one out that costs a bit more than you anticipated, but your credit card isn’t yet maxed out so you think – why not? When you swipe, the merchant runs your card through a magnetic card reader that takes the information stored on that little black strip on the card’s back and bundles all of that payment information as a request to the card network.
The card network then picks this up and takes the message directly to your bank, which checks to see if you have that available line of credit and then responds with a simple yes or no. The card network then sends approval to the merchant’s bank, and the merchant’s bank then forwards this approval to the merchant themselves. Only then can that sale be approved. Only then do you own a new blender.
This complicated correspondent chain is tedious by design, because at each transaction milestone someone’s exacting a fee. And this is just a consumer transaction; if you’re a merchant there are even more steps with even more fee deductions. Everyone’s got their hands in the pie.
As with all things shrouded in mystery, credit cards have a unique origin story. Magnetic recording on steel tape and wire was invented during World War Two specifically for recording audio. By the 1950s we’d discovered how to record digital data on plastic tape coated with iron oxide. In 1969, Forrest Parry, an IBM engineer, was growing increasingly frustrated by his recurring attempts to secure an adhesive to a plastic card base. Every attempt proved unacceptable – it either warped, or was rendered unusable. That is until his wife recommended he try using their home iron to ‘stick’ the plastic. It worked.
I guess in a way the last three generations of increasing credit card fraud can be attributed to a household iron, and a moment of eureka. IBM secured a patent and rolled this new feature out to financial companies across the planet. The credit card was born.
And there it stayed. Over the past fifty years we have consistently reimagined the world and how we interact with it. The VHS tape is a child of the 80s, yet the only place it exists is in junk yards alongside Hammer Pants and Fanny Packs. Just think about the evolution in data storage and music over the last forty years – the reel-to-reel, eight track, the cassette player, the Walkman. Polaroid cameras, giant computers, floppy disks, dial-up modems and telex machines. We have wiped these from the human imagination as the march of innovation and miniaturisation quickened.
Voyager 1 got to deep space on less memory than your smartphone, but that doesn’t mean anyone is going to put their faith in rocketships from the 1960s. The magnetic strip on your credit card is a relic of a time gone. We swipe with a plastic time machine.
It belongs to that strange and distant past, ‘before the internet’. Even in an era without mass communication, or the existence of a 93-petaflop Chinese supercomputer, the magnetic strip was still vulnerable.
In the 1960s a retailer would just copy down your number and phone it into the bank at the end of the day. Now, a machine copies down your number and phones it into the bank at the end of the day. That’s the extent of technological innovation. The truth is that all a criminal needs to purchase something as you is a 16-digit string of numbers. You might think that this number is secret. You’ve never actively shown it to anyone, you’ve even gone out of your way to guard it at point of sale systems – but the truth is that in the computer age that string of numbers is probably the most public, most identifiable marker that you exist. It’s probably littered across countless retailer databases. Databases that are essentially a delectable smorgasbord for the criminal minded.
If you have a credit card, assume your number’s already been harvested in some capacity.
Susan Athey, the Economics of Technology Professor at the Stanford Graduate School of Business, sums it up brilliantly – “When you pay for something with a credit card, you are giving someone all the information they need to know to buy something online. What an idiotic way to architect a system — that if I pay someone, I tell them everything they need to spend my money. If I’m paying you, you shouldn’t have to know how to buy something with my credit card. You should have to know how to receive something with my credit card. It was a decades ago stupid mistake to make it work that way.”
Credit cards were a flawed design from their inception, but in this digital world what were once slight fissures in the dam have become gaping chasms.
In the United States almost 8% of people aged 16 and older were victims of identity theft in 2014. To put this in perspective, that’s an estimated 8.6 million victims of credit card fraud annually.
Credit card fraud, identity theft, money laundering. These are all realities and almost inevitabilities in this current system. Enter the EMV microchip card (EMV stands for the three companies that pioneered the chip: Europay, Mastercard, and Visa). It’s essentially a computer the size of a thumbnail that’s embedded into your credit card. The chip creates a new, dynamic code for each transaction, whereas the magnetic strip contains static, unchanging data.
The chip is harder to forge, counterfeit or harvest information from.
Additionally, and here’s the big seller for many people, a criminal cannot hack the merchant’s database and use the code provided in the chip to commit counterfeit fraud. The drawback of the chip system? It’s expensive. Very expensive. A cost that the consulting firm Javelin Strategy and Research estimated to be $1.4 billion. The cost is so exorbitant that it outstrips the amount that banks are having to pay to deal with fraudsters. It’s cheaper to patch the problem than it is to roll out the solution.
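To make the difference between static strip data and the chip's per-transaction code concrete, here is an added example (not from the original article, and not any card network's code): a toy issuing bank in Python that authorises a strip swipe and a chip payment, then sees copies of both messages again. The class and function names, the HMAC-SHA256 stand-in for the chip's real cryptogram algorithm, the counter check and the two card numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, pan, amount, counter):
    # Assumption: HMAC-SHA256 stands in for the chip's real cryptogram algorithm.
    return hmac.new(key, f"{pan}|{amount}|{counter}".encode(), hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount):
        self._counter += 1  # fresh counter, so a fresh code, for every payment
        code = cryptogram(self._key, self.pan, amount, self._counter)
        return {"pan": self.pan, "amount": amount, "counter": self._counter, "code": code}

class Issuer:
    def __init__(self, stripe_records):
        self.stripe, self.keys, self.seen = dict(stripe_records), {}, {}

    def issue_chip(self, pan):
        self.keys[pan], self.seen[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self.keys[pan])

    def authorise_stripe(self, msg):
        return self.stripe.get(msg["pan"]) == msg["expiry"]  # static match, every time

    def authorise_chip(self, msg):
        pan, key = msg["pan"], self.keys.get(msg["pan"])
        if key is None:
            return False
        good = cryptogram(key, pan, msg["amount"], msg["counter"])
        if not hmac.compare_digest(good, msg["code"]) or msg["counter"] <= self.seen[pan]:
            return False  # forged or altered code, or a counter already used
        self.seen[pan] = msg["counter"]
        return True

def demo():
    swipe = {"pan": "4111111111111111", "expiry": "12/30"}  # constructed test card
    bank = Issuer({swipe["pan"]: swipe["expiry"]})
    chip_msg = bank.issue_chip("4000000000000002").pay(4999)  # constructed test card
    return {  # dict(...) copies stand for records leaked from a merchant database
        "stripe_original": bank.authorise_stripe(swipe),
        "stripe_replayed": bank.authorise_stripe(dict(swipe)),
        "chip_original": bank.authorise_chip(chip_msg),
        "chip_replayed": bank.authorise_chip(dict(chip_msg)),
        "chip_altered": bank.authorise_chip(dict(chip_msg, amount=99999, counter=2)),
    }
```

Calling demo() shows the copied strip record approved a second time, while the copied chip message is refused both when replayed unchanged and when its amount and counter are altered.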
There’s a deeply systemic problem at play here. The USA has the benefit of really sophisticated online real-time transaction processing coupled with a very well established telecommunication system. It’s why consumers in the 50 states could get direct phone calls wondering why they bought gasoline in Texas, followed immediately by a diamond ring in Utah.
This not-yet-broken system, and the cost of chips, make magnetic strip cards still implicitly viable in the United States – at least to the banks. This might all be changing. When big retailers like Target and Home Depot experience massive data leaks, that old credit card technology starts to become extremely costly for everyone involved.
The Caribbean is pushed and pulled by the developments in these ‘developed’ nations. We don’t really have a global say in the direction that credit card companies take. So how do we go about securing our personal financial data? How do we deal with credit card fraud?
The truth is, absolutely nothing. Credit card numbers are static and cemented – good security is ever changing and responds to technological innovation. The two just don’t sync up.
We live in a world that is based on trust. You trust that the locks you’ve installed on your front door will deter a burglar, but with even the slightest practice (and the right lock-picking equipment), your front door is an open access highway.
Think about your email password, or your Facebook login credentials. How often do you reuse passwords? Or use passwords that can be retroactively mined from your daily life? Do you follow strict guidelines for password creation that involve acronyms and phrases distilled into an assortment of characters – “I love to play badminton” becomes “ILuv2PlayB@dm1nt()n”? That’s the only ‘safe’ way to create a password now.
Trust is a dangerous implement in this new, new economy. It actually makes us vulnerable.
In some follow-up blog posts we’ll be talking about the Blockchain, and some technological innovations that are coming to the Caribbean that are ‘trustless’ – they’re designed to do away with that arbitrary system that leaves a lot of us at risk. In the meantime, look at your credit card and begin imagining a world where you’re not at the mercy of technology older than your grandparents to trade what you value most.