Credit where it's due
If you’re like me (and if you’re not, don’t worry, it’s not contagious) it’s easy, when writing, speaking or thinking about one topic, to drift to another, then another, and then yet another. Sometimes, it’s hard to follow the thread back to the original subject!
That’s kind of how I felt last week writing about RadioShack. I mentioned that, as a teenager, I’d worked for the local RadioShack store. It was an experience that taught me more about the on-the-ground realities of business than anything before or since. But it’s really the little, flitting memories that cause the distracted reveries: the cash drawer with the bell that would ding if you didn’t know which buttons to push on the underside, the smell of the solvent we used to clean eight-track tape heads, and the fact that after long days in the shop you’d tumble into bed - and still see the outlines of the store when you closed your eyes.
One of the little things that crossed my mind was a book, a book full of numbers. They were credit card numbers, issued by the MasterCard and Visa organizations, and they were all the accounts from which we were not supposed to accept transactions. The book was updated frequently, I seem to remember about once a month, and if a card number appeared in the book, we were to call the credit card company for further instructions. Most of the time the instructions were to politely decline the purchase. Sometimes the instructions were to retain the card (that was always fun).
I don’t remember exactly how many pages the book was, but I do remember the type: tiny, agate-sized type that nearly required a magnifying glass even for my young eyes. If the credit card didn’t appear in the book, it was assumed that the card was good: the card went into the imprinter, zip-zap, and the transaction was done.
Notice that we never got “approval” for the transaction - the transaction was assumed valid unless the number was in the book. Later, the book was retired and our instructions were to call an automated number for any transaction over $50. Again, transactions less than this amount were assumed valid!
How could this work? How could you assume that deadbeats wouldn’t wind up with a credit card and just run up transactions without paying? Well, truth is, you couldn’t. Cardholders had a credit limit, but there wasn’t any mechanism to prevent them from running past the credit limit with a series of small transactions. At the end of the month you’d get a statement with an overlimit charge and a demand that you reduce your balance, but there wasn’t much they could do about it. If you were consistently overlimit, they would eventually close your account, and your credit card number would go in the little book.
The banks could afford to accept these losses because issuing credit cards was such a profitable operation. The banks received (and still receive) a transaction fee from the sellers, and collect interest (and perhaps an annual fee) from the cardholders. This, combined with the fact that as of the mid-70’s there was no better alternative, made the book-and-telephone method of authentication practical.
Once authenticated, the transaction was as secure as the armored truck that carried the paper documents from the bank to the data processing center. Sometimes, an enterprising thief might do a dumpster dive and retrieve the carbon paper from the credit card slips, but that was pretty low intensity - the thief would get only a few numbers per dive. Once it became known that dumpster divers posed a threat to one’s creditworthiness, it became common for customers to demand the carbon paper at the end of the transaction. The banks also got wise, and developed forms that would neatly tear the carbon paper when the customer copy was detached, and later, carbonless forms.
As data technologies became ubiquitous and cheap, the imprinter gave way to the card swipe reader. Now, retailers don’t bother to take an impression of your card - they read the magnetic stripe and transmit the data directly to the credit card clearinghouse. The transaction can be approved or declined instantly. You only use the imprinter if the data networks are down, and that happens only rarely.
Everyone’s happier: the bank has tighter control over transactions, the retailer doesn’t have to haul credit slips to the bank every day, the customer spends less time at the checkout stand…
And the thief doesn’t get his clothes dirty in the dumpster.
Instead, the thief quietly invades a data network owned by a retailer, and begins dumping transactions at will. Instead of a few dozen credit card numbers found in the dumpster, the thief has thousands. From there, the miscreant has the opportunity to sell the cache of ill-gotten credit card numbers on illicit markets that have sprung up for just this purpose.
Instead of some guy fishing the trash for a bit of carbon paper so he can buy a new pair of sneakers, we have an organized operation dedicated to the trade of thousands of credit card numbers.
What can be done? “Virtual” card numbers (one-time-use card numbers linked to your real credit account) have been tried, but saw limited adoption because of the convenience factor. Two-factor authentication (you prove your identity with something you have, like a hardware dongle or a particular cell phone, in addition to something you know, like a password) is gaining in popularity, but still represents a hurdle for online transactions where we want everything to happen with one click.
But most recently, the biggest breaches have been at brick-and-mortar stores. Whether by compromising the credit card terminals themselves or breaking into the credit card processor’s back-end system, it’s clear that the physical presence of a retail establishment doesn’t prevent these hack attacks.
But help is on the way: More robust security technologies will make these breaches less frequent - and it starts soon. The credit card industry is moving quickly to eliminate the magnetic stripe and move toward a smart card system. Already, many cards have an RFID device embedded that makes identity theft more challenging (and the security of these RFID devices is improving with each generation - no more lead-lined wallets!), and smart cards with a set of contacts on one end (“EMV” cards) are already in wide use in many parts of the world. Expect to see both of these technologies widely deployed in the United States in the next few years.
And once the front end of the transaction has been nailed shut to intruders, we’ll see how the retailers and banks follow through in protecting the back end. Until these changes are fully in place, best to keep reviewing those credit card statements!
Note: The opinions expressed in this article are those of the author alone, and do not express the opinion of his employer or any other party. So there!