Outsmarting Credit Card Fraud Of The Future
It’s been about two years since U.S. retailers and lenders began converting to chip-based credit card technology—all in an effort to fend off the kind of hacks that stole millions of credit card numbers from big retailers like Target, Home Depot, and Michael’s a few years ago. Those customers were left at risk of fraudsters making duplicates of their stolen card numbers.
The good news: retailers that converted to difficult-to-duplicate chip card readers have seen a 70 percent decrease in fraud attempts. But what about the retailers that haven’t transitioned? Or fraud that takes place online, where a physical credit card doesn’t need to be presented?
Megan Geuss, a staff editor for Ars Technica, explains the good and the not-good-enough of our conversion to chip credit cards, and what the future of fraud prevention may hold.
Megan Geuss is a staff editor at Ars Technica. She’s based in Denver, Colorado.
IRA FLATOW: Now it’s time to play “Good Thing, Bad Thing.”
OK. Remember life before you had that fancy chip credit card? You never had to guess when to insert your card into the machine and when it was safe to remove it, or get beeped at for not removing your card fast– and I never know when to pull that thing out of the machine. All you had to do was swipe it and be done.
You also had more to worry about, fraud-wise. It’s much harder for someone to make a copy of your credit card with that chip now, and according to new numbers from Visa, retailers have made the switch to chip card readers, and they’re seeing much less fraud. But according to my next guest, it’s not quite time to celebrate the end of credit card fraud in the US. My guest is Megan Geuss, staff editor at Ars Technica.
MEGAN GEUSS: Hi Ira, thank you very much.
IRA FLATOW: So good news for us, those fancy card chips, the chip readers are really doing their job?
MEGAN GEUSS: Yeah, so Visa released some numbers last week saying that merchants who upgraded their terminals to accept chip-embedded cards saw fraud drop by 70% September 2017, compared to December 2015. I mean, that’s a lot, and it indicates something we already knew– that chip-embedded cards are less prone to fraud than the magnetic stripe swipeable cards we have used for so long.
IRA FLATOW: Wow, what makes the chip so safe?
MEGAN GEUSS: Well it’s– basically, it’s a chip that’s embedded in a credit card that effectively acts as sort of a mini-computer. The EMV card creates a unique code for each transaction, and ideally it requires the customer to enter a PIN associated with the card. In the US right now, we’re still relying on chip and signature.
Signature’s a lot less secure, because if somebody mugs you and steals your credit card they can still go use that credit card somewhere and sign your name, and it won’t, you know– card companies won’t catch that for a long time, unless you catch it. So in Europe and other countries in the world, having– you would enter a pin, essentially, to sort of authenticate that code. That’s a lot more secure.
But we’re still using the chip-embedded card, and that that chip creates a unique code, which does make it harder for fraudsters to sort of steal credit card numbers and then reuse them.
IRA FLATOW: Yeah.
MEGAN GEUSS: Yeah.
IRA FLATOW: I’ve been there. Of course, the bad news is that that doesn’t help in stores that haven’t switched to the chip card reader, does it right?
MEGAN GEUSS: Right. Yeah the less-than-great news is that it seems that only 59% of US storefronts can accept chip cards right now, and that’s more than half, which is good. But two years ago another separate survey had said that 37% of storefronts were able to process chip cards. So in two years, that seems like a slow transition, compared to Europe where 95% of stores are able to accept chip cards according to a 2015 survey. And Canada, Latin America, and the Caribbean also have a rate of like 80% of storefronts that can accept chip cards.
So yeah, we’re lagging behind.
IRA FLATOW: Yeah, and also with all this stuff being bought online, there’s no place to stick a chip card on your laptop. Maybe not yet, but I just thought about it, you know?
MEGAN GEUSS: Yeah. Yeah, a chip-embedded card doesn’t prevent card-not-present fraud, which is basically when you buy something online, or maybe you buy something over the phone, or something like that– order a pizza, give your credit card number to somebody– anybody could steal your credit card number and use it for some other over the phone payment. But it does go sort of a long way to preventing in-store fraud, which is good. There are other ways to sort of prevent card-not-present fraud that companies are working on right now, especially with the increase in e-commerce, which has been increasing and increasing.
IRA FLATOW: Yeah, well, don’t forget you heard that idea about the chip card add-on USB port thingy from me first. Don’t want anybody–
MEGAN GEUSS: Yeah, right now companies are– card networks like Visa and MasterCard are working on something called 3D Secure 2.0, which makes online payments sort of more secure by allowing– there’s many, many parties behind a credit card transaction and that all those parties sort of help to authenticate that transaction based on the perceived riskiness of a person’s purchase. So if you’re making a small purchase in a zip code that’s close to your own, and you know, it’s from a known device, that’s easy. And if it’s maybe from a dodgy IP address and is a huge purchase they’re maybe going to ask for a secondary method of authentication.
IRA FLATOW: Now I know why my cell phone and other cell phones– they sort of make a token, first, right?
MEGAN GEUSS: Yeah, yeah.
IRA FLATOW: Is that the future?
MEGAN GEUSS: Yeah, well, yeah. So 3D Secure 2.0 is definitely sort of a future thing, and it can also work with tokenization. A lot of mobile payment systems are using tokenization, which hides the user’s actual credit card details, including your number and verification– I’m sorry, your–
IRA FLATOW: That little code on your card.
MEGAN GEUSS: Expiration date. Yeah, yeah, right.
IRA FLATOW: Yeah, I know. I know.
MEGAN GEUSS: And it replaces that with a token, which can be passed around and used for specific purposes or in specific instances, yeah.
IRA FLATOW: All right, Megan. Thank you very much for taking the time to be with us today.
MEGAN GEUSS: Thank you.
IRA FLATOW: Megan Geuss, staff editor at Ars Technica.