Science Forums

Credit card fraud?



Seeing that identity theft is on the increase and that most people have cell phones, would it be possible to marry the two so that instead of asking someone security questions which could be learned about and copied by somebody else, we simply used a cell phone tracking device to find out if the card and person are together and where situated? (E.g. you claim to be me but are using a cell phone not registered to me and are calling from America, when I live in Britain and made a transaction ten minutes ago in London).

 

This will give you the gist of the idea and I know it has flaws but it might be better than simply the card on its own and would catch out obvious liars. Any thoughts on the subject?


Seeing that identity theft is on the increase and that most people have cell phones, would it be possible to marry the two so that instead of asking someone security questions which could be learned about and copied by somebody else, we simply used a cell phone tracking device to find out if the card and person are together and where situated? (E.g. you claim to be me but are using a cell phone not registered to me and are calling from America, when I live in Britain and made a transaction ten minutes ago in London).
:huh: This seems like a good idea to me – and as of late 2007, I’m “officially” a PCI (payment card industry) “expert”. ;)

 

Vendors taking credit cards would need to pass caller ID info to their payment service (e.g. Global), who would pass this to the cellphone user’s service provider, who would reply with location information, which the payment service would compare to the same information for the cardholder’s previous payments, passing an “authorized” or “declined: reason” back to the vendor.

 

This is a good bit of infrastructural work, and would depend on vendors’ willingness to adopt it. The lack of such willingness is one of the major obstacles to implementing schemes like this. Note that the vendor – who isn’t held responsible for card fraud, getting paid by the card’s bank even if the caller was fraudulent – has little incentive to spend effort and money adopting such a scheme, which will involve soft or hard “cables” connecting their webserver or voiceline to their payment service. The bank, who must, in all but the rare cases where they can catch and gain restitution from the fraudster, or the more common cases where the cardholder is too careless to notice and report the fraud charges, swallow the money loss by crediting the cardholder for the fraud charges, has much more incentive to do so, but limited ability to force vendors to cooperate. The various “PCI security enhancement/remediation” projects that have been going on for the past years involve in large part a bluff and a fraud perpetrated on vendors by banks, a dialog that goes something like this:

 

PCI trade organization contractor to vendor: :) “Hi! You need to implement a new system to prevent payment card fraud”

Vendor: :( “Oh, OK. Who’s going to pay for this?”

Contractor: :) “You are!”

Vendor: :phones: “Why should I do that?”

Contractor: “Because if you don’t, Global is going to start charging you a much higher percentage transaction fee. In fact, they might just refuse to let you continue accepting cards at all. Betcha that would hurt your business, eh?” :edevil:

Vendor: :eek: “Holy crap! Is that legal?”

Contractor: “Sure it is. According to … blah blah blah … (banks have way more lawyers than you could ever dream of) … blah blah blah …”

Vendor: :scared: “Holy crap! What should I do now!”

Contractor: :) “Fortunately, there are many consulting firms offering auditing of your existing system and guidance in meeting PCI remediation requirements …”

 

The PCI has been pretty successful with this, especially since they got organized into the above referenced council, saving themselves a lot of money in losses with most of the cost borne by vendors. Some IT pros are doing pretty well from it, too.

 

The above scenario isn’t being used to shake down mom and pop lunch restaurants and convenience stores, etc, but is directed at one of the main targets of opportunity of large-scale card frauds, vendors who retain payment card numbers to do automatic payments, or provide a “use this account again” feature in a phone or web-based form.

 

My greatest concern about the current course of PCI is that it’s not resulting in truly strong improvements in identity security, but simply fixing the industry’s biggest money loss holes. There’s little technical reason why we couldn’t do away with 16 digit spoken PCNs altogether, and use any of a number of good strong encryption/trusted third party schemes to assure that identities and electronically transferred money simply couldn’t, short of via actual gun-to-the-head theft or brilliant hacking, be stolen. My hope is that this will actually happen and be successful via such things as unembossed smartcards and virtual smartcards imbedded in cellphones, fobs, etc, due to their sheer coolness and convenience, but this is wishful thinking on my part. :)

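The check discussed in the two posts above, sketched as an added example that is not part of the original thread: the payment service declines when the calling phone is not registered to the cardholder, or when its reported location cannot be reconciled with the previous payment in the time elapsed. The names `Fix`, `distance_km` and `authorize`, the speed ceiling, the slack distance, the fail-closed choice when no location is returned, and all sample values are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed
SLACK_KM = 50.0         # assumption: tolerance for coarse cell-tower fixes

@dataclass
class Fix:
    lat: float   # degrees
    lon: float   # degrees
    ts: float    # seconds since epoch

def distance_km(a: Fix, b: Fix) -> float:
    """Great-circle (haversine) distance between two fixes."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def authorize(caller_id: str, registered: set, phone: Optional[Fix], last_payment: Fix) -> str:
    """Return "authorized" or "declined: reason", as the payment service would."""
    if caller_id not in registered:
        return "declined: phone not registered to cardholder"
    if phone is None:
        # Carrier returned no fix (phone off, coverage gap): fail closed here.
        return "declined: no location available"
    hours = abs(phone.ts - last_payment.ts) / 3600.0
    if distance_km(phone, last_payment) > MAX_SPEED_KMH * hours + SLACK_KM:
        return "declined: location inconsistent with previous payment"
    return "authorized"

# Constructed sample data: a card payment in London, then a call 10 minutes later.
REGISTERED = {"+447700900123"}                     # constructed number
LONDON_PAYMENT = Fix(51.5074, -0.1278, 0)
CALL_FROM_NEW_YORK = Fix(40.7128, -74.0060, 600)
CALL_FROM_LONDON = Fix(51.5155, -0.0922, 600)

if __name__ == "__main__":
    for fix in (CALL_FROM_NEW_YORK, CALL_FROM_LONDON):
        print(authorize("+447700900123", REGISTERED, fix, LONDON_PAYMENT))
    print(authorize("+12025550143", REGISTERED, CALL_FROM_NEW_YORK, LONDON_PAYMENT))
```

A production system would more likely route the "no location" and "inconsistent" outcomes to step-up verification than to a hard decline, since carrier fixes can be coarse or missing.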

The big problem is to find a way to prove who you are. In the old days, a handshake was enough. If you didn't know who you were doing business with, you could usually find someone to vouch for them.

 

My suggestion: a microchip identifier implanted in the palm of the right hand. You identify yourself by putting your hand on a scanner plate. It would have many other uses - an intelligent lock would open at the right touch, staying locked for everyone else. No more huge bunches of keys to carry or to lose.

 

And if you meet someone for the first time and want to swap information, no need to carry a business card - just a handshake, like the old days :)


… And if you meet someone for the first time and want to swap information, no need to carry a business card - just a handshake, like the old days :hyper:
There’ve been a lot of serious efforts to actually use skin-to-skin contact, such as handshaking, to transfer digital information. In the mid 1990s, IBM developed devices in which different wearable computer components – a computer in one’s shoe, a display device as a wristwatch, etc. – were connected by one’s skin, which is slightly conductive, showing a system at 1996’s Comdex that allowed people to exchange electronic business cards with a handshake. A couple of the arguments offered for why such a system was preferable to radio-based PANs, such as Bluetooth, are that it can be lower power, and because you must touch the person with which you want to communicate, unwanted intrusions are less likely – all you have to do to make an attacker go away is physically get him off of you.

 

Microsoft patented a variation on this idea in 2004, claiming new art because they propose using skin not only for data communication, but also to power devices too small to contain their own power supplies, such as earrings or in-ear headphones.

 

A mention of both techs appears in “Microsoft patents body power” - CNET News.

 

For all the promise, major research labs, and hobbyists involved in this tech, it’s not much caught on. Neither have short-range data exchange schemes, such as infrared “beaming” between PalmOS handhelds and the proprietary wi-fi “squirting” (MTPZ protocol) between Microsoft Zune media players. I’ve a suspicion this is because of some kind of psychological wrongness with the basic action of triggering a data exchange with a screen tap, button click, or even handshake. When people exchange data, make a contract, a physical object, such as a business card, cash, a payment card, etc, is a natural, intuitive way to do it.

My suggestion: a microchip identifier implanted in the palm of the right hand.
I’m guessing this would be even less popular than the Zune B) - especially when you consider what a bloody mess - literally - it might make of identity theft :)