Chip, but no PIN. Is this technology really keeping our finances safe? Is fraud going down? If my experience is any indication of what’s going on in the United States, chip security has some cracks in it.
Just the other day on my way to work I got a call from my bank. I typically don’t answer a number on my cell that I don’t recognize but that morning I did. And I’m glad I did. It was the fraud detection bureau at Bank of America. They were wondering if I have gone an eating spree that morning. First to Applebee’s for $115 then a couple of trips to Dunkin Donuts for $50 a pop.
Well, since I don’t eat at Applebee’s or Dunkin Donuts, it only took a moment for me to confirm, “nope it wasn’t me.”
Compromised, And Not Forgotten
Now here is the interesting part. I got an email 12 days ago from my bank saying that same credit card had been compromised. They didn’t say how or when, just that it was and that I would get a new card in the mail, but until that time I could still use the “compromised card.” I got the new card last Friday and cut up the old one up. Problem solved.
But why did this fraud happen today, three days after my card was canceled? Beats me.
BoA paid the Applebee’s bill but declined the Dunkin Donuts charges. At a minimum, the bank is out $115. Here’s the kicker. My card has a chip, but no PIN. Unlike the European standard, here in the United States, not all banks require you to set a PIN for the EMV chip. Perhaps if the thieves needed to enter a PIN, this type of fraud would be harder to commit. But so far, since EMV cards were deployed in the United States, incidents of identity fraud have actually increased by 16 percent, according to a study by Javelin Strategy & Research
The United States isn’t alone here though. Even after years of chip & PIN use, Europe saw a large spike in payment fraud in 2015. The UK led the pack with an 18 percent increase in payment fraud, and it is notable that 75 percent of that fraud was from card not present (CNP) transactions. What good is chip and PIN there?
The Missing Link in Chip Security is Strong Authentication
Is a chip alone any stronger than a card without chip security? Is it strong authentication? Think about it. The card is something I have, the PIN code is something I know. Is that enough? Probably not, as both can be easily compromised.
Why aren’t we moving faster to authentication that includes something I am, my biometrics? No question that’s what Apple Pay is pushing forward. I already use it at every merchant that has the capability.
But we also need to ask, is the thumb a strong enough biometric? I think for my $15 purchases at Panera it probably is. But, is it strong enough for my $200 purchases at Whole Foods? Perhaps, but what about my $500 or $5000 purchase at a designer brand in Italy? I think not.
What we need to think about are different types of biometrics that are harder to bypass.
A Better, More Secure, Biometric
Veridium’s 4 Fingers TouchlessID is a step in that direction. There are times that you need to trade off convenience for a bit more security. It might take a moment longer to scan four fingers than to touch your phone with your thumb, but when security matters most that tradeoff might be worth it.
On the call this morning with my bank, the kind woman was eager to point out that I’m not responsible for the fraud. Any charges would be reimbursed to my account. That’s great to know, but someone pays for the x billion dollars in fraud, and you know who it is. All of us. Because the prices of goods and services, banking, insurance, etc., reflect those costs. It’s just not transparent to the consumer.
So if we’re paying for the fraud, we should insist that our financial institutions do what’s possible to reduce it. Perhaps we move to chip and PIN and perhaps we move to biometric authentication. And this time, opt for security over convenience, the security of 4 Fingers.