Forget anonymity, realize what your real problem is

April 2013


U: So credit cards don't work in this way?

SKrobot: No, the credit card system is incredibly complex. Every payment goes through at least 6 different institutions. Again for simplicity let's call them Banks. None of them adds actual value to the process.

U: How so? Don't they secure payments and provide guarantees?

SKrobot: They can decline transactions once it's clear that the credit card was compromised. Most of the time it's the merchant's responsibility to reject suspected transactions. There are many false positives in this process. Whenever your card payment is bounced it may be the result of the merchant's fear of accepting your payment. They are scared for a reason.

U: Don't Banks provide dispute mediation?

SKrobot: They say they do, but we can hardly call it dispute mediation. Banks reverse payments at the cardholder's request without actual mediation, which would be too expensive. There is also no incentive to do mediation. Since the cardholder is the customer they need to compete for, any rejected claim might affect their future sales. Banks often come to terms with the fact that reversal requests are rarely used by genuine customers while being massively abused by fraudulent cardholders.

U: Don't Banks at least verify payer identity?

SKrobot: No, in Card Not Present transactions it's not possible to authenticate the cardholder. Authentication requires a secret to be shared between two parties, while the information entered during an online transaction is effectively public.

Visa and MasterCard provide an optional 3-D Secure scheme which is supposed to authenticate the cardholder, but it is as flawed as the rest of the system. It's based on a static password which can be intercepted by a keylogger. It also generates a lot of website redirects which, apart from being an additional attack vector and a hassle for the user, are confusing, so users often abandon the purchase and look for an alternative website/provider that does not implement 3-D Secure.

U: So it looks like Banks are trying to do something useful. Isn't it just the difficult underlying problem that has no better solution? Why is the credit card so vulnerable to fraud?

SKrobot: The credit card is an outdated 19th-century concept. Using individually assigned payment cards was described in 1887 by Edward Bellamy in his novel Looking Backward. Early versions of payment cards were deployed from the 1920s in the United States. They were always easy to counterfeit, but convenience outweighed the risk. In the 1950s the general-purpose credit card became popular, and the payment processing cost has only grown since then.

For a long time the forgery-prone credit card was tolerable in face-to-face dealings. Brick and mortar shops required a physical token - the card itself, which, while easy to counterfeit, could prevent massive fraud if handled carefully.

With the advent of online shops we gave up that last protection measure - we check only card numbers instead of physical tokens. A single card number is used in multiple transactions in many places, which means it is effectively public information. In such a setup there is no method to prove that the person using that number is the legitimate owner of the card. The idea of using a static 16-digit number to authorize payments is just ridiculous and inherently insecure.

U: So how is it possible that it works?

SKrobot: We still tolerate that absurdity and transfer billions of dollars in fees to maintain the system by companies who have a vested interest in preserving the status quo.

The National Retail Federation estimated that in 2008 credit card companies collected $48 billion in interchange fees. The interchange fee is usually about 2% of transaction value, which for online payments is only a fraction of the total fee paid directly by the merchant and indirectly by the consumer.

Credit cards became the mechanism to transfer wealth from genuine cardholders to fraudsters, with numerous institutions popping up and eating up a larger and larger share of the pie under a veil of consumer protection while lobbying for legislation that prevents consumers from finding out the real cost of using credit cards.

The system is not sustainable, but it may take decades until it collapses. Having multi-billion budgets, credit card companies can shape legislation to stifle innovation that could reduce the amount of fraud. Banks have no incentive to fix the system. The more fraud exists, the more obscure and complex services they can offer and the more effectively they can justify their existence and demand higher fees.
