Sixteen digits are not enough

About six months ago my Bank called early on Saturday morning. They had been monitoring my credit card and had identified unusual activity. I confirmed some of the transactions weren’t mine and the card was replaced with a new one and new account number.

Naturally I was pleased that the Bank had been looking out for me but it was disconcerting that my card number had been compromised. There were other consequences too. I had to update all the online retailers who held my card number and lost access to my card history on internet banking. (Why can’t banks leave internet account access in place when a card is stolen? – it would help customers identify the fraudulent and genuine transactions).

Sadly that was not the end of the story. This week I was trying to buy a new TV online using MasterCard Secure Code. All went well but a few minutes later I got an email to say the transaction had been declined. I phoned the Bank to find out why.

“We were just going to call you – we’ve been told by the Police that your card details have been compromised”. Well once is unfortunate but twice…

It set me thinking. Where had my card details been captured and why does the loss of sixteen digits mean my account has to be stopped? After all I validated the transaction with Secure Code.

I have my suspicions about one retailer I use near work which colleagues who have also had their cards compromised also use. However it dawned on me that in fact my card details are virtually in the public domain every time I buy anything.

Chip and PIN properly implemented ought to eliminate card present fraud because of the difficulty in replicating cards and the chips. However we have already seen evidence of staff attaching devices to capture card details for misuse elsewhere. Card numbers, expiry dates and CVV details remain valuable to fraudsters because they are still all that is required to debit an account.

The truth is that CVV provides virtually no protection as it is compromised the first time you use it since it’s really a one time code which in practice is used tens or hundreds of times. 3D Secure (MasterCard Secure Code or Verified by Visa) is not much better. Every time I use it I type my password in full making it relatively easy for someone to capture it. (Banks why don’t you ask for a random selection of characters from the password to make it harder to crack?).

Web use is growing but sadly the card companies seem reluctant to crack the inherent weakness in the current system.

Some years ago my MBNA card account had a different account number to the sixteen digit card number making it easy to replace the card without losing access to the card history. Sadly that approach seems to have been dropped. I’m also coming round to the idea that MasterCard and Visa need to drive through a common standard token system for cardholders to use to verify online transactions.

A combination of a universal standard token system (I don’t want one for each bank or card I have but one which works for all of them) such as Vasco offer together with a pass code know to the cardholder could provide a system that would be very difficult to crack. Linked to 3D secure as a trusted and secure communications channel, web fraud could be virtually eliminated.

Implementation costs would be kept down as a result of a common standard for the token and the production volumes required for one per cardholder.

What do you think?