
A simple solution to credit card fraud, and why you won't see it any time soon - lisper
http://blog.rongarret.info/2013/02/a-simple-solution-to-credit-card-fraud.html
======
drucken
Overreacting, shallow, misleading and bait-link article.

Overreacting:

- the most up-to-date technologies for anti-credit card fraud, namely
variants of smart card/EMV, are already available and widely used by all the
large credit card providers and banks in the EU and Asia (excluding domestic
transactions in China and Japan). There are even US providers who use it in
some situations.

- in addition, most merchants in those regions have upgraded their PoS
terminals for smart cards and in some cases refuse to accept non-smart credit
cards.

- he made no case for how HSBC money laundering and subprime crisis have
anything whatsoever to do with anti-fraud credit card technologies. Just
randomly put it out there...

Shallow:

- Not even a minor reference to the specific technology being discussed is
made, only a vague mention of "public-key cryptography".

Misleading:

- the credit card industry HAS and IS deploying the most up-to-date
technology. In some regions, e.g. US, there are legal or infrastructure
barriers that take time to overcome.

- the _key_ moment at which the new infrastructure is rapidly rolled out and
fully enters the public consciousness is associated with the "liability shift"
when credit card infrastructure providers push liability for fraud to
merchants, therefore forcing merchants to upgrade their equipment and
processes:

-- _Mastercard is implementing a liability shift for point of sale terminals
in October, 2015. For pay at the pump, at gas stations, the liability shift is
October, 2017. For ATMs, the liability shift date is in October 2016._

-- _Visa is implementing a liability shift for point of sale terminals on
October 1, 2015. For pay at the pump, at gas stations, the liability shift is
October 1, 2017. For ATMs, the liability shift date is October 1, 2017._ [1]

Bait-link:

- a solution is already out there. It is based on "public key cryptography".
Whether it is "simple" or not is a matter of opinion at this point, without
any further clarification by the author. Nothing he has proposed has improved
on the solution.

[1] <http://en.wikipedia.org/wiki/EMV#United_States>

~~~
lisper
Cut me a little slack, OK? This is just the beginning of a long story.

~~~
mikeash
Why...? If he's wrong, surely you can rebut him, and if he's right, then how
does being part of a long story change that?

~~~
lisper
I can and I will but right now I'm on an airplane

------
jarrett
To expand upon the author's idea, the problem is not just that credit card
data is reusable, but that _possession of credit card data amounts to
permission to charge any arbitrary amount to it_. Not _legal_ permission, mind
you, but permission in the sense that the infrastructure lets you do it, and
you have to sort out the consequences through social/legal channels after the
fact.

Not only should future payment systems be based on cryptography, but they
should also require an _affirmative step on the part of the payer_ to initiate
a given transaction of a given amount. In other words, it shouldn't be a
matter of handing over your card number, or even a one-use cryptographic
token, and letting the merchant fill in the details. You should have to
explicitly _send_ an amount of money that you specify. Then, of course, a
smart merchant would verify that the amount is correct before fulfilling her
end of the bargain.

In other words, the process should be that the payer _gives_ money to the
payee, not that the payee _takes_ money from the payer.

Unfortunately, as the author points out, progress on this front has been
almost nonexistent with respect to the established credit card networks. We
may have to hope/work for a totally new system to replace it. (Perhaps
Bitcoin, or something inspired by it.)

~~~
bradleyland
> possession of credit card data amounts to permission to charge any arbitrary
> amount to it

The word you're looking for is "capability", not permission. Permission
requires consent, which is something you give separately from the actual card
number.

A minor point, but I think it changes the tone of that statement.

> possession of credit card data amounts to the capability to charge any
> arbitrary amount to it

I'm not sure anyone is ignorant of this fact though, and yet everyone seems OK
with it.

> Not only should future payment systems be based on cryptography, but they
> should also require an affirmative step on the part of the payer to initiate
> a given transaction of a given amount. In other words, it shouldn't be a
> matter of handing over your card number, or even a one-use cryptographic
> token, and letting the merchant fill in the details. You should have to
> explicitly send an amount of money that you specify. Then, of course, a
> smart merchant would verify that the amount is correct before fulfilling her
> end of the bargain.

Ugh, no thanks. The system you describe is more like cash. I have to actively
dole out the necessary amount, and then receive change that is counted at each
transition. I abhor these types of transactions.

Convenience is a significant motivator in the adoption of credit cards. Any
competing system will have to compete on simplicity. The fact that consumers
and merchants haven't fled from credit card use as fraud rates (and costs)
have increased is evidence that the market is willing to bear them.

The legislative changes that allow merchants to charge a CC-use surcharge will
resolve the significant matter of ignorance. I do agree that consumers are
largely ignorant of the hidden costs of fraud associated with the current CC
model. The question is whether they'll pay these costs once they're brought to
light. I believe they will continue to pay them in exchange for convenience.

~~~
nitrogen
_Ugh, no thanks. The system you describe is more like cash. I have to actively
dole out the necessary amount, and then receive change that is counted at each
transition. I abhor these types of transactions._

Not in this case. There's no reason the merchant can't send a request for a
specific amount, encrypted using your credit account's public key and signed
by their private key. Your credit authorizing device (smartphone, desktop app,
phone call, whatever) then asks you to confirm the amount, and that amount is
sent back to the merchant. I'm sure there's some way of cryptographically
tying the request for funds to the transmission of funds so that it's clear
what transaction the funds are for, that the amount sent matches the amount
requested, etc.

~~~
Domenic_S
Aren't you basically describing the "Request Money" feature of PayPal?

~~~
nitrogen
No, because that only works through PayPal. This is more about a system that
can be automated independently of the bank or service provider and provides
independent cryptographic verification of transactions.

------
tlb
There's a simpler explanation to why merchants don't charge extra for credit
card purchases: The cost of accepting cash is not zero.

The logistics of drop safes and daily deposits plus losses due to
counterfeiting, robberies and pilfering can cost a similar amount to the 3-4%
credit card fees.

That's why merchants aren't grumbling too much.

~~~
Domenic_S
Even simpler explanation: the cost of interchange fees is already priced in
to the retail cost of goods.

In other words, cash buyers are subsidizing the interchange fees, your Rewards
Points, Cash Back deals, etc.

This is evident especially at gas stations. Many have "cash only" prices that
are lower than credit prices; Arco generally has the lowest gas prices but
accepts only cash or ATM (with an _additional_ ATM fee).

It's been policy for a while now that you simply _can't_ charge more for
(just) credit card transactions (you could however discount cash purchases).
That landscape is changing recently [1][2], but we haven't seen its full
effects yet.

[1] <http://www.dailyfinance.com/2012/07/19/3-reasons-why-credit-card-surcharges-are-an-empty-threat/>

[2] <http://www.dailyfinance.com/2013/01/24/new-credit-card-checkout-fee-starts-sunday/>

------
qeorge
Some banks will let you generate single-use credit card numbers (e.g., Chase).
So you have one CC # for the power company, a different one for Netflix, and
so forth. Then if e.g., Netflix gets hacked you can just cancel that one card
number. You can also generate cards with hard spending limits, cards that only
work for a specific merchant, etc. And of course you can delete them anytime.
It's a pretty good system.

That said, I agree with the author. Signature based debit should have long
since been replaced by something more secure (e.g., Chip and PIN), yet its
much higher fee structure creates a perverse incentive to maintain its use.

~~~
kzrdude
Isn't it pretty easy to envision a system that puts the control directly with
the user? The reseller requests an amount due, you punch that into your
credit card device, following it up with a pin code and you can now verify
that payment..

But I don't think anyone wants to give customers this wallet-like capability..

------
davidu
I've thought about this "problem" and decided there's no problem. You're
solving a non-problem if you try to solve credit card fraud.

The reason we don't deal with credit card fraud is that there are no
consequences for being a victim, for any definition of victim. If the victims
had consequences, then there would be demand for action. But there is none.
Further, because there are no consequences, the cost to solve credit card
fraud isn't worth it.

Edit: This is a true statement. I feel capable to comment on this topic and
have spent time working with this industry. I've dealt with abuse and fraud
for years on many sides of the transaction (there are more than two). If you
think you have a retort, please think carefully if you really understand what
I just wrote above. There are no consequences for the victims. No matter how
you define victim.

Edit 2: You deserve better explanations. I'll work on a blog post. But one
case of a financially tight victim having to call the bank, etc. isn't enough.
In the aggregate, nobody is inconvenienced. There are no consequences. If
merchants had consequences, they'd stop accepting credit cards, but in the
aggregate, that's a non-starter. Issuers similarly have no consequences.
There's no arbitrage for improvement either.

~~~
xanados
If you think there is no victim I think you may not have a very firm grasp of
economics. In particular, small negative consequences borne by many economic
actors adds up to legitimate negative economic consequences, even if there is
a collective action problem in addressing them. In order to make the argument
that there is no victim, you will have to describe how this fraud is wealth
creating, without appealing to any broken window fallacies. I guarantee this
is impossible.

In reality, the costs of fraud are shared widely, and there are definitely
victims in aggregate. First, the merchants are clearly victims. In a
counterfactual universe that contains no credit card fraud, merchants pay
lower fees to accept credit cards, and make more money for selling the same
amount of goods at the same prices. Second, consumers are definitely victims.
In the same counterfactual universe, consumers pay less for goods by a tiny
margin, and thus are able to consume more and achieve higher levels of
utility. Additionally, in this counterfactual universe, nobody has to deal
with credit card fraud, which is an inconvenience which has both a direct
dollar cost, in cases where people aren't satisfied with their legal
protection or incur legal costs in exercising their protection, and in non-
dollar costs like having to call their bank, stress, broken relationships etc.
Note that _these are real costs and lower standards of living and utility_
even if they aren't dollar costs.

From a macro perspective, it's obvious that fraud has a negative impact on the
economy. All of the effort that is spent by every fraud researcher, fraud
company, credit card company fraud agent etc. is _fundamentally unproductive
effort_ which is nonetheless included in GDP. If these people didn't have to
deal with credit card fraud, because it simply didn't exist, they could be
gainfully employed in other productive fields that work to meet the hedonic
goals of other humans.

I just want you to be aware of the tough row you have to hoe if you are really
planning on going down this path, and if you ignore the above arguments, well,
you aren't making a very compelling case.

~~~
davidu
Collective action problems imply a lack of consequences. QED.

To your point that all the effort to combat fraud implies there is a problem,
you've created a fallacious point.

To your point on unproductive exercise, I believe it is wasted effort and
loss. Perhaps the real victims of fraud are fraud fighters!

To inconvenience as a form of consequence, you clearly already understand the
difference there.

------
snowwrestler
The "solution" to credit card fraud is monitoring and insurance.

I don't worry about credit card fraud because my credit card company does not
hold me responsible for fraud as long as I bring it to their attention in a
timely manner (30 to 60 days). So I just make sure to review my statements
every month.

Yes, in a general sense I pay the cost of this insurance because all
businesses are imaginary pass-through entities. By that standard, let's not
tax businesses either since we ultimately all pay those taxes too.

But, complex technical solutions ALSO have a cost--not only to implement and
maintain, but in the friction they introduce into the commerce of everyday
people's lives. And since businesses exist to minimize costs, we can assume
that they have not implemented complex technical solutions because _they cost
more than the insurance._

In summary: not every optimal solution exists in the space of engineering.
Social and legal structures can help solve problems too.

~~~
com2kid
_But, complex technical solutions ALSO have a cost_

The solution is hardly "complex".

Your CC number never leaves your card unencrypted. Your card details are
encrypted on a server somewhere. A transaction consists of a record of sale
that is signed by the merchant's private key, sent to your card, which then
signs it with your private key.

Said package of data is delivered up to Visa's servers. Your digital signature
is validated with your public key, merchant's key is validated, the order goes
through. Yes this requires an internet connection, yes it breaks offline
processing. It also cuts fraud to 0.

Online purchases get more complicated, sure. Lazy way is to have something
running on client machine that can sign data downloaded from merchant, make it
a browser plugin or even better a standard all browsers implement, so long as
the private key is stored somewhere and can be applied to a message. This is
not exactly a hard problem. Doing it right is tricky, thankfully a good number
of correct implementations already exist. Use one of those.

A more secure solution, especially for PCs, is to have a dongle, everything is
processed on card. Then even if the PC is rooted 50 ways to Sunday all orders
are still secure.

This is no more convoluted (and many would argue less) than the current way by
which credit card orders are processed.

Credit Card companies currently place the entire burden of fraud onto
merchants. They don't really have a reason to care about fraud, other than
that it is bad customer service to have your customer's identity stolen.

The real problem here is how to deal with crap like reoccurring payments. Too
many organizations are used to a workflow wherein they store your credit card
number. That is obviously insecure (see: news stories that come out all the
time). I am not sure how to solve that particular problem though. Obviously it
is a big blocker to getting a more secure system implemented!
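
The merchant-signs, card-countersigns flow that nitrogen and com2kid describe in the comments above, as an added Go example that is not part of the thread or of any card network's protocol. The record layout, Ed25519 as the signature scheme, and names such as `SaleRecord`, `PayerApprove` and `Network` are assumptions for illustration; the encryption step nitrogen mentions is left out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrMerchantSig = errors.New("merchant signature invalid")
	ErrPayerSig    = errors.New("payer signature invalid")
	ErrAmount      = errors.New("amount differs from what the payer confirmed")
	ErrReplay      = errors.New("order already processed")
)

// SaleRecord is the record of sale the merchant signs (hypothetical layout).
type SaleRecord struct {
	MerchantID, OrderID, Currency string
	AmountCents                   uint64
}

// encode returns an unambiguous, length-prefixed byte form to sign.
func (r SaleRecord) encode() []byte {
	var b []byte
	var n [8]byte
	for _, s := range []string{r.MerchantID, r.OrderID, r.Currency} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(s)))
		b = append(append(b, n[:4]...), s...)
	}
	binary.BigEndian.PutUint64(n[:], r.AmountCents)
	return append(b, n[:]...)
}

// SignedSale travels merchant -> card -> network; it holds no card number.
type SignedSale struct {
	Record      SaleRecord
	MerchantSig []byte
	Account     string // payer account identifier, filled in by the card
	PayerSig    []byte // covers Record and MerchantSig together
}

// MerchantSign produces the signed request for a specific amount.
func MerchantSign(priv ed25519.PrivateKey, r SaleRecord) SignedSale {
	return SignedSale{Record: r, MerchantSig: ed25519.Sign(priv, r.encode())}
}

// PayerApprove runs on the card or device: it checks the merchant's signature,
// checks the amount the payer confirmed, then countersigns that exact request.
func PayerApprove(priv ed25519.PrivateKey, account string, merchantPub ed25519.PublicKey,
	s SignedSale, confirmedCents uint64) (SignedSale, error) {
	if !ed25519.Verify(merchantPub, s.Record.encode(), s.MerchantSig) {
		return s, ErrMerchantSig
	}
	if s.Record.AmountCents != confirmedCents {
		return s, ErrAmount
	}
	s.Account = account
	s.PayerSig = ed25519.Sign(priv, append(s.Record.encode(), s.MerchantSig...))
	return s, nil
}

// Network is the card network's side: registered public keys plus replay state.
type Network struct {
	Merchants, Payers map[string]ed25519.PublicKey
	seen              map[string]bool
}

// Authorize validates both signatures and rejects an order it has already seen.
func (n *Network) Authorize(s SignedSale) error {
	mPub, ok := n.Merchants[s.Record.MerchantID]
	if !ok || !ed25519.Verify(mPub, s.Record.encode(), s.MerchantSig) {
		return ErrMerchantSig
	}
	pPub, ok := n.Payers[s.Account]
	if !ok || !ed25519.Verify(pPub, append(s.Record.encode(), s.MerchantSig...), s.PayerSig) {
		return ErrPayerSig
	}
	key := s.Record.MerchantID + "\x00" + s.Record.OrderID
	if n.seen[key] {
		return ErrReplay
	}
	n.seen[key] = true
	return nil
}

// Results holds the outcome of each constructed scenario.
type Results struct{ Honest, Replay, Inflated, Mismatch error }

// RunScenarios uses constructed keys and orders (sample data, not real accounts).
func RunScenarios() Results {
	mPub, mPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	pPub, pPriv, _ := ed25519.GenerateKey(nil)
	net := &Network{
		Merchants: map[string]ed25519.PublicKey{"shop-1": mPub},
		Payers:    map[string]ed25519.PublicKey{"acct-1": pPub},
		seen:      map[string]bool{},
	}
	var res Results
	rec := SaleRecord{"shop-1", "order-1001", "USD", 1999}
	sale, _ := PayerApprove(pPriv, "acct-1", mPub, MerchantSign(mPriv, rec), 1999)
	res.Honest = net.Authorize(sale)
	res.Replay = net.Authorize(sale) // same signed sale submitted twice

	// The merchant re-signs a larger amount and attaches the old payer signature.
	big := MerchantSign(mPriv, SaleRecord{"shop-1", "order-1002", "USD", 199900})
	big.Account, big.PayerSig = sale.Account, sale.PayerSig
	res.Inflated = net.Authorize(big)

	// The card is shown the larger request while the payer confirmed 19.99.
	_, res.Mismatch = PayerApprove(pPriv, "acct-1", mPub, big, 1999)
	return res
}

func main() {
	r := RunScenarios()
	fmt.Printf("honest: %v\nreplay: %v\ninflated: %v\nmismatch: %v\n",
		r.Honest, r.Replay, r.Inflated, r.Mismatch)
}
```

Because the payer's signature covers the merchant-signed record, a stored copy of a completed sale authorizes only that one order and amount, which is the property the thread contrasts with a reusable card number.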

------
dangrossman
It's easy to envision a future without this inherent problem -- it's PayPal,
it's Dwolla, or any other service where payments are pushed instead of pulled.
If you pay someone with PayPal, online or off, you don't leave them with
anything they (or the hacker that steals the store's DB) can use to charge you
again in the future. For recurring payments, in the background all you're
giving out are tokens you can revoke at will.

Getting stores to adopt these services is a lot easier than getting Visa to
change how their product fundamentally works.

~~~
javajosh
The interesting case will be POS situations where a customer wishes to use
PayPal but they don't have a smartphone. In which case they will need access
to a machine to send the payment. In that case they need access to a browser
to interact with the PayPal site. In this scenario the customer's data (their
username/password for PayPal) is being exposed.

------
olefoo
In a rational world where declaring that government should be responsible for
the foundational services that enable civil society the universal payment
transaction service would be operated by the government as a public utility.

In this hypothetical rational world, you would go to the government office
when you needed to open a new payment account to make or receive payments. You
would show proof of identity, and receive a duly signed certificate bound to
a hardware token of a standard type that you could then use to make
transactions both on and offline. Since everybody would use the same systems
there would be no questions about _if_ someone could pay you.

But in this world, government securing the currency is regarded as an outmoded
and dangerous idea, unless it's a bailout...

~~~
Domenic_S
> In a rational world where declaring that government should be responsible
> for the foundational services that enable civil society the universal
> payment transaction service would be operated by the government as a public
> utility.

Already exists. It's called cash.

~~~
olefoo
That's one of the points I was alluding to. The .gov already does this in the
physical world; why have they allowed a layer of private interests to insert
themselves into the process when it is performed electronically?

------
jcr
Ron, before you get into the chip-n-pin/smart-card stuff commonly used in
Europe and Asia, you should probably check out the modern "Man-In-The-Browser"
attacks:

<http://www.irongeek.com/i.php?page=videos/derbycon2/3-1-1-dave-marcus-2fa-enabled-fraud-dissecting-operation-high-roller>

As the above shows, crypto is useful, but it's far from perfect due to its
reliance on insecure stuff (i.e. web browsers, operating systems, ...). When
the foundation is flawed, it's turtles all the way up.

Also, don't let HN or the web in general get you down. Writing for those with
a short attention span makes for short stories, not long ones. Being wedged
could be an indication that you have a lot to say, too much to get it going
properly. I've got a hunch you have a nice long story to tell, and it will be
worth reading even if it comes out in a round about fashion. I ain't a crypto
or security person, nor do I play one on TV, but if you want a proof reader
contact me privately.

------
GauntletWizard
If you look at how they were actually deployed in Europe, you'll realize that
it's not much different over there. "Chip and Pin" is if anything worse than
no encryption, because it gives the illusion of security. I don't know about
the situation in Asia.

~~~
lisper
It's far from clear that chip-and-pin has been the unmitigated disaster you
imply it to be. You're right that chip-and-pin has problems, but those are
design and deployment problems, not problems with PKE in general.

~~~
pbreit
"design and deployment problems" pretty much imply problems with the solution
itself.

------
bbuffone
There is no solution for credit card fraud because the credit card companies
do not pay the bulk of the fraud that happens. I have been the subject of
fraud both as a merchant and as a consumer and in both cases I was the one
that paid.

~~~
jemeshsu
Two-factor authentication is a good deterrent but is not available everywhere.
For my card, for some sites, immediately after clicking "Buy" button, the bank
will SMS me an expiring (within minutes) 6 digit code to my mobile phone, and
I will have to enter the code to complete the transaction.

------
mozboz
Feels like over-reactive writing. Of course big business works to protect its
interests and offload costs of business to customers. Big business is also
terrified and highly resistant to change to systems that are generating profit
that may reduce profit, regardless of any social value.

Why is this so shocking to the author?

------
paulyasi
If the card brand, say Visa, would generate a public key that I could use
on my web server to send them their credit card data, then I, my payment
gateway, and maybe even my merchant bank, would never have to know the
card number. VisaNet could decrypt it on their side with their private key and
determine the issuer and account information to process it. Just the customer
and VisaNet and the issuer probably needs the card number itself. Everyone
else just needs to know the result of the transaction.

~~~
dangrossman
A large portion, if not most, of the card numbers being bought and sold on the
black market are obtained via phishing or via malware on the end-user's
computer. Better encryption between the computer and online stores doesn't
affect either of those theft vectors.

------
prostoalex
Citi has offered virtual account numbers for its credit cards for a while,
which solves the "Once someone knows your card number they can use it to
conduct any transaction they choose" problem. It's still a hassle to remember
to go to citicards.com and generate a new number, provided that Chrome
helpfully auto-fills your saved number.

------
jeremyjh
EMV is happening in the United States; the industry does recognize the problem
though I agree there are poor incentives to make progress in solving it. It is
late in starting and going to be slow and that is for some of the reasons OP
states.

One thing that is now changing is that responsibility for charge-backs is
going to be moving from the merchants and card issuers (who do bear risk in
ATM transactions, for example) to the acquiring point of sale network,
operator or ATM. In order to prevent that from happening, the operators are
being required to support EMV in X% of devices by Y date. MasterCard has a
write-up of this here:
<http://www.mastercardadvisors.com/_assets/pdf/emv_us_aquirers.pdf>

You can Google "EMV acquirer risk" to find more on this issue.

------
ChuckMcM
Two, possibly ancillary points:

As someone who was part of a lawsuit involving public key cryptography I can
assure you that the barrier to deploying it in the US rested squarely on RSA
Data Security (patent holder) until the patents expired.

To understand how to deploy better security look at Stripe. Stripe is
displacing (with pre-existing card technology) the connection between card
companies and merchants with a better experience. With an established customer
base they will be in a position to drive the replacement of cards.

No system with as many moving parts as the credit card system has, can be
"quickly" changed (and by quick here I'm talking demi-decades) however it can
be disrupted and replaced.

------
yalogin
I was really expecting a solid article there since he claims he tried to solve
it. Specifically --

- What exactly are these barriers the industry has set up?

- What kind of savings can be obtained through his solution?

- What exactly is this solution without going into the crypto part (which I
assume is what he wants to sell)?

- Any solution involving crypto means at the least both client and server
side changes are needed, which means every merchant needs to upgrade. What is
he proposing that has a better value proposition in spite of the costs
involved?

I am not even questioning his crypto protocol, assuming it's good.

------
gtr32x
"The risk of getting caught if you decided to try to commit credit card fraud
was high enough that it was (mostly) an effective deterrent."

Unfortunately the risk isn't as high as the author intended. There are still
many credit card launder groups that take advantage of in-person fake card
transactions. The margin is so high that they would often purchase over a few
thousand worth of items at Wal-mart or such (mostly gift cards) at a single
time and the lack of care from cashiers just doesn't help with the deterrent
factor.

Aside from the big boss, even the busboys would try to snatch up items for
themselves from the store aside from the gift cards to give back to the big
boss. This creates a healthy enough ecosystem that each part of the chain will
have enough motivation to not cause the group to fall apart, because the
margin is just too high.

The credit card itself builds too much on trust and is fundamentally broken.
Trust is a rare quality in humans and it is just not present in a criminal's
eyes. Of course, the trust allows a credit card to be used simply without much
additional overhead. If one day we collectively deem credit cards to be
insecure enough maybe we'll consider trading off the easy usability for a more
secure measure such as presenting your id when using credit card. Or perhaps
we should all just wait for the future where we each have biometric chips
embedded in us to scan at a credit card machine.

------
lsh123
Not every problem needs to have a _technology_ solution. In this case, the
non-technology solution is to pass the fraud cost to the merchants (through
fee) who in turn pass it to you (consumer). There is nothing wrong with it as
long as everyone in the chain accepts it. Now, of course as a consumer you
might feel bad about it but the penalty you pay for CC fraud is tiny. So you
probably don't care because in exchange you get the convenience of using a
credit card.

The industry is actually doing a lot of work to minimize the fraud and keep it
under control. But there is absolutely correct understanding that it will
never go down to 0. Even if you deploy super-modern PKI solution, you still
have to deal with fraud like "didn't get an item", etc. Thus the benefits of
not having a credit card number are not that significant in the big picture.
While inconvenience and complexities are pretty high.

------
pbreit
So...what's the solution?? "Use public key encryption" doesn't help us much.
Especially when you claim "it's not hard". Disposable numbers have been tried
many, many times and the user experience stinks. Maybe with the prevalence of
good mobile experiences, their time has come?

~~~
zanny
I think the other thing is that most online credit fraud doesn't come from
intercepting credentials over wires but by dupe sites that imitate real
realtors. I think two factor authentication might help with that, if it has to
verify both sender and recipient on some mutual third party server of the
credit card provider, but that costs them money, which gets back to the root
problem, it doesn't cost the companies that would implement these schema
anything now, and any change does cost them, and the market is rigged so you
can't introduce competition.

I think it is much more likely bitcoin takes off as a real currency for
exchange and people just start using banks that facilitate transparent
conversion between the two when buying stuff online. It doesn't help with
using a credit card online from a CC company, but it does skip them entirely.

~~~
pbreit
I think there is zero chance Bitcoin takes off.

~~~
rishimoko
I recall this being said when Bitcoin was at around a dollar and ever since.

------
kjackson2012
In Canada they have a system where you input a PIN number every time you use a
credit card at a POS.

I've heard from my Canadian friend who owns a Shoppers Drug Mart, that it has
cut down chargebacks to almost 0.

Why they haven't implemented this in the US I'm not sure. The only problem is
that if they figure out your PIN, it makes it very hard to fight chargebacks
from the point of the consumer. But we all know that the CC companies don't
care.

The one thing to note is that it's very hard for the CC companies to lose
money with fraud. Usually the merchant or the consumer is on the hook. Then
the issuing bank, etc. They're last in line, so their incentive to make
drastic change is nil.

~~~
ahallock
At most gas stations and some grocery stores, I have to enter my billing ZIP
code before proceeding. I'm not sure how effective it is.

------
parauchf
I worked in fraud prevention for several of the big banks. They definitely
care about it and it is not passed on directly to customers.

There's a strong relationship between card fraud and DDA fraud which very
directly hits the bottom line. Typically credit card fraud is monetized by
making a balance transfer to a DDA.

Chip and pin is on the way. A lot of new cards have it. See below...

<http://www.federalreserve.gov/newsevents/bank_of_america_20100917.pdf>

Never explain with conspiracy what can be explained by incompetence.

------
jpalomaki
I think it is incorrect to say fraud is not costing credit card companies
money, because they can transfer the cost to customers. If there was less
fraud they could easily keep the transaction costs on same level and pocket
the difference.

Some Finnish banks introduced a "verified by Visa" scheme where you need to
verify online transactions with one time password (those are normally used to
log into online bank account). At least for me the result was that now I
choose PayPal whenever possible, since PayPal allows me to pay with just
username and normal password.

~~~
codesuela
I have a German Visa card and for me it works by creating a separate password
for online purchases (once). This prevents a lot of fraud because the verified
by Visa password resides on the servers of Visa (or the bank, I don't know)
and is not compromised when a shop gets hacked. Also I don't have to enter it
every time I use my credit card but rather I'd guess about 10% of the time.

------
sbov
I assume your simple solution handles common things such as recurring billing
and the ability for websites to re-use previously entered card information
without requiring the user re-enter it.

------
ctdonath
_I learned some things about how the world works that I couldn't figure out
how to write about without coming across like a paranoid loon, and I couldn't
get them far enough out of my head to write cogently about anything else._

Indeed.

I'd like to elaborate on my agreement but...I can't figure out how to write
about without coming across like a paranoid loon. Methinks it has to do with
approaching the half-century mark. "I've seen things you people wouldn't
believe..."

------
scott_s
Planet Money talks about the disincentives for the banks to have better
protection at about 26:20 into this podcast:
<http://www.npr.org/blogs/money/2011/06/16/137181702/the-tuesday-podcast-inside-the-credit-card-black-market>

Simply, the reason given is that credit card fraud costs them about $3 billion
annually. That's not enough to get them to move.

------
zimbatm
Plastic cards are a useless middleman and inherently insecure. You're inserting
your card and password to somebody else's device!

You should be able to the account URI (based on IBAN) and the total, issue the
payment order to your bank with your phone. The recipient gets notified by his
bank in real-time that the payment has been made. Thank you, have a good day.

------
t413
The financial companies are the most technology-averse group out there. They
are risk handling and money moving engines and not interested in innovation.
Every advance in technology is a direct result of legislation (like the recent
addition of check scanning at ATMs) and legislation never follows the cutting
edge.

------
joedev
I'm not convinced of the premise that credit card companies have no incentive
to reduce fraud.

"Fraud isn't costing them money, it is costing you money. [they] pass the cost
on to you, the consumer."

That's true of any business really. Increased costs get passed onto the
consumer. But that doesn't stop other businesses from trying to reduce costs.

------
SlipperySlope
Wow, what an informative comment!

It's clear to me that the advent of push liability opens the lots wider for
no-fraud payment systems, I.e. bitcoins. Evidentially, that situation is only
two to five years away. Which is plenty of time for mobile wallet startups to
help me get rid of my annoying leather wallet!

------
mhp
What are the downsides of making the CVV on your card have to come from a txt
message to your phone? It seems like this could piggyback on the existing
system that exists and would work with all current implementations. (It
doesn't solve the subscription stored card problem I guess...)

------
dobbsbob
Banks and card corps want a fool and his money to be able to push a button and
buy something with as little hassle as possible. They are more than willing to
use their trillions in profits to write off and eat some fraud if it means
easy use for customers

------
dreamfactory
The author seems to be referring to chip and PIN - but this isn't used in
Europe for card not present transactions, which the author says accounts for
nearly all fraud.

------
wmf
No mention of SET?
<http://en.wikipedia.org/wiki/Secure_Electronic_Transaction>

------
yalogin
What are these crypto based solutions that Europe and Asia are using the
author talks about? Can someone point me to those?

------
gigantor
In other words, redirect each credit card transaction to your bitcoin wallet?

------
cooldeal
I think he's talking about a solution similar to the RSA key cards typically
used for VPN login at some big companies.

<https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcSP3PxS1xDwxA_Wdhu2WNo_o-R9HJU5LSti6z_SStZe505gPLx4>

~~~
erock
this place is close, but i bet they are running into the same issues. it's a
shame, because it really could stop a lot of fraud using it.
<http://dynamicsinc.com/Corporate/products_dynamic_cc.php> (note, they only
now offer one type of card via one bank, they seem to have been sidelined)

