
In today’s advanced technological age, there is no legitimate excuse as to why we still have credit and bank card victims every day in the United States. Anyone who holds a debit or credit card should be worried, and the reason for the lack of security should be frightening. In today’s day and age, we have the capability of securely “tunneling” data between endpoints, or in other words, ensuring data integrity and privacy between Point A (the consumer) and Point D (the bank). This tunneling can ensure that no one between Point B and Point D can steal or alter the data being exchanged. (Think of Point B as the Merchant and Point C as the Credit Card Processor.) However, today’s banking network is completely insecure, essentially allowing what is known as “Man in the Middle” attacks. To pull this off, all one needs is an open system, which is exactly what we have today. When a consumer swipes their card at the grocery store, the data is shared with the merchant, then handed off to a credit card processor, and subsequently handed off to the consumer’s bank and back. Although the data is encrypted along the pipeline, it is unencrypted at the merchant. That means that the merchant knows your account information and can save it to a database. That is exactly what thieves did at the Hannaford Bros. grocery store in Vermont. Once thieves have the account numbers, they can then exploit them, leading to billions in losses for banks as well as months of recovery time for the victims.

The truly sick part about all of this is that it is easily fixable with today’s technology. If we implemented what is currently available, we would eliminate “Man in the Middle” attacks as well as eliminate thieves from cashing in when they find or lift a wallet. The basic premise would be to switch to payment tokens. Tokens would provide access for up to 5 different debit and credit accounts, all issued by different banks or the same bank, and would plug into the USB port of payment terminals and/or computers. What is cool about this technology is how it works. In order to access the data on the token, the consumer would need a PIN code. Without the PIN code, the token would be worthless. In addition, if the wrong PIN is entered after 5 different attempts, the token would become useless. Once the PIN is entered, the user can select what account they want to use. After this is selected, the merchant opens a tunnel to their credit card processor. The credit card processor then reads the public information about the consumer’s account (such as a bank routing code) and authorizes a tunnel to the consumer’s bank. The bank then interacts with the payment terminal to exercise a special “private key” on the token, all through a private tunnel that only the payment terminal and the bank have access to. Once the private key is verified, payment is authorized. What is great is that the private key never leaves the token, and because the tunnel is secure between the token and the consumer’s bank, it cannot be stolen. In this scenario, the consumer’s private information never leaves their hands: the merchant doesn’t get to see it, nor does the credit card processor. The only information that the merchant and credit card processor could pick up is a bank routing code, which would be useless. Another beautiful part of this is that it works online too. Consumers can plug their tokens into their computers in order to buy goods from merchants like Amazon.com and Best Buy in just as secure a manner. Imagine a world where it is not only convenient, but secure. Why is that too much to ask, the best of both worlds?
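The PIN gate, five-attempt lockout and bank challenge described above can be modeled in a few lines; this is an added example, not code from the original post. The names `Token`, `Bank` and `token_id` are hypothetical, and because Python's standard library has no asymmetric signing, an HMAC over a key enrolled with the bank stands in for the private-key operation (in the design the post describes, the bank would verify with a public key only).

```python
import hashlib
import hmac
import secrets

MAX_PIN_FAILURES = 5  # lockout threshold stated in the post


class Token:
    """Constructed model of the token; the key never leaves this object."""

    def __init__(self, token_id, pin, key):
        self.token_id = token_id  # hypothetical identifier sent to the bank
        self._pin, self._key = pin.encode(), key
        self._failures, self._unlocked = 0, False

    def enter_pin(self, pin):
        if self._failures >= MAX_PIN_FAILURES:
            return False  # locked for good, even if the PIN is now right
        ok = hmac.compare_digest(pin.encode(), self._pin)
        self._unlocked = ok
        self._failures = 0 if ok else self._failures + 1  # assumption: success resets
        return ok

    def respond(self, challenge, txn):
        if not self._unlocked:
            raise PermissionError("PIN not entered or token locked")
        # HMAC stands in for a private-key signature (assumption, see lead-in)
        return hmac.new(self._key, challenge + txn, hashlib.sha256).digest()


class Bank:
    def __init__(self):
        self._keys, self._pending = {}, {}

    def enroll(self, token_id, key):
        self._keys[token_id] = key

    def challenge(self, token_id):
        self._pending[token_id] = secrets.token_bytes(16)  # fresh nonce
        return self._pending[token_id]

    def authorize(self, token_id, txn, response):
        nonce = self._pending.pop(token_id, None)  # each challenge is single use
        if nonce is None or token_id not in self._keys:
            return False
        want = hmac.new(self._keys[token_id], nonce + txn, hashlib.sha256).digest()
        return hmac.compare_digest(want, response)
```

Because the response covers both the bank's nonce and the transaction bytes, a captured response cannot be replayed against a later challenge or reused for a different amount.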

Given that we can do this, the question must be asked: why aren’t we doing this? The answer is that someone, somewhere decided that it would be cheaper to deal with the fraud than to implement a secure system. In my opinion, nothing could be further from the truth. Credit card fraud is big business in the United States and is only getting worse. It accounts for billions upon billions in lost money for merchants, consumers, and banks alike. The truly worst part about it is the negative impact it has on the consumer. Not only does the consumer end up paying more in the form of higher costs for goods, it can take months and cost hundreds or even thousands of dollars for someone to recover from being victimized. In order to deal with this crisis, the U.S. Congress, Treasury, and FTC are going to need to intervene. A law will need to be passed requiring a secure system, and that law will need to be renewed year over year to keep up with the technology and threat changes. It is unfortunate, but given how big the banking system is and how many players are involved, it will literally take an act of Congress in order to require it. I encourage anyone reading this to urge their U.S. Congressional Representative and U.S. Senators to pass the “Secure Banking Transactions Act of 2010”.

Steps You Can Take To Protect Yourself Today

1. Never use a debit card at a merchant. Debit cards are for ATMs and banks only. When you use a debit card and enter your PIN, you could be giving your PIN to thieves. Even if you use your debit card as a credit card, you are in danger, as there are fewer protections for consumers who use debit cards. Banks will take much longer to credit your checking account when there is fraud and you will likely be without your funds for up to six (6) weeks. Since most of us are not independently wealthy, this could spell real trouble. As a result, use credit cards at merchants, even if you intend to pay the balance off. Hey, you’ll get some airline miles in the process. And, if your credit card number is stolen, you won’t be out a dime. Your credit card company will suspend payment while they investigate, with no negative impact on you at all.

2. Watch your accounts like a hawk. Log in and check your accounts daily. Always look for any charges and/or authorizations that you do not recognize. Scrutinize any authorization for “.01” or “1.00”. Thieves will often “ping” an account to see if it is valid by authorizing a charge for one dollar or one cent. Some of these authorizations can be legitimate. If you enroll for AUTO PAY, for instance, this kind of charge can show up. If you are like me and can’t check your accounts daily, set up alerts. Many banks offer to send alerts to your cell phone and/or email address for FREE. Set up alerts to monitor for new charges at or under $1.00 as well as anything over $100 or 25 miles outside your ZIP code.

3. Change your PIN numbers regularly. Most of us change our passwords every 45-90 days; why not our PIN numbers? Some banks allow PIN numbers to be changed over the Internet or over the telephone. However, most banks require the PIN number to be changed at an ATM or with a teller. No matter what, regularly change your PIN number.

4. Use PayPal for online transactions. One of the great advantages of PayPal is that your bank information is never shared with the merchant. All the merchant gets is paid. They don’t see any of your personal information, except for what you decide to share such as Name and Address (for shipping).

5. For those who must use a debit card, set up a second checking account. If you must use a debit card, set up a second checking account and link the debit card to that account only. Then, keep just a small amount of money in the second checking account, transferring money into it when you are ready to spend. This will ensure that thieves will get very little. Most thieves are going to go for the big payoffs and if you only have $50 in your checking account, they’ll just move on when they get a “DECLINE” message from the bank. Doing this is a pain, but it will protect you. It will also ensure that your primary checking account will never be shared with anyone but your bank and perhaps your employer (for direct deposit).

6. Overall, be smart and trust no one. It is unfortunate that we, as a society, can’t trust each other, but the plain and simple truth is that we can’t. When it comes to your personal information, be extremely careful with it. Never share it unless you need to and never assume that your bank, doctor, or anyone else isn’t sharing it with a third party. The grocery store in Vermont may not have known they were sharing customers’ personal data with a third party, but they were. Always assume the worst and hope for the best; you’ll never go wrong.
