Jan 29, 2006

Addressing contactless security concerns

The Orlando Sentinel reports on a debate between consumer advocates and Chase, following the recent launch of Blink contactless cards in Orlando, Florida. Some consumer advocates think the new technology makes card fraud easier, since no signature or PIN is required.

"I consider what Chase is doing irresponsible on many levels," said Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego-based watchdog group. "The fact is they are adopting and promoting a technology that could actually exacerbate fraud."

"It's certainly a big concern when companies make it easier for thieves to use stolen credit cards," said Mark Ferullo, Florida director for the Public Interest Research Group, a watchdog organization based in Washington, D.C. "No matter how good a bank says its detection systems are, fraud still falls through the cracks."

Chase says that's not true. The company argues that its nationwide anti-fraud system can detect and curtail the misuse of Blink cards as quickly as fraud involving regular credit cards.

"The fundamental safety and security of this card is the best in the industry," said Tom O'Donnell, a Chase senior vice president. "And we also have the most sophisticated fraud detection and prevention systems. More than 75 percent of the time, when a card is lost or stolen, we find out about it long before the customer does."

25% is a pretty big crack. Perhaps a stronger metric could have been used instead. One that provides results closer to 99% so that customers are totally assured that they don’t need to worry.

What about when the card hasn’t been lost or stolen, but transactions magically appear out of nowhere? Just last week, the Seattle Post reported that Bank of America customers in Seattle have experienced a sudden increase of illegal cash withdrawals from checking accounts apparently coming from foreign automated teller machines and debit card purchases. The card details were apparently stolen without the customer's knowledge. If these cards had been equipped with EMV chips in addition to the magnetic stripe, this would probably not have happened.

We can’t have people feeling that they need to spend more time looking through their monthly bank statements to verify all of their credit and debit card purchases. This will become more and more tedious as the statement increases in size due to an increase in low value payments.

The Orlando Sentinel article also explains how contactless cards use encryption technology that is “three times more secure” than earlier contactless cards that experts have been able to compromise. I think I know what this means. I assume they are referring to triple DES encryption. But to most people, it sounds like a complicated, mysterious and somewhat evasive answer that doesn’t really eliminate fears.

And more and more Americans are afraid. Just a few days ago, the Federal Trade Commission announced that identity theft, consisting mostly of simple credit-card theft, topped its list of consumer complaints for the sixth year in a row in 2005.

There is a growing perception that banks are not doing enough to protect consumers. This perception needs to be addressed head on and killed very quickly. I don’t see how US banks will be able to continue avoiding the global trend to much more secure EMV chip cards that require PIN codes.

New 'blink' credit card has critics concerned
B of A customers hit by thefts, Increase seen in overseas cash withdrawals, debit card purchases
ID theft again tops list of FTC complaints

Prior posts:
Contactless opportunities and challenges


Jane Adams said...

I recently heard the chief exec. of Visa Europe Hans van der Velde comment that contactless payments 'are not a success' in the US - something that is quite opposite to the official associations' lines on the subject. Do you think that these security concerns are the reason or is Visa just griping because it feels it has fallen behind MasterCard? Or another reason?

Aneace Haddad said...

I'm not sure exactly why Visa would say that contactless is not a success in the US. I imagine that they would define success as lots of cardholders wanting to have the card, lots of merchants wanting to accept the card, lots of cardholders using the card more often than usual, etc. Lack of adequate results in any of these areas could cause them to say that contactless is not a success. We'll have to wait and see what is made publicly available in the next few months.

Thanks for leaving a comment!