Feb 4 (2007)
Identity Theft Hits Home
I just got a phone call out of the blue from a representative at the Royal Bank Visa credit centre, asking me to verify some recent suspicious purchases.
My Visa was just used to purchase $4 worth of something in Czechoslovakia, then $1500 worth of diamonds in Spain. Holy crap. She said it's nothing that I've done wrong, that the Evil Thieves are able to get credit card numbers from literally anywhere (like, for instance, the huge database theft that hit the parent company of HomeSense, where hundreds of thousands of Visa billing records were stolen, likely a few of mine in there as well).
So, she's nuked my Visa. Cancelled the charges. And is issuing me a new card. In the meantime, I get to live on cash or Interac (which is what I normally do anyway).
What I find really scary is that someone can get a Visa number and go ahead and place charges on it. There is absolutely no security built into the transaction, and we're left to rely on eagle-eyed monitors like the one who called me today.
I think it's time to redesign the credit card / Interac / debit system so that the only security checks aren't made from essentially public information (I have to assume that both my full name and now Visa number are in the public domain, so neither is a valid part of a security challenge).
Surely we can do better than this in the first part of the 21st century… Biometrics? Secure ID? Rotating cypher keys? Quantum encryption? Something!
Comments
12 Responses to “Identity Theft Hits Home”

At least this seems to have been caught quickly before it could balloon into more of a problem.
What bugs me about the system is that your credit card info is indeed public information. You give it out to anyone you purchase things from. Even your bank account number is written on your checks. You have to trust anyone you do a transaction with that they won’t turn around and steal your money. Doesn’t seem like a very good system.
Instead of systems that are based on sharing numbers that represent sources of money to be drawn from, maybe it should work with numbers that represent accounts to be credited. So, instead of sending a check to the guy who painted my house, he gives me his acct number and I send instructions to my bank to transfer money to his account. This account number can only be used to accept payment, not to withdraw. Communication between me and my bank does not run through a third party every time I make a purchase. Technology would have to be developed to make this all seamless and instant.
With the billions that banks make out of hidden fees, you’d think that this would not be a problem in the world anymore. I would be extra vigilant with my bank account for the next few months, D, they may have more information than _just_ your credit card. Biometrics is ideal, but then again they can steal your fingerprint or hack a device to transmit it or the hash or whatever… PayPal is coming out with a new device to help with the security somewhat.
This is so annoying, I’m glad they caught it before they could have caused you more trouble. The only time my cc has been misused was a computer parts salesman trying to boost his end of year results in order to grab a bigger bonus.
I think the best idea would be for us to move to the system of generating one-off credit card numbers that expire when they have been used. Although there is still the problem of what happens if somebody steals the number generator … biometrics is all well and good so long as the system is 100% proof against the thief cutting the body part off à la Hollywood …
The solution could be as simple as not providing the full transaction information to any individual vendor. Like PGP, with a public key and a private key. Both are needed to complete the transaction, but vendors are only provided with the public key. Not sure how the workflow would work for such a thing - we’re all addicted to the seamless ease of the current transaction system, so adding much to that would be problematic.
It doesn’t need to go as far as biometrics - it could be just a smart card that never leaves your possession, and the vendor doesn’t get the full key.
Part of the problem we just had here in Canada was the theft of hundreds of thousands of credit card transaction records from a parent company’s database. They should have no reason to store that info in the first place, but we should have no reason to give them (or anyone who gains access to their database) carte blanche to process further transactions.
It would make a lot of sense for them to use something like PGP or a hash even (simple) instead of the credit card number, etc, and then perhaps a bit of salt from your personal information to create the hash for your card… That could be securely stored without any additional information. I do think though they’ll get on it once they realize how much more money they could pocket when they introduce better security.
The only reason they have the level of security they have now is to protect the credit card racket. If people don’t have at least nominal trust in the system, they’ll stop using credit. Then the whole house of cards crumbles.
So… their question is, “what’s the least we can do in order to keep this game running?” rather than “what’s the right thing to do to protect customers, vendors, and ourselves?”
Currently, it’s cheaper to hire a few bodies to monitor the transaction stream. If that stream became threatened, they might step up the security a bit.
It wouldn’t take much. Interac also requires a PIN. Credit cards do not. Even that simple 4 or 6 digit string would stop the majority of fraud.
.
open source currency! no more theft.
um, forget it. bad idea.
.
d - the other solution is to just make everything REALLY crappy. no more theft.
also a bad idea
D’Arcy –
Nothing but empathy from me… first the frustration of the theft, then the continuing uncertainty over charges still in the pipeline, then the nuisance of cancelling the account and replacing it.
I had a similar experience, though the thieves were stupider: after stealing my Visa number, they ordered a laptop computer — from a site that shipped to the mailing address associated with the card.
I spent three weeks thinking that someone near and dear had splurged on a computer for my birthday (which fell the week after the computer arrived)… until the credit card statement arrived, with charges not only for the laptop but for subscriptions to three or four porn websites.
My credit union was extremely helpful in getting the charges taken off. Of course, I did have to return the laptop.
I keep a close eye on my cards with my online banking and an eye on my credit report through my Identity Theft Shield.
If someone is using my card number or looking at or changing my credit report I know about it right away.
http://www.computerworld.com/blogs/node/5026
Seems like the companies pass the buck onto the merchants. No wonder the mechanisms suck!