More Banking System Incompetence

Payment processor Global Payments has been hacked and data about 1.5 million credit cards has apparently been released, including the “Track 1 and Track 2” data needed to re-create the magnetic stripe on a credit card. The goal of the hack was probably to get enough information to clone those cards so they can be used for fraudulent transactions.

Visa has dropped Global Payments from its registry of providers who meet security standards, which means nothing since Global Payments will still be processing Visa transactions. Since the credit card companies have to eat fraudulent transactions, this will be a lot of hassle for them and for affected card users, but hopefully nobody but the banks will pay directly for fraud (though we’ll all pay indirectly, of course).

I wonder if the media freakout will mention a couple of facts about the payment system. First, we’re way behind Europe in the use of smartcards, which are much harder to clone than the 60’s-era mag stripes on US cards. Second, the use of your cell phone as a means for payment has been working for almost a year in the form of Google Wallet, but that hasn’t been rolled out officially anywhere but on the Sprint network, because the rest of the cell carriers have grouped together to create their own standard to allow them to take a cut of transactions made using your cell phone.

I have Google Wallet on my non-Sprint Galaxy Nexus (officially unsupported and installed via a work-around) and it’s fun because the sales clerks treat me like Dumbledore every time I use it. Besides that, it has the potential to be more secure because I have to enter a PIN on my phone before any payment can be made. I’m sure everybody will have it in five years after the free market of a few huge cell providers, phone makers and banks all decide how we’ll all be charged more for the privilege of a secure payment system.

76 replies
  1. 1
    Schlemizel says:

    Yeah, I have wallet on my android phone too. As much as I trust Google it will be a while before I actually use it. The odds of having my card stolen verses just giving to to Google still seems better to me at this point.

  2. 2
    geg6 says:

    You know what is a lot cheaper, more secure against hackers, and impresses store clerks?

    Cash.

  3. 3
    jo6pac says:

    @geg6: Thanks :))))))

  4. 4
    Belafon (formerly anonevent) says:

    With Google already having released it, and Sprint using it, it’ll actually be kind of hard for the other companies to try to get any money out of it. If I were a company that will be taking these transactions, I would make sure to make it obvious why there is an extra fee if the user is not on Google.

  5. 5
    Villago Delenda Est says:

    Oh, the other cell phone providers won’t go along with a standard that doesn’t involve them taking a cut of each transaction?

    Time to start putting telco execs into tumbrels.

    The Ferengi in this society MUST be exterminated.

  6. 6
    mistermix says:

    @Schlemizel: I had a gift card lying around so I just funded my prepaid Google card from that. When that’s done, we’ll see if I trust Google.

  7. 7
    Violet says:

    @geg6:
    I especially love using cash when I am shopping at a locally-owned store. Nothing like keeping all the money in the community. The person manning the register, frequently the owner, smiles ear to ear.

  8. 8
    Interrobang says:

    In Canada, everybody uses debit, because someone was quick off the dot about 20 years ago and created a universal standard backed by an association of financial institutions, retailers, and payment companies. It’s ubiquitous, the fees (if any) generally go to your home bank, and it cuts Visa out of the picture. Our debit cards are chip-and-pin so they’re pretty safe and much more theft-proof than a credit card.

    I’m so used to essentially living in a cashless society that when I went to Israel in November, I was caught short by my need for large amounts of cash.

  9. 9
    liberal says:

    @geg6:
    I think the claim is that cash seems costless to us, but also has costs as a payment system.

  10. 10
    bootsy says:

    OT, but well, pretty relevant if we’re talking about breakdown of society, ie: Terrorism:

    Explosive device (Bomb) found at Planned Parenthood in Wisconsin

  11. 11
    PeakVT says:

    @mistermix: Have money laundering types figured out to use these new payment architectures yet?

  12. 12
    Belafon (formerly anonevent) says:

    @geg6: You mean those people who have to count change?

  13. 13
    patrick II says:

    @mistermix

    In a restaurant I normally hand the credit card to the waitress and she returns a bit later with a receipt to sign. How does that work with your phone?

  14. 14
    MikeJ says:

    @bootsy: Mitt did say he wanted to get rid of them.

  15. 15
    ET says:

    Credit cards have become ubiquitous and no one really thinks about them and the “security” that moves these transactions though the system but as thieves/hackers focus on them more and more will people stop having confidence the system? Banks need that confidence.

    I sometimes wonder if the occurrences of hacking, identity theft, etc. will undermine confidence in credit cards to the point it become a problem for card issuers.

  16. 16
    sloan says:

    When I moved back to Canada a few years ago I got one of those smart cards. Like interrobang said, everyone uses debit here for everything. Go to a restaurant and they bring a remote handheld chip reader debit thing to your table that prints a receipt on the spot.

  17. 17
    g says:

    Spent some time in London last summer, and was surprised at how backwards our American cards are. There are a lot of things Brits/Europeans can do with their cards thatcan’t be done with ours. Lots of merchants sighing in resignation as they had to process our card by hand.

  18. 18
    ThatLeftTurnInABQ says:

    Since the credit card companies have to eat fraudulent transactions

     
    This is not true. Under almost all circumstances the merchant eats it on a fraudulent transaction, not the bank or the cc processor. Seller beware is how it works in the cc industry. Which means that the cost of fraud is passed on to us the non-fraudulent consumers in the form of higher prices at the store.

  19. 19
    Roger Moore says:

    @patrick II:
    I assume the long-term solution is giving the server a little gadget they can bring with them to the table. In the long-run, that will probably be faster. They bring the gadget, which pops up the bill on your phone. You type in the tip, possibly using a built-in tip calculator, and validate the transaction with your pin. Then the server’s widget prints out your final receipt. It should be faster than having the server go back and forth with your card, and gives the restaurant one less piece of paper to worry about.

  20. 20
    mistermix says:

    @patrick II: Google Wallet only works at places that take MasterCard PayPass, which is mainly drugstores, grocery stores and convenience stores, so I don’t know. For chip & pin, the European system, I believe the server uses a portable pin pad device to get the payment, and that could work here, too.

  21. 21
    Villago Delenda Est says:

    @ET:

    I sometimes wonder if the occurrences of hacking, identity theft, etc. will undermine confidence in credit cards to the point it become a problem for card issuers.

    There are an abundance of urban legends about some guy (this was riffed on in Office Space) who figured out how to accumluate some small missable fraction of each transacton in a special account known only to him. The bank discovered this, and rather than prosecute the guy (with all the attendant publicity) they hired him as a security consultant.

    I worked for a small local telco in which the executives were basically robbing the place blind, the owners of the telco found out, talked about prosecuting the execs, but then decided not to because they didn’t want the scandal public. Bad PR, you see. So these guys didn’t pay for their crimes, other than losing their jobs and being exiled from the state.

  22. 22
    Schlemizel says:

    @ThatLeftTurnInABQ:
    I was part of a major network redesign for a major American discount retailer (if you think you might know who you are probably on target). The deal was they used satellite networks that were unreliable and lost data in rain or snow. They bought insurance that charged a premium for every cc transaction. If the card was approved (via network link to insurer) the cost was a fraction of a cent, if the card was not approved it was 5 cents. By providing a reliable network the retailer was able to more than pay for the upgrade to land line based networking in savings on insurance.

  23. 23
    mistermix says:

    @ThatLeftTurnInABQ: Hmm, one of the stories I read mentioned that the last time there was a major theft, the company from whom the card info was lifted had to pay $110 million so I thought the merchants didn’t get dinged for organized fraud like this.

  24. 24

    @g:

    When first got my ATM card in England many moons ago I was delighted to discover that I could go to the Nat West Bank Affiliated branch in Hong Kong and pull money out of my account in England. Three years later (1991) I moved here and discovered that our local North Carolina Bank ATM card would not even work outside of the State. I was gobsmacked and hated having to load up with cash before going on an out of State trip.

  25. 25
    jibeaux says:

    Simple question: why don’t credit cards just require a pin like debit cards? Would that not help a good bit?

  26. 26
    Gin & Tonic says:

    The other thing that’s widespread in Europe, at least (even in former Soviet-bloc countries) is direct transfers for individuals. In other words, you give me your bank account info, and I can transfer funds into your account from mine at essentially no cost. It is common and as far as I can tell cost-free. People there are confused when they give me their info, ask me to transfer money to them, and I say I can’t do it because my bank charges me $35 for a wire transfer. In the Eurozone everybody does it all the time.

  27. 27
    Culture of Truth says:

    it’s fun because the sales clerks treat me like Dumbledore

    Stupefying

  28. 28
    Schlemizel says:

    @Villago Delenda Est:
    The legend is based on a true story from the early days of computer banking. The bank program saw that the computer computed interest out several decimal points and then either rounded or chopped of anything less than a cent (I forget which). The programer simply altered the program to drop those fractions into an account he set up for himself. The only way he got caught was by going on vacation & the fill-in guy had some problem that caused him to dig into the program & accidentally discover the trick.

    My dad got a billing statement from a major retail outlet they had an account with in the mid-60s. It said he owed $0.00 so he ignored it. The next month he got notice he was overdue $0.00, he ignored that too. When the notice came that he had better pay up on the $0.00 or lose the card he sent them a check for $0.00. The next month’s statement was that his account was now credited in his favor for $0.00. He kept that letter on his desk for years! It was years later when I had a programing class that I figured out the folks who set up the stored computer didn’t account for what to do with a zero.

  29. 29
    Violet says:

    @Gin & Tonic:
    This is common in the UK too. It’s baffling to my English relatives that we can’t just transfer money from bank to bank over here.

  30. 30
    Roger Moore says:

    @mistermix:
    The $110 million probably wasn’t for any fraudulent transactions, but for the cost of issuing millions of new cards to replace the ones that had been hacked. I’ve had this happen to me once. I got a new card, with a different number from the old one, in the mail unexpectedly, together with a letter explaining that the old one was part of a data breach and couldn’t be trusted anymore. It was much less painful than dealing with fraudulent transactions on the old card would have been.

  31. 31
    Culture of Truth says:

    @mistermix: Heartland was sued by all the credit card companies, banks and consumers. I believe they settled the claims by the card companies for around $100 million, but only after extensive litigation.

  32. 32
    ThatLeftTurnInABQ says:

    @mistermix:

    the merchants didn’t get dinged for organized fraud like this

     
    Yes, that is the exception to the rule. The problem from the merchant’s point of view is how do you even know that a given chargeback was due to a systematic data loss like this, much less prove it to the satisfaction of VISA, et. al. during the chargeback appeals process. A large merchant might be able to do that using trend analysis but few medium-sized or small businesses have the internal resources to pull that off, and typically end up eating the loss instead (I say this on the basis of having 20 years of experience working in this industry segment on precisely this issue).
     
    Unfortunately the deck is stacked against the merchant in the cc chargeback (this is the term for a merchant being refused the money due on a previously approved charge) claims process. For example depending on the laws in the applicable juristiction, in almost all cases the bank or cc processor are legally required to notify the card holders that their data has been compromised, but they are not under legal obligation to inform the merchants who have recently been given approval codes against those same card#s. So the merchant has to play a game of Go-Fish when contesting the chargeback, not knowing if the card in question was one of those which was compromised or not. As a result the percentage of succsessful chargeback appeals (i.e. outcomes in which the merchant is granted the money due) is very low.
     
    I’m hoping that at some point there might be a nasty class-action lawsuit to tip the scales, but for now this is the landscape we have, at least here in the US.

  33. 33

    What do you get when local law enforcement starts tracking your cell phone without a warrant? Why a lovely new profit center for AT&T and Verizon, of course!

    It’s your modern surveillance state, now for fun and profit! Can’t imagine WHY the Tea Party isn’t rallying about this … oh wait. Never mind.

  34. 34
    Mnemosyne says:

    @Roger Moore:

    I’ve probably had my card replaced by my bank about half a dozen times in the 15 years or so that I’ve been with them. Which may also be the reason I’ve never had an identity theft problem — any time there’s an incident where some of their customers’ cards could potentially have been compromised, they automatically replace everyone’s card.

    This is why I stick with my regional bank (Union Bank of California, if anyone cares — no relation to the bank in Switzerland, my bank is Japanese.)

    ETA: The other reason I stick with my bank is that if I make a deposit and have charges/debits on the same day, they process the deposit first and then process the charges/debits after the deposit, unlike those dishonest fucking weasels at Bank of fucking America.

  35. 35
    jibeaux says:

    @Schlemizel: Also, as they note in Office Space, it is the plot of Superman 3.

  36. 36
    KSH says:

    You are 10 times as awesome as you already were because you have a GNex. I need to get Goggle Wallet on mine…

  37. 37
    mistermix says:

    @ThatLeftTurnInABQ: The card associations are so very ripe for breakup on anti-trust grounds but it’s not happening.

  38. 38
    mistermix says:

    @KSH:

    You are 10 times as awesome as you already were because you have a GNex.

    I hope you are joking about this.

  39. 39
    KG says:

    @mistermix: yeah, but you know: FREE MARKET BITCHES!!!

  40. 40
    Culture of Truth says:

    NY Times:
    “Amy Corn, a spokeswoman for Global Payments, said the company expected to be reinstated, but she did not indicate how long that would take.”

    “We continue to process transactions for our merchants and customers with the same efficiency and care that they have come to expect,” she said.

  41. 41
    geg6 says:

    @liberal:

    Whatever the cost is, it’s not going to be the cost of some scum of the earth hacking my bank account.

  42. 42
    Judas Escargot, Your Postmodern Neighbor says:

    @Violet:

    The person manning the register, frequently the owner, smiles ear to ear

    …presumably as s/he thinks of the taxes she won’t have to claim (or fees to pay) on this particular transaction.

  43. 43
    geg6 says:

    @Mnemosyne:

    THIS.

    I would never use a large bank for anything, ever. I like my relatively small, regional bank for everyday things and my credit union for saving. I also like carrying cash. I’ll never use my ATM card at national stores like Walmart, Target, Macy’s, etc. ever again, having been the victim of fraud because TJMaxx got hacked. I use it at the grocery store and their gas stations and that’s pretty much it. If I’m buying anywhere else, they get cash or they get nothing.

  44. 44
    Some Loser says:

    Every time discussion like these comes up; we hear all the neat things Europe and Canada has. It makes America feel like a decade late about everything. Like the rest of the world is passing us by, asking why we haven’t solved some of this shit half a century ago.

  45. 45
    Clime Acts says:

    I’m sure everybody will have it in five years after the free market of a few huge cell providers, phone makers and banks all decide how we’ll all be charged more for the privilege of a secure payment system.

    Oh, you don’t have to worry about this happening, MM. President Obama and all of our other good, progressive Democratic elected officials will surely prevent such skullduggery, as they are not in the least beholden to the financial sector.

    Have a nice day.

  46. 46
    Clime Acts says:

    I’m sure everybody will have it in five years after the free market of a few huge cell providers, phone makers and banks all decide how we’ll all be charged more for the privilege of a secure payment system.

    You won’t have to worry about this happening, because the president and our other good, progressive, elected Dems will surely prevent it.

    What?

  47. 47
    ThatLeftTurnInABQ says:

    @Some Loser:

    Every time discussion like these comes up; we hear all the neat things Europe and Canada has. It makes America feel like a decade late about everything.

     
    Look on the bright side: we lead the world in MSM advertising for boner pills. Tells you what is really important in this country, doesn’t it? Erections have consequences.

  48. 48
    Roger Moore says:

    @Mnemosyne:
    My bank is actually one of the big ones, so I doubt this is a significant difference between a regional bank and one of the majors. They’re both doing the same calculation: it’s much cheaper to issue new cards than to deal with fraudulent transactions. Sending out new cards is largely automated and probably costs no more than a few dollars. You could eat up that cost and more by having one long, drawn out argument with a minimum wage customer support person. Besides, issuing new cards when it’s somebody else’s fault is a good PR move; it makes them look as if they take security seriously even if they don’t.

  49. 49
    Martin says:

    Mistermix is gonna hate this, but I’m pretty sure the NFC thing isn’t going to succeed in the US until Apple jumps in – and my guess is that they’re going to tell Visa and MC to shove it, use the same NFC protocols that Visa and MC are using, but back the purchase system into your Apple account.

    By doing this, you gain a few things:

    1) You can hook any payment system into the back end. Credit cards, debit cards, paypal, and so on. That includes gift cards and Apple’s allowance system – so you can open up NFC payments to kids by hooking it to their allowance and letting them swipe their iPod. The current proposals aren’t set up to handle that. And if you change your credit cards, you just change it in your account and everything else works the same.
    2) By Apple serving as an intermediary, they can feed your transaction information into your financial software – something that I don’t think the current systems are going to be able to achieve very well due to competing software and control. So if you have a Quicken for iPhone type of software, the transaction could dump straight into it (if you so choose).
    3) Apple would bundle your transactions as they do now for other purchases through their stores and only send one transaction per day through to Visa/MC. Everything is still itemized on there, but only merchant fee per day gets paid. Apple would charge a comparable merchant fee to pay for the system, and then provide some kind of incentive back to the merchant to participate. Apple would likely run this as a break-even business as they do now with music and whatnot. Apple would use their cash reserves to back the daily transactions.

    The problems with the current arrangement is that the card companies are only interested in getting their merchant fees, and they’re not going to provide any interoperability or services past that point. They don’t care if their system locks you into their card (that’s a feature) or if the transactional data flies right past the software you most want it to interact with – like your financial software. And the big 3 credit/debit card companies are going to actively discourage any other participants to this market like Paypal.

    The solution most other countries came up with is the carrier serves as this intermediary. You buy stuff, it gets billed to Verizon or ATT, and you pay that bill with your Visa/MC/check/whatever. That never caught on in the US because a) the carriers in the US are greedy motherfuckers that won’t coordinate b) everyone here had a credit card when cell phones came around, so we already had an easy way to buy stuff. In most other countries, that wasn’t the case – phones distributed faster than credit cards, so it made more sense to do that.

    The US lacked a natural intermediary between the consumer and merchant and the credit card companies. Our banks could have done it, but they suck, and it’s not really their thing anyway. Google/Apple aren’t the most natural intermediaries, but they’re both motivated to do it. I don’t think Google will have an easy time getting there, though, because they won’t force the carriers and OEMs hands to support it. Further, they don’t have a lot of account information to build off of, nor do they have much retail experience. Apple, however, has 250 million credit cards already tied to accounts, they’re one of the nations largest retailers, they have complete control of what services/software wind up in your hands if you buy an Apple product, and they are too big of a merchant themselves for Visa/MC to fight on this. If it is the direction Apple is headed, I think it’s an inevitability that they become the standard for retail purchases in the US.

  50. 50
    Dirk says:

    @Some Loser: Um, sorry to make you feel bad, but even in South Africa we have this. All the major banks offer free internet banking. My credit card has a pin and each time it is used the bank sends me an sms saying how much has been used, where it was used and how much remains in my account.

    I must say I’m kinda shocked the US is so backwards when it comes to banking.

  51. 51
    Ridge says:

    I hate to burst the techno banking bubble as seen here, but many rural places in the US, including southern WV are basically cash economies. Many middle aged and older folks don’t have bank accounts. They would not pass muster and get a credit card. As an area merchant, I am quite familiar with it.

    By 2015, all govt disability and social security checks are going to be stopped and deposited directly into bank accounts, forcing them to sign up. As they won’t have a check or money in hand, they will be on the phone the first day of each month to see if its been deposited. If so, they will be in line to withdraw all of it.

    Of course, the banks won’t provide this service out of the goodness of their hearts, so there will be a service fee. Plus, they will have billions and billions of dollars to loan out overnight in sweeps getting a nice sum for that service as well.

    Is this slowly changing? Yes, but it will be years and years.

    Also don’t act surprised that banking capabilities vary in location to location. Each state has its banking laws, as well as federal. Each state is unique in needs and technical infrastructure. Hell, I can’t even get consistent cell phone service in many areas. doing whizzbang cell phone wallet stuff….yeah right.

    *But the most troubling thing about this trend are the many, many vulnerabilities smart phones/devices exhibit. To place a direct link to your credit or bank account on one of these shows a supreme faith in their security.*

  52. 52
    Some Loser says:

    @Dirk:

    I must say I’m kinda shocked the US is so backwards when it comes to banking.

    I get the feeling America is backwards when it comes to anything that deals with Big Money.

  53. 53
    elm says:

    They shouldn’t retain track data at all after an authorization is complete. For the short duration that they are allowed to store data, it is supposed to be encrypted.

    The first commandment of PCI-DSS compliance is Thou shall not store track data. There should be no doubt or question that this data was not disclosed (certainly not in such quantities).

  54. 54
    Martin says:

    @Ridge:

    But the most troubling thing about this trend are the many, many vulnerabilities smart phones/devices exhibit. To place a direct link to your credit or bank account on one of these shows a supreme faith in their security.

    Um, more vulnerable than having every element of an existing card being human readable? Or that with off-the-shelf parts you can easily make a barcode skimmer?

    The advantage of the smartphone systems, while far from perfect, I agree, is that a properly designed one will require you to approve every payment on the screen of your phone – a device which you control, vs not doing it at all. Or had you not noticed that merchants can process credit card transactions without requiring your signature or even an “I agree” indication.

    With the NFC ones, that wouldn’t be possible. Each transaction is two-stage – the merchant sends the transaction request, the confirmation comes to your phone, and you confirm it on your device. That’s actually quite a large step up from the current system.

  55. 55
    Brachiator says:

    @mistermix:

    I have Google Wallet on my non-Sprint Galaxy Nexus (officially unsupported and installed via a work-around) and it’s fun because the sales clerks treat me like Dumbledore every time I use it. Besides that, it has the potential to be more secure because I have to enter a PIN on my phone before any payment can be made.

    Did you miss all the stories about google wallet being hacked?

    Google Wallet Hacked Again
    __
    That’s twice in two days. Yesterday, security firm Zvelo discovered a potential exploit against rooted phones. Today, tech blog TheSmartphoneChamp discovered how to accomplish the same feat on non-rooted phones.
    __
    While yesterday’s exploit required you to crack encrypted files, today’s requires you to simply clear the data in the app settings. Doing so forces Google Wallet to reset itself and prompt the user for a new PIN. Once that’s done, the attacker ties in a Google PrePaid card to the account and presto—all previously available funds are once again accessible. The method has been tested by multiple sources and confirmed by Google itself.

    Nobody has any super strong forever tech mojo that will prevent security breaches.

    This is one of the reasons why google pays hackers to find exploits. The best companies can ever do is to react as quickly as possible and improve their systems.

  56. 56
    BrianM says:

    Spending all my time in Europe telling people “no chip” when they presented the terminal for my PIN certainly added to my sense of being a provincial rube.

    Almost as much fun as the time (maybe five years ago) when I said I wanted to be paid by check, which made them look at me as if I’d just asked to be paid with a pig’s carcass, four arrowheads, and a flagon of mead.

  57. 57
    Robert Sneddon says:

    Japan is an interesting mix of up-to-the-minute and behind-the-times. The Suica and Pasmo non-contact swipecards are used by most commuters to pay for train journeys, just swipe them over a reader at the turnstiles on your way in and out of the station and the fare is debited automatically. In addition many city shops like the konbinis (convenience stores) have readers that allow you to pay for small items using the same card in the same way — just swipe your card, even if it’s still inside your wallet over the reader at the till and that’s it done and dusted. Topups are easy too, just feed coins or notes into a till at a railway station, a bank or an ATM and load up the card.

    On the other hand a lot of businesses including quite a few hotels and such don’t accept credit cards although things have improved on that score over the past few years. The other side of this preference for cash is that sales staff at a konbini don’t blink when you proffer a 10,000 yen note (worth about $120 US) to pay for a purchase costing a few hundred yen.

  58. 58
    ThatLeftTurnInABQ says:

    @elm:

    They shouldn’t retain track data at all after an authorization is complete.

     
    Since this is a processor we are talking about, they would have to store the track data for any open transactions. That includes anything in a batch which hadn’t been setttled yet (most merchants settle at the end of the business day so this could be up to 24 hours worth of data) as well as any pre-authorized transactions which had not yet been captured, and the latter can stay open for as long as 2 weeks. That sounds to me like enough to account for the 1.5 million cards that were compromised. Obviously they fucked up on the encryption.

  59. 59
    mistermix says:

    @Brachiator: I agree that every payment scheme is a hacking target. But that exploit is for a single phone that has been stolen. If somebody leaked 1.5 million Google Wallet numbers, it wouldn’t be possible to make 1.5 million Google Wallets. In the case linked here, 1.5 million cards could be created. That’s the theory behind any chip and PIN scheme, of which Wallet is an example (there’s a “security device” in the phone and the user enters a PIN to unlock it).

  60. 60
    ReflectedSky says:

    I work in the financial world. Cash costs quite a bit to the banking system. They are heavily incentivized to avoid both cash and checks. Unfortunately, because of their capture of the federal government, their way of moving to electronic activity for all is to make merchants pay at the transaction point and the consumer pay at every possible other point. I always find it hilarious when a bank or card company wants to charge me money to go paperless, as it saves them a ton a money. So does all electronic activity — payments, deposits, whatever. Using an ATM saves them an enormous amount of money, yet they managed to establish a system where it’s a revenue stream for them. Anything they’re marketing as a convenience for you is a thousand times more convenient and inexpensive for them.

    I used to work with a non-profit devoted to getting robust financial access for people without having to get a bank account. It should be the case that those government payment cards will have fully functional, account-like wallets. It’s possible the non-profit world got bought off by the banks after the downturn; that’s when I left, and there were hints that was happening.

    I thought Google wallet was porous, so I have avoided dealing with it. Any links demonstrating that I’m wrong? I’m interested, if so. Also, I really do not want to see targeted ads based on what I buy IRL. Does that happen?

  61. 61
    Ridge says:

    @Martin:

    “a properly designed one”

    Good luck. Hell they can’t keep thieves out of mainframe credit card databases.

    When you just have Mom’s phone number, kid’s photos, and how many widgets Joe’s Machine shop ordered on the phone… the attraction is limited; but, when they become an adjunct to your wallet, trojans, rootkits, and keyloggers will be rampant. Lovingly embedded in that latest neat app you jail broke into your Android or iPhone. Maybe that QR code you scanned in led to a compromised web site that pushed a zero day hack onto your system.

    They are out there now.

    While there are skimmers, its much harder to do any of the other on the customer/merchant level with the stripe cards.

    As for NFS, that again is problematic. A secure channel is necessary using DH or ECC key exchange or that guy with the briefcase beside you looking at the watches will scoop up the transaction. Will it be properly implemented to a recognized standard at each store station or will they short cut it like they did with the various early attempts at WLAN security with their own brew of crypto security?

    There is limited account owner liability for fraud, but the money is still gone.

    Right now, I see NFS like everyone leaving $30-50.00 on their car seat, in the open, in a mall parking lot. The doors are locked but the window is cracked a few inches. Most wouldn’t take the trouble to try and squeeze their arm in and grab the money. But some may rig a mechanical arm to go through and snatch it. going from car to car, unseen.

    And that’s just passive reception. What about trying an active man in the middle attack? Are we going to start loading x509s into the phones? Are they in the current browser stores now? Hmmmmm. Lots of potential trouble there. Activate a separate transaction at the same time as the store’s with a more powerful transmitter? etc…..

    All of this takes time and preparation. But the pay off could be in the thousands. Each day.

  62. 62
    pseudonymous in nc says:

    I just had to cancel a debit card last week because of some dubious transactions: now wondering if it’s part of that breach.

    A local credit union offers chip+PIN cards, which is useful for foreign travel, but not so much in the US where the tech to read them is rare. Chip+PIN isn’t a perfect solution, but it’s a better one, and I’m nudging my SO into switching.

    The US banking/payment system feels like it’s 20 years behind the rest of the developed world. That’s not necessarily all bad — the US has many regional/local banks and CUs while Canada and Euroland is much more consolidated — but it’s possible to sustain that while getting beyond the crappy payment and clearing systems.

  63. 63
    ericblair says:

    @ThatLeftTurnInABQ:

    That includes anything in a batch which hadn’t been setttled yet (most merchants settle at the end of the business day so this could be up to 24 hours worth of data) as well as any pre-authorized transactions which had not yet been captured, and the latter can stay open for as long as 2 weeks.

    Is there a reason processors still do batch transactions, besides obsolete back end systems? Or do they design the systems not to be able to handle real-time processing loads? You’d think the data-at-rest and data staleness problems with batch processing would be enough encourage them to upgrade.

  64. 64
    Roger Moore says:

    @Martin:

    Um, more vulnerable than having every element of an existing card being human readable? Or that with off-the-shelf parts you can easily make a barcode skimmer?

    Potentially, yes. Reading the information off a card lets you get information about one card. Installing a code skimmer lets you read tens or hundreds of cards a day. Finding a vulnerability in a smartphone credit application would potentially allow you to compromise millions of cards in one fell swoop. The potential rewards are big enough that it would provide an enormous target to the kind of organized criminals capable of taking advantage of that kind of thing.

  65. 65
    Brachiator says:

    @mistermix:

    I agree that every payment scheme is a hacking target. But that exploit is for a single phone that has been stolen. If somebody leaked 1.5 million Google Wallet numbers, it wouldn’t be possible to make 1.5 million Google Wallets.

    The larger point, though, is that google Wallets, and any system that supports it, will become another point to be attacked. I don’t see any point in trying to contrast “banking system incompetence” with potential google or general techie superiority.

    As an aside, since the google wallet depended on a prepaid card, it’s not clear that fraud prevention rules that apply to credit cards would apply to a stolen or hacked google wallet.

  66. 66
    Roger Moore says:

    @pseudonymous in nc:

    The US banking/payment system feels like it’s 20 years behind the rest of the developed world.

    A big part of that is that we’re playing leapfrog. We haven’t adopted the latest greatest because our system is good enough and too expensive to replace for the level of benefits the newer technology would give us. Maybe the next generation technology will be a big enough step forward to make it worthwhile.

  67. 67
    Ruckus says:

    @jibeaux:
    In most of the rest of the world they do. But here we pay higher charges for a signature rather than a pin.
    It’s all about the money.
    It’s the same reason when your card is swiped the money comes out of your card within seconds. It takes 2-5 days to get into the merchants account. Where is it in between? All the players make money on the float time, that’s where. So as well as set fees and percent charges they get to use your money for a small period of time. That’s for every transaction, every where, every day, every night. It is a lucrative business. And it is all mostly hidden from view if not from your wallet.

  68. 68
    Ruckus says:

    @geg6:
    I used to be asked occasionally if I accepted cash. My reply was “Cash is always an acceptable form of payment”
    The major problems were having to go to the bank with cash and having to keep proper change in the cash drawer. I figured I could live with that.

  69. 69
    Martin says:

    @Ridge:

    but, when they become an adjunct to your wallet, trojans, rootkits, and keyloggers will be rampant. Lovingly embedded in that latest neat app you jail broke into your Android or iPhone.

    And Apple will likely disable the system on jailbroken devices, as they have done in the past. But if you want to know one of the benefits of Apple serving as a gatekeeper for all apps that can reach low-level data, you’re looking at it. How many trojans, rootkits, and keyloggers are there for un-jailbroken iOS devices? None? It’s a hell of a big target – a third of a billion devices. 250 million credit cards, all just one-click away. All of those address books and emails. Surely it’s a big enough target that we should have seen at least one successful penetration, if motivation was all that was driving this. I think Apple has slightly more credit card data than Mastercard does.

    And how many security violations has Apple suffered on those App Store accounts? They’re in California, so by state law they must report them. So far, none, so even on the mainframe side they’ve been secure. And they have no subcontracted services (which everyone keeps complaining about) to defer security to. They run their own data centers, run their own services.

    I’m not saying that online security hasn’t overall been porous, but Apple’s the 3rd largest online retailer after Amazon and Staples. They’re one of the largest mobile device makers – and they hook their commerce directly to the mobile devices. Maybe the problem isn’t online commerce security so much as who is doing the online commerce security?

  70. 70
    Ruckus says:

    @Judas Escargot, Your Postmodern Neighbor:
    Actually it’s probably because they don’t have to pay 2-4% in card fees for the transaction. For some retail business that is a pretty big part of the profit margin.

  71. 71
    Martin says:

    @ericblair: At least in the case of Apple, batch processing was key in making it possible to sell $.99 products online without losing money on each one. If you’re incurring $.18 per transaction, and you can reduce that to $.13 to open the transaction plus $.05 per appended item, and the average person buys 4 items per 24 hour period, then you’ve gone from $.52 against a $3.96 charge to $.33. Multiply that by 5 billion transactions per year and you’ve gone from an unprofitable retail system to a profitable, at no cost or inconvenience to the consumer.

    The systems can handle the volume – but in this case it’s purely a byproduct of how the system is paid for.

    The other reason for doing batch transactions is the case where you lose connectivity. The merchant can still process the transaction locally (the system still allows for this) and complete it later when they can connect to the processor. So it’ll never be removed because it’s an important fallback provision.

  72. 72
    ThatLeftTurnInABQ says:

    @ericblair:

    Is there a reason processors still do batch transactions, besides obsolete back end systems?

     
    A bit of both. Partially it is that there are still a lot of obsolete back end systems; you’d be surprised/appalled to learn how many 2400 baud modems are still out there screetching away processing cc transactions, on both ends of the phone call.
     
    Also batch processing ’tis a feature, not a bug. Most smaller merchants really aren’t equipped to do anything other than batch transaction processing in which the authorization is obtained in real time but the approved transactions aren’t settled until the end of the day. The authorization debits the credit limit on the card but the transfer of funds is not initiated until the settlement is performed. Some small merchants don’t even settle every day, which is why sometimes on your cc statement you’ll get a transaction listed as a day or two later than when you actually used the card to make a purchase.
     
    Also, you can’t void a sale if it has already been settled, so merchants with a non-trivial level of voids have a financial interest in postponing settlement, because merchants don’t pay points on voids, whereas they do pay the points both going and coming on a sale followed by a refund. The number of points paid by small businesses is a non-trivial part of their cost structure, on the high side of 2 points is not unusual, and if the merchant only has say a 10 percent profit margin that means they are giving up one-fifth of their gross profit just to credit card processing fees alone.

  73. 73
    Martin says:

    @Ruckus: Oh hell yes. Small retailers get completely fucked on merchant fees, because they can’t negotiate the super-low rates that someone like Amazon can. Amazon has even negotiated with the processors to deliver the data exactly as they want, and they get a discount for doing that. But the corner bodega can’t pull that off.

    There are other pressures at the high and low end. If you’re paying 2.5% and you sell $2000 TVs, that’s $50. That’s real money. When I buy a car, I have a credit card with a high enough limit, and I pay cash. I can pay for it any other way, but the prospect of losing $500 to merchant fees is usually enough for me to get the price reduced or mud flaps or some damn thing.

    At the low end it’s the fixed cost that gets you. There’s a fixed fee for the transaction and a % fee for approval (I think that’s the setup). At the low end, like buying a $.99 song, the % is nothing, but the fixed fee kills you. That could be 25% if you aren’t a high volume merchant. This is why businesses discourage you from buying low-value things on a credit card. In case anyone was wondering why coffee costs $1+, they’re probably spending as much money processing the debit/credit purchases as they are on the coffee itself.

  74. 74
    Rob says:

    Since the credit card companies have to eat fraudulent transactions

    No the merchant eats it.

  75. 75
    Ruckus says:

    @Martin:
    As I’ve posted here before I owned a small bicycle shop. Closed now. Between the economy and my business plan/acumen it just wasn’t working. As much as a lot of small business people say we are in business to provide service, we have to make a profit at that service to stay in business. I had a number of great customers. I needed more than that. Anyway.
    You are right about coffee or other small items. I paid a small fee per transaction and a percentage of the total transaction. Which is an issue for me. All the risk is on my end, not the bank, why should I pay a percentage? I mean I know the answer but still. It costs the bank the same to process a $2 transaction as a $20,000 one. Why the difference in cost? The sig card vs the pin card is another area. The pin card is much more secure but we are forced to use sig card. I think the only reason is that it puts all the risk of a fraudulent customer on the merchant rather than the bank.

  76. 76

    […] and payment companies. It's ubiquitous, the fees … … Read the original here: Balloon Juice » Blog Archive » More Banking System Incompetence ← Canadian Government Won't Block RIM Sale if It Comes – Mobile […]

Trackbacks & Pingbacks

  1. […] and payment companies. It's ubiquitous, the fees … … Read the original here: Balloon Juice » Blog Archive » More Banking System Incompetence ← Canadian Government Won't Block RIM Sale if It Comes – Mobile […]

Comments are closed.