
Why hasn't public key encryption or one time password been introduced to battle online card fraud?
With all the identity theft and card fraud in the world, and even though some one-time password measures have been put in place in the banking system, where the cardholder verifies the transaction with a code sent to their mobile, why isn't it widespread and used to verify all transactions online?



4 Comments


10% popularity   0 Reactions

Most often these have to do with a cost vs. benefit trade-off.

The banks would be the ones that are setting up these kinds of systems. And at the end of the day, if their IT departments aren't making an analysis of the situation at all... then nothing happens.

If they are making an analysis of the amount of transaction fraud that happens to their customers, (and they still don't have these), then my guess would be that the CIOs that have been presented with these are seeing something like "it costs our bank 0,000 per year in fraud... we could buy this system for ,000,000."

And then, when they make the budgeting decisions there just isn't enough to go around, or they have other projects with higher priorities.


10% popularity   0 Reactions

The concept you are describing is generally known as "two-factor authentication". The theory, and potential benefits, are obvious; someone wishing to use your card has to have not only the card, but access to your mobile device. I can think of several potential problems with this system in a point-of-sale situation:

Massive equipment firmware upgrade required - every CC reader in the country will have to be upgraded to support entry of the confirmation code. For some, this is as simple as a firmware upgrade to add another step in the process. Other readers, including some brand new ones, don't have the keypad needed (because CC transactions currently don't require the user to punch in any such code). This is a bigger deal than debit cards were, because debit cards were designed to be used either as ATM cards (PIN) or as credit cards (signature, if that). So, if a retailer didn't feel the need to upgrade to support the debit card process, they didn't have to; they could use the card like a credit card. Now, you're asking retailers to upgrade again for a relatively large process change.
You now need two devices to access your money - In addition to having to have your card, you have to have your mobile device in order to receive the confirmation code. First, not everyone has a mobile device, so requiring a system like this basically requires every U.S. cardholder to have and pay for a mobile device, even if this is the only thing it's ever used for. Second, even if this system is opt-in, your mobile has to be by your side, charged, and receiving a signal in order for you to pay for anything with your credit card. If you're going to go through all that, why not just switch to something contained in your phone, like Google Wallet, or an online banking app that will give you similar scannable one-time codes?
Mobile communications are not 100% reliable - Text messages are notorious for showing up several minutes or even hours after they are sent. When you think of what's necessary to get the text message from one mobile device to another, and how many texts per minute the mobile network has to support, it's mind-boggling that the system works at all. But, the technical marvel that is the U.S. cellular network is little comfort to you when the text message you need in order to close out the credit card transaction isn't showing up on your phone, and the line's getting longer and people are yelling at you to just pay and go.
Two-factor authentication is nothing new, even for credit cards - For big purchases, the ones that are most likely to be fraudulent, you have to have the credit card and your signature. For debit card transactions you have to have the card and your PIN. In both cases, the two factors are something you have (the card), and something you know (your PIN, or how to sign your name uniquely). The change you are proposing simply switches the thing you know to a second thing you have.
It's a step backward in convenience - In recent years, credit card issuers and retailers began accepting signature-less credit card transactions under a certain amount. That allows the "swipe and go" transaction which speeds up the checkout process considerably, in turn increasing the retailer's revenues during peak times. Now, you're proposing not only adding a code to the process, but having to wait for that code to be given to you before you can enter it.


10% popularity   0 Reactions

There is encryption of data that is sent across the network. The key issue is if the card is lost or skimmed, it can be misused and this is what happens quite a few times.

The one-time password authentication is much better; however, it cannot be rolled out overnight to all use cases, as it takes time for everyone in the supply chain to upgrade to a newer system. Hence it will happen over time. And even with a one-time password, there are cases where a SIM card was stolen/cloned, account hacked and one-time password entered ... or the phone number in the company's database is hacked and changed to a new number, alerts and one-time codes received on the new number ...

So in today's world it's always the fight over what is the best way to minimize fraud, and it's a battle, as always, between good and evil.


10% popularity   0 Reactions

I agree there's a cost, but one imagines that in this day and age, the cost has fallen well below the risk the banks bear.
There's Google 2 step verification which, in theory, should eliminate a high percentage of the simple fraud going on. My wife can have my card and all the details a spouse would know, but without my smart phone in her hand as well, no transaction.

If Google can offer this as a free security measure for one's web site, it would seem a partnership with the major card companies would be a natural evolution.

(On further reflection, this is a comment, as I'm surprised as well that it hasn't taken off.)

