Media around the world are reporting that credit card fraud has dropped for 2010, and in record numbers. A lot of the credit seems to be due to the introduction of chip-and-pin cards, which employ encryption, the same technology that's behind AlertBoot drive encryption software.
Credit card fraud is down in the UK (down 20% from 2009), South Africa (36%), and Australia (45%). While the use of chip-and-pin cards is not the sole reason for the drop in these rates, it seems that most agree that it contributed heavily.
Two reasons why the chip-and-pin is more secure than the traditional credit card: the card information, stored on the memory chip, is encrypted. While the cryptography is not as strong as what's used in AlertBoot encryption software, it's better than nothing -- which is what you literally have on the traditional card's magnetic stripe: nothing.
The other reason why the chip-and-pin is more secure: it requires the use of a 4-digit PIN to approve sales. Instead of using signatures, which can be forged, it requires the use of a secret PIN. No PIN, no sale -- which is a much better policy than relying on retailers to check the signature every time a sale is done (I know from personal experience that this is rarely checked).
I mean, you can always contest the charges afterwards, but why even introduce a victim into the equation at all (somebody always ends up paying, be it merchants or the credit card companies)?
This is not to say that the chip-and-pin is without criticism or controversy. For example, some claim that this is a move by the industry to shift costs of fraud to the consumers: since a generic string of numbers is used instead of a signature, it's impossible to tell whether there was fraud or not (if the PIN falls into the wrong hands).
Then there is the fact that a 4-digit PIN allows only 10,000 combinations, which one could manually run through in a couple of hours. Or the fact that a lot of the fraud committed involves "card not present" transactions, such as when ordering via the internet, the phone, or a catalog.
All true and valid. But, in an environment where there is no security whatsoever, even the less-than-ideal chip-and-pin was expected to make a dent (at least, I thought so). And it appears that, so far, everything is going according to plan.
Encryption cannot cure all data ills, but when one carefully designs a solution that uses it, and understands where the limitations are, it can be a powerful tool, be it chip encryption or laptop encryption.
But then again, this is actually true for all tools.
Related Articles and Sites:
http://www.databreaches.net/?p=15690
http://www.insideretailing.com.au/Latest/tabid/53/ID/9685/Australian-credit-card-fraud-falls-45.aspx
http://www.ibtimes.com/articles/89339/20101207/credit-card-fraud-declines-but-debit-card-scams-up.htm
http://www.eyewitnessnews.co.za/articleprog.aspx?id=54030
http://www.finextra.com/news/fullstory.aspx?newsitemid=21868