The Chicago Tribune is reporting a story titled “Barnes & Noble warns of credit card, debit theft at 63 of its bookstore” which is once again raising the spectre of card reader tampering and how banks and consumers can protect themselves against skimming attacks. The basic gist of the story is that some very sophisticated criminals, likely an organized crime ring, managed to bug 63 different card readers at different Barnes and Noble locations which were logging credit card information and PIN numbers.
The article is sketchy on details in terms of how the readers were bugged or how long it took for them to be detected. But I figure that because it was basically one card reader in 63 different stores, the tampering more likely happened at the manufacturer or distributor of the readers. But that’s pure speculation on my part.
I am not at all an expert on the payment card industry in the United States, but my understanding is that for credit cards, the cardholder, by law, is not responsible for payment card fraud such as unauthorized transactions except for a relatively minor $50. The banks bear the financial losses related to payment card fraud. As a result, worrying about things like tampered card readers becomes their responsibility. The situation with debit cards in the United States is murkier. My understanding is that debit card policy is not dictated by law, but that most banks have nonetheless adopted the same policy of only holding cardholders responsible for the first $50 of fraud. They do this in order to make debit cards competitive and make them seem just like credit cards.
So as a consumer, a cardholder as they say, stories like the Barnes and Noble payment card fraud skimming attack shouldn’t interest me. But they do. They are fascinating to me in part because they make you realize, in a concrete and easily understandable way, how fragile parts of the system are.
Now, from a risk management perspective, I’m sure that the financial institutions have calculated the risk and likely losses from payment card fraud at retail stores and have baked that into their business plans. Yes, they are going to invest in anti-fraud measures of various sorts to minimize, mitigate, and detect fraudulent credit and debit card transactions. But almost by definition, they aren’t going to over-invest in those things either. Barnes and Noble doesn’t warrant or want Fort Knox levels of security on their financial transactions.
That means that some payment card fraud is going to happen. And even though we the cardholders aren’t financially liable for the fraudulent transactions, we nonetheless pay a huge price for payment card fraud through the hassle and inconvenience of dealing with it. As noted in the article cited above, financial institutions strongly encourage people to monitor the transactions in their accounts to look for unauthorized transactions and other indicators of payment card fraud.
That’s good advice. I know my wife downloads our recent transactions every few days and reviews them for signs of payment card fraud.
Controlling Payment Card Fraud with Checking Account DMZs
The problem is that these are after-the-fact detections. If someone skims my debit card number and PIN from a machine at Barnes and Noble and then wipes out my entire checking account, I’m in deep trouble. Yes, I can report it, and yes, I can eventually get the transaction reversed and get my money back. But that can take days, and if I don’t detect it soon enough, I could start bouncing checks all over town, each creating its own headache to deal with. So even though I’m not financially responsible for the unauthorized transaction, I am responsible for cleaning up the mess.
This led me to thinking about the controls I have at my disposal to limit debit card fraud, and that led me to draw an analogy to multi-zone IT architectures and the DMZ concept used to limit the exposure of IT infrastructure to the public internet. Can I create a DMZ to protect myself against payment card fraud? Maybe. It would take work, but I think I could.
The way I would want to set it up is to open a completely separate checking account, seed it with some cash, and get a debit card for that account. In essence, the only thing the account is used for is to pay for debit card purchases. All other checking account related activity would continue to be done through my “primary” checking account.
How much money needs to be put into the debit card checking account? I’d have to look at my past history of debit card transactions to get a sense of what I’d need to have in there on a month to month basis to cover the transactions. And at the same time, I’d want to keep that amount as low as possible: the balance at any given time is my potential exposure to fraud. Banks typically put a maximum daily transaction limit on debit card transactions, but those could still wipe me out if the payment card fraud goes undetected for several days.
The debit card account becomes my first line of defense against payment card fraud. It lets me control what my overall financial inconvenience is. For example, if I keep $1500 in it to cover debit card charges, that’s the most that can potentially be wiped out of my account. If I were the victim of a payment card fraud attack, I might temporarily lose that amount while I deal with the bank to reverse the unauthorized transactions. But meanwhile, my “primary” checking account is protected and I don’t bounce any transactions, because my primary account balance has not been affected.
Like IT DMZs though, the key is the firewall between the DMZ and the rest of the private network. If there are no rules restricting traffic between the DMZ and the private network, the DMZ doesn’t offer any protection. In the checking account scenario, we would want some “firewall rules” to protect my primary checking account from my debit card checking account. What do those rules need to be? It seems to me that the main rule that needs to be in place is that under no circumstances can a transfer of money between the two accounts be initiated from the debit card checking account. Any transfer of money would have to be initiated from the primary checking account. That way, even if the attacker gained complete control of the debit card checking account, the payment card fraud exposure is still limited to the balance in the debit card account.
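To make the sizing and firewall-rule arguments of the last three paragraphs concrete, here is a small model of the two-account scheme. It is an added example, not code from the original post: the spending history and limits are constructed sample values, and the account names and the skim-drain behaviour are assumptions used to show where the loss is capped.

```python
from dataclasses import dataclass

# Constructed sample: past monthly debit card spend, used to size the DMZ float (not real data).
MONTHLY_DEBIT_SPEND = [1180.0, 1420.0, 1310.0, 1495.0]


def size_dmz_float(monthly_spend, headroom=1.1):
    """Seed the DMZ account with the worst past month plus a little headroom.
    Anything beyond that is pure exposure with no benefit."""
    return round(max(monthly_spend) * headroom, 2)


class FirewallViolation(Exception):
    """Raised when a transfer is initiated from the DMZ side of the 'firewall'."""


@dataclass
class Ledger:
    primary: float      # the protected checking account
    dmz: float          # the debit card account
    daily_limit: float  # bank's per-day debit card cap on the DMZ account

    def transfer_to_dmz(self, amount, initiated_from):
        """Firewall rule: only the primary account may initiate a transfer.
        Returns the amount actually moved."""
        if initiated_from != "primary":
            raise FirewallViolation("transfers cannot be initiated from the DMZ account")
        amount = min(amount, self.primary)
        self.primary -= amount
        self.dmz += amount
        return amount

    def skim_drain(self, days_undetected):
        """Model an attacker holding the skimmed card data who spends up to the
        daily limit every day until the fraud is noticed. Returns the total taken."""
        stolen = 0.0
        for _ in range(days_undetected):
            take = min(self.daily_limit, self.dmz)
            self.dmz -= take
            stolen += take
        return stolen


def max_exposure(dmz_balance, daily_limit, days_undetected):
    """Worst-case loss before detection: bounded by the float AND by the daily limit."""
    return min(dmz_balance, daily_limit * days_undetected)
```

With a $1500 float and a $500 daily limit, two undetected days cost at most $1000 and any longer outage at most the float; the primary balance never moves unless the transfer is initiated from the primary side.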
Protecting credit cards would have to follow a similar strategy. The main difference would be that I, as the payment cardholder, should be able to set lower limits on my cards to reflect the amount of risk and inconvenience I’m willing to tolerate. I know everyone with a credit card likes to have as high a credit limit as possible to contribute to their good credit rating, but if a credit card holder could set daily and monthly spending limits on their account, it would limit the potential payment card fraud on the account. And like the checking account scenario, a key part of the scheme is to set up “firewall rules” for the credit card account such that money transfers cannot be initiated from the credit card account. They can only be initiated from the accounts used to pay the balance.
In the United States we don’t yet have EMV / “chip and PIN” credit cards to use for strong authentication of transactions. In fact, the trend seems to be toward less authentication at the low end of transaction amounts; many places don’t even require signatures for small transactions. But any payment card fraud that I experience has a relatively large cost in terms of the inconvenience of reporting the fraud and getting it reversed. So even though I’m not financially responsible for most of the payment card fraud I might be a victim of, I still have a big incentive to protect myself through a payment card DMZ and by using stronger transaction authentication whenever possible.