Today's Opinions, Tomorrow's Reality
Partners in Crime
By David G. Young
Washington, DC, June 21, 2005 --
The reported theft of 40 million credit card numbers by hackers who breeched a computer system in Tucson1 has American consumers in a near panic over identity theft and credit card fraud. This was just one of many high-profile security breeches in recent months. Earlier in June, Citigroup announced that tapes containing nearly 4 million account records had been lost in shipment2, and a security breach at Lexis/Nexis in March led to the loss of 310,000 account records.3
The ensuing fallout has politicians and privacy rights advocates screaming for more regulation of the exchange of personal information. They note that when a crook collects enough information about a victim -- a social security number, mother's maiden name, date of birth, etc. -- he can successfully open new credit accounts in the victim's name, running up bills and ruining the victim's credit rating. It is precisely because of the power of such data that they want to tighten regulation about their exchange.
The always noisy Senator Charles Schumer submitted an anti-identity theft bill in April that would severely restrict the way data brokers could exchange information used in consumer credit files.4 Sale of Social Security numbers would be banned, background checks would be required for people viewing consumer data files, and all data brokers would have to register with the Federal Trade Commission.
But these proposed measures won't stop the crooks. It is pointless to attempt to stop transfers of data when technology is making it trivial. A single iPod portable music player has enough storage space for a database with the name and social security number of every single person in the United States. Now that most American Internet users have high-speed access, such databases can be sent across the country by novice users in a matter of hours or even minutes.
Restrictions of data sharing completely miss the fundamental problem. The only reason anybody cares about the secrecy of a Social Security number is because it can be used as a key to open a new account. Why is this true? It's true because the credit card industry is completely out of control.
In an effort to sign up as many customers as possible, they've made it incredibly easy to get new card. Consumers can apply for pre-approved offers arriving by mail. They can apply online. They can even apply for credit accounts while riding on an airplane!
In general this is a good thing. But the rush to attract customers has led the industry to forgo authentication of the applicant. Providing your full name, social security number, date and place of birth may serve to identify an individual, but it does nothing to confirm that the person providing the information has that identity. Traditionally, this step of authentication was handled by requiring (and actually verifying) a signature, checking a photo ID, or in smaller communities by looking the person in the eye and recognizing his face.
How do America's credit card companies handle this critical step? They don't. Because it would complicate and slow the process of obtaining new business, they've decided to skip it. This is so irresponsible that it is shocking that it never gets discussed.
Normally, issuing credit without authorization would be disastrous for a creditor. But the credit card companies have solved this problem by passing the risk off to the merchant. When a cardholder denies authorizing a transaction, MasterCard, Visa and American Express issue what's called a chargeback. This takes the money back out of the merchant account without exposing the credit card company or the issuing back to any losses.
Not only does this insulate the credit card industry from loss, but it actually lets them profit from fraud, since they charge merchants additional fees for each chargeback. This revenue stream is undoubtedly responsible for the industry's lackluster effort to authenticate customers. The advent of Internet sales and automated point-of-sale transactions has meant that fewer credit card transactions have included signatures. The industry's idiotic solution to this problem was to add a three-digit security code to the back of cards -- a system that is completely unable to protect against physically stolen cards or cards obtained through identity theft.
This glaring problem -- the industry's total failure to require authentication of cardholders -- that puts both consumers and merchants at risk. Credit card companies are not victims of identity fraud -- they are partners in it. Since it is the proper role of the government to enforce contract disputes, there is undoubtedly a useful role for it to play. New legislation should be passed forbidding the government from enforcing unauthenticated financial transactions.
The specific means of authentication -- old-fashioned signature verification, fingerprint capture, retina scan, DNA sampling, etc. -- are countless and should be left to private industry, scientific opinion, and the determination of the courts. (And no, asking for a mother's maiden name does not amount to authentication.)
Should the industry move away from unauthenticated transactions, the benefits could be enormous. After a short legal phase-in period, low-cost biometric scanners may begin to appear beside the mouse pads of Internet shoppers and online credit card applicants -- much like the fingerprint scanners currently used to authorize "Pay by Touch" transactions at North Carolina Piggly Wiggly stores.5
Credit card fraud from identity theft and old-fashioned card stealing would be reduced immensely. And as a side benefit, politicians like Schumer would be denied an excuse to expand the scope of government with destructive and useless data exchange regulations.
1. Washington Post, 40 Million Credit Card Numbers Hacked, June 18, 2005
2. San Antonio Express-News, Cover Story: More Vital Information About You Goes Missing Than You Might Think, June 18, 2005
3. Associated Press, LexisNexis Theft Much Worse Than Thought, April 12, 2005
4. Schumer, Charles, Press Release: Schumer Introduces Comprehensive ID Theft Bill Today, April 12, 2005
5. Washington Times, Retailers Testing Biometric Payments, June 10, 2005