Credit cards trapped in archaic security era
Some years back, after finishing a meal and calling for the bill, I handed my credit card to the waiter who returned soon after with the receipt and handed it over for me to sign. I promptly autographed it and gave the receipt back to him.
The waiter glanced at it, then turned to look at my credit card before pointing out politely: "Oh, m'am, you forgot to sign the back of your card."
It was a newly issued card and I had indeed forgotten to ink the "authorized signature" slot located under the magnetic strip. I apologized, signed it, and absent-mindedly returned the card to the waiter.
Almost immediately, I realized what I'd done and laughed in embarrassment. But, just as I was about to suggest that I showed him another card as a form of authentication, I caught him comparing the signatures on the receipt and the card--both of which I had signed just seconds before, and right in front of his eyes.
I looked at him in amazement and he must have realized, too, what he just did because he sheepishly returned my card and walked away in a hurry, without asking for the payment to be reprocessed.
That is a true story, I kid you not, and unfortunately not something that could go down in history as urban legend.
So, I wasn't the least surprised when local English tabloid, The New Paper, this week revealed that in a quick test it conducted on five retail outlets, four didn't check the signatures on the bills against the credit card. None of the outlets asked why a credit card carrying an Indian name had been used to make payment by a Chinese --perhaps the retailers were trying to be politically correct in a multi-racial country.
A representative from the Consumers Association of Singapore expressed disappointment over the security lapses, noting that consumer interest was compromised due to the merchants' lack of diligence.
Equally disturbing is the unwillingness of local banks to assume liability for fraud involving transactions made before the credit card has been reported lost. So, card owners are liable for all fraudulent transactions made before they report their credit cards missing or stolen.
That's not a comforting thought, especially in a country where there are over 5 million credit cards to a population of some 4 million. More unsettling is a recent case where a local HR manager found herself liable for a S$17,100 bill that thieves had clocked after stealing her wallet, before she discovered and reported it missing.
In another case earlier this year, a local bank manager found himself saddled with a S$4,598 bill, charged to a new credit card he was expecting to receive in the mail. The replacement card was stolen en route to his mailbox by a "postal" thief, and used to make payment for a laptop.
Human error is the weakest link in security, we all know that, and IT security firms never fail to remind us of that fact. So why aren't banks and credit card companies focusing more attention on areas where there's greatest propensity for human error to take place?
The security breaches and lapses clearly demonstrate that this very popular plastic mode of payment still has much room for improvement. High on the list of loopholes is the very archaic form of authentication--the smudgy, handwritten signature.
Biometrics are now used as a secondary form of authentication in immigration, enterprise laptops and even home doors. So why not credit cards? Citibank in Singapore tried it, but terminated the service barely two years after its launch when the bank's technology partner filed for bankruptcy protection.
It's a pity because biometric technology has great potential as a reliable security measure. While it may be an expensive and complex infrastructure to support, the level of credit fraud the platform can help mitigate will justify the investment. And if a group of banks banded together to achieve economies of scale, the cost of deploying biometrics can be significantly lowered.
Also, years after chip-based smart cards were touted as one of the most effective way to combat fraud, all the credit cards currently sitting in my wallet are still based on the traditional magnetic strip. So what happened there? Is cost again the issue? I would hate to think that complacency, on the part of industry players, had played a role here.
Or perhaps they are focusing their efforts on the wrong solutions?
Credit card payment is a tripartite pact involving the consumer, merchant and bank, where each party stands to gain from the alliance. Customers benefit from the convenience of being able to make payment easily, giving merchants more sales and that in turn generate the service fees that banks earn from retailers.
It's clearly a lucrative business--why else would banks spend marketing dollars urging prospective customers to sign up for their multitude of credit cards? So, it's absolutely unfair for consumers to bear the full brunt of any fraud and assume all liability, simply because they didn't report the card missing on time.
Sure, absolving consumers from liability can give way to potential abuse, but that's exactly why credit bureaus were established in the first place. To discredit consumers who have bad credit history so banks would know to reject card applications from these customers.
It's time merchants and banks alike step up, and show some diligence in doing right by consumers. Not doing the basic requirement of checking signatures is unacceptable, and banks are choosing the easiest way out by shrugging all liability simply because their customers failed to report a lost card, whether or not they had a valid reason.
According to Javelin Research, in spite of the emergence of new-tech tools including phishing and hacking, most identity fraud still originates from low-tech methods such as lost or stolen wallets, checkbooks and credit cards.
The world's most cutting-edge high-tech security tools will mean naught if we overlook their effectiveness in deflecting the simplest of ways to commit fraud. Signatures can always be forged, some more easily than others, and yet they're the world's most common form of authentication when credit cards are used to seal a transaction.
If we can't stop the daydreamers from misplacing their wallets at least once a month, or dissuade the craftiest of pickpockets from a life of crime, then perhaps it's time to start looking at alternative forms of authentication to replace signatures.