The Apple store in my neighborhood is one of the favorite destinations for people who steal credit cards.
Here is how it works:
- The thief sits at Starbucks or Peet’s Coffee right across the street from the store and steals a card from a nearby table while patrons are busy getting a refill or going to the restroom.
- The thief then rushes across the street to the Apple store and buys something for several hundred or several thousand dollars with the stolen credit card.
- By the time the victim realizes his/her card is missing, it is too late: the transaction took place within minutes of the card’s disappearance.
This is possible because the Apple store does not bother verifying card ownership systematically, even for large transactions. I am not sure if employees just do not follow instructions, or if the store has a lax policy.
In my own business of running prepaid card payments, we are also witnessing increasing amounts of fraud taking place at online venues that would be expected to be exemplary and the most technology-savvy. The recent slew of offenders includes Coinbase, Swipe and PayPal.
It seems that the darlings of the tech world are cutting some corners to get more transactions through the door, at the expense of fighting fraud.
This is arguably a small problem compared to the kind of security breaches that took place at Target. End-to-end encryption (a.k.a. “tokenization”) will prevent further heists from card databases at large merchants, but will not prevent fraud from unverified card transactions.
Might it be a good time to revive efforts around the 3D Secure protocol? Or to use “big data” to complement user verification in online stores? Or to use smartphones as a second authentication factor?