The media may be overhyping the threat of card fraud, but it is time to rethink our reliance on passwords.
Despite a recent report from the House of Lords that painted a picture of the internet as a world full of outlaws, online shopping is going from strength to strength. Precise figures are hard to come by, but it seems certain that a sizeable chunk of the national Christmas overdraft has ended up in the bank accounts of Amazon, Play and the like.
As bank robber Willy Sutton famously pointed out, criminals go where the money is, and go there often. So it should come as no surprise that online fraud is a growing problem. According to the latest figures from APACS, internet-related fraud in the UK reached £150 million in 2006, accounting for 75 per cent of all "cardholder-not-present" fraud.
All of this makes great news copy, so a good scare story about online fraud is sure to please the audience (and the advertisers). A recent story on Channel 4 News highlighted a "serious flaw" in Visa's online security. Visa now has a "Verified by Visa" scheme that associates a secret password with your Visa card details, and participating vendors require the password before completing your purchase.
Channel 4 found out that you could reset the password with nothing more than the credit card number, expiry date, card verification value, full name and date of birth of the owner. Yes, that's right, if you have someone else's credit card in your possession, apparently you can use it fraudulently. This is, of course, a new and frightening development.
Sorry, I can't keep a straight face any longer. It should be blatantly obvious to anyone that you shouldn't give your card to someone you don't trust. Channel 4 also failed to point out that MasterCard's equivalent scheme is equally "vulnerable".
And it missed the point that these schemes are primarily aimed at protecting the merchant, who generally bears the cost of cardholder-not-present fraud, rather than the cardholders, who are fairly well protected by the banking code unless they've been particularly careless.
There is a grain of truth in the story, though. The increasing use of "soft secrets" such as date of birth, mother's maiden name and first school provides little protection against a reasonably skilled crook. The recent rapid growth in the popularity of Facebook, MySpace and other social-networking sites, combined with the ease with which automated data trawling can be performed, has made life easier for the would-be fraudster.
It would be simple, you would think, to adopt a monarch-like attitude and assume a second birthday for authentication purposes. The problem with this is that, ironically, it may set off anti-fraud measures (try giving a false name, date of birth and address to a bank), and also you have the dubious joy of remembering who thinks you were born when.
The more sensible systems will let you choose your own questions, but unfortunately these are often from a predefined list (pet's name, for example, which wouldn't resist a dictionary attack in many cases). You are then left with the choice of producing bogus answers, and remembering them when necessary. As such questions are generally required only when you've forgotten your normal login credentials, this can be problematic.
For the credit-card business there is some hope in the form of hardware devices that generate a one-time password from your card and PIN. These are not perfect, as there's still the risk of man-in-the-middle attacks, but they get around many of the more basic problems. A simpler and non-technical option would be a more standardised and out-of-band verification process for delivery addresses, which would cut "physical delivery" fraud significantly.
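The one-time-password devices and the man-in-the-middle caveat mentioned above, as an added example that is not part of the column: a toy HOTP-style (RFC 4226) card-plus-PIN code generator with an issuer-side verifier. The key derivation, the counter window, the transaction field layout and the sample card number are constructed assumptions, not the real Verified by Visa or any issuer's protocol; it shows that a code which is not bound to the transaction verifies just as well when relayed onto a different purchase, whereas a transaction-bound code is rejected, and that an accepted code cannot be replayed.

```python
# Added example (not from the column): toy model of a card+PIN one-time-password
# device and the issuer's verifier. Key derivation, window size and field layout
# are constructed for illustration, not the real issuer protocol.
import hashlib
import hmac

def device_key(card_number: str, pin: str) -> bytes:
    # Constructed: a real device keeps a per-card secret in the chip; here the
    # key is derived from card number and PIN purely so the example is self-contained.
    return hashlib.sha256(f"{card_number}:{pin}".encode()).digest()

def otp(key: bytes, counter: int, bound_to: str = "") -> str:
    # HOTP-style (RFC 4226) dynamic truncation: HMAC over the counter, 31 bits, 6 digits.
    # If bound_to is non-empty, the transaction details are mixed into the MAC input.
    msg = counter.to_bytes(8, "big") + bound_to.encode()
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

class IssuerVerifier:
    """Checks a submitted code against the issuer's copy of the key and counter."""
    def __init__(self, key: bytes, window: int = 5):
        self.key, self.counter, self.window = key, 0, window

    def verify(self, submitted: str, bound_to: str = "") -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(otp(self.key, c, bound_to), submitted):
                self.counter = c + 1      # consume the counter so the code cannot be replayed
                return True
        return False

def relay_attack_succeeds(bind_transaction: bool) -> bool:
    """Cardholder authorises a 20.00 purchase; the code is forwarded by a relaying
    party attached to a 500.00 purchase. Returns True if the issuer accepts it."""
    key = device_key("4111111111111111", "1234")   # constructed sample values
    issuer = IssuerVerifier(key)
    genuine = "amount=20.00;merchant=bookshop"       # constructed transaction strings
    relayed = "amount=500.00;merchant=other"
    code = otp(key, 0, genuine if bind_transaction else "")  # what the device displays
    return issuer.verify(code, relayed if bind_transaction else "")

def replay_rejected() -> bool:
    """A code that was already accepted must not be accepted a second time."""
    key = device_key("4111111111111111", "1234")
    issuer = IssuerVerifier(key)
    code = otp(key, 0)
    return issuer.verify(code) and not issuer.verify(code)
```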
There is some good news though. Card fraud is currently running at 0.095 percent of overall card spending, less than a third of its 1991 peak. Far from perfect, but heading in the right direction. A few simple changes by the card issuers could drive this down even further.
Nick Barron is a security consultant. He can be contacted at firstname.lastname@example.org.