
An article relating to this blog post on Finextra:

Police bust cyber fraud ring

An online criminal forum that was used by thousands of fraudsters to buy and sell stolen credit card and bank details has been shut down following a two year FBI-led undercover operation.


Sixteen digits are not enough

About six months ago my Bank called early on Saturday morning. They had been monitoring my credit card and had identified unusual activity. I confirmed some of the transactions weren’t mine and the card was replaced with a new one and new account number.


Naturally I was pleased that the Bank had been looking out for me but it was disconcerting that my card number had been compromised. There were other consequences too. I had to update all the online retailers who held my card number and lost access to my card history on internet banking. (Why can’t banks leave internet account access in place when a card is stolen? – it would help customers identify the fraudulent and genuine transactions).


Sadly that was not the end of the story. This week I was trying to buy a new TV online using MasterCard Secure Code. All went well but a few minutes later I got an email to say the transaction had been declined. I phoned the Bank to find out why.


“We were just going to call you – we’ve been told by the Police that your card details have been compromised”. Well once is unfortunate but twice…


It set me thinking. Where had my card details been captured and why does the loss of sixteen digits mean my account has to be stopped? After all I validated the transaction with Secure Code.


I have my suspicions about one retailer I use near work which colleagues who have also had their cards compromised also use. However it dawned on me that in fact my card details are virtually in the public domain every time I buy anything.


Chip and PIN properly implemented ought to eliminate card present fraud because of the difficulty in replicating cards and the chips. However we have already seen evidence of staff attaching devices to capture card details for misuse elsewhere. Card numbers, expiry dates and CVV details remain valuable to fraudsters because they are still all that is required to debit an account.


The truth is that CVV provides virtually no protection as it is compromised the first time you use it since it’s really a one-time code which in practice is used tens or hundreds of times. 3D Secure (MasterCard Secure Code or Verified by Visa) is not much better. Every time I use it I type my password in full, making it relatively easy for someone to capture it. (Banks, why don’t you ask for a random selection of characters from the password to make it harder to crack?).


Web use is growing but sadly the card companies seem reluctant to crack the inherent weakness in the current system.


Some years ago my MBNA card account had a different account number to the sixteen digit card number making it easy to replace the card without losing access to the card history. Sadly that approach seems to have been dropped. I’m also coming round to the idea that MasterCard and Visa need to drive through a common standard token system for cardholders to use to verify online transactions.


A combination of a universal standard token system (I don’t want one for each bank or card I have but one which works for all of them) such as Vasco offer together with a pass code known to the cardholder could provide a system that would be very difficult to crack. Linked to 3D secure as a trusted and secure communications channel, web fraud could be virtually eliminated.


Implementation costs would be kept down as a result of a common standard for the token and the production volumes required for one per cardholder.


What do you think?


Comments: (3)

A Finextra member 19 October, 2008, 12:25

I don't know if it's a one-off, but when I've used Verified by Visa, I'm only asked for 2 or 3 random characters...



John Dring - Intel Network Services - Swindon 19 October, 2008, 14:51


Well I couldn't agree more.  I said similar in my little rant on my 'blog' observation...

I think the processes are outdated, but there is no easy answer. It could be that maybe the 'MasterCard SecureCode' site thingy was a trojan horse - surely it should only be asking for some of the digits.

Perhaps the best security is not to prevent the theft of credentials, but 'ensure' the likelihood of detection and punishment of those that conduct the online fraud.  For example, every online merchant purchase operation should contain the collection of internet/ISP fingerprints which although they wouldn't catch a specific person, would close the noose pretty quickly.




Nick Green - ISD Consultants - Northampton 20 October, 2008, 20:12

I think perhaps you should think about changing your card issuer. A good issuer closes a card number but keeps the account open. You may lose some transaction history but that is because it should have gone to the fraud department to manage and track back on fraud activity. A good implementation of Verified by Visa or MasterCard Secure Code should only ask for parts of your password.

Show your displeasure by moving your business elsewhere or ring and use the 'magic word' - "I wish to complain".
