Blog article
See all stories »

People sharing photos of cards online are not idiots...

...they might just be your increasingly rare fans.

A few weeks back a new service started on twitter. @NeedADebitCard collated all the finest photos from the Internet taken by people keen to share their debit/credit card details and design with the world. The instant reaction to this by most sane individuals is ‘what are you doing you idiots?!’ Banking fraud departments across the globe probably tutted and cursed and then smiled as people proved what they already assume every day, the weakest link in online security is the one between the chair and the screen. Online commentators had a field day spouting off about the obvious dangers of this. My initial reaction was the same for about 5 minutes then I realised that these people are just using social media for its greatest use case, sharing everything. They might not be your most stupid customers but your most loyal, your most proud and in these current times banks need all the fans they can get.

The problems associated with sharing photos of your plastic payment device are actually the making of the financial institutions themselves. The Internet has been with us for 20 years. Social media in its current very easy to use incarnation probably 5-7 years old. Payment cards have been with us since the 60s and in that time they have not really changed a great deal. The bottom line is that they are not really fit for use on the Internet.

Outdated payment methods

These physical tokens of my relationship with a bank contain almost every bit of information a person needs to make card holder not present purchase from the web or via the telephone. The industry has tried to bolt on solutions to alleviate this problem e.g. the 3 digit security number on the signature strip (No one is idiotic enough to take a photo of the front and back of their card are they?) but you enter these details into a site every time you need to pay, effectively giving away the keys to your house every time you buy something via remote channels. Should the sites we buy from do more? Do ecommerce sites have PCI DSS compliance badges that they share with pride? ‘We keep your data safe’. Maybe the site owners should take a smiling photo of themselves holding their PCI DSS compliance certificate and put it on Instagram. Of course there are numerous protection standards in place around ecommerce sites I am being a tad facetious to make a point.

What of other solutions such as the universally loved 3D secure methods like Verified by Visa and Mastercard Secure. Yes they stop a certain kind of fraud but how many purchases are cancelled because of these things? How many swearwords are uttered when asked for an infrequently used password? What we need are payment methods designed for the web, designed to be used for one transaction or that just leave the merchant knowing who I pay via but not needing every single piece of detail to make further purchases.

I mean why do credit/debit cards need my full name printed on them? This is about digital identity and you would do well to watch Dave Birch’s recent talk on that subject. Dave is a man who signs his card transactions Carlos Tevez so he knows when people are trying to make fraudulent purchases. 

Social objects of banking.

(Bank) simple have just started sending out invites to their long time registered straining at the leash future customers. The effort and design they have put into their card will mean you will be seeing a lot of photos of these cards over the coming months. They had the foresight to package the cards with a thick blue rubber band holding the card in place but also to obscure the card details making easy to photograph and share the fact they are now proud (bank) simple customers.

Simple realise that the card is an important social object of their customers relationship with them and they wanted to make sure as many of them as possible would share that fact. They also realize the risk and warn their customers accordingly (while still encouraging unboxing photos) Traditional banks would not want you sharing the fact you bank with them online for fear of things like spear phishing yet one of the most used metrics in bank satisfaction is ‘Would you recommend your bank to your friends?’.

I have written about the social objects of banking in the past and I think they are massively underused in an industry that makes talking about your banking relationship and money in general seem massively taboo. This really should not be the case.


So before you go jumping to conclusions about customers who post pictures of their cards on social networks, think long and hard about why they are doing this and why in 2012 the details needed to make a payment online are printed on a small piece of plastic that everyone can see. Who are the real idiots?


Comments: (7)

David Birch
David Birch - Tomorrow's Transactions - London 18 July, 2012, 08:41Be the first to give this comment the thumbs up 0 likes

Attention fraudsters: I've stopped signing Carlos Tevez. Thanks to my unbreakble, Enigma-style algorithm, you'll never be able to guess which South American Manchester City striker I'll be using in future.

A Finextra member
A Finextra member 18 July, 2012, 10:27Be the first to give this comment the thumbs up 0 likes

Dave, I look forward to you having enough room to sign the name Sergio Leonel "Kun" Agüero del Castillo.

Keith Appleyard
Keith Appleyard - available for hire - Bromley 18 July, 2012, 15:29Be the first to give this comment the thumbs up 0 likes

Some years ago a colleague in Arizona showed me that many people had adopted the scheme of not countersigning the Signature Panel, but clearly writing in it "ASK FOR PHOTO ID" - ie ask for a Drivers License to prove you are the rightful owner of the Card.

When I was working in Japan some 20 years ago I was shown how new Cardholders who didn't know how to write their Signature 'western style' would be taught how to form a Signature by the Customer Service people when they collected their Card.

Stephen Wilson
Stephen Wilson - Lockstep Consulting - Sydney 19 July, 2012, 05:58Be the first to give this comment the thumbs up 0 likes

I agree that the problems are of the payment industry's making, but I disagree that cards "are not really fit for use on the Internet".  For the purposes of payments, at a network level, the Internet is just another comms channel.  As we all found in the late 1990s, the decades old MOTO rules and Four Party settlement model {Cardholder, Merhcant, Issuer, Acquirer} extend very nicely from mail orders and telephone to the web.

Let's be very clear about why paying by credit card online is risky, who bears the risk, and what should be done about it. When cardholder details are presented online, a merchant cannot tell if the 1s and 0s are stolen or original.  It's not actually a safety issue for customers, but rather for merchants.  E-merchants could reassure onine shoppers all they like of their PCI-DSS compliance, but that's not the point, and in any case, most stolen card details are taken from big retailer and processor databases, not e-merchants.

All we need to do to make cards safe online is to better protect the presentation of cardholder detals to merchants.  Asymmetric cryptography would do the trick very nicely. If merchant servers were equipped to tell real PANs from stolen ones, then it wouldn't matter at all if the human-readable numbers and photos were posted online. 

One of the deep problems with 3D Secure is that it breaks the Four Party model.  It joins the Cardholder to the Issuer in real time to complete a redundant secondary authentication handshake, complicating not only the user experience but also the merchant's legal arrangements, and slowing the transaction to a crawl.

CNP fraud is just online carding, and could be solved the same way.  Magnetic stripe carding was solved by Chip-and-PIN's asymmetric cryptography.  Each transaction is digitally signed in the chip before being sent across to a terminal, making the transaction specific to both the session and the card, and thus non-replayable. The very same chip could be used to digitally sign CNP transactions sent from browsers or mobile devices over the Internet to a merchant server, to prevent replay attack and thus neutralise the black market in stolen card details. We should be solving CNP fraud the same way as we did skimming and carding, without overturning the decades old settlement processes. The payment card concept has decades of life left in it.

A Finextra member
A Finextra member 19 July, 2012, 12:50Be the first to give this comment the thumbs up 0 likes

Great post Aden. I agree that debit or credit cards are social objects. Often they are the only physical thing that customers have which ties them to their bank. For some it is a point of pride - cards that live in your wallet every day are a very personal item (after your phone!), so they create a sense of identity that you want to share with your friends and community. In NZ we have a bank which issued debit cards that were totally black. Customers loved them - so different, so distinctive - they would display them with pride. If your debit card is the only thing that you carry with you that identifies you with your bank, then hell yes, you should be able to share that on social media - it is not the customers fault that this dated payment method has fraud concerns.

A Finextra member
A Finextra member 20 July, 2012, 12:29Be the first to give this comment the thumbs up 0 likes

Seems to me that although Issuing Banks are clearly experts in managing risk, they also don't mind just waiving the problem of fraud under the carpet.  I wonder what percentage of low value CNP fraud goes undetected and therefore paid by the customer? The rest are disputed and the resulting chargeback is borne by the merchant.  No wonder the banks don't do enough to evolve to better solutions.  Even the 3D Secure pain is simply a way to defer the liability from the Issuing Bank to the Consumer.

A Finextra member
A Finextra member 23 July, 2012, 18:15Be the first to give this comment the thumbs up 0 likes

Great refreshing post. We have often had hard time explaining to the financial industry the importance of emotional attachment to the product/service - it's good to see some companies warming up to the idea. Barclays is also offering card personalization service - and Dave Birch seems to be a huge fan (he spent more time choosing a design for his card than he spent on choosing a drink in a pub - just joiking).

@Stephen - "The very same chip could be used to digitally sign CNP transactions sent from browsers or mobile devices over the Internet to a merchant server, to prevent replay attack and thus neutralise the black market in stolen card details."

That's exactly what our company does. Via a "social object", by the way.

Online payments fraud is not just merchant-related. You could use a legit card online, but if those details are stolen you become a victim of the online payments fraud. 

Member since




More from member

This post is from a series of posts in the group:

Social Banks

Social Banks is a group that aims to discuss trends and debate as the financial services take their first steps into social media. Twitter, Facebook, LinkedIn etc..debate all here.

See all

Now hiring