Folly

Sigh. This is getting ridiculous.

I’ve complained about the stupid things credit card issuers do before, most recently in April. This week, however, they reached a new low.

I got a new card. Nothing new about that, right? What is new is that it wasn’t because the old one had expired, nor had it been compromised. According to the accompanying letter, the new card “has a new layer of protection” and “For added security, your card has a new number and includes chip technology.” It also has a new expiration date.

Excuse me? My old card also had a chip.

The letter goes on to say “This is simply a preventative measure to improve the security of your card. This is not in response to your account being compromised in any way.”

If the old number wasn’t compromised, how is the new number an improvement? The only possible interpretation I can put on this is that there’s some weasel wording going on here: my account hasn’t been compromised–literally. Nobody has broken into the issuing bank’s system and accessed my account. Good to know. But that doesn’t eliminate the possibility that some merchant I used the card at–or Visa itself–has been hacked and my card information potentially exposed.

What makes this truly annoying is that the old card–which had a new number and expiration date–was four months old. What’s the point in giving me an expiration date four years in the future if you’re going to change it every four months?

The really boggling part about this fiasco, however, is that the chipped cards are no more secure than the old unchipped cards. As I said in April:

It won’t do a damn thing for Internet sales. Give ’em the card number, expiration date, and (sometimes) the code printed on the back, and they can charge the card just as they always have. And store the information insecurely, just as they always have. And get hacked, just as they always have.

But even leaving that aside, the chip technology has been thoroughly and repeatedly hacked in Europe. The reason it’s called “chip and PIN” is that the vendors couldn’t make the chip alone sufficiently secure to protect their profit margins, so the previously-optional PIN was made mandatory to provide an additional level of protection.

Lesson learned, right? Nope. When the technology came to the US, the PIN wasn’t made mandatory. None of my chipped cards came with PINs or any documentation suggesting that I create one. Store terminals don’t require a PIN, and many don’t require a signature either.

Not that a signature is an effective security measure. It’s not checked against anything–there’s no reference signature stored at the bank for comparison. At most, the clerk might look at the signature on the back of the card, but odds are he or she isn’t a handwriting expert and has no idea which differences are normal variation and which could be signs of an attempted fraud.

If insanity is doing the same thing over and over again, expecting a different result*, then our credit card system is insane.

* A quote often attributed to Albert Einstein, Ben Franklin, and many others. As is so often the case, there doesn’t seem to be any evidence to support any attribution.

Oh, well. See you in four months when this card gets replaced.

Sigh.

That Trick Never Works

I think it’s time we admitted that the credit card infrastructure is incurably broken.

Hey, remember back in January 2014, I was complaining about having to make the rounds of all the vendors whose bills are automatically charged to my credit card? Can you guess what I spent a large chunk of yesterday doing? I’m sure you can; I didn’t exactly make the question difficult.

Yes, once again my credit card information “may have been compromised at an undisclosed merchant or service provider.” So I was again given a new card with a new number. And off I went, updating the autopay information at all of the merchants and service providers. Again.

What’s wrong with this picture?

Well, for starters, since the vendor in question is “undisclosed,” I have no opportunity to take my business to a different company that pays more attention to security. Assuming there is one, of course.

Second, why should I be the one who has to spend hours* updating all of the records? Online payment is a conversation between two computers; it’s not a one-way message. If a charge comes in to the old number, why can’t the bank send back a message that says “The number you are charging has changed. The new number is…” It works for the web–there’s a whole series of codes that say “The URL you requested has changed. Here’s the new address.”–and it could work for the credit card system.

* Yes, it really was hours, even though I only had to update eleven vendors. A few of them made it comparatively easy: log in, add the new card, delete the old card, and log out. Most of them had additional hoops I had to jump through. “Your change will take effect on the next billing cycle.” “Please enter the billing address for this card.” (Can’t you assume that, unless I tell you otherwise, it’s the same as the card you already have on file?) “In order to enroll for auto-payment, use our simple five-step wizard.” (I was already enrolled, but I couldn’t update the card information, I had to cancel and then re-enroll.) “We can’t change the card on a pre-order. You’ll have to wait until the charge is rejected and then give us the new card information.” Only one vendor had no online update function, but there was also one who hid it so successfully that I had to call customer support and have a representative walk me through the menus to find it.

The banks spend millions on fraud detection systems that monitor the pattern of charges we make. They could tie those into the process. It wouldn’t be that hard* for the FDS to say “Hey, this is a recurring charge, and the customer hasn’t filed a complaint about it in two years. We can send the update message.”

* OK, it wouldn’t be hard technically. But it would cost the banks money, so it would be difficult politically.
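To make the proposal in the two paragraphs above concrete, here is a toy model of the bank-side logic, written for this page as an added example (it is not code from the post, nor any card network’s actual protocol). It assumes the bank keeps retired numbers on file, treats a charge as “recurring” when a merchant has billed a similar amount at least twelve times in the last two years with no dispute, and answers a charge against a retired number the way a web server answers a moved URL: approved, declined, or “number changed, here is the new one.” The thresholds, record layout, merchant names and card numbers are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import median

# Constructed sample data for a toy model of the bank-side logic the post
# proposes. Nothing here is a real card number, merchant, or network message.


@dataclass
class Charge:
    merchant: str
    amount_cents: int
    when: date


@dataclass
class Account:
    current_number: str
    retired: dict = field(default_factory=dict)      # old number -> date retired
    history: list = field(default_factory=list)      # approved charges
    disputes: list = field(default_factory=list)     # (merchant, date) complaints


def reissue(acct: Account, new_number: str, today: date) -> None:
    """Bank replaces the card: the old number is retired, not forgotten."""
    acct.retired[acct.current_number] = today
    acct.current_number = new_number


def is_trusted_recurring(acct, merchant, amount_cents, today,
                         months=24, min_charges=12, tolerance=0.10):
    """The fraud-detection rule from the post: a recurring charge the
    customer has not complained about in two years. Recurring here means at
    least `min_charges` charges from this merchant inside the window whose
    amounts sit within `tolerance` of their median, and the new charge fits
    the same band. All thresholds are assumptions for the example."""
    start = today - timedelta(days=30 * months)
    past = [c for c in acct.history if c.merchant == merchant and c.when >= start]
    if len(past) < min_charges:
        return False
    if any(m == merchant and d >= start for m, d in acct.disputes):
        return False
    typical = median(c.amount_cents for c in past)
    band = typical * tolerance
    return (all(abs(c.amount_cents - typical) <= band for c in past)
            and abs(amount_cents - typical) <= band)


def authorize(acct, number, merchant, amount_cents, today):
    """Process one charge. The redirect-style answer goes only to a trusted
    recurring biller; everyone else presenting a retired number gets a plain
    decline, so a leaked old number cannot be traded for the new one."""
    if number == acct.current_number:
        acct.history.append(Charge(merchant, amount_cents, today))
        return {"status": "approved"}
    if number in acct.retired:
        if is_trusted_recurring(acct, merchant, amount_cents, today):
            acct.history.append(Charge(merchant, amount_cents, today))
            return {"status": "number_changed", "new_number": acct.current_number}
        return {"status": "declined", "reason": "card replaced"}
    return {"status": "declined", "reason": "unknown number"}


def demo():
    today = date(2015, 5, 1)
    acct = Account(current_number="4000-0000-0000-0001")  # constructed number
    # Two years of a $9.99 subscription and of a $25.00 gym fee, one of which
    # the customer disputed three months ago; plus a single one-off purchase.
    for i in range(24, 0, -1):
        acct.history.append(Charge("StreamingCo", 999, today - timedelta(days=30 * i)))
        acct.history.append(Charge("GymCo", 2500, today - timedelta(days=30 * i)))
    acct.disputes.append(("GymCo", today - timedelta(days=90)))
    acct.history.append(Charge("GadgetShop", 4999, today - timedelta(days=40)))

    reissue(acct, "4000-0000-0000-0002", today)  # the bank mails a new card
    old = "4000-0000-0000-0001"
    return {
        "recurring": authorize(acct, old, "StreamingCo", 999, today),
        "disputed": authorize(acct, old, "GymCo", 2500, today),
        "one_off": authorize(acct, old, "GadgetShop", 4999, today),
        "stranger": authorize(acct, old, "NeverSeenBefore", 999, today),
        "new_number": authorize(acct, acct.current_number, "GadgetShop", 1299, today),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design choice worth noticing is the asymmetry: only the biller with a long, undisputed history receives the new number, and even then a real deployment would return it only through the merchant’s acquirer to an authenticated endpoint, preferably as a stored-payment token rather than the bare card number, so that the update itself does not become a new way to harvest fresh numbers. The author’s political caveat stands: none of this is technically hard.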

There was something new in this mini-fiasco as opposed to last year’s. Last year I was able to activate the new card and then update the vendors at my convenience over a couple of weekend days. This time, the bank automatically canceled the old card three days after it arrived in the mail. So much for waiting for the weekend.

But the real problem, and the reason I say the system is incurably broken, is that issuing a new number doesn’t accomplish anything. Remember, this is the fourth time this card has been replaced for security reasons.

The new card is one of the fancy “chip and pin” cards with a chunk of circuitry embedded in it. This will make it safer to use at store terminals. It won’t do a damn thing for Internet sales. Give ’em the card number, expiration date, and (sometimes) the code printed on the back, and they can charge the card just as they always have. And store the information insecurely, just as they always have. And get hacked, just as they always have.

This card is good for more than two years. Anyone want to place a bet on how many new card numbers I’ll get before the expiration date?

Change of subject.

Speaking of things that are incurably broken, I assume you’ve heard about the protests in Baltimore. I’m not going to talk about the protests or the larger issues around them–at least not today. But I did want to say a few words about one of the side effects of the protests.

You may have heard that yesterday’s game between the Baltimore Orioles and the Chicago White Sox was played without spectators in the stands.

I watched the game on TV, and it was an interesting experience. I won’t say that the lack of crowd noise affected the players, but it did seem as though they weren’t as focused as usual. I can’t help but wonder if Samardzija would have given up six runs in the first inning if there had been fans present.

A while back, I said “It makes one wonder if the game would be called on account of disinterest if the last fan left.” We still don’t know, because we still haven’t had a game with no fans present. Despite the security concerns that caused the fan lockout, they still showed up. Portions of the field are visible from outside the stadium, and spectators were lined up along the fence watching the game and cheering the Orioles during that six-run inning.

Despite the chaos and destruction, some people played baseball, and other people watched. Religious fanaticism isn’t limited to destructive impulses.

I’m not going to suggest that baseball solved any of the problems the city of Baltimore is facing. Nor am I going to suggest that it could solve the larger problems facing the entire country.

But for a few hours, baseball allowed some people to take a mental vacation from those problems. And sometimes that’s all you need.