Folly

Sigh. This is getting ridiculous.

I’ve complained about the stupid things credit card issuers do before, most recently in April. This week, however, they reached a new low.

I got a new card. Nothing new about that, right? What is new is that it wasn’t because the old one had expired, nor had it been compromised. According to the accompanying letter, the new card “has a new layer of protection” and “For added security, your card has a new number and includes chip technology.” It also has a new expiration date.

Excuse me? My old card also had a chip.

The letter goes on to say “This is simply a preventative measure to improve the security of your card. This is not in response to your account being compromised in any way.”

If the old number wasn’t compromised, how is the new number an improvement? The only possible interpretation I can put on this is that there’s some weasel wording going on here: my account hasn’t been compromised–literally. Nobody has broken into the issuing bank’s system and accessed my account. Good to know. But that doesn’t eliminate the possibility that some merchant I used the card at–or Visa itself–has been hacked and my card information potentially exposed.

What makes this truly annoying is that the old card–which had a new number and expiration date–was four months old. What’s the point in giving me an expiration date four years in the future if you’re going to change it every four months?

The really boggling part about this fiasco, however, is that the chipped cards are no more secure than the old unchipped cards. As I said in April:

It won’t do a damn thing for Internet sales. Give ’em the card number, expiration date, and (sometimes) the code printed on the back, and they can charge the card just as they always have. And store the information insecurely, just as they always have. And get hacked, just as they always have.

But even leaving that aside, the chip technology has been thoroughly and repeatedly hacked in Europe. The reason it’s called “chip and PIN” is that the vendors couldn’t make the chip alone sufficiently secure to protect their profit margins, so the previously-optional PIN was made mandatory to provide an additional level of protection.

Lesson learned, right? Nope. When the technology came to the US, the PIN wasn’t made mandatory. None of my chipped cards came with PINs or any documentation suggesting that I create one. Store terminals don’t require a pin, and many don’t require a signature either.

Not that a signature is an effective security measure. It’s not checked against anything–there’s no reference signature stored at the bank for comparison. At most, the clerk might look at the signature on the back of the card, but odds are he or she isn’t a handwriting expert and has no idea which differences are normal variation and which could be signs of an attempted fraud.

If insanity is doing the same thing over and over again, expecting a different result*, then our credit card system is insane.

* A quote often attributed to Albert Einstein, Ben Franklin, and many others. As is so often the case, there doesn’t seem to be any evidence to support any attribution.

Oh, well. See you in four months when this card gets replaced.

Sigh.

That Trick Never Works

I think it’s time we admitted that the credit card infrastructure is incurably broken.

Hey, remember back in January 2014, I was complaining about having to make the rounds of all the vendors whose bills are automatically charged to my credit card? Can you guess what I spent a large chunk of yesterday doing? I’m sure you can; I didn’t exactly make the question difficult.

Yes, once again my credit card information “may have been compromised at an undisclosed merchant or service provider.” So I was again given a new card with a new number. And off I went, updating the autopay information at all of the merchants and service providers. Again.

What’s wrong with this picture?

Well, for starters, since the vendor in question is “undisclosed,” I have no opportunity to take my business to a different company that pays more attention to security. Assuming there is one, of course.

Second, why should I be the one who has to spend hours* updating all of the records? Online payment is a conversation between two computers; it’s not a one-way message. If a charge comes in to the old number, why can’t the bank send back a message that says “The number you are charging has changed. The new number is…” It works for the web–there’s a whole series of codes that say “The URL you requested has changed. Here’s the new address.”–and it could work for the credit card system.

* Yes, it really was hours, even though I only had to update eleven vendors. A few of them made it comparatively easy: log in, add the new card, delete the old card, and log out. Most of them had additional hoops I had to jump through. “Your change will take effect on the next billing cycle.” “Please enter the billing address for this card.” (Can’t you assume that, unless I tell you otherwise, it’s the same as the card you already have on file?) “In order to enroll for auto-payment, use our simple five-step wizard.” (I was already enrolled, but I couldn’t update the card information, I had to cancel and then re-enroll.) “We can’t change the card on a pre-order. You’ll have to wait until the charge is rejected and then give us the new card information.” Only one vendor had no online update function, but there was also one who hid it so successfully that I had to call customer support and have a representative walk me through the menus to find it.

The banks spend millions on fraud detection systems that monitor the pattern of charges we make. They could tie those into the process. It wouldn’t be that hard* for the FDS to say “Hey, this is a recurring charge, and the customer hasn’t filed a complaint about it in two years. We can send the update message.”

* OK, it wouldn’t be hard technically. But it would cost the banks money, so it would be difficult politically.

There was something new in this mini-fiasco as opposed to last year’s. Last year I was able to activate the new card and then update the vendors at my convenience over a couple of weekend days. This time, the bank automatically canceled the old card three days after it arrived in the mail. So much for waiting for the weekend.

But the real problem, and the reason I say the system is incurably broken, is that issuing a new number doesn’t accomplish anything. Remember, this is the fourth time this card has been replaced for security reasons.

The new card is one of the fancy “chip and pin” cards with a chunk of circuitry embedded in it. This will make it safer to use at store terminals. It won’t do a damn thing for Internet sales. Give ’em the card number, expiration date, and (sometimes) the code printed on the back, and they can charge the card just as they always have. And store the information insecurely, just as they always have. And get hacked, just as they always have.

This card is good for more than two years. Anyone want to place a bet on how many new card numbers I’ll get before the expiration date?

Change of subject.

Speaking of things that are incurably broken, I assume you’ve heard about the protests in Baltimore. I’m not going to talk about the protests or the larger issues around them–at least not today. But I did want to say a few words about one of the side effects of the protests.

You may have heard that yesterday’s game between the Baltimore Orioles and the Chicago White Sox was played without spectators in the stands.

I watched the game on TV, and it was an interesting experience. I won’t say that the lack of crowd noise affected the players, but it did seem as though they weren’t as focused as usual. I can’t help but wonder if Samardzija would have given up six runs in the first inning if there had been fans present.

A while back, I said “It makes one wonder if the game would be called on account of disinterest if the last fan left.” We still don’t know, because we still haven’t had a game with no fans present. Despite the security concerns that caused the fan lockout, they still showed up. Portions of the field are visible from outside the stadium, and spectators were lined up along the fence watching the game and cheering the Orioles during that six-run inning.

Despite the chaos and destruction, some people played baseball, and other people watched. Religious fanaticism isn’t limited to destructive impulses.

I’m not going to suggest that baseball solved any of the problems the city of Baltimore is facing. Nor am I going to suggest that it could solve the larger problems facing the entire country.

But for a few hours, baseball allowed some people to take a mental vacation from those problems. And sometimes that’s all you need.

Security, Again

Oh, goodie! Something new to be grouchy about.

A couple of days ago I received a new credit card in the mail. Not because the old one had expired. Oh, no, not a bit. The old one was good for another few months. This replacement was because of the old one “may have been compromised at an undisclosed merchant or service provider”. How nice. I can state with absolute certainty that it was not Neiman Marcus, as I’ve never shopped there. It could have been Target. I’m not too proud to admit that I sometimes shop there. For one thing, they have the best price around on dark chocolate M&Ms.

On the other hand, the letter with my new card did say “undisclosed”. News reports suggest that there were at least three other US retailers have been hacked in the same fashion as Target and Neiman Marcus. Despite the laws requiring disclosure, we may never know who those companies are: given the backlash against Target, they may decide it’s cheaper to risk fines for non-disclosure than to go public and have customers go elsewhere.

Not that there’s really an “elsewhere” to go to. Let’s face it, every retailer, online or brick-and-mortar, is vulnerable to hacking. It’s enough to make you want to go back to cash. Or maybe barter.

But I digress. Let’s get back to that shiny new card I got in the mail. I said that the old card would still have been good for a few more months. Guess what the expiration date on the new card is. Give up? It’s the same as the old card.

So I went through my usual routine to dispose of the old card: chopping it up into itty-bitty pieces, and then mixing the bits into the waste removed from the cats’ litter boxes. It may not be any safer than just throwing out the pieces, but I figure it should at least discourage the casual garbage thieves. Having done that, I braced myself to spend the next several days going around to all of the places that I have set up to automatically charge my card. Nothing important, of course, just little things like my cell phone, my insurance, and the home alarm system.

And then, in a couple of months when the new card expires and the company sends me another new card, I get to do it again. Such fun! What a thrill! What a great use of my time!

Now, keep in mind that this is, if memory serves, the third time this particular card has been replaced due to a security breach at a merchant. The whole “update the auto-payment” routine is getting a bit old.

So I called the company to ask if they could please issue me a new card with an expiration date a couple of years in the future. That way, I should be good with all of the auto-payments until the next security breach. I spoke to a gentleman (I use the term loosely) who was terribly sorry to inform me that there is “no tool to change the expiration date,” but that because I had raised the issue, they might someday have one.

I carefully explained that “might someday” didn’t do me any good now. “Oh, yes sir, I understand. You’ll be getting a call back from a manager soon.” On further questioning, it turned out that “soon” meant “in the next couple of weeks”. I pointed out for the second time that they only allowed a week and a half for me to switch to the new card, so a call in a couple of weeks wouldn’t at all. “Let me see if I can get you a firm date for the call back,” the gentleman said, and then hung up on me.

Of course, I swore for a couple of minutes, then called again. This time I got a disgustingly cheery young woman. I explained that another representative had hung up on me, and asked her to check what notes he had put on my account. “Wants to change expiration date” was the entirety of the message. No explanation of why or reference to the urgency of the matter. So I explained the whole thing to the second rep (in four-part harmony). “But that’s not a problem, sir. When the new card shows up in a few months, you won’t have to do anything because it will have the same number.” I pointed out that I would have to do something: update the expiration date at all of the relevant vendors.

“Oh,” she responded. “Let me talk to a supervisor. Don’t go away!” And off she went. Amazingly, she didn’t hang up. She returned a minute later and told me that they do not change expiration dates until there is less than two months remaining on the card.

“So,” I asked, “if this new card is compromised in the next couple of months, I’ll get another new account number with the same expiration date?”

“That’s right! It’s for your convenience!”

I was a bit shell-shocked at that. I didn’t ask her to try to explain how that was convenient for anyone except the credit card company. I just extracted myself from the call and spent the next several minutes banging my head against the wall, then went off to start updating my auto-payment accounts.

Oh, wait, I thought of someone else for whom an unchanged expiration date is convenient: the criminals who now have my old account number. Visa’s account number generation algorithms are well-understood as even a quick Google search will show. For certain types of cards, there’s a fairly small set of valid account numbers that could be assigned. It wouldn’t be that difficult to generate some trial card numbers and have them match up to the known expiration date. That’s all you need for many online vendors.

If you think about it, changing the account number generation process to also update the account expiration should be a minor software tweak. The code to choose a new expiration date already exists: it gets used whenever a card expires or when a new account is opened. Adding a call to that routine to the “change account number” code should be fairly trivial. Unless their code is a truly horrible mess, it would be a low risk change, and easy to test. But it would, of course, cost money. Visa’s net profit for fiscal 2013 was only $4.98 billion. I suppose a small software change like this would seriously imperil their bottom line. Such a shame.

Such is life. If you’ll excuse me, I need to get over to the Post Office. I’ve got some packages of shredded cards and litter box sweepings to send to Visa, Target, and Neiman Marcus. Maybe it’ll give them some new ideas on security.