Whenever I want to access my Dropbox account using their website, I have to use two-factor authentication to log in. Two-factor authentication means that in addition to using my username and password, I have to enter a code that comes from my mobile phone. The code is either sent to me via text, or I can use a token-generating application such as Google Authenticator. I also use two-factor authentication to access a number of other online accounts – some sensitive, some not. Anyway, it got me thinking: why aren’t we using two-factor authentication to solve credit card fraud?
The problem with the current system
The problem with the current credit card system is that all of the data used to validate the card with the clearing house is included on the card itself: card number, expiration date, three- or four-digit security code, PIN, etc. That’s why credit card fraud is such a problem. When a database with credit card information is breached, all of the information necessary to make fraudulent purchases is available to the attacker. Credit card validation needs to require a token that is unpredictable and time-based, and that isn’t stored alongside the credit card data.
That’s where two-factor authentication with a mobile device comes in. Thinking about it, I always have my phone with me when I’m making a purchase by credit card, whether it’s in person, online, or by phone. It should be easy to have an app on my phone that generates a rotating, time-based token that I provide to the vendor when making a purchase. Even if I don’t have the app, I could have the token texted to me whenever I initiate a purchase. Particularly for online purchases, the delay would be minimal, and it would not hold up purchases at the point of sale either.
By using two-factor authentication, even if someone got access to my credit card number, expiration date, and security code, they still couldn’t use it without the time-based token, which requires having my phone. In fact, it seems so simple that I feel like I’m missing something.
Possible reasons we’re not using two-factor authentication
Anything this straightforward makes me feel that I’m not the only person who has thought of it. So, I started wondering what could be hindering roll-out of such a system. Here are a few reasons that I came up with:
- Adoption – changing to a two-factor authentication system would require a lot of software updates and possibly hardware changes to the devices that read credit cards. If the cost of upgrading to new hardware were passed on to the retailers, it’s possible (and likely) that they would balk at adopting a new system. Therefore, to encourage adoption, retailers who updated their hardware and software to use a two-factor authentication system could be offered lower processing rates in return.
One card payment processor I could see implementing a progressive system like this is Square. Square could update their vendor app to ask for a token-based PIN that the purchaser would provide using a Square app on their phone. Since fraud should be greatly reduced under this system, Square could offer merchants who use this feature a lower credit card processing rate, say 2.0% instead of 2.7%.
- User acceptance – it’s possible that users would balk at the inconvenience of having to enter a randomly generated code every time they used their card. On the other hand, anyone who has ever dealt with credit card fraud (which is probably all of us) knows how painful it is and shouldn’t mind the small inconvenience in return for peace of mind.
I could see how implementing this system a few years ago would be a problem when smartphones weren’t that popular. However, now that smartphones are owned by the majority of cellphone users, technology adoption shouldn’t be an issue.
- Conspiracy theories – here’s where I go a bit off the rails, but could it be that the credit card companies don’t want to completely solve the fraud problem? Are they justifying their processing rates by pointing to high rates of fraud? Are their fraud departments a profit center for the card companies? I would think that the credit card companies would want to come up with a better solution, but sometimes you never know. Maybe the credit card companies don’t have a strong enough incentive to completely eliminate it.
Implementing a two-factor authentication system
I would envision the system being rolled out by the major card networks such as Mastercard, Visa, American Express and Discover. They would make the app that users download and install on their phones. The card holder would then verify the card through the app by entering the card details along with some personal identification information, like the billing address and/or billing phone number associated with the account. After the card was verified, it would show up in the app with a time-based, rotating token associated with it. Any time you used the card, you would enter that token as your PIN when asked for it at the point of sale.
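To make the proposal above concrete (the rotating token on the phone, and the earlier point that a breached card database should not contain what is needed to pass validation), here is an added example that is not part of the original post and not any card network's code. It assumes the token algorithm is RFC 6238 TOTP (the same scheme Google Authenticator implements), a hypothetical issuer-side `Issuer` class that holds the per-card shared secret separately from the card record, and a constructed card record; the key `12345678901234567890` is the published RFC 4226/6238 test-vector key, used so the output can be checked against the RFC.

```python
"""Time-based one-time token for card authorization, modelled on RFC 6238 TOTP.

Added illustration for the proposal in the post; not the post author's code
and not any card network's implementation. Assumptions: HMAC-SHA1, 30-second
step, 6-digit codes, and a hypothetical issuer that stores the token secret
apart from the card record.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second windows since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


class Issuer:
    """Hypothetical issuer-side validator (assumption, not a real network's API).

    The shared secret lives only here and in the cardholder's app; it is never
    part of the card number / expiry / CVV record that merchants store.
    """

    def __init__(self, step: int = 30, window: int = 1) -> None:
        self.step = step
        self.window = window            # accept +/- this many steps of clock drift
        self._secrets: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}  # replay guard: highest counter accepted per card

    def enroll(self, card_number: str, secret: bytes) -> None:
        """Enrollment step from the post: card verified in the app, secret bound to the card."""
        self._secrets[card_number] = secret

    def authorize(self, card: Dict[str, str], token: str, at_time: float) -> bool:
        """Return True only if `token` matches a fresh, not-yet-used window for this card."""
        secret = self._secrets.get(card["number"])
        if secret is None:
            return False
        now_counter = int(at_time) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now_counter + drift
            if counter <= self._last_counter.get(card["number"], -1):
                continue  # this window was already spent: a replayed token is refused
            if hmac.compare_digest(hotp(secret, counter), token):
                self._last_counter[card["number"]] = counter
                return True
        return False


RFC_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key
# Constructed sample card record (the fields a merchant or breached database would hold).
CARD = {"number": "4111111111111111", "expiry": "12/29", "cvv": "123"}


def demo(at_time: float = 59):
    """Walk through a purchase, a replay of the same token, and a breach without the secret."""
    issuer = Issuer()
    issuer.enroll(CARD["number"], RFC_SECRET)
    phone_token = totp(RFC_SECRET, at_time=at_time)       # what the cardholder's app displays
    ok = issuer.authorize(CARD, phone_token, at_time)      # legitimate purchase
    replay = issuer.authorize(CARD, phone_token, at_time + 10)  # same token presented again
    stolen = dict(CARD)                                    # breached record: no secret inside
    guess = issuer.authorize(stolen, "000000", at_time)    # card data alone cannot produce a token
    return ok, replay, guess


if __name__ == "__main__":
    print("RFC 6238 vector, T=59 ->", totp(RFC_SECRET, at_time=59))
    print("purchase, replay, breach ->", demo())
```

The replay guard is the caveat a practitioner would add to the post's design: a 30-second window is wide enough for a second merchant to reuse a token that was just entered, so the issuer must remember the last accepted counter per card and refuse anything at or below it, not merely check that the code matches.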
As for the hardware, it would either require a software update to the existing credit card readers, or replacement in cases of old hardware. As I mentioned above, the cost of these upgrades would be offset by a corresponding reduction in credit card processing rates.
So my question is, why aren’t we using two-factor authentication to prevent credit card fraud? What am I missing?