Filed Under: Money, Payment systems

It's still worth stealing credit cards, but not for much longer

Leave a Comment

Dgwb blog white border

Technologically speaking, the credit card as we know it should have vanished long ago. It’s surely not got much longer .

Back in 1979, when I was taking a computer science course at Univeristy that involved writing in FORTRAN (*) on an ICL 2900 series behemoth, the computer scientist Christopher Evans wrote a popular book called “The Micro Millennium” in which he argued (correctly, as far as I can see) that the microprocessor-driven information revolution would have more impact than the industrial revolution. In the book, he says that

By the middle of the 1980s, when most [payment] cards are fed directly into a scanning terminal at the point of purchase and each card receives an automatic screening check, their theft will be pointless.

You can see why he would think this. Putting microprocessors into cards would be an amazing step forward for the world of payments. In fact, the first smart card patents (for memory-only cards) were filed a decade before Evans wrote this, the famous Roland Moreno patent had been around for five years and by the time his book came out you could already buy smart cards as we know them today from Bull in France. Evans’ technologival timescale was correct: the first bank smart cards were rolled out in France in 1984. A few years later, and Consult Hyperion were advising not only banks but others about smart cards. I think I’m right in saying that our first dedicated smart card work was around the security of the planned (but subsequently abandoned – because the banks and retailers could not reach agreement) EFTPOS UK scheme in the late 1980s. 

A decade after that first French roll out, in 1994, the schemes (then Europay, MasterCard and Visa, hence the acronym) began work on the EMV smart card standard. Another few years later, when Britney Spears issued a card so that fans could have secure access to part of her web site, even she steered away from the hello-1971 magnetic stripe and went for a smart card (with a USB reader that worked on PCs and Macs, which my financial institution-provided serial port reader did not).

Britney's Reader

Yet despite the essential accuracy of Evans’ technology prediction, his prediction on impact was wrong. Card fraud remains colossal, because the boat anchor of legacy infrastructure has dragged us down. According to the US Federal Trade Commission’s latest figures, credit card fraud is still 40% of all financial fraud there, and this has ramifications far beyond their borders. For example, my newest UK credit card arrived this week. Yes it has a microprocessor chip on it, but it also has my personal details printed on it and it has a trivially-copyable magnetic stripe on the back in case I want to use it in North Korea, Kazakhstan or the United States. (Just joking: North Korea and Kazakhstan went over to EMV some time ago.)

Untitled

That’s not to say my bank doesn’t take security seriously. Yes, they put a magnetic stripe on the card, but on the other hand they do insist you sign it as soon as you get it. The thing is, I don’t even want the stupid magnetic stripe. I have no intention of using this card in the US ever. Since around two-thirds of the fraud on UK issued cards occurs in the US, I don’t know why the issuers don’t just automatically block all magnetic stripe or card-not-present transactions outside the UK as a matter of course. Mind you, even in all-chip Europe, card fraud went up six percent last year (because the chips don’t help with online fraud – Apple Pay please save us!). But that’s by the by.

The big picture is that, basically, about a generation ago the payment industry started to use microprocessor chips in cards. Now, the last redoubt of the magnetic stripe has been breached and the US is rolling them out. A generation from now they will disappear. As Anthony Jenkins, now the CEO of Barclays, correctly predicted at a Barclaycard event that I attended back in 2008, the mobile phone will get rid of the payment card before it gets rid of cash, although with the wisdom of hindsight he might have refined his comments to combination of the mobile phone, tamper-resistant hardware and convenient local biometric authentication as the cash-killer.

Speaking at our annual Tomorrow’s Transactions Forum this year, Andrew Curry won the prize for the best metaphor hands-down. He said that that banks were like sheep, and that Apple wasn’t a wolf trying to pick them off and devour them (that’s Ethereum and its ilk) but a sheepdog herding them together to get stuff done. I think he’s right, and now that Apple has herded them into providing chip and PIN security on the mobile phone (for both local and remote transactions), cards are on their last legs.

Ultimately, then, the smart card chip will do for the plastic card but it’s not the smart card that will do it: it’s that same smart card chip but inside the mobile phone (the secure element, or SE as we call it) that will. Even Christopher Evans didn’t see that one coming!

(*) for our younger viewers, FORTRAN was a programming language invented in the 1950s. When I was using it in the late 1970s to solve complex hypergeometric functions and model the trajectory of a laser beam through moving gas, I wasn’t using the then new-fangled FORTRAN 77 but an early 1970s pre-processor called FLECS that allowed you to write structured code that was translated into FORTRAN for compilation.

Leave a Reply

Your email address will not be published. Required fields are marked *

Tags: , , , , ,