Identity Theft Bust Exposes Need For 'Smart' Credit Cards

When authorities announced Friday that they had charged more than 100 people in a massive identity fraud operation, they did not just blame the alleged thieves. They also blamed the credit card companies.

At a press conference, Queens district attorney, Richard A. Brown, accused U.S. credit card companies of “putting too much money into marketing and not enough into security” and claimed they “would rather take the losses” than invest in proven security measures, according to The New York Times. Deputy Inspector Gregory T. Antonsen, the commander of the New York Police Department’s Identity Theft Squad, told reporters the bust showed the need for computer chips implanted in credit cards to deter fraud.

Experts say the United States is far behind Europe in adopting smart cards, which require cardholders to enter a personal identification number on a keypad, similar to a debit card transaction. Smart cards deter fraud because they contain computer chips that encrypt transaction information and require thieves to not only steal card data but also know the cardholder’s PIN, experts say. The card's computer chip also has the potential to generate one-time-only passwords for more secure online commerce, experts say.

"It makes it much harder to commit fraud," said David Robertson, publisher of The Nilson Report, an industry trade publication.

While European banks have issued millions of smart cards to consumers, U.S. banks still rely largely on credit cards with magnetic stripes, which are more vulnerable to thieves, experts say.

That partly explains why fraud in the United States accounted for a growing proportion of global fraud losses last year, according to a study issued by The Nilson Report last week. The U.S. loses 9 cents to fraud for every $100 worth of credit and debit card transactions, while the global average is 4.5 cents, according to Robertson.

U.S. banks have been reluctant to issue smart cards because it would require retailers to make expensive upgrades to their payment systems, which they have been reluctant to do, said John Hall, a spokesman for the American Bankers Association.

“The chip technology is certainly more secure but if you can’t use your chip card anywhere it doesn’t do anyone any good,” Hall said.

But that may start to change as credit card companies try to compel retailers to accept the new technology. In August, Visa announced that retailers who do not support smart cards by 2015 would be liable for fraudulent transactions. Meanwhile, MasterCard has said ATM owners must accept smart cards by 2013 or they will be liable for fraud stemming from their machines.

For retailers, smart cards are one of several new forms of payment that require expensive upgrades to their terminals, including payment systems that allow consumers to wave their mobile phones over a card reader, according to Joe LaRocca, senior asset protection adviser for the National Retail Federation.

The cost of transitioning about 15 million retail terminals to accept chip-based cards is between $12 billion and $15 billion, Robertson said. Retailers believe banks should help fund the conversion, LaRocca said.

The effort to compel retailers to accept chip-based credit cards represents a significant shift in the attitude of the credit card industry, Robertson said. Historically, card issuers have made such large profits that fraud was viewed as a cost of doing business, he said. But now, the credit card industry is becoming less profitable and fraud is becoming less accepted, he said.

The push also reflects a concern that thieves will increasingly focus on exposing vulnerabilities in magnetic-stripe credit cards in the United States as the rest of the world adopts the more secure smart cards, Robertson said.

Smart cards might have deterred the widespread fraud operation detailed Friday by authorities in New York, Robertson said. The crime ring, dubbed "Operation Swiper," involved thieves who posed as retail workers and used skimming devices to steal credit card data, then programmed that data into the magnetic stripes of blank credit cards, authorities said. The scheme netted an estimated $13 million in fraudulent purchases. New York police called it the largest identity theft bust in U.S. history.

However, smart cards may not be immune to hackers, either. Last year, researchers at Cambridge University found they could make a payment using a smart card without knowing the card’s PIN by using a device to intercept communications between the card and the terminal.

The researchers concluded that smart card technology “is seriously flawed” and “should be considered broken.”