Identity theft is a serious problem and the costs to card holders, merchants and the tax payer (in terms of law enforcement) run to many millions of pounds each year. I myself have been a victim of identity theft on a few occasions and took it upon myself to research the cause and effect of this type of fraud on each occasion. I have spoken to police officers, merchants and people employed by the card companies in their fraud departments.
The sad reality of this type of crime is that it is so prevalent that there is neither the resources nor the will to tackle the perpetrators. From a policing point of view they need a victim, a person or organisation that is willing to press charges. Apparently Payment Card companies won't do this as it's "not worth their while" and they can usually recover the money. The person whose details have been stolen is reimbursed and has no basis to press charges. The merchant may ultimately be the victim in terms of a loss of goods but they have no power to pursue the perpetrators and can merely report the crime. When you consider that one borough of London alone can be the source of thousands of fraudulent transactions each month, and the victims could be all over the world, there is not a chance that anything can be done to apprehend the criminals. The reason this situation is getting worse and worse each year is that the criminal gangs that profit from this type of fraud are well aware of the situation and know there is little chance they will be caught or successfully prosecuted. In short, this situation has been allowed to get out of hand.
The Payment Card Industry gets together and forms the PCI DSS. This is the Payment Card Industry trying to get to grips with the situation. If you read the literature around this scheme you can only come to the conclusion that it is the merchants and payment service providers who are the source of the problems: a lack of security and bad practices allow primary card holder data to slip into the hands of criminals. So the Payment Card providers get together and form a scheme (PCI DSS) and impose this on their customers with the threat of "fines" for those who fail to comply and/or are compromised. This scheme passes a burden of responsibility to merchants and payment service providers and carries with it increased costs in terms of having to appoint Security Consultants and compulsory scans that carry a cost of £75 annually. Can you imagine every merchant in every country across the world now has to pay a levy of at least £75 to an "approved" security consultant in order to get a scan to be PCI DSS compliant... how much money is this making?
Now there is a system called Remote Cardholder Authentication which alleviates the issue of primary card data security and places the burden of responsibility onto the card holders and Payment Card Providers. The system is already in use by some banks for online banking authentication, but the system is equally applicable to over-the-telephone and internet transactions.
Currently a card holder has to provide, over the phone or over the internet, all the information required by a criminal to make fraudulent transactions: name, address, card number and card verification number. Neither channel is secure, and the details could easily be stolen by unscrupulous employees or dummy websites.
A remote card authenticator is a small calculator-sized device that the card holder inserts their payment card into. With the card inserted they then enter the merchant number provided over the phone or on the web page (this is unique to each merchant), the amount they are paying (this secures the value of the transaction) and their PIN (this verifies that it is the card holder making the transaction). The device then encodes this information to generate a unique transaction identification code which they can give to the merchant over the phone or enter into the website. They do not have to give the whole card number, just the last 4 or 5 digits to identify the card, then their details for the delivery of the order and the authorisation code for the transaction.
Note: With a remote authenticator the transaction is secure from end to end. Even if a criminal gang were to set up a bogus website to steal card information they would need a valid merchant id, they would not get the whole payment card number, and the transaction code would be unique to that transaction with that merchant id for that value and would be useless for any other transaction.
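The two paragraphs above describe the mechanism in words. The following is an added example, not code from the original post and not the real scheme used by any bank: a simplified model of the card holder's reader and the card issuer's verifier, written to show why a code bound to a merchant id, an amount and a transaction counter verifies once for that transaction and fails for any other merchant, any other amount, or a replay. The use of HMAC-SHA256, the 8-digit code length, the PIN-hash check, the counter window and the names `CardDevice`, `Issuer` and `MERCH-0001` are all assumptions made for the illustration.

```python
"""Model of a transaction-bound authentication code (added illustration).

Not the real EMV/CAP protocol: a simplified device and issuer-side verifier
showing that a code generated for one merchant and amount is useless for any
other transaction. Key derivation, code length and field names are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 8  # assumption: the card holder reads out an 8-digit code


def derive_code(card_key: bytes, merchant_id: str, amount_pence: int, counter: int) -> str:
    """HMAC-SHA256 over the transaction fields, truncated to decimal digits (assumed construction)."""
    msg = f"{merchant_id}|{amount_pence}|{counter}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP: 4 bytes taken at a digest-derived offset.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


@dataclass
class CardDevice:
    """The card holder's reader: holds the card's secret key and a transaction counter."""
    card_key: bytes
    pin_hash: bytes          # assumption: the card stores a hash of the PIN for local checking
    counter: int = 0

    def authenticate(self, merchant_id: str, amount_pence: int, pin: str) -> Optional[str]:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            return None      # wrong PIN: no code is produced and the counter does not move
        self.counter += 1    # every code is bound to a fresh counter value
        return derive_code(self.card_key, merchant_id, amount_pence, self.counter)


@dataclass
class Issuer:
    """The issuer's verifier: shares the card key and remembers the last accepted counter."""
    card_key: bytes
    last_counter: int = 0
    window: int = 5          # tolerate a few codes that were generated but never submitted

    def verify(self, merchant_id: str, amount_pence: int, code: str) -> bool:
        # The merchant submits the merchant id and amount it actually charged; the issuer
        # recomputes the code for those values, so a mismatch in either field fails.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            expected = derive_code(self.card_key, merchant_id, amount_pence, c)
            if hmac.compare_digest(expected, code):
                self.last_counter = c   # consuming the counter value blocks replay of this code
                return True
        return False


def demo() -> dict:
    """Run one genuine transaction and the misuse cases the post describes (constructed data)."""
    key = hashlib.sha256(b"constructed demo card key").digest()
    device = CardDevice(key, hashlib.sha256(b"1234").digest())
    issuer = Issuer(key)
    code = device.authenticate("MERCH-0001", 5000, "1234")   # £50.00 to merchant MERCH-0001
    return {
        "wrong_pin": device.authenticate("MERCH-0001", 5000, "0000"),
        "genuine": issuer.verify("MERCH-0001", 5000, code),
        "replay": issuer.verify("MERCH-0001", 5000, code),
        "other_merchant": issuer.verify("MERCH-0002", 5000, code),
        "other_amount": issuer.verify("MERCH-0001", 50000, code),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

The design point is that the merchant never sees anything that lets it (or an attacker who has compromised it) charge a different amount or charge again: the issuer recomputes the code from the merchant id and amount the merchant itself submits, and each counter value is accepted once. What this model leaves out, and a real deployment must handle, is resynchronising the counter when the card holder generates many unused codes and distributing the card keys securely to the issuer.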
It will require the Payment Card Providers to invest in technology and education for their card holders, a significant investment, but it will eliminate the vast majority of fraud. The fact that PCI stands for Payment Card Industry speaks volumes; this body isn't going to turn around to their paymasters and tell them to clean up their act and implement proper security, is it? Payment Card Fraud is a blight on society; surely it is the role of Government to see that society is properly protected? As we have all seen in recent years we should not assume that the banks can be relied on to act responsibly; we need to put pressure on government to bring the banks to account and if necessary take action to stop the banks polluting society with fraud.
I've started a petition on the number 10 website: http://petitions.number10.gov.uk/Identity-Theft/
I have tried talking to the banks and payment card companies and as soon as you bring this up they become evasive and stop answering correspondence.
If you have any thoughts on this subject it would be great to read them.