
Obviously security will always come at a convenience cost, and if by "my bottom line" you mean "not losing money to fraud" then yes, duh.



They might actually. As for the security: I only meant online payments (should have clarified).

Actually that's subjective. If the overall fraud is lower then (potentially, I'm sure this doesn't actually happen) fees, charges, interest rates etc could be lower for all users, therefore they would benefit from security that lowered the overall cost of fraud and the overall number of incidences of fraud, even if individuals that directly experience fraud are worse off.

Yes, in theory it should be more secure, but they aren't passing that benefit onto the customer in the form of a lower fee or anything, so it's pointless to me.

I wasn't commenting on the security, just on the "blurts the magstripe information" comment. Apologies if you meant that metaphorically.

As for the rest of your comment, I don't think you're doing any risk modeling.

I have $0 fraud liability on all my cards. When fraud occurs, it takes a couple minutes to dispute a transaction. Even when it was a debit card, my credit union immediately gave me a provisional credit for the disputed amount while they investigated. The total cost to me for fraud is no more than a few minutes of my time. I have little reason to care about security.

Banks care about profit. What makes you think they haven't considered tighter security measures, and found that the cost of implementing them (including the inconvenience to consumers and resulting lost revenue) outweighs the savings from reduced fraud?


Perhaps, but it's important to actually run that calculation. After all, shutting down web payments entirely would totally eliminate fraud—but also cripple your business in the process.

Personally, I will never use a 3D Secure system these days. If you require it, I'll simply skip purchasing.


I'd rather have peace of mind so that I don't have to check my statements every week to make sure that I don't have fraud.

> that’s the peace of mind benefit I see: those businesses can slack on security without me getting stuck with a potentially massive bill.

That's a false dichotomy, though: Regulators can mandate merchants and issuers to make fraud less likely without allowing the liability for any remaining fraud to be pushed onto cardholders.


In general that's true, but in this particular case I'm not sure it follows. This is a very infrequent occurrence, which is why it made the news. From a societal perspective, further investment in security here is probably a net drag since all those security measures will also apply to every valid sale and there are vastly more of those. The pot of money that pays out to victims of fraud doesn't make those people whole, but it's enough to solve the problem well enough that it's probably reasonably close to a global minimum in terms of total cost across everyone in society. For those that are concerned about the personal risk, being able to do your own monitoring is a nice enhancement.

The point is that for the whole system it's beneficial to move to a more secure system with less fraud. For the individual user of course less so.

Fewer customers but a lot less fraud could very well be the more profitable and safe option.

Security from credit cards isn't really any better, it's just that they established very strong fraud detection mechanisms and have accepted eating the losses from credit card theft as a cost of doing business. When I lose my credit card and someone starts using it to make purchases, so long as I notify my issuer promptly, they absolve me of being responsible for the fraudulent transactions.

So long as this new system accepts that this is a cost of doing business and implements a customer service policy where the risk is spread among all retail participants, this would be competitive with the status quo.

These merchants aren't going to get out of paying fees, but they should be able to reduce those fees to the cost of providing a competitive service to the credit cards. The benefit is that they won't have to also pay higher fees than necessary to get the benefit of the system.

If they provide this basic safety feature, then upgrading security will be a given since it will reduce a major cost on their balance sheet, which is dealing with fraudulent transactions.


As long as you are still protected 100% against fraud, that sounds like a good idea...

I'm not disagreeing at all.

But when the security theatre results in a change of liability that merchants are unwilling to accept, then you are in a position where, to get adoption, you have to prevent that shift in liability.


Of course, any increase in conversion also needs to balance the increase in declines you'll see by not providing a security code.

Which is why it says in the article that these countermeasures almost always come at a cost to customers as well. It is a trade off.

In some instances it is worth it to make the experience marginally worse for customers because the savings by preventing a percentage of fraud are so large.


cost-benefit.

if you can get to the same amount of tampering risk for cheaper, you should switch to that process.

we already spend billions on fraud detection, prevention, etc each year. and probably a significant portion goes undetected too.


Decent fraud protection alone is worth so much. I honestly think you are a bit spoiled by modern payment processors. Their tax is hard earned.

The whole point is that the system will be stable and secure if the cost to defraud X amount of money is higher than X. Otherwise there will always be a way to scam people - just waiting to be discovered.

Especially when the card providers move the risk, and therefore part of the cost of the transaction, onto the bank. It's up to the bank to make 3D Secure, secure by authenticating the user in its own way.