Jack Wallen thinks banks and credit card companies need to start considering radical ideas to increase their security. In fact, he goes so far as to share such an idea.
How many times have you had your bank account information or credit card number stolen, only to see your accounts drained? When that happens (after the panic finally subsides), you have to not only work with the bank to get your funds back, but jump through all of the hoops when subscribed services start sending you alerts that your payment didn’t go through.
It’s not just the possible loss of money, it’s an inconvenience.
It can happen to anyone–me, my friends, my relatives, you, your friends, your relatives. No one is safe from such loss.
Recently I held conversations with bank and credit card employees–all of which asked to remain anonymous, for fear of repercussions from employers–and had my eyes opened regarding how these entities work.
To sum it up, banks and credit card companies really don’t care to put too much effort into securing the accounts of customers.
The thing is, banks and credit card companies know they have a safety net to prevent them from crashing to the ground. That safety net is fraud insurance. When a customer of a bank has their account hacked or card number stolen, the institution is fairly confident that it will get its–I mean, the customer’s–money back.
But wait, the revelations go even deeper.
These same institutions also admit (not to the public) that hackers simply have more resources than they do. Banks and credit card companies understand it’s only a matter of time before a customer account is breached–these institutions deal with this daily. These companies also understand the futility of pouring too much investment into stopping hackers from doing their thing. After all, the second a bank invests millions into securing those accounts from ne’er-do-wells, the ne’er-do-wells will figure out how to get around the new security methods and protocols. From the bank’s point of view, that’s money wasted.
It’s that near-nihilistic point of view that causes customers no end of frustration, but it doesn’t have to be that way.
A possible solution
The other day, a friend and I were having a conversation about this very thing. From that conversation an idea sprang forth, one that I believe has merit. I brought up two-factor authentication (2FA), which my friend started using after I gave him the standard security lecture a couple of years ago.
When I mentioned how the only really good form of 2FA was one that required the use of an authentication tool, like Authy or the Google Authenticator, and that SMS 2FA was not really a good means of securing an account, a thought popped into my head.
Think about this: With 2FA-enabled accounts, you must have a random six-digit PIN in order to authenticate your account. It works well and adds yet another security layer to your account.
That was kind of the idea behind the CVV code with credit cards, only that number isn’t random. In fact, the CVV number is permanent, and in many cases you read that code off to vendors. For instance, say you call a restaurant and order food. You want to pay over the phone and you have to give the following information:
Card expiration date
Guess what? The person you just gave that information to now has every piece of information they need to use your card.
Now, imagine that CVV code was replaced by 2FA. You would be required to use the app associated with the card’s lending institution or your bank, which would include a 2FA tool to generate a random CVV code for the card. The CVV code would be valid for two to five minutes–long enough for the transaction to complete. As soon as the purchase is done, the code is no longer valid.
That’s the simpler version of my solution.
Let’s make it even more challenging.
One of the biggest issues modern consumers face is having a credit card number stolen. Once that happens, you have to get a new card and start anew, all while waiting for the next instance of theft.
However, imagine that number associated with your account was also random. Every time you go to make a purchase, you’d insert the card into the retailer’s reader. That card would communicate with your bank, via the card’s chip, and a random number would be assigned for that transaction.
Now, say you’re making a purchase online or over the phone. For that, you’d be required to use the banking app associated with the card. That banking app would then assign you a random string of characters (because we’d have to use both numbers and alpha-numerics, to keep from running out of random numbers) to be used for the transaction. Once that random number was used, it was no longer valid. Effectively, there would be no hard-coded number assigned to your credit card or bank card.
Of course, this method causes problems. For instance, what do you do about subscription services, such as Netflix? For that, the infrastructure would have to be created such that subscription services would use that one-time random number to connect the service to the customer’s account. After that, the token saved on the account would be used to generate a random number for the monthly payment. That token would be associated with that service, and only valid for its use.
I realize this kind of solution would require a massive change in the infrastructure banks and credit card companies currently use, but given how rampant theft is in these industries, I would think such sweeping change is warranted. Even if my ideas aren’t feasible for these institutions, hopefully they can at least get those businesses thinking in the right direction–protecting consumers.
It’s time banks and lenders stop leaning on fraud insurance as a means of security. With the developer and security talent found in those industries, there’s absolutely no reason why they couldn’t roll out a game-changing infrastructure that would finally give consumers a much needed break from always having to worry that their accounts will be hacked and their hard-earned money stolen.