December 09, 2002

Honestly, why do I bother?

I am working hard on entering the Guinness Book of Records for the largest number of credit card cloning incidents in a year. So, pretty trip to the US and one of four locations (Hotel in Cupertino, Fry's, Thai restaurant on De Anza, fishy place on El Camino) politely makes an illegal copy of my card. On Saturday they decide to make a small purchase in the neighbourhood for $2000 which fortunately hits the card limit (i.e. they don't get to continue).

Small detail: I am not only physically back in Europe but, according to timestamps, have made an authorised (i.e. VISA was called for authorisation) transaction about 50 minutes before the small purchase in the US. Interestingly both swipes (US and EU) are recorded with "card holder present" and required telephone authorisation.

Quick step back: last time they cloned my VISA the exact same thing happened but the other chap was comfortably in a hotel in Spain's Costa del Sol. I was paid back and credit restored but of course in the meantime I had a small debate on the fact that surely they could correlate purchases on my VISA card and notice the fact that I must have broken a number of laws of physics for the double purchase feat. No such luck, I was told that this was "impossible" to do.

So, almost one year on, I really refuse to digest this. I have a UK credit card, the purchase took place in California: this isn't exactly a case of a Yemeni credit card used in Paraguay, is it? Apparently it is: there is no connection between systems in the USA and UK. The card was authorised but not really in "real time" on my account. The transactions had not been processed so there was a pretty "grey haven" in which to work. Eventually the transactions trickle down to the UK from the USA and they do the reconciliation.

But wait a minute: if they are reconciled on the account does an alarm ring since now finally all the data is in the same place? No, it doesn't. Splendid. They just wait for you to query the bill and give them a piece of your mind.

You see, I am prepared to digest the "can't be done, problem intractable" for real-time transactions. Why am I so strangely reasonable? Well, if they added 30 seconds per transaction people would complain, so either the verification takes place within about 10 seconds or that's just too long. But conversely I am not prepared to digest even remotely the lack of post-mortem batch analysis which could be done once the data is at my bank. There they have both the time and computing power to check that the data is "reasonable".

It is a basic validation problem: order the transactions temporally, normalise timestamps to UTC, add a "distance metric" to cardholder present transactions and then compare. If the distance metric is greater than the time difference between the transactions you raise a Schrödinger exception and someone or something checks it. At the very least your statement is flagged as "suspicious".

Note that I have been extremely careful in qualifying the transaction as "cardholder present". I am not that stupid, I know about mail order and Internet transactions. But those do not carry the flag "cardholder present" in the transaction record.
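The batch check described above, written out as an added example (not code from the original post): sort the transactions by UTC time, keep only the ones flagged "cardholder present", and for each consecutive pair compare the great-circle distance between the two terminals against the time that elapsed. The transaction records, the terminal coordinates and the maximum plausible travel speed (`MAX_SPEED_KMH`, roughly an airliner) are all assumptions constructed for the example; in practice the merchant location would have to be geocoded from the acquirer's record. The sample data reproduces the post's scenario: a London purchase followed 50 minutes later by a Cupertino swipe, plus an Internet order that is correctly ignored because it carries no "cardholder present" flag.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Assumption (not from the post): the fastest a cardholder could plausibly
# move between two terminals, roughly a scheduled airliner in km/h.
MAX_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    local_time: datetime      # wall-clock time as stamped by the terminal
    utc_offset_hours: float   # the terminal's offset from UTC
    lat: float                # terminal location (assumed to be geocoded)
    lon: float
    cardholder_present: bool  # the "cardholder present" flag from the record

    def utc_time(self) -> datetime:
        """Normalise the terminal's local timestamp to UTC."""
        tz = timezone(timedelta(hours=self.utc_offset_hours))
        return self.local_time.replace(tzinfo=tz).astimezone(timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in km (the distance metric)."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(transactions, max_speed_kmh=MAX_SPEED_KMH):
    """Return (earlier_id, later_id, distance_km, elapsed_hours) for every
    consecutive pair of cardholder-present transactions that would have
    required travelling faster than max_speed_kmh."""
    present = sorted(
        (t for t in transactions if t.cardholder_present),
        key=Transaction.utc_time,
    )
    flagged = []
    for a, b in zip(present, present[1:]):
        dist_km = haversine_km(a.lat, a.lon, b.lat, b.lon)
        elapsed_h = (b.utc_time() - a.utc_time()).total_seconds() / 3600.0
        # Minimum time the cardholder would have needed to cover the distance.
        needed_h = dist_km / max_speed_kmh
        if needed_h > elapsed_h:
            flagged.append((a.tx_id, b.tx_id, round(dist_km), round(elapsed_h, 2)))
    return flagged


def sample_transactions():
    """Constructed sample data mirroring the post's scenario."""
    london = (51.5074, -0.1278)
    cupertino = (37.3230, -122.0322)
    return [
        # Genuine purchase in London the day before.
        Transaction("eu-000", datetime(2002, 12, 6, 12, 0), 0.0, *london, True),
        # Genuine purchase in London, 18:10 UTC.
        Transaction("eu-001", datetime(2002, 12, 7, 18, 10), 0.0, *london, True),
        # Cloned card swiped in Cupertino 50 minutes later (11:00 local, UTC-8).
        Transaction("us-002", datetime(2002, 12, 7, 11, 0), -8.0, *cupertino, True),
        # Internet order: no "cardholder present" flag, so it must be ignored.
        Transaction("net-003", datetime(2002, 12, 7, 18, 30), 0.0, *cupertino, False),
    ]


if __name__ == "__main__":
    for earlier, later, km, hours in impossible_travel(sample_transactions()):
        print(f"SUSPICIOUS: {earlier} -> {later}: {km} km in {hours} h")
```

Only the London-to-Cupertino pair is reported: some 8,600 km in 0.83 hours. The check deliberately compares adjacent cardholder-present transactions only, which is enough to catch the double-swipe case in the post; a tighter per-country speed or a lower threshold for card-and-PIN terminals would be a tuning choice on top of the same loop.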

Now I'll go back in my corner and sulk over the pointlessness of it all. All you need to think about is that if fraud is under 5% of all transactions VISA won't do anything about it as it would cost them more than just pay up. On top you add the lack of consumer pressure: want to give up your VISA? Try MasterCard? Oh, they are run by the exact same bunch of companies, surprise! I guess American Express is the last remaining one but can they really be any better?

Posted by arrigo at December 9, 2002 03:38 PM