[TriLUG] OT: lack of security at BofA

Ed Blackman ed at edgewood.to
Tue Dec 23 14:13:09 EST 2014


On Mon, Dec 22, 2014 at 06:46:55AM -0800, Joseph Mack NA3T wrote:
>Yesterday I wondered how banks could make money with the costs of 
>fraud (which I estimated were 1% of the transactions).

A quick search on "credit card fraud statistics" turned up a really 
handy page: 
http://www.creditcards.com/credit-card-news/credit-card-industry-facts-personal-debt-statistics-1276.php
which references the 2013 Federal Reserve Payments Study:
https://www.frbservices.org/files/communications/pdf/research/2013_payments_study_summary.pdf

According to that study, the overall fraud rate for general purpose 
cards (including credit and debit, including card-present and 
card-not-present transactions) is $8.27 for every $10,000 in 
transactions, or 0.0827%.  See table 3.3.3 on page 43.

>Now I see that fraud doesn't cost them anything. They push the costs on 
>to the vendors.

http://www.economist.com/news/finance-and-economics/21596547-why-america-has-such-high-rate-payment-card-fraud-skimming-top

In 2012, losses to card issuers were $3.4 billion and merchants another 
$1.9 billion.  So it looks like card issuers take about 2/3rds of the 
total losses.

>Just wait till chip and pin is introduced and the costs will be pushed 
>onto the customers.

http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf 
(linked from http://en.wikipedia.org/wiki/EMV#United_States as an 
example) says:

  With this type of liability shift, the party that is the cause of a 
  chip-on-chip transaction not occurring (i.e., either the issuer or the 
  merchant's acquirer) will be financially liable for any resulting 
  card-present counterfeit fraud losses. When a transaction occurs using 
  chip technology, any liability for counterfeit fraud, though unlikely,
  would follow current Visa Operating Regulations.

So if your bank issues you a card with a chip and the backup mag stripe, 
but someone steals the number onto a clone card with just the mag stripe 
and takes it to a merchant that doesn't have a chip reader, the 
merchant's acquirer (credit card processor) will bear the liability, 
meaning that the merchant will pay.  If, on the other hand, your bank 
DOESN'T give you a card with a chip, and someone clones your card and 
takes it to a merchant that DOES have a chip reader, the bank will bear 
the liability.  If both have chip capability (and presumably if neither 
do), the current liability rules stay in effect.

Notice that the customer doesn't bear the liability in any scenario.  
The point of the liability shift is to encourage banks and merchants to 
install chip capability, because it greatly reduces card-present fraud.  
Aside from the legal limits to customer liability that someone else 
mentioned, customers don't have much influence on whether their banks or 
stores switch to chip technology.

-- 
Ed Blackman

