Counterfeiting isn’t as glamorous as it used to be.
In the book The Art of Making Money, master counterfeiter Art Williams spends months matching wits with a $100 bill, analyzing and methodically defeating its anti-counterfeiting measures.
Counterfeiters like Williams are a dying breed. Counterfeiting currency has become a sucker’s game.
It’s hard to do, and the penalties are severe. No, the real money these days is in credit card fraud.
Our image of credit card fraud, however, is at odds with the facts.
Nurtured by residual fears from the early days of e-commerce, and stoked by high-profile online security breaches, we imagine crooks stealing a bunch of credit card numbers from an online database and going on an Internet shopping spree.
(Maybe there’s a bit of wishful thinking thrown in there, too.)
That happens, but it’s not the most common kind of fraud.
In the last year’s Target breach, for example, thieves stole credit card numbers from the card-reading terminals, not an online database.
And once you have stolen card numbers, sure, you can use it online, but now you’ve left a trail, complete with mailing address.
“I don’t think people always realize exactly how fraud goes down,” says Matthew Goldman, founder of card services startup Walla.by. “Not only are card numbers stolen online and used online, but sometimes they’re stolen online and used in the real world.”
In other words, thieves operate like a digital-age Art Williams: buy a card-encoding machine, run off a bunch of fake cards with real numbers, and go shopping.
“Actually reading and re-encoding mag-stripes of cards is not hard to do today with the right piece of equipment, which isn’t even that expensive,” says Goldman.
We have the technology to prevent this kind of fraud. It’s already ubiquitous in Western Europe. It’s coming to the US next year.
And you might want to get it on your card now. It’s called EMV.
Easy, mobile, valuable
EMV stands for “Europay, Mastercard, and Visa.” It’s better known by the names “chip and PIN” and “chip and signature.”
EMV cards have a visible microchip logo on the surface of the card.
They’re not the same as contactless cards, which have a chip embedded invisibly in the card and don’t necessarily offer the same security features as EMV.
EMV foils thieves in four main ways.
1. The chips are hard to counterfeit.
Magnetic stripes are ancient technology, dating back to the 70s. You can’t buy a cheap machine to make EMV cards.
2. In the Target breach, thieves stole the card numbers while they were briefly stored in unencrypted form in the point-of-sale terminals.
With EMV, card numbers are always encrypted.
You can still steal a card number the old-fashioned way, by reading the printed number off the card, but that’s small-time larceny.
3. “Offline” transactions are safer with EMV.
An offline transaction occurs when your card isn’t verified with the card network in real time.
Anyone remember those clunky machines that make a carbon-paper print of your card number? That’s an offline transaction.
With the advent of cell-phone-based card readers and other wireless terminals, offline transactions are becoming more rare, but they still come up.
4. Many EMV cards, especially in Europe, require a PIN to process a transaction.
A PIN is inherently safer than a signature, for reasons that should be obvious.
When was the last time anyone even looked at your signature when you signed a credit card receipt?
Note that all of these security measures are designed to prevent in-person fraud, or what the card networks call “card present” fraud.
The vast majority of credit and debit card transactions are still made in person, not online, and the industry is focused on reducing this kind of fraud.
Should I go EMV?
Most of the largest US credit card issuers are now offering EMV cards.
So you should definitely get one today and avoid being swept up in the next credit card breach, right?
Not so fast. The cards offered in the US are generally oriented toward international travel. They won’t protect you here.
That’s because it takes two to EMV.
To complete a secure EMV transaction, you need to present an EMV card, the merchant needs to have an EMV terminal, and they need to actually use the EMV reading feature on the terminal.
That’s essentially not happening yet in the US.
In other parts of the world, especially Western Europe, it’s happening, and merchants will scoff at your card if it doesn’t have a chip.
Merchants are also rapidly adopting EMV terminals in Asia, Canada, and Latin America.
So if you’re heading to one of those places, by all means, get chipped.
“If you’re going to travel, it just makes your life so much easier overseas to have the right kind of card,” says Goldman.
You can find an up-to-date list of EMV cards available in the US from the Smart Card Alliance, an association of card issuers.
If you’re staying on American soil, an EMV chip won’t protect you from fraud because most merchants don’t have EMV terminals.
That’s going to change next year because of an upcoming deadline called, ominously, the “liability shift.”
Let’s say you’re a criminal bearing a stolen card.
If you waltz into Walgreen’s (or amble into Applebee’s, or…I could go on) and make off with a bunch of loot, the store isn’t on the hook for the fraud; the bank that issued the credit card is.
As of October 1, 2015, that will change. If you present an EMV card and the merchant swipes the magnetic stripe instead, the store will be liable if the charge is fraudulent.
So expect to see a lot of upgraded point-of-sale equipment and a lot of new cards issued next year.
Meanwhile, if you’re reading this column and you’re a crook, it’s time to up your game.