There are different types of security mechanisms.
- Something Known: a password is the classic example.
- Something Possessed: a house key is the classic example.
- Something About You: using your thumbprint to unlock your smartphone is fairly common; retina scans are not yet commonplace.
When credit cards first came into existence, they were secured with something possessed. Basically, if you had the card in hand, you could make a purchase. You signed the back of the card and signed the charge receipt. The store clerk could check that the signatures matched, so possessing the card was backed by something about you, your signature. The store clerks didn't really scrutinize the signature that thoroughly, so in practice it was a something-possessed type of security.
Then along comes the internet. Suddenly we don't have the signature. We don't even have the card. All someone needs is the credit card number. This resulted in a fair amount of fraud. So the industry added the 3-digit validation code on the back of the card. I am not sure how this makes any difference. It seems like anyone who hacks a bank's credit card database would also get this 3-digit code too; however, it might be better than nothing. Even though all internet transactions seem to ask for this every time, maybe this number is only required at time of purchase and is not stored with the request for payment data, which would make it like something possessed. Hackers can't get this 3-digit number by hacking a merchant's database.
This Saturday I helped set up for an Alameda Boys and Girls charity event. My wife, Sheryl, was part of the decorating committee. The committee was short on sand to fill some centerpieces, so I was dispatched to Home Depot to buy some play sand. I purchased the sand with my credit card. I had to insert the credit card into the register instead of swiping it, because my credit card has a chip in it. The chip generates a unique code each time the card is used. This changes the process from something known, the credit card number, to something possessed, the chip in the card. Home Depot then stores the unique code instead of my credit card number to request payment for my purchase. This way, if Home Depot is hacked, the thieves don't get my credit card number. The transaction went through with no problem.
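To make the chip idea concrete, here is an added toy model (not code from this post, and not the real EMV cryptogram format, which uses different keys and message fields). A hypothetical card chip and issuer share a secret key; the chip produces a per-transaction code bound to a counter, the amount and the merchant, and the issuer verifies it and refuses any counter it has already seen. The merchant keeps only the code, so a stolen merchant record cannot be replayed, and a stolen card number alone cannot produce a valid code. The key and merchant identifier are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample key: shared only between the card chip and the issuer.
CARD_KEY = b"constructed-demo-card-key-not-a-real-key"


def _auth_message(atc, amount_cents, merchant_id):
    """Canonical bytes the code is computed over: counter, amount, merchant."""
    return f"{atc}|{amount_cents}|{merchant_id}".encode()


class Chip:
    """Toy card chip: holds the secret key and a monotonically increasing counter (ATC)."""

    def __init__(self, key):
        self._key = key
        self.atc = 0

    def authorize(self, amount_cents, merchant_id):
        # Each use bumps the counter, so the resulting code is unique per transaction.
        self.atc += 1
        code = hmac.new(self._key, _auth_message(self.atc, amount_cents, merchant_id),
                        hashlib.sha256).hexdigest()
        # This record is all the merchant stores and forwards; it contains no card number.
        return {"atc": self.atc, "amount_cents": amount_cents,
                "merchant_id": merchant_id, "code": code}


class Issuer:
    """Toy issuer: recomputes the code with its copy of the key and rejects replays."""

    def __init__(self, key):
        self._key = key
        self.last_atc = 0

    def verify(self, record):
        expected = hmac.new(self._key,
                            _auth_message(record["atc"], record["amount_cents"],
                                          record["merchant_id"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so a forged code cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, record["code"]):
            return False
        # A counter at or below the last accepted one is a replay of an old record.
        if record["atc"] <= self.last_atc:
            return False
        self.last_atc = record["atc"]
        return True


def run_scenario():
    """Genuine purchase, then two things a thief with the merchant's database might try."""
    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    merchant = "MERCHANT-0001"  # constructed sample identifier

    genuine = chip.authorize(1299, merchant)          # the play-sand purchase
    approved = issuer.verify(genuine)

    replayed = issuer.verify(dict(genuine))            # same stored record, sent again
    tampered = dict(genuine, amount_cents=99999)       # stored code, different amount
    altered = issuer.verify(tampered)

    # A fresh authorization from the real chip still works after the failed attempts.
    second = issuer.verify(chip.authorize(500, merchant))

    return {"genuine_approved": approved, "replay_approved": replayed,
            "tampered_approved": altered, "second_genuine_approved": second}


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the scenario is that what the merchant holds is worthless on its own: without the chip's key, a thief can neither mint a new code nor reuse an old one.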
After returning to the event and continuing to help out, I got this email from my bank:
No, I did not try to buy any bullets. I don't even own a gun. So I clicked on NO, which deactivated my card. Though I carefully considered whether the email itself was fraudulent, I was OK with this since I did not have to enter any of my information. For example, I did not type in my credit card info. I then called the 800 number on the back of my credit card and verified that this email was legitimate. The agent and I verified that the Home Depot charge was mine but the attempt to buy bullets was not. So my credit card really was deactivated.
Here's the problem. I had preregistered for the charity event using a smartphone application called GiveSmart. This allowed me to bid on items in the event's silent auction. In fact, I was the leading bidder on 11 items. Now the credit card associated with my charitable attempts had been deactivated. Yikes! I was able to contact GiveSmart who helped me switch my account to another credit card. Thank goodness I had a backup card. I almost canceled it because "Who needs two cards?" Problem solved.
But this raises the question: how can we make all transactions that use a credit card on the internet use something-possessed security instead of something known? I guess one way would be to leverage smartphone technology. What if each time we made a purchase on the internet, a text message was sent to our phone that we had to reply to? This would mean you would need the credit card number, something known, and your phone, something possessed. This way, even if credit card thieves got your credit card number, it would do them no good unless they also stole and unlocked your phone. Would this be too much of a hassle?
My story has a happy ending, but I wish I could have avoided the whole thing in the first place.
Security is alive in the lab.