Saturday, July 10, 2010
Is Dragonpay more secure than credit cards?
Many people do not realize that it is incredibly easy to steal credit card information. They have the misconception that if they avoid using their credit cards to make online purchases, they are safe from prying eyes and fingers and will not get their account used in fraudulent transactions. This is farthest from the truth. It doesn't matter whether or not you use your credit card online. Stealing credit card information can be done easily without even resorting to any high-tech gadgetry!
While credit card security is slowly moving towards the 3D Secure standard (ie. Verified by Visa, Mastercard Securecode), these types of transactions are just a drop in the bucket as far as the total online credit card transactions are concerned. Locally, I think only HSBC, and maybe Citibank, have the capability to offer 3D secure on their cards -- and a huge majority of their cardholders are not even aware of this and therefore have not enabled the feature. Even the large card issuers like BDO and Metrobank do not offer this as far as I know.
So what is the main "security" feature of credit cards -- the Card Verification Code (CVC, or sometimes known as CVV)! This is a 3-digit (for Visa/MC) or 4-digit (for Amex) code printed at the back of the card (usually on the signature strip). Its a static code that remains for the duration of the life of your card. Its printed in plain text for anyone to see. There are no attempts to hide it or obscure it from prying eyes.
Anybody from the gasoline station attendant, to the waiter at the restaurant, or the cashier at the clothing store, can easily copy your card details (card number, expiry and CVV) while you are happily waiting in your car or table. Then when that person gets home, he can easily type in your card at an online store and make a purchase charged to your card!
Of course, when you see your bill, you will most likely file a chargeback citing you never made that purchase. The bank will most likely rule in your favor since online transactions do not have signed charge slips that can be used by the merchant as proof of purchase. So the bank will charge the online store/merchant who may have already shipped the package to the fraudulent customer. The merchant is left with no choice but to absorb the loss.
In other counties, like the US, card companies use the Address Verfication Service (AVS). Using a centralized database of cardholder info, the bank can look at the billing addressed you entered and try to match it with the one registered to your card. Its a crude method and mainly relies only on the numeric info on your billing address (ex. street number, postal code) and does not really bother to parse the alpha details. Besides, getting billing address is also quite trivial with "dumpster diving" (ie. going through someone's trash can). In any case, Philippine-based cards, or Southeast Asia for that matter, do not support AVS.
In contrast, the above scenario is not likely to happen with online bank payments. For one, Internet banking systems usually require complicated user id and password combinations with case-sensitive letters and digits of at least 8-characters long. Some banks even have a policy of expiring the password every 90 days or so. Compare that to the simplistic 3-digit CVC that stays with your card for 2 years or more depending on the expiry date of your card and displayed in plain sight!
Some Internet banking facilities require a second password to perform a transaction. This password is different from the login password. Examples of banks that require this are Chinabank, RCBC and Unionbank. Other banks require a second factor authentication mechanism thats passes through other medium like email or mobile. Standard Chartered sends a one-time PIN via SMS to the accountholder's registered mobile phone when the user tries to perform a transaction like a funds transfer. UCPB gives its users the option to have the transaction PIN sent either by SMS or by email. Banks like HSBC use a physical device that looks like a small pager. It is synchronized with the bank's time servers and generates a unique code for every use.
Regardless of what method your bank uses to authenticate and verify your online identity, it is without a doubt lightyears more advanced than the 3-digit CVC security of your credit card!