
Visa's Maginot Line: Chip Cards and the Equifax Breach

posted by Adam Levitin

The media attention on the Equifax breach has been primarily on consumer harm.  There's real consumer harm, but it's generally not direct pecuniary harm.  Instead, the direct pecuniary harm from the breach will be borne by banks and merchants, and it's going to expose the move to Chip (EMV) cards in the United States without an accompanying move to PIN (as in Chip-and-PIN) as an incredibly costly blunder by US banks.  Basically, Visa, Mastercard, and Amex have built the commercial equivalent of the Maginot Line: a great line of defense against a frontal assault, and totally worthless against a flanking assault, which is what the Equifax breach will produce.  

Consumer Harm

Let's start with consumer harm before getting to the Chip issue.  The consumer harm here is real, but it's complicated.  Assuming that the hackers use/sell the stolen information, I would expect them to do one of two things (these aren't the only possibilities, but they're probably the easiest). First, they can open new accounts by pretending to be a different consumer. I would expect these to be primarily credit card accounts, as it's possible to apply remotely, and no bank account is needed to pull off the fraud.  Many card issuers verify consumer ID on applications primarily using credit report data, and that data source is now utterly compromised. 

It's possible that fraudsters will borrow money on other types of loans, but they will generally need to have bank accounts into which the disbursed funds can be deposited and/or appear in person, and that will just make the fraud more difficult. Getting a real credit card issued based on someone else's credit is by far the easiest way to monetize the data.  The second thing hackers can do is file fake tax returns and get tax refunds that aren't owed to them.  In other words, the hacking is only the first step in a two-step crime.  First the data is stolen, then it is monetized through fraudulent transactions.  

Notice who gets defrauded in both situations.  It's not the consumer.  The consumer is not liable for an account s/he didn't open, and has no liability to return a fraudulently induced tax refund. Yes, both situations can create a lot of hassle for the consumer, as the card issuer or the government might believe that the transactions were legitimate and that the consumer is on the hook. And the fake credit card account will affect the consumer's credit score and thus the consumer's future cost of credit, cost of insurance, and possible employment opportunities. There's plenty of consumer harm here (and this isn't to mention emotional suffering and anxiety). But there are unlikely to be direct pecuniary losses to consumers. Pecuniary losses for consumers will be in the form of having to pay for credit freezes (and unfreezes), for credit monitoring, etc. But these are expenses that the consumer chooses rather than ones forced upon the consumer, even if most sensible consumers would incur at least some of these expenses (namely credit freezes).    

Allocation of Fraud Losses:  the Chip Card Maginot Line

So who bears the pecuniary costs of the fraud enabled by the hacking?  With the fake tax returns, it's the government, be it the US Treasury or state and local tax authorities.  With the credit cards, however, it's more complicated.  Federal law provides that consumers are not liable for unauthorized credit card transactions beyond $50. Card network policies (which are probably not specifically enforceable by consumers, but which would surely be UDAAP/UDAP violations if not honored) generally waive all consumer liability.  So this means consumers aren't on the hook.  Instead, losses fall on card issuers and merchants, with card network (Visa/MC/Amex) rules determining the allocation.  

Card network rules prescribe that for card-not-present transactions, such as all on-line transactions, the merchant generally absorbs fraud losses.  Since 2015, card network rules in the US have also prescribed that for card-present transactions, when a physical card is presented, the bank bears the loss unless the card is a Chip card.  If the card is a Chip card and the merchant does not use a Chip reader, then the loss shifts to the merchant.  But if the card is a Chip card and the merchant does use a Chip reader, the loss shifts back to the bank.  

Most cards being issued in the US are now Chip cards. The whole purpose of Chip technology is to make it difficult to physically counterfeit credit cards.  It's easy enough to make a fake magnetic stripe card.  But Chip cards include a microchip that is much more difficult to forge.  In this regard, Chip cards are like the Maginot line.  They are built to withstand a direct assault by a fraudster Wehrmacht.  But they have a huge vulnerability—they rely on the issuer only issuing the cards to the right consumers.  If a Chip card is issued in the name of a real consumer to a fraudster, the issuing bank is stark naked. The card is a real, legitimate card.  That's exactly what the fraudsters should be able to get with the Equifax data.  The use of such a fraudulently issued card may not even trigger any antifraud alerts, and if it does, it will be the fraudster who is contacted, not the consumer in whose name the card was issued.  So just as the Maginot line turned out to be rather useless because it wasn't extended all the way to the English Channel, allowing the Wehrmacht to flank it through the Ardennes, so too is Chip by itself vulnerable to this sort of "flanking" attack. (To be fair, there are some other vulnerabilities for Chip cards--if the Chip is disabled, for example, the card then falls back to magnetic stripe use at most merchant terminals, and that allows for old-fashioned counterfeiting fraud.) 

Now if we were in the pre-Chip world in the US, the situation would be the same:  the card issuer would be liable for card-present fraud. But now after a major investment by issuers and merchants in new security technology, we see the result being sort of like the huge expense of building the Maginot line. Yes, it prevented the Wehrmacht from rolling through Alsace.  But all it meant was that they had to side-step it through Luxembourg and Belgium.  

KYC/AML Issues

Where the direct pecuniary losses fall will depend on whether fraudsters use fake accounts for on-line transactions (probably safer for them, as they aren't going to have to appear in person) or for in-person, card-present transactions. For the card-present transactions, the issuers will be eating the fraud losses, but the merchants will absorb the card-not-present losses.  This seems quite unfair to merchants--they have no ability to prevent this sort of fraud loss, yet they will be the ones absorbing the costs for the card-not-present fraud, even though the card issuers are the least cost avoiders of the harm because they could better screen card applications. Given the number of consumers whose data was involved, the potential losses for both merchants and banks are staggering and potentially systemic. 

All of this leaves me wondering what bank regulators are advising about know-your-customer compliance for card issuers in the wake of this data breach. Can card issuers that rely on data from CRAs for consumer ID verification actually be said to have verified their customers now?  I can't see how, although I also don't see regulators doing anything about it because the alternative would seriously upset the card issuer business model. What we're likely to have, then, is a regulatory bailout of card issuers by virtue of inaction and nonenforcement of KYC rules. Let's just hope that there isn't a fraudulently issued card that ends up being used for terrorism finance.  This is something about which Congress should really press the prudential regulators:  how are they going to ensure that the banking system is protected against massive fraud and how are they going to ensure that the fraud isn't used for terrorism finance or other nefarious purposes?  

Comments

Well, you state "The consumer is not liable for an account s/he didn't open" which may be true but not necessarily the actual outcome. Look at the Wells Fargo fraud (committed by the bank, not external) where Wells Fargo employees opened up bogus consumer accounts using consumer information they had access to. The consumers are not supposed to be liable for an account the consumer did not open. But Wells Fargo had an arbitration requirement on those accounts. Incredibly, COURTS held that the consumers who did not open those accounts would nonetheless be forced into arbitration (e.g., see https://www.nytimes.com/2016/12/06/business/dealbook/wells-fargo-killing-sham-account-suits-by-using-arbitration.html?mcubz=3)

... and arbitration is not limited by the rules of evidence nor the rule of law.

Your statement that "the consumer is not liable for an account s/he didn't open" boggles my mind and shows a total disconnect from reality.

Our trial court dockets are stuffed to the gills with credit card issuers (and their assignees) suing consumers on defaulted credit cards. As has been well documented, most of those consumers don't have the means to defend suits. Or if they do show up, the creditor requests written pleadings, the consumer can't get it together to file written pleadings, and the creditor wins anyway. Once a suit is reduced to judgment, the creditor begins to garnish, and "it wasn't my card" becomes a completely irrelevant issue.

Not to mention the fact that where a pro se consumer DOES show up to say, "it's not my card," pro-creditor judges essentially (unlawfully) place the burden of proof on the consumer, and it's nearly an impossible burden to meet.

There is no doubt in my mind that most fraudulently opened cards will ultimately result in judgments against consumers, not just a delinquency on their credit reports.

IC_deLight is absolutely right about the problems with arbitration. My read of SCOTUS caselaw is that if the consumer's argument is that there was never an agreement of any sort (including an agreement to arbitrate), the question of whether there was an agreement is supposed to be decided by a court, not by an arbitrator. But SCOTUS has so muddied the waters on this, that I am not surprised if some cases are wrongfully shuffled to arbitration.

SYSM--you're picking a fight with me on a separate issue where there's no disagreement between us. There's a huge problem in the debt collection industry with collection of time-barred or simply fraudulent debts. As a formal legal matter, the consumer doesn't have any liability. That obviously changes when there's a default judgment (perhaps because of sewer service). But it's really hard to talk about that as a _legally_ cognizable consumer harm from a data breach because it would require treating lots of court judgments as illegitimate.

For credit card accounts opened by fraudsters, why is Chip-and-PIN any better than Chip-and-Signature (since the fraudster would be the one who receives or sets the PIN in the first place)?

David Sorkin--It ain't. As much as I think Chip is inferior to Chip-and-PIN, the addition of a PIN wouldn't help an iota in this situation. That's why this didn't turn into a pro-Chip-and-PIN rant. : )

I'm interested in the concept that "card issuers are the least cost avoiders of the harm because they could better screen card applications." That wasn't my experience when my existing debit card number was stolen and used with several online retailers (resulting in some liability, as opposed to the zero liability offered with most credit cards).

When that happened, I felt strongly that the retailers were the least cost avoiders in that situation. I had a number of angry calls with these online retailers (mostly online providers of pornography), who had opened accounts for John Smith in California, even though he used a card belonging to Jane Jackson across the country in Michigan (changing names to protect the innocent/never prosecuted). It seems like low-hanging fruit for retailers to check that the purchaser has some sort of connection to the individual named on the payment card used to make the purchase. Of course, this wouldn't be a problem for a criminal who uses my name to open up a new credit card account, but evidently not all criminals are that smart.

Credit card fraud and identity theft are a trade-off between convenience ("anonymously" opening an account online) and security (e.g. requiring accounts to be opened in person). So long as a criminal can open an account and spend thousands of dollars knowing only a person's name and a few numbers, identity theft and fraud will only increase.

In the past, accounts had to be opened in person. Mail order was a 1-2 month process while the check cleared, and we didn't hear identity theft horror stories. I'm sure identity theft happened, but I'm guessing not at today's level.

This is not to say we should return to past practices but we need to acknowledge the trade-off.
