
Your Free Lottery Ticket: Credit Card Truncation and Identity Theft

posted by Adam Levitin

You might be holding a litigation lottery ticket without knowing it. Take a look at your most recent credit card receipt. The receipt likely shows your credit card account number—but with everything except the last

Confused? The explanation lies in a strange little federal statute and tells us some very important things about the root causes of a key consumer credit problem--identity theft.

[Bear with me through some of the more mundane technical stuff--I promise there's an interesting payoff at the end...]   

In 2003, Congress enacted the federal credit card truncation statute, 15 U.S.C. § 1681c(g), as part of the Fair and Accurate Credit Transactions Act (FACTA). This law, which was intended to help prevent identity theft, forbids anyone who accepts credit or debit cards from printing more than the last 5 digits of the card number or expiration date on any electronically printed receipt given to the cardholder at point of sale. The law became effective for all new cash registers as of Jan. 1, 2005, and for those registers already in use, as of Dec. 4, 2006. There is a private right of action for violations. If the merchant was negligent, then the merchant is liable for actual damages and attorneys’ fees/costs. But if the violation was willful—and this is key—meaning knowing or intentional, not malicious—then the merchant is subject to statutory damages of a minimum of $100 per violation, plus punitive damages, and costs/attorneys’ fees. $100 doesn’t sound like a lot, but multiply that by every transaction made at that register since the truncation statute’s effective date and potential damages are huge.

Not surprisingly, a cottage industry has emerged in credit card truncation class action litigation (centered in NJ and CA). To date, every suit filed has survived a motion to dismiss. Merchants’ attempts to defend themselves through counterclaims of bad faith filings have been unsuccessful.

Many of the merchant defendants in these suits have been fast food or quick dining restaurants—Chuck-E-Cheese’s, Subway, In and Out Burger, El Pollo Loco. Fast food stores are newcomers to credit card acceptance. They weren’t accepting cards when the truncation statute was adopted, but began to take cards between adoption and the effective date. It seems that some of them purchased register software that wasn’t updated for card truncation. One would think that they could turn around and sue the register software providers, but often the register software providers offered to “upgrade” the software for free, on the condition of a release, the significance of which was not

So, what about that lottery ticket? Get to the point, Levitin… OK. If the numbers match, you’ve got two potential payout options.  One is to get yourself to a class action attorney. But that only gets you $100 and maybe punitives. The other option is to go talk to the merchant’s general counsel. Maybe you get a bit more than $100 for a release—you can capture part of the attorneys’ fees and potential punitive damages for yourself.

And what does this possibly tell us about the roots of identity theft?   Card truncation statutes say that 5 digits can be printed, but not 6 or a full 16. But is the problem really how many digits are printed on the receipt? Isn’t the problem that I can pretend to be you simply by getting 16 numbers which are embossed on plastic and listed on your monthly statement? I don’t even have to forge a physical card to commit the fraud; I can just do it on the Internet or over the phone.

Card truncation statutes are meant to protect consumers from identity theft. While 5 digits is better than 16, truncation just misses the point—physical card technology isn’t very secure. Is it any wonder my cousin Boris in Odessa (privyet Boris!) has gotten rich selling card numbers and making fake credit cards? We’re talking about 1970s technology—a piece of embossed plastic and a magnetic stripe. It’s a lot easier and cheaper to forge a credit card than it is to forge a $100 bill, and far more lucrative. One fake credit card leads to a credit limit that could be in the thousands of dollars.

All of this raises a much more serious question—why is credit card technology so dated? Why hasn’t the market encouraged innovation? Is something amiss in the card market such that proper incentives do not exist for card issuers to insist on better card technology? The card industry's joint PCI security standard requires merchants to keep card data much more securely, but the very medium of the card itself seems to be a large part of the problem and one that card issuers could fix fairly easily, either through two-stage encryption or through biometrics or PINs.

Perhaps, let me suggest, the problem is that card issuers bear very little of the cost of fraud. This is a complex subject for another post, but ultimately a lot of what is reported as “fraud losses” is recovered from other parties in the card system. And with low fraud costs, there is little incentive to change the system.  That is to say, card issuers might be the least cost avoider, but they do not bear the cost of the harm. It is important to emphasize that identity theft is primarily consumer credit fraud—what used to be called unauthorized account charges—and how to correct misaligned incentives should be a major part in our thinking about it.

Comments

Adam-- Here's my thought on the credit card truncation requirement: why does the number have to be shortened only on the copy of the receipt given to the cardholder? Why does the full number get printed on the other copy? If it's already been processed electronically, why does the merchant need a paper copy of my full card number?
When I heard about the new statute, I thought it would be useful to prevent the following identity theft scenario: I eat at a restaurant. I pay with a credit card, and sign the duplicate receipts. I put my copy in my purse and head for the door. The other copy of the receipt is left sitting on the restaurant table. Identity theft masquerading as patron walks by and takes the restaurant copy of my receipt and has my full credit card number. But the statute still permits this exact scenario, right? The truncated copy is the one given to the consumer; why does it matter? That's the copy that is always in my control; that I can shred or keep secure in my wallet, etc. It's the copy sitting around the restaurant or left on top of a store counter that I want truncated numbers on. What am I missing here?

I don't think you're missing anything. As I read the card truncation statute, it does nothing to protect you in the scenario you describe. It also doesn't cover handwritten or imprinted receipts. I don't know if the card networks' joint PCI standard helps patch the holes in credit card receipt security issues.

But focusing on receipt security misses the point. We shouldn't have a system whereby obtaining someone's full card number is sufficient to permit fraud. This should be easy enough to fix--why not require two-factor identification, at the very least? So why haven't we done it?

(On a related note, I'm now wondering whether someone could commit ACH fraud if they simply knew my name, my bank's routing number, and my DDA number, all information obtainable from one of my checks. If so, that's much, much scarier than identity theft. Any Frank Abagnales out there who know? It'd be great to hear from you.)

Re: ACH fraud

Friends from South Africa report that bank wire fraud is so bad that everyone maintains two bank accounts: one account with minimal balances used for electronic transactions and another to actually hold one's cash until one moves funds to the transaction account to cover activity.

There is a new type of credit and debit card fraud, thanks to the advent of the new contactless payment systems.

These cards, over 50 million of which were issued last year in the United States alone, are embedded with a miniature micro-processor and an antenna that broadcasts the account information of the card holder at 13.56 MHz. These contactless pay stations use a system that is not only inexpensive to duplicate on the home hobbyist's workbench, but quite inexpensive, as well. In fact, $20 and a trip to your local Radio Shack will give you all you need to become a thief of this sort.

They call themselves "Cloners."

The reason for the name is the process they use. They set their antenna, which fits easily into purse or pocket, to "ping" for cards that are RF (Radio Frequency) Enabled. The card responds by transmitting all necessary information to charge the account. This is, after all, what it was programmed for. The laptop or PDA gathers, or "Harvests" the data received. They do this in the most public of places, and it is absolutely undetectable when occurring.

From that point, the thief will then carry the information home or to another suitable location and begin the cloning process. Another wave of the antenna over a blank card, which can be purchased for two or three cents, and they have a form of payment that is electronically indistinguishable from the original.

Sadly, Organized Crime and Terrorist organizations such as the LTTE out of Sri Lanka are using credit card fraud like this to fund their destructive activities.

Does that scare you? It should, and it did us. To respond to this threat, Wisteria House Products of Phoenix Arizona has developed the Armadillo Dollar. It is a simple, low-cost device you slide into your wallet that blocks the transmission of these radio waves.

If you decide you want to put another layer of protection between you and the wireless thief with our product, use the code “TopDog” when ordering. That’ll take $5.00 off the regular $25.00 price, at least while we’re introducing it to the market.

It is, quite simply, the BEST RF-Shielding product of its kind in the world.

You have my word on it.

I am Ron Hatton.

We are www.ArmadilloDollar.com and proud to be All-Americans!

Are credit card issuers not responsible for all fraudulent transactions in the US? They certainly are in the UK, and that has driven quite aggressive anti-fraud measures.

Marcin--US law limits cardholders' liability to $50 for unauthorized transactions. Most issuers waive even that $50. The card networks then allocate the losses for unauthorized transactions between issuers and merchants. If no physical card was presented (e.g., internet or telephone transaction), then the merchant bears the entire risk. If a physical card is presented during the transaction, then the card issuer bears the liability...unless the merchant violated the PCI security standards, in which case the merchant is liable for the unauthorized transaction and for any other unauthorized transactions made on the card at other merchants.
