Visa's Maginot Line: Chip Cards and the Equifax Breach
The media attention on the Equifax breach has been primarily on consumer harm. There's real consumer harm, but it's generally not direct pecuniary harm. Instead, the direct pecuniary harm from the breach will be borne by banks and merchants, and it's going to expose the move to Chip (EMV) cards in the United States without an accompanying move to PIN (as in Chip-and-PIN) to be an incredibly costly blunder by US banks. Basically, Visa, Mastercard, and Amex have built the commercial equivalent of the Maginot Line. A great line of defense against a frontal assault, and totally worthless against a flanking assault, which is what the Equifax breach will produce.
Let's start with consumer harm before getting to the Chip issue. The consumer harm here is real, but it's complicated. Assuming that the hackers use/sell the stolen information, I would expect them to do one of two things (these aren't the only possibilities, but they're probably the easiest). First, they can open up new accounts by pretending to be a different consumer. I would expect this to be primarily credit card accounts, as it's possible to apply remotely, and no bank account is needed to pull off the fraud. Many card issuers verify consumer ID on applications primarily using credit report data, and that data source is now utterly compromised.
It's possible that fraudsters will borrow money on other types of loans, but they will generally need to have bank accounts into which the disbursed funds can be deposited and/or appear in person, and that will just make the fraud more difficult. Getting a real credit card issued based on someone else's credit is by far the easiest way to monetize the data. The second thing hackers can do is file fake tax returns and get tax refunds that aren't owed to them. In other words, the hacking is only the first step in a two-step crime. First the data is stolen, then it is monetized through fraudulent transactions.
Notice who gets defrauded in both situations. It's not the consumer. The consumer is not liable for an account s/he didn't open, and has no liability to return a fraudulently induced tax refund. Yes, both situations can create a lot of hassle for the consumer, as the card issuer or the government might believe that the transactions were legitimate and that the consumer is on the hook. And the fake credit card account will affect the consumer's credit score and thus the consumer's future cost of credit, cost of insurance, and possibly employment opportunities. There's plenty of consumer harm here (and this isn't to mention emotional suffering and anxiety). But there's unlikely to be direct pecuniary losses to consumers. Pecuniary losses for consumers will be in the form of having to pay for credit freezes (and unfreezes), for credit monitoring, etc. But these are expenses that the consumer chooses, not expenses forced upon the consumer, even if most sensible consumers would incur at least some of them (namely credit freezes).
Allocation of Fraud Losses: the Chip Card Maginot Line
So who bears the pecuniary costs of the fraud enabled by the hacking? With the fake tax returns, it's the government, be it the US Treasury or state and local tax authorities. With the credit cards, however, it's more complicated. Federal law provides that consumers are not liable for unauthorized credit card transactions beyond $50. Card network policies (which are probably not specifically enforceable by consumers, but which would surely be UDAAP/UDAP violations if not honored) generally waive all consumer liability. So this means consumers aren't on the hook. Instead, losses fall on card issuers and merchants, with card network (Visa/MC/Amex) rules determining the allocation.
Card network rules prescribe that for card-not-present transactions, such as all on-line transactions, the merchant generally absorbs fraud losses. Since 2015, card network rules in the US have also prescribed that for card-present transactions, when a physical card is presented, the bank bears the loss unless the card is a Chip card. If the card is a Chip card and the merchant does not use a Chip reader, then the loss shifts to the merchant. But if the card is a Chip card and the merchant does use a Chip reader, the loss shifts back to the bank.
Most cards being issued in the US are now Chip cards. The whole purpose of Chip technology is to make it difficult to physically counterfeit credit cards. It's easy enough to make a fake magnetic stripe card. But Chip cards include a microchip that is much more difficult to forge. In this regard, Chip cards are like the Maginot Line. They are built to withstand a direct assault by a fraudster Wehrmacht. But they have a huge vulnerability—they rely on the issuer only issuing the cards to the right consumers. If a Chip card is issued in the name of a real consumer to a fraudster, the issuing bank is stark naked. The card is a real, legitimate card. That's exactly what the fraudsters should be able to get with the Equifax data. The use of such a fraudulently issued card may not even trigger any antifraud alerts, and if it does, it will be the fraudster who is contacted, not the consumer in whose name the card was issued. So just as the Maginot Line turned out to be rather useless because it wasn't extended all the way to the English Channel, allowing the Wehrmacht to flank it through the Ardennes, so too is Chip by itself vulnerable to this sort of "flanking" attack. (To be fair, there are some other vulnerabilities for Chip cards--if the Chip is disabled, for example, the card then falls back to magnetic stripe use at most merchant terminals, and that allows for old-fashioned counterfeiting fraud.)
Now if we were in the pre-Chip world in the US, the situation would be the same: the card issuer would be liable for card-present fraud. But now, after a major investment by issuers and merchants in new security technology, we see the result being sort of like the huge expense of building the Maginot Line. Yes, it prevented the Wehrmacht from rolling through Alsace. But all it meant was that they had to side-step it through Luxembourg and Belgium.
KYC/AML Issues
Where the direct pecuniary losses fall will depend on whether fraudsters use fake accounts for on-line transactions (probably safer for them as they aren't going to have to appear in person) or for in-person, card-present transactions. For the card-present transactions, the issuers will be eating the fraud losses, but the merchants will absorb the card-not-present losses. This seems quite unfair to merchants--they have no ability to prevent this sort of fraud loss, yet they will be the ones absorbing the costs for the card-not-present fraud, even though the card issuers are the least-cost avoiders of the harm because they could better screen card applications. Given the number of consumers whose data was involved, the potential losses for both merchants and banks are staggering and potentially systemic.
All of this leaves me wondering what bank regulators are advising about know-your-customer compliance for card issuers in the wake of this data breach. Can card issuers that rely on data from CRAs for consumer ID verification actually be said to have verified their customers now? I can't see how, although I also don't see regulators doing anything about it because the alternative would seriously upset the card issuer business model. What we're likely to have, then, is a regulatory bailout of card issuers by virtue of inaction and nonenforcement of KYC rules. Let's just hope that there isn't a fraudulently issued card that ends up being used for terrorism finance. This is something about which Congress should really press the prudential regulators: how are they going to ensure that the banking system is protected against massive fraud and how are they going to ensure that the fraud isn't used for terrorism finance or other nefarious purposes?
Well you state "The consumer is not liable for an account s/he didn't open" which may be true but not necessarily the actual outcome. Look at the Wells Fargo fraud (committed by the bank, not external) where Wells Fargo employees opened up bogus consumer accounts using consumer information they had access to. The consumers are not supposed to be liable for an account the consumer did not open. But Wells Fargo had an arbitration requirement on those accounts. Incredibly, COURTS held that the consumers who did not open those accounts would nonetheless be forced into arbitration (e.g., see
https://www.nytimes.com/2016/12/06/business/dealbook/wells-fargo-killing-sham-account-suits-by-using-arbitration.html?mcubz=3
... and arbitration is not limited by the rules of evidence nor the rule of law.
Posted by: IC_deLight | September 16, 2017 at 05:55 PM
Your statement that "the consumer is not liable for an account s/he didn't open" boggles my mind and shows a total disconnect from reality.
Our trial court dockets are stuffed to the gills with credit card issuers (and their assignees) suing consumers on defaulted credit cards. As has been well documented, most of those consumers don't have the means to defend suits. Or if they do show up, the creditor requests written pleadings, the consumer can't get it together to file written pleadings, and the creditor wins anyway. Once a suit is reduced to judgment, the creditor begins to garnish, and "it wasn't my card" becomes a completely irrelevant issue.
Not to mention the fact that where a pro se consumer DOES show up to say, "it's not my card," pro-creditor judges essentially (unlawfully) place the burden of proof on the consumer, and it's nearly an impossible burden to meet.
There is no doubt in my mind that most fraudulently opened cards will ultimately result in judgments against consumers, not just a delinquency on their credit reports.
Posted by: SYSM | September 18, 2017 at 09:11 AM
IC_deLight is absolutely right about the problems with arbitration. My read of SCOTUS caselaw is that if the consumer's argument is that there was never an agreement of any sort (including an agreement to arbitrate), the question of whether there was an agreement is supposed to be decided by a court, not by an arbitrator. But SCOTUS has so muddied the waters on this, that I am not surprised if some cases are wrongfully shuffled to arbitration.
SYSM--you're picking a fight with me on a separate issue where there's no disagreement between us. There's a huge problem in the debt collection industry with collection of time-barred or simply fraudulent debts. As a formal legal matter, the consumer doesn't have any liability. That obviously changes when there's a default judgment (perhaps because of sewer service). But it's really hard to talk about that as a _legally_ cognizable consumer harm from a data breach because it would require treating lots of court judgments as illegitimate.
Posted by: Adam Levitin | September 18, 2017 at 09:36 AM
For credit card accounts opened by fraudsters, why is Chip-and-PIN any better than Chip-and-Signature (since the fraudster would be the one who receives or sets the PIN in the first place)?
Posted by: David Sorkin | September 18, 2017 at 01:38 PM
David Sorkin--It ain't. As much as I think Chip is inferior to Chip-and-PIN, the addition of a PIN wouldn't help an iota in this situation. That's why this didn't turn into a pro-Chip-and-PIN rant. : )
Posted by: Adam Levitin | September 18, 2017 at 02:17 PM
I'm interested in the concept that "card issuers are the least cost avoiders of the harm because they could better screen card applications." That wasn't my experience when my existing debit card number was stolen and used with several online retailers (resulting in some liability, as opposed to the zero liability offered with most credit cards).
When that happened, I felt strongly that the retailers were the least cost avoiders in that situation. I had a number of angry calls with these online retailers (mostly online providers of pornography), who had opened accounts for John Smith in California, even though he used a card belonging to Jane Jackson across the country in Michigan (changing names to protect the innocent/never prosecuted). It seems like low-hanging fruit for retailers to check that the purchaser has some sort of connection to the individual named on the payment card used to make the purchase. Of course, this wouldn't be a problem for a criminal who uses my name to open up a new credit card account, but evidently not all criminals are that smart.
Posted by: Jane | September 20, 2017 at 02:55 PM
Credit card fraud and identity theft are a trade-off between convenience ("anonymously" opening an account online) and security (e.g. requiring accounts to be opened in person). So long as a criminal can open an account and spend thousands of dollars knowing only a person's name and a few numbers, identity theft and fraud will only increase.
In the past, accounts had to be opened in person. Mail order was a 1-2 month process while the check cleared, and we didn't hear identity theft horror stories. I'm sure identity theft happened, but I'm guessing not at today's level.
This is not to say we should return to past practices but we need to acknowledge the trade-off.
Posted by: Thomas Wicklund | September 21, 2017 at 02:18 PM