The next initiative that banks in the United States would take was to design special computer programs, called expert systems, which double-checked credit card transactions in a much more sophisticated way. By combining information about the cardholder with a systematic record of how the card was used, those programs could detect patterns in the shopping habits of individuals. For example, if somebody had never traveled abroad, a charge showing up from a foreign hotel might be suspicious. In the same manner, if someone only ever spent small amounts, a sudden big-ticket expense would raise a flag. This system turned out to lower fraud to an acceptable rate; that is, a rate at which the total loss was smaller than the cost of a new system that might lower that loss even further. So the United States did not, and still has not, moved beyond the magnetic-stripe credit card, and card issuers have only improved their fraud detection mechanisms incrementally. For example, rather recently call centers were created so that human operators can call the client when the expert system flags an anomaly. This allows the rules of the expert system to be tightened, since the human call now compensates when the expert system is too strict and flags as fraudulent expenses by the client that are perfectly legitimate. For example, the person who has never traveled may decide to start going abroad. After all, we all have to start some day.
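The kind of rule-based scoring the passage describes, as an added illustration (not code from the original text or from any card issuer): two rules drawn from the examples above, a first charge from a country never seen before and an amount far above the cardholder's usual spend, run over a constructed transaction history. The cardholder, thresholds and transactions are all made up here. The `confirm` callback stands in for the call center: with it in place, a flagged transaction is referred to the cardholder instead of being declined, which is what makes a stricter threshold tolerable.

```python
"""Rule-based card-fraud scoring in the spirit of the 'expert systems' described
in the text. Illustrative code; rules, thresholds and data are constructed."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    card: str
    amount: float    # constructed amounts, in the card's home currency
    country: str     # two-letter country code, e.g. "US"
    merchant: str


# Constructed history: a cardholder who has never left the US and spends small amounts.
HISTORY = [
    Txn("4111", 12.50, "US", "coffee"), Txn("4111", 48.20, "US", "grocer"),
    Txn("4111", 9.99, "US", "newsstand"), Txn("4111", 61.00, "US", "gas"),
    Txn("4111", 35.75, "US", "grocer"), Txn("4111", 22.10, "US", "pharmacy"),
]


def score(txn, history, amount_factor=5.0):
    """Return (score, reasons). Each rule that fires adds one point.
    `amount_factor` is the 'big-ticket' multiple over the cardholder's median
    spend; together with the decision threshold it is the knob being tightened."""
    reasons = []
    seen_countries = {h.country for h in history}
    if txn.country not in seen_countries:
        reasons.append(f"first charge from {txn.country}")
    typical = median(h.amount for h in history)
    if txn.amount > amount_factor * typical:
        reasons.append(f"amount {txn.amount:.2f} exceeds {amount_factor:g}x median {typical:.2f}")
    return len(reasons), reasons


def decide(txn, history, threshold=2, amount_factor=5.0, confirm=None):
    """Return ('approve' | 'decline', reasons). Without a `confirm` callback a
    flagged transaction is declined; with one (the call to the cardholder), the
    cardholder's answer settles it, so the rules can afford to be stricter."""
    s, reasons = score(txn, history, amount_factor)
    if s < threshold:
        return "approve", reasons
    if confirm is None:
        return "decline", reasons
    return ("approve" if confirm(txn, reasons) else "decline"), reasons


if __name__ == "__main__":
    hotel = Txn("4111", 420.00, "FR", "hotel")          # both rules fire
    first_trip = Txn("4111", 30.00, "FR", "cafe")        # legitimate first trip abroad
    print(decide(hotel, HISTORY))                        # declined at the default threshold
    print(decide(first_trip, HISTORY, threshold=1))      # strict rules: false positive
    print(decide(first_trip, HISTORY, threshold=1,
                 confirm=lambda t, r: True))             # the call rescues it
```

The lone-rule false positive on `first_trip` is exactly the case the passage raises: with `threshold=1` the system is strict enough to catch a single anomaly, and the confirmation call is what keeps that strictness from turning legitimate travel into declined cards.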
In France, the story played out very differently. Since the French were already using cards with a secure core to pay for public phone usage, it was natural for them to consider that secure cores might also be used to mitigate credit card fraud at the merchant's store. Actually, both United States and French credit cards were first equipped with magnetic stripes to fight fraud. The magnetic stripe contains the card number and other information, and a swipe of the card through special equipment allows that number to be read quickly and accurately for further processing. In time, of course, hackers figured out how to duplicate a magnetic stripe, and the measure's efficacy faltered. However, there was an idea in this process that could be carried over to a secure core to fight fraud. If the secure core itself contains not only the card number and associated information but also secret information that appears nowhere on the body of the card, and if the point-of-sale terminal is able to read all these data confidentially, then a big step is taken toward eliminating fraud: a copy of what is printed or encoded on the card body no longer suffices to pay. If, on top of that, the card only discloses its data when the client enters a personal identification number known to her or him alone, thus authenticating the transaction as originating from the owner of the card, then fraud should go down considerably. In fact it did, dropping from a rate measured in whole units to one measured in fractions. Fraud was essentially eliminated for credit cards equipped with a chip. To prevent fraud by the merchant, the point-of-sale terminals were also equipped with cards, so that the client's trusted core talked to the merchant's trusted core. In turn, that trusted core could talk to the bank's trusted core, or rather to an intermediary institution that would in turn talk to the bank.
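The three ingredients just described, a card secret that never appears on the card body, PIN-gated use of that secret, and a merchant secure core that in turn authenticates to the bank's side, as an added model in code. This is illustrative code written for this page; it is not the French bank-card protocol or EMV, and the key sizes, message format, PINs and card numbers are constructed. Authentication is done with HMAC-SHA256 over the transaction data, which is an assumption made here to keep the example self-contained.

```python
"""Illustrative model of a chip card, a merchant terminal's secure core (SAM)
and the issuer that verifies both. Constructed example, not a real protocol."""
import hashlib
import hmac
import secrets


class CardChip:
    def __init__(self, pan, pin, secret):
        self.pan = pan                 # printed on the card body, readable by anyone
        self._pin = pin                # known only to the cardholder
        self._secret = secret          # never leaves the chip; a skimmer cannot copy it
        self.tries_left = 3

    def authorize(self, pin, txn_data):
        """Release a MAC over txn_data only after PIN verification; block after 3 failures."""
        if self.tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = 3
        return hmac.new(self._secret, txn_data, hashlib.sha256).digest()


class MerchantSAM:
    """The terminal's own secure core: holds a merchant secret so the acquirer can
    tell a genuine terminal from a rogue one."""
    def __init__(self, merchant_id, secret):
        self.merchant_id = merchant_id
        self._secret = secret

    def seal(self, txn_data, card_mac):
        return hmac.new(self._secret, txn_data + card_mac, hashlib.sha256).digest()


class Issuer:
    """Stands for the bank (or the intermediary acting for it); knows both secrets."""
    def __init__(self):
        self.card_keys, self.merchant_keys = {}, {}

    def verify(self, pan, merchant_id, txn_data, card_mac, merchant_mac):
        ck, mk = self.card_keys.get(pan), self.merchant_keys.get(merchant_id)
        if ck is None or mk is None:
            return False
        ok_card = hmac.compare_digest(card_mac, hmac.new(ck, txn_data, hashlib.sha256).digest())
        ok_merchant = hmac.compare_digest(
            merchant_mac, hmac.new(mk, txn_data + card_mac, hashlib.sha256).digest())
        return ok_card and ok_merchant


def txn_bytes(pan, merchant_id, amount_cents, nonce):
    return f"{pan}|{merchant_id}|{amount_cents}|{nonce.hex()}".encode()


def purchase(card, pin, sam, issuer, amount_cents):
    nonce = secrets.token_bytes(8)   # fresh per transaction, so a captured MAC cannot be replayed
    data = txn_bytes(card.pan, sam.merchant_id, amount_cents, nonce)
    card_mac = card.authorize(pin, data)                # card core speaks only after the PIN
    return issuer.verify(card.pan, sam.merchant_id, data, card_mac, sam.seal(data, card_mac))


def demo():
    """Return (genuine, cloned_card, rogue_terminal, wrong_pin) outcomes."""
    issuer = Issuer()
    card_secret, sam_secret = secrets.token_bytes(16), secrets.token_bytes(16)
    card = CardChip("4970123456789", "1234", card_secret)   # constructed PAN and PIN
    sam = MerchantSAM("M42", sam_secret)
    issuer.card_keys[card.pan] = card_secret
    issuer.merchant_keys[sam.merchant_id] = sam_secret
    genuine = purchase(card, "1234", sam, issuer, 4200)
    # A clone built from the card body (PAN etc.) has no way to know the chip secret.
    clone = CardChip(card.pan, "1234", secrets.token_bytes(16))
    cloned_card = purchase(clone, "1234", sam, issuer, 4200)
    # A terminal whose SAM the acquirer never enrolled fails even with a genuine card.
    rogue = MerchantSAM("M99", secrets.token_bytes(16))
    rogue_terminal = purchase(card, "1234", rogue, issuer, 4200)
    try:
        purchase(card, "0000", sam, issuer, 4200)
        wrong_pin = True
    except PermissionError:
        wrong_pin = False                       # the card never released a MAC
    return genuine, cloned_card, rogue_terminal, wrong_pin


if __name__ == "__main__":
    print(demo())
```

The contrast with the magnetic stripe is the `clone` case: everything a skimmer can copy from the card body is present, yet without the chip secret no valid authorization can be produced. The `rogue` case is the merchant-side counterpart the text mentions, and the PIN check is what ties the released secret to the person holding the card.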
What we have seen is a detailed illustration of the concept, introduced earlier, of the erosion of trust. As the security mechanisms underlying trust are understood and emulated, new fraud mechanisms come into play that lower that level of trust, until it is restored by new mechanisms. This interplay between trust and fraud illustrates how trust is constantly put into question. We saw that the French squelched fraud with the bank chip card; wasn't that the end of the story? Actually, it wasn't. Two things happened. The first is the Web; the second is a new need.
One aspect of credit card transactions over the Web is that the client and the merchant are not in each other's direct, physical presence. While the act of signing the invoice at the actual point of sale has legal value as well as psychological value, there is no de visu verification when signing occurs at a distance. Therefore, a new level of fraud could be expected on the Web, and in fact it happened exactly as expected. As fraud increased, the first action was, again, to assign liability. The first reaction of the banks was to assign liability to the merchant. The argument was that as