Who's minding the Identity store?
by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service
Greg Pierson of iovation recently wrote an interesting blog post about the idea that the more places your identity information resides, the greater the chance of your identity actually getting stolen. It reminded me of an incident that happened to me recently. I live in a condo and our neighbor's sprinkler system had gone off. There was so much water that it seeped through the walls and ceiling and flooded one of our rooms, which happened to be carpeted. Our landlord, along with the condo association, arranged to have the carpet replaced. When the workers arrived, they insisted on taking my wife's credit card number even though they weren't going to charge us. They took an impression of the card, and then insisted on writing down the CVV2 number (the three-digit number on the back of the card, often called a "security code"), not to charge anything, but because it was policy or they couldn't start the work. Of course, recording both numbers is totally unnecessary. It's actually pretty dumb, and most likely against the rules that merchants have to sign up to in order to be able to take credit cards as payment.
Credit card transactions can be "card present" transactions, when the card is physically present, like at a gas station or when you are physically at the store, or "card not present" (CNP), when the card is not present, like when you make a transaction online or over the phone. The presence of the card is usually established by reading the magnetic stripe or by taking an impression of the card. Clearly, the risk of fraud is greater for CNP transactions because all a fraudster may need is the card number (something you know). Card companies started to combat this by using CVV2 to validate CNP transactions, so you, in theory, need to physically have the card or else you wouldn't be able to turn it over to read those three extra digits. Of course, those three digits are just something else you know, and can easily be compromised along with your card number, especially when written down by unscrupulous or clueless merchants. In practice, it does provide a little more security because those extra digits aren't supposed to be stored with your card number. Of course, when the carpet guys are holding your new carpet hostage and they insist on writing both pieces of information on the same piece of paper, that extra security goes out the window. To make matters worse for me, these particular carpet guys spoke with Russian accents. I don't want to launch a discussion about the merits of profiling cyber-criminals, but it didn't do much to ease my suspicion.
After my wife told me what happened, I considered canceling our credit cards, but then we would be faced with the hassle of updating every subscription and service that has our card stored somewhere for auto-renewal. On the one hand, that's not such a bad idea. Who knows what auto-renewals we'd forgotten about and didn't need anymore? On the other hand, who wants to deal with all that, especially when your liability for any fraudulent charges is capped at $50? The real fear wasn't of the charges themselves but of someone establishing a new credit line in one of our names using the credit card. Ultimately, we decided just to keep an even more vigilant eye on our statements and rely on our Equifax Credit Watch to alert us to any suspicious behavior.