Last week we saw a major indictment of 111 individuals from an “identity theft operation” based in Queens, NY. I suppose we will learn more details as the prosecutors make their case, but from the original reads it looks more like a counterfeit credit card operation versus a full identity theft operation. One key difference between the two is someone using your identity to open new lines of credit as opposed to just capturing your card data and making a duplicate to go on a shopping spree.

Many are now citing this case as a specific reason to get moving on their widescale EMV adoption. I’ve already discussed MasterCard’s and Visa’s thoughts, and would agree on principal that an EMV implementation would have prevented much of the success of this operation. You know what else would have prevented it? Good fraud monitoring and good acceptance policies.

Chip, by Declan Jewell

Dr. Hugh Thompson said it best in his RSA EU Keynote last week, “People prefer utility to security and privacy.” He was referring to his mother pushing any buttons necessary just to be able to throw birds at pigs, but this human behavior illustrates why companies do whatever they can to make it easy to do business with them.

Need examples? When was the last time someone asked for your picture ID when paying with a credit or debit card? Did they look at your face and compare it to the picture in the ID? Do they check your ID to see if the holograms and all other anti-counterfeiting features are correctly embedded? Did they watch you sign and compare that with the embedded signature? Did they ask for a billing zip code, or also key in secondary authentication data printed on the card? On the back end, were there any transactional or buyer behavior engines that looked at the purchase before sending it along for processing?

OK, so your experience matches mine.

While at the RSA conference last week, I didn’t even get asked for my ID with my purchases even though I’m using a magstripe and not the more common Chip & PIN. Sure, all I have to do is open my mouth and the cashiers know I’m an out-of-towner, but just because I have an American accent does that mean I shouldn’t be questioned when presenting a card for purchase. My favorite (or favourite, as it were) part of the buying process was that after I signed, the cashier hits a button that causes a “Signature Verified” message to pop up. I don’t know how a cashier could have done that since I maintained possession of my card the entire time.

According to some news reports, the group apparently forged extremely convincing identification to be used in conjunction with the counterfeit cards. That’s going to make some of those above controls a bit less effective, and push training and fraud prevention to the front lines of defense. EMV will help, but in the US you will most likely have to wait a bit before your processor can support these types of transactions, and most importantly issuers put these cards into consumers wallets.

This post originally appeared on

Possibly Related Posts: