Most of you own credit cards and have been using them for a while. Depending on your financial strength, you probably have a credit limit of a few thousand to a few lakhs. The cards typically have a 16-digit number and a 3-digit CVV number and are extremely susceptible to misuse, both online and offline. If a card is lost, the person who finds it can go shopping without the slightest hesitation. If someone notes your CC number and CVV, he/she can shop online. The card is also vulnerable to magnetic card readers, which miscreants use to dupe people. There’s hardly any foolproof control for me as a user to prevent misuse of my card. In this post, I wish to present a set of simple measures which, if banks incorporate them, would make credit cards far safer and more reliable.
1. Let users set their limit. Assume my card has a limit of Rs 1 lakh. The probability of me shopping for Rs 1 lakh at once is extremely low. I spend very little, not more than a few thousand at a time. So why should I carry a liability of Rs 1 lakh with me? Can’t the banks give users an option to set the immediately available limit on their credit card? If I have a total limit of Rs 1 lakh, I may wish to set an intermittent limit of Rs 10000. This way, at any point of time, the maximum risk/liability I carry will be confined to Rs 10k. On special occasions when I feel the need for a higher limit (while buying expensive items, travelling abroad, etc.) I should be able to log in to my credit card account and increase the limit.
2. Don’t print the CVV on the back of the card. Why is the CVV printed on the back of the card, so that anyone who gets the card can use it for online purchases? I believe customers can afford to remember the CVV or PIN. Let them store it in their mind, and there should be a provision for me to change the CVV/PIN if I fear it has been compromised. This way, if a card is stolen, its online usage will be restricted.
3. Make entering a PIN mandatory for offline usage too. The PIN shouldn’t be stored on the card (magnetically) and should be retrieved from the bank network for verification. This way, if someone copies card data through a magnetic card reader, he won’t be able to use it without knowing the PIN.
4. Bring in biometric readers. Register the fingerprints of card holders and let them swipe their fingers while using the card. This is a foolproof way to prevent unauthorized usage.
What do you think? Am I wrong anywhere? Are there any technical inhibitions to providing the above features? Do you have better ideas? Your thoughts please.
Though I don't have/use any credit cards (I believe in prevention better than cure) I take this opportunity to comment here.
Flexible upper limit is a good idea. It should be flexible enough to alter it too.
Printing CVV is foolish.
Entering PIN mandatory would make transactions tedious though it brings transparency into it.
Biometrics is a good option but not foolproof when you take some Hollywood movies. =) I guess I've seen an Arnie starrer (maybe End of Days, not sure though), where he cuts the hand of a personnel to gain access. Take Bourne Identity, where they capture the fingerprint of Matt Damon to stick it onto a crime scene to blame him.
Though such chances are highly impossible, days might come where doing such things is easy.
Nice read!
One more way:
Every time your credit card is being swiped, an auto-generated PINCODE will be sent to the concerned person's mobile number (the latest mobile number which the customer is currently carrying). The customer needs to tell this PIN to the sales person, who will feed this number into his swipe machine to authenticate the user, and a valid transaction can be made in this way.
What do you think about this idea?
I think it's quite feasible.
1. Flexible credit limit is already there with HDFC bank. Actually HDFC bank has NetSafe, using which one can create a virtual credit card number and use it for online shopping.
In this virtual credit card, we can set the limit, so that even if some hackers get the virtual card number they cannot make a purchase.
But HDFC bank's netbanking is not so secure. If someone finds the netbanking password, then the hacker can do 3rd party money transfer, resetting the password, everything is done without notifying the actual user.
HDFC bank is more concerned about online security and phishing
But the offline security is not there.
2. Printing CVV number should be avoided.
4. Biometric reader is a good suggestion and it should be feasible.
I think each and every bank in India has its own pros and cons.
Shrinidhi,
Hope you can do a blog on pros & cons of different banks.
@ Sandesh
Even I resisted taking a CC for a long time, but had to give in as I couldn't do certain activities without a credit card (for example taking a car on self drive, buying domain names online etc.)
We can manually scratch off the CVV after memorizing it; that's an option.
Biometrics has its implementation challenges and costs, but I guess the technology is now matured enough for mass implementation. Many training centres already use this (to ensure that someone else does not write an exam on your behalf or you don't participate multiple times etc.)
@ Surjeet Mishra
That is not feasible. SMSs take a few mins to a few hours to reach depending on network traffic. You can't wait for hours at the billing counter waiting for your SMS to come so that you can complete the transaction.
@ Vijay Anand
I have not used HDFC bank facilities, so not sure.
Also I cannot compare multiple banks as I am dealing with only very few. Unless I experience their services I can't compare.
Thanks
I agree with whatever you said. But you need to go behind and see the business model of the CC companies. The same companies also have debit cards. You can use a debit card as a credit card, but if you use a credit card as a debit card (using PIN) they will charge you interest from that day itself. The problem in India is that they follow all the systems from US but do not give the same consumer protection they have in US in INDIA. In US if a credit card is misused, it is not the responsibility of the customer as long as he notifies within a certain period. But that provision is not there in India. So a credit card is a headache in India.
Thanks Siva for sharing that. Agree on your words.
Nice post and thoughts.
Here I have an idea - Why can't we suspend the credit cards whenever we want and activate whenever we need to use it - using either mobile or using internet. Just like a simple on and off kind of thing.
I think this would be easy to implement and a simple and straight forward solution.
Chandra,
Good idea, but that may put too much load on banking networks, if everyone starts activating and deactivating their card every now and then. Also after some time you yourself will find it inconvenient. It is like, if you have to carry your wallet in a heavily sealed locker box and are required to open the locker box first every time you need to use your wallet.
Since you are asking for other suggestions, I am thinking of many imaginary stuffs... every bank account should be associated with some biometric feature! Instead of having any concept like CC one can have the concept of a virtual account associated with the actual account (like virtual memory - appears more than the actual - one can purchase more than what his/her account has and pay it later!) and biometric machines should be available with the franchises. If the customer can tell the bank name at the time of purchase, the fingerprint search will be confined to the customers of that bank only... need a deadly algorithm for the same at least in India.. he he!
This concept can easily wait for a decade or two provided India shows as promising growth as anticipated and becomes a "to-be" economic super-power and people try to stick back to their country to give some scientific contribution instead of selling it to US! I hope I get the patent of this idea... ;-);-) !
As far as online shopping is concerned... the risks are high... although sites are providing service without taking CVV... I have personally just seen one... provide CVV number or not... there are several ways to hack the numbers.. so the user should ensure certain preliminary measures -
1. Do NOT use a proxy server for banking transactions.
2. Do not use internet cafes for performing any transaction involving a Debit or Credit card number, as they might have devices to note the numbers!
3. Check if the site is secure. You can see a lock symbol in the right bottom extreme corner of the screen, and https in the URL.
If anybody has any other precautionary measure.. please tell me as I don't know any more!