Author: David Choe, swIDch
A cofounder, falling victim to the very problem his company intends to solve. Ironic, indeed. But as I read through my statement: £80 on a gaming site, £155 on a shopping site, £943 on a travel booking site. I realized that I had been a victim of CNP fraud. It was in this moment that I not only realized the need for a better solution, but more so, how deeply the problem actually runs.
It was a sunny afternoon and I was walking near my home when it happened: a teen snatched my phone. I must have been an easy mark: headphones in, face buried in my phone, and wearing sandals.
Although I gave chase, ultimately, I was no match for his bicycle. Annoyed, I took comfort in the fact that my phone was insured. But then I realized that my credit card was tucked in my phone case. I reasoned that the thief would make a few contactless transactions, but without knowing my pin or postcode, there was little more he could do.
I couldn’t have been more wrong. It was only 30 minutes when I contacted my bank, when I saw that he had made £4,000 in transactions online. I had become a victim of CNP, or Card-Not-Present fraud, just another blip in the problem estimated to be up to $40B annually.
Two questions immediately came to mind:
- How could he make online transactions without knowing my postcode?
- How could he make so many transactions in such a short period of time?
I still don’t know the answer to the first question. My only guess is that the merchant didn’t have proper fraud detection software in place, or the perpetrator guessed my postcode.
In terms of the second question, my credit card number had most likely been shared on the dark web, where it was quickly spread and used for fraudulent transactions. Although my bank reversed the charges that very day, these costs that are incurred by the issuer and merchants ultimately trickle down to all of us.
The problem, as described by Andrew Wyld of SOMO Global, is that “a credit or debit card is essentially a means of identifying an account belonging to a specific person. The card, and the numbers on it, are intended to be carefully kept secret, only entered into trusted payment devices. As long as the card is kept securely, this system works.” But for such a valuable and vulnerable piece of information to be 1) easily exposed, and 2) static in nature, is where the risk lies.
The Dynamic Number: Virtual Card Numbers
A virtual credit card number is a randomly-generated card number associated with your actual PAN. By using a disposable, or one-time virtual card number, you prevent anyone from charging your account, even if this number is leaked. Virtual Card Numbers have been around for some time now, but the widespread adoption and application has been limited. While there are several variables in play, a lot of this can be blamed on the expensive infrastructure and network maintenance required for these heavy systems.
swIDch (pronounced “switch”), is a technology company that has an algorithm that generates dynamic authentication codes, even in a networkless environment. With only this dynamic code, systems can both identify AND authenticate a user. In essence, it provides the power and security of tokenization, in a lean solution like the RSA key. By leveraging this technology, swIDch enables payments companies to implement Virtual Card Number solutions quickly and cost-effectively. This solution provides many benefits, even compared to existing virtual card number solutions:
- Reduction in CNP Fraud
- No tokenization infrastructure costs
- No network traffic costs
- Minimal tokenization maintenance costs
It’s one thing to believe in your company’s product and mission, but it’s completely different to fall victim to the very problem we’re trying to solve. After experiencing firsthand the depth of the problem of CNP fraud, I believe that virtual card numbers need to be more widely available and implemented.
For more fintech content and latest industry news, sign up to the FINTECH Circle newsletter.