BrainTrust Query: LLBean.com – No Valid Address Required. Oops!
Through a special arrangement, presented here for discussion is a summary of a current article from StorefrontBacktalk, a site tracking retail technology, e-commerce and mobile commerce.
L.L.Bean will let online customers complete a purchase with only a payment card number and expiration date — no name, billing address match or other authentication required. A number-and-expiration-date-only policy for card-not-present transactions could be a major problem today: With huge numbers of consumers walking around with contactless payment cards in their wallets, thieves can brush up against purses and backsides in any crowd and collect card data automatically.
Contactless backers have always pooh-poohed this as a security threat, pointing out that customer names, security codes and other authentication information aren’t transmitted by the cards. But if retailers are only relying on numbers and expiration dates, with one contactless grab – or one well-aimed digital picture snap from a mobile — thieves get all they need. And although the e-tailer’s customer-service department insists that card numbers with the wrong name attached should be rejected, a simple experiment made it clear that at least some transactions are approved that way. (Two out of two media tests had transactions approved and shipped.) If it had been fraudulent, it would have been up to the payment-card holder to notice, complain and get the charge reversed.
For more than five years, payment vendors have been arguing that the data leaks created by contactless cards are not a concern, because they generate insufficient information to make a transaction with a major e-tailer.
Incidents such as the leaks of e-mail addresses from Epsilon, non-card personal information from Sony’s PlayStation Network and the discovery of widespread PIN pad tampering at Michaels Arts & Crafts are getting large amounts of attention, even though they required plenty of effort on the part of thieves to steal the data.
But with L.L.Bean, there’s no sophistication required — just information from the face of a payment card. That’s easy to acquire. It might come from a thief scooping up numbers from contactless cards in a crowded place. But a thief could more easily snap a photo of the card with a mobile-phone camera when a customer uses the card in line at the checkout. Or if a customer puts the card down momentarily at an ATM. Easiest of all would be to simply get some card numbers and expiries from a cyberthieves’ site on the Internet.
Without a name or ZIP code match, much less a CVV number, the only authentication is the expiration date. That’s no authentication at all.
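To make the layering concrete, here is an added example (not code from the article, L.L.Bean or any payment processor) that models a card-not-present acceptance rule in two forms: the number-plus-expiry policy the article describes, and a baseline policy that requires the CVV, Address Verification (street and ZIP) and name checks to have been sent and matched. The `AuthResult` fields and the sample authorizations are constructed assumptions, not any real gateway's response format. The point a practitioner should take from it is that a check the merchant never sent must count as a failure, otherwise the policy fails open exactly as the article's tests suggest.

```python
"""Card-not-present (CNP) acceptance policy, weak form beside a hardened form.

Added example for this discussion; the result fields and sample
authorizations below are constructed for illustration and do not
reflect any specific gateway's API."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class AuthResult:
    """Verification outcomes handed back after an authorization attempt.

    None means the merchant never requested that check, so no result exists."""
    card_number_valid: bool                   # issuer recognised the card number
    expiry_valid: bool                        # expiration date matches issuer records
    cvv_match: Optional[bool] = None          # security code printed on the card
    avs_zip_match: Optional[bool] = None      # billing ZIP via Address Verification
    avs_street_match: Optional[bool] = None   # billing street number via AVS
    name_match: Optional[bool] = None         # cardholder name check


# Name of each optional control, in the order a reviewer would list them.
OPTIONAL_CONTROLS = ("cvv", "avs_zip", "avs_street", "name")


def _control_value(r: AuthResult, name: str) -> Optional[bool]:
    return {
        "cvv": r.cvv_match,
        "avs_zip": r.avs_zip_match,
        "avs_street": r.avs_street_match,
        "name": r.name_match,
    }[name]


def weak_policy(r: AuthResult) -> bool:
    """The behaviour the article describes: number plus expiry is enough."""
    return r.card_number_valid and r.expiry_valid


def hardened_policy(r: AuthResult) -> bool:
    """Baseline CNP rule: approve only if every extra check was performed and passed.

    A check that was never sent (None) counts as a failure, so the policy
    cannot be satisfied by omitting CVV or billing address from the request."""
    if not (r.card_number_valid and r.expiry_valid):
        return False
    return all(_control_value(r, c) is True for c in OPTIONAL_CONTROLS)


def missing_controls(r: AuthResult) -> List[str]:
    """Controls the merchant never requested; useful for auditing a checkout
    configuration or flagging approvals that relied on number and expiry alone."""
    return [c for c in OPTIONAL_CONTROLS if _control_value(r, c) is None]


def decide(r: AuthResult, policy: Callable[[AuthResult], bool]) -> str:
    return "APPROVE" if policy(r) else "DECLINE"


# Constructed sample: only what is printed on the face of the card.
CARD_FACE_ONLY = AuthResult(card_number_valid=True, expiry_valid=True)

# Constructed sample: the cardholder supplying everything, all matching.
FULL_MATCH = AuthResult(card_number_valid=True, expiry_valid=True, cvv_match=True,
                        avs_zip_match=True, avs_street_match=True, name_match=True)

# Constructed sample: valid card details but billing address does not match
# the issuer's records.
WRONG_ADDRESS = AuthResult(card_number_valid=True, expiry_valid=True, cvv_match=True,
                           avs_zip_match=False, avs_street_match=False, name_match=True)


if __name__ == "__main__":
    for label, r in (("card face only", CARD_FACE_ONLY),
                     ("full match", FULL_MATCH),
                     ("wrong address", WRONG_ADDRESS)):
        print(f"{label:15} weak={decide(r, weak_policy):8} "
              f"hardened={decide(r, hardened_policy):8} "
              f"missing={missing_controls(r)}")
```

Run as a script it prints one line per sample; the first sample is approved by the weak policy and declined by the hardened one, and `missing_controls` lists all four checks as never requested, which is the condition a merchant's fraud team would want to alert on.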
At a time when politicians are falling all over themselves to berate retailers and service providers for failing to protect non-financial information like the passwords to a free online games network, and when real-time authentication of payment cards is at the center of mobile-payment schemes, authentication should be a baseline requirement for any online transaction. Why wasn’t it here?
Discussion Questions: How ready is retail for contactless payments from a security standpoint? What particular security issues do you think challenge further adoption?