Visa's Maginot Line: Chip Cards and the Equifax Breach

09/16/17

The media attention on the Equifax breach has been primarily on consumer harm.  There's real consumer harm, but it's generally not direct pecuniary harm.  Instead, the direct pecuniary harm from the breach will be borne by banks and merchants, and it's going to expose the move to Chip (EMV) cards in the United States without an accompanying move to PIN (as in Chip-and-PIN) to be an incredibly costly blunder by US banks.  Basically, Visa, Mastercard, and Amex have built the commercial equivalent of the Maginot Line: a great line of defense against a frontal assault, and totally worthless against a flanking assault, which is what the Equifax breach will produce.  

Consumer Harm

Let's start with consumer harm before getting to the Chip issue.  The consumer harm here is real, but it's complicated.  Assuming that the hackers use/sell the stolen information, I would expect them to do one of two things (these aren't the only possibilities, but they're probably the easiest). First, they can open up new accounts by pretending to be a different consumer. I would expect this to be primarily credit card accounts, as it's possible to apply remotely, and no bank account is needed to pull off the fraud.  Many card issuers verify consumer ID on applications primarily using credit report data, and that data source is now utterly compromised. 

It's possible that fraudsters will borrow money on other types of loans, but they will generally need to have bank accounts into which the disbursed funds can be deposited and/or appear in person, and that will just make the fraud more difficult. Getting a real credit card issued based on someone else's credit is by far the easiest way to monetize the data.  The second thing hackers can do is file fake tax returns and get tax refunds that aren't owed to them.  In other words, the hacking is only the first step in a two-step crime.  First the data is stolen, then it is monetized through fraudulent transactions.  

Notice who gets defrauded in both situations.  It's not the consumer.  The consumer is not liable for an account s/he didn't open, and has no liability to return a fraudulently induced tax refund. Yes, both situations can create a lot of hassle for the consumer, as the card issuer or the government might believe that the transactions were legitimate and that the consumer is on the hook. And the fake credit card account will affect the consumer's credit score and thus the consumer's future cost of credit, cost of insurance, and possible employment opportunities. There's plenty of consumer harm here (and this isn't to mention emotional suffering and anxiety). But there's unlikely to be direct pecuniary losses to consumers. Pecuniary losses for consumers will be in the form of having to pay for credit freezes (and unfreezes), for credit monitoring, etc. But these are expenses that the consumer chooses to incur, not ones forced upon the consumer, even if most sensible consumers would incur at least some of these expenses (namely credit freezes).    

Allocation of Fraud Losses:  the Chip Card Maginot Line

So who bears the pecuniary costs of the fraud enabled by the hacking?  With the fake tax returns, it's the government, be it US Treasury or state and local tax authorities.  With the credit cards, however, it's more complicated.  Federal law provides that consumers are not liable for unauthorized credit card transactions beyond $50. Card network policies (which are probably not specifically enforceable by consumers, but which would surely be UDAAP/UDAP violations if not honored) generally waive all consumer liability.  So this means consumers aren't on the hook.  Instead, losses fall on card issuers and merchants, with card network (Visa/MC/Amex) rules determining the allocation.  

Card network rules prescribe that for card-not-present transactions, such as all on-line transactions, the merchant generally absorbs fraud losses.  Since 2015, card network rules in the US have also prescribed that for card-present transactions, when a physical card is presented, the bank bears the loss unless the card is a Chip card.  If the card is a Chip card and the merchant does not use a Chip reader, then the loss shifts to the merchant.  But if the card is a Chip card and the merchant does use a Chip reader, the loss shifts back to the bank.  

Most cards being issued in the US are now Chip cards. The whole purpose of Chip technology is to make it difficult to physically counterfeit credit cards.  It's easy enough to make a fake magnetic stripe card.  But Chip cards include a microchip that is much more difficult to forge.  In this regard, Chip cards are like the Maginot line.  They are built to withstand a direct assault by a fraudster Wehrmacht.  But they have a huge vulnerability—they rely on the issuer only issuing the cards to the right consumers.  If a Chip card is issued in the name of a real consumer to a fraudster, the issuing bank is stark naked. The card is a real, legitimate card.  That's exactly what the fraudsters should be able to get with the Equifax data.  The use of such a fraudulently issued card may not even trigger any antifraud alerts, and if it does, it will be the fraudster who is contacted, not the consumer in whose name the card was issued.  So just as the Maginot line turned out to be rather useless because it wasn't extended all the way to the English Channel, allowing the Wehrmacht to flank it through the Ardennes, so too is Chip by itself vulnerable to this sort of "flanking" attack. (To be fair, there are some other vulnerabilities for Chip cards--if the Chip is disabled, for example, the card then falls back to magnetic stripe use at most merchant terminals, and that allows for old-fashioned counterfeiting fraud.) 

Now if we were in the pre-Chip world in the US, the situation would be the same:  the card issuer would be liable for card-present fraud. But now after a major investment by issuers and merchants in new security technology, we see the result being sort of like the huge expense of building the Maginot line. Yes, it prevented the Wehrmacht from rolling through Alsace.  But all it meant was that they had to side-step it through Luxembourg and Belgium.  

KYC/AML Issues

Where the direct pecuniary losses fall will depend on whether fraudsters use fake accounts for on-line transactions (probably safer for them as they aren't going to have to appear in person) or for in-person, card-present transactions. For the card-present transactions, the issuers will be eating the fraud losses, but the merchants will absorb the card-not-present losses.  This seems quite unfair to merchants--they have no ability to prevent this sort of fraud loss, yet they will be the ones absorbing the costs for the card-not-present fraud, even though the card issuers are the least-cost avoiders of the harm because they could better screen card applications. Given the number of consumers whose data was involved, the potential losses for both merchants and banks are staggering and potentially systemic. 

All of this leaves me wondering what bank regulators are advising about know-your-customer compliance for card issuers in the wake of this data breach. Can card issuers that rely on data from CRAs for consumer ID verification actually be said to have verified their customers now?  I can't see how, although I also don't see regulators doing anything about it because the alternative would seriously upset the card issuer business model. What we're likely to have, then, is a regulatory bailout of card issuers by virtue of inaction and nonenforcement of KYC rules. Let's just hope that there isn't a fraudulently issued card that ends up being used for terrorism finance.  This is something about which Congress should really press the prudential regulators:  how are they going to ensure that the banking system is protected against massive fraud and how are they going to ensure that the fraud isn't used for terrorism finance or other nefarious purposes?  
