What types of fraud a smart card solves?

Smart Card is a chip card that contains a microship processor, used widely in the Europe as well as in the Asia Pacific. (For those of you who are not familiar with chip card, here is an introduction) Many countries have adopted the technology to counter fraud. The biggest selling point of converting from issuing magnetic stripe to smart card is fraud protection.However, there are many types of fraud. For example:

1. Using a fake card that contains a valid identity.

2. Using a real stolen card with a real identity.

3. Using a stolen identify to apply for a real credit card.

A smart card performs secured authentication with the terminal (ATM machines, or Point-Of-Sale terminals) at the point of contact. Magnetic stripe cards basically are being read at the terminal without authentication. The only time the magnetic card is being verified is when the transaction is sent to the issuer for approval. If the credit card account is a valid account but the card is fake, the issuer or any stand-in processor will not know the difference and will go ahead approving a transaction made by a fake card on a real account. Therefore smart card comes in to play by providing the extra layer of authentication between terminal and the card to verify that the card is not fake. So the next time you happen to find a smart card on the street left by someone, you cannot duplicate the card and try to use the duplicate because the cryptographic keys on the chip card cannot be copied over without damage to the chip.

So problem #1 is solved.

Problem #2 is a little different. The terminal has verified that the card is real, but it does not know it is a stolen card that has not been reported yet. So when the terminal sends the transaction into the network for issuer approval, and if the issuer or stand-in processor does not have record of the card being a stolen card yet, the transaction will be approved. Unfortunate incidence, but happens a lot. The good news is, once the issuer or stand-in processor has been updated about the stolen record, any future transaction will be denied. Hopefully you don’t lose too much money on the first few unauthorized transactions before your card stolen report has taken effect.

Problem #3 is the most difficult fraud to solve, and smart card, unfortunately, DOES NOT solve the problem. If a person uses a real identity to apply for a chip-based credit card, the smart card can be use fraudulently without any red flags, until the real person discovers the identity theft.

Because of the memory and processing capability in the chip embedded in the card, card issuers take the idea and further develop personalized loyalty programs to achieve marketing purposes. Target is one of those early adopters of smart card merchants, but the end results were not as expected.

If we break away from fraud protection positioning, smart card’s potential in the marketing business component is still not very certain yet. Card issuers, processers, acquirers are yet to find the exploitation on the uniqueness and the amount of information that can be stored on a chip based credit card. Therefore, as in Target’s case, building a loyalty program is not a strong business case to do a major roll out. Not in the US.

ATMs – a losing business?

It has been said around in this field that the future of ATM deployment is bleak. It has proven true now. Traditionally, ATM source of revenue comes from surcharge fees. Speaking in operations and management terms, ATM today is more of a qualifier rather than an “order winner” for a retail banking institution. We are very unlikely to open a bank account with a financial institution which does not offer any ATM service. In fact, in North Carolina, credit unions, especially State Employee Credit Unions are particularly favorable because of its fee-free cash access at Cashpoint ATMs.

More importantly, the cost of maintaining an ATM (over $1,400) outweighes the revenue generated by the ATM (over $1,100). Aiming to reduce overhead of having branches with full-time staff, banks are facing difficult marketing decisions on how to use these costly (losing money?) investment efficiently to cross-sell their products. Today we have seen ATM screens with marketing messages such as personal loans information. There are ATM machines that dispense stamps. Banks and ATM manufacturers are likely to come up with more of these new usage for ATMs.

Interestingly, Diebold, one of the major players in the ATM manufacturers field, has decided to go with voting machines instead, but the move has not gone well so far. Another issue that keeps bank managers up at night is the rising of frauds resulting from ATMs. Banks fraud detection policies are so tight that they probably block every foreign ATM transactions nowadays.

Regardless of all the issues above, ATM is here to stay. It is a qualifier in the retail banking industry. The good news is banks can utilize ATM to strategically position themselves in this competitive business environment. There are a few things banks can do to achieve its strategic goals through effective use of ATMs.

1. Improve security at ATMs: Many European countries as well as Asia-Pacific countries are moving towards EMV implementation now to fight against ATM fraud. US banks are still behind in this development even though Visa and Mastercard have made issuing banks responsible for fraud loses if the banks are not EMV-compliant.

2. Make ATMs an strategic investment: A strategic investment will not generate cash/returns immediately. It takes time to build the strategy that include ATMs as part of the planning. Cross selling bank products on ATM screens is the first step, but much more could be done. For example, as prepaid market grows, ATMs can serve as a top-up center for prepaid cards. ATMs can be used for wired transfer (a feature that is not available currently). Bank of America is currently deploying ATMs with check imaging capability to encourage consumers to cash checks at ATMs.

To utilize ATMs as an enabler for generating revenue growth, banks have to make the right decisions early to ensure that they can see the results a few years down the road.

Fun at Eno River State Park

I went to Eno River today with a friend of mine.  It was a nice trip, really.

Fun because he was a good company.  Exciting because we almost got lost in the park and was worried that we could not find our way out before dark.  In reality, we were on the trail all the time, we just feared that we have gotten the wrong way or was circling in the same circle.

We eventually found our way. And it was a relief.  Once we got to the parking lot, it started drizzling.

I just thought that I have not had such an adventure for a long time, if I ever had one. 

More new features?

Software today is full of features. Especially where I work. The product has more features than those of anyone of our competitors in the industry.

In pursuit to keep up with the new feature demand in the industry, I think we lost track of the usability portion. Our tool is great for regression testing, but the sales figure does not come up to our expectation. With regression testing, developers are looking for red flags that are worth paying attention to.

Being able to use a feature is definitely great.  However, being able to use the feature to save developers’ time is another concept altogether.  This is usability.

For example, we have a reporting tool that provide data on all the tests that have run previously.  Some customers use it for Sarbane-Oxley compliance.  However, the report presents literally “data”, not “information”.  The report shows date/time of a specific test being run, the results of the test, verification (pass/fail).  If you have months of data in the database, the report will shows a lot of data (very likely a mix of passed and failed tests).

A report such as this has too much noise. No one, unless circumstances demand, will go through the list of tests and really examine every fail test.  The point to provide the report is for a test engineer at first glance, able to tell what type of tests passes, what type of tests fails.  It should at least be able to tell how many percentage of priority 1 tests passes, and etc.  If you have 20% passing rate on your priority 1 tests, you know you have some serious issues with your system.  If you have 100% pass on your priority 1 tests, you can leave office on time today.  This is “information”.  A piece of knowledge on the overall, high level outcome of the regression test.

Unfortunately, it will take a few more release before we can get it right.

Bad technical decisions

Software industry is probably the most chaotic, unstructured field to date. I hope I am wrong but four and a half years into this industry, no one can prove me wrong.

Today we had a heated discussion on how much corners we should cut (how much less we can do) to make our looming deadline. We delivered software with CLIENT and we have a HOST version as well for internal testing. Under rare circumstances, we ship HOST as well. In all our previous and current release, we have both CLIENT and HOST.

Because of some technical issues with our build system, we have some delay. The delay has thrust us into the spotlight of NOT having things done. Then we tried to cut corners. Hmmm……..maybe we can have our build QAed without HOST. After all, HOST is just a convenience for QA analysts. For the feature we are testing, we can use our current production release HOST setup to test our newer CLIENT. It is fine for right now. Plus………..we are REALLY behind our schedules.

Guess what, we need to cut corners. And I agree, reduce scope, or whatever you call it, but not a price that we all have to live with it.

I forgot where I read it (I thought it was from the book “Writing Legacy Code”), there is a saying that goes “code base is our house, we LIVE in it.”

The saddest part is, we have bad technical decisions made based on influence from certain team members to get out easily (or to get to do their fun, coding tasks) than to get the right things done for the team and company as a whole.

It has been a very sad day for me. Even sad is that we allow other pressures to let us into making decisions that we will have to live with. I said WE because it is a team decision. A broken team that everyone does not know what to do, what policy we have, and sort of free flow of how you want to suggest things to be done.

Software is more than just technical, it is political and it is very touchy because it is the art of design in a technical way.

And identity management is hard to practice in ad-hoc environment.

Worse though, and most common as well, those who make bad decisions do not stay on the job long enough, or usually do not have to live through the consequences of the decision.

I start to love software development, at a point where I dreaded some unrealistic, and inconsiderate decisions. And yes, I hear you, it is just the beginning.