The recent revelation that a website was openly selling credit card records to all comers is hardly surprising. 'Carders', as they're known in security circles, have been selling stolen records online for years, but normally via less popular channels, like IRC.
In this case, the carders are a group known as the Lampeduza gang, an expert team of cybercriminals with a sophisticated back-end operation. They have been linked to the sale of credit card records from the attacks on the Target retail chain late last year.
Unfortunately, credit cards are a known quantity too. When you hand yours over, the retailer knows your card number, expiry date, and name. And when you're making a 'cardholder not present' transaction, the retailer also knows your card verification value (CVV). This is the security code on the back of your card, used to help reduce credit card fraud, which you're normally submitting on their website.
The UK Cards Association, which is the trade body for the card payments industry in the UK, reported fraud losses up 16 per cent to £450.4m in 2013. Fraud from remote card purchases (online, over the telephone, or by mail order) jumped 22 per cent to £301.1m, constituting the lion's share of the losses. Chip and Pin, a technology already used in the UK and Canada and due to be introduced into the US next year, can't really help with the online problem.
In short, credit cards are inherently broken. Point-of-sale systems are broken. Large numbers of websites are broken. The home computers and mobile phones into which people enter their credit card details are often also broken, compromised with malware that would make the owners' skin creep – if only they knew about it. Yes, everything is broken.
We need a better system. Can the new generation of digital payments help us?
Bitcoin is an obvious go-to option here. It is quasi-anonymous, depending on how you use it, and customers can make payments without providing private details that would make it easy for snoopers to steal more of their funds. It also does away with those nasty merchant fees, which plague small businesses.
There are others, though. Apple Pay, which made its way onto the company's new iPhones recently, prevents credit card information from reaching the retailer at all, instead sending a token, and a one-time dynamic number, designed to authenticate transactions securely.
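The token-plus-one-time-value scheme described above, simulated in Python as an added example (not Apple's or any card network's code): the issuer class, the HMAC-based cryptogram and the sample card number are assumptions chosen to show why the message the merchant receives contains no card number, cannot be altered and cannot be replayed.

```python
import hashlib, hmac, secrets


def make_cryptogram(key, token, amount, nonce):
    # One-time dynamic value binding this token, amount and nonce to the key
    msg = f"{token}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Simulated card network/issuer: the only party that can map token -> PAN."""
    def __init__(self):
        self.vault = {}    # token -> (PAN, per-token secret key)
        self.seen = set()  # (token, nonce) pairs already authorised

    def provision(self, pan):
        # Enrol a card: the device gets a token and key; the PAN never leaves here
        token = "TOK-" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        return token, key

    def authorize(self, token, amount, nonce, cryptogram):
        if token not in self.vault:
            return False
        _pan, key = self.vault[token]
        expected = make_cryptogram(key, token, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False   # wrong key, or amount/nonce altered in transit
        if (token, nonce) in self.seen:
            return False   # replay of a captured message
        self.seen.add((token, nonce))
        return True


def device_pay(token, key, amount):
    # What the phone hands the merchant: token plus cryptogram, never the PAN
    nonce = secrets.token_hex(8)
    return {"token": token, "amount": amount, "nonce": nonce,
            "cryptogram": make_cryptogram(key, token, amount, nonce)}


def demo():
    pan = "4111111111111111"  # constructed sample card number
    issuer = Issuer()
    token, key = issuer.provision(pan)
    msg = device_pay(token, key, 1999)  # amount in pence
    first = issuer.authorize(**msg)      # genuine payment -> True
    replay = issuer.authorize(**msg)     # same message replayed -> False
    tampered = issuer.authorize(**dict(msg, amount=99999))  # altered -> False
    return first, replay, tampered, pan in str(msg)  # merchant saw PAN? -> False
```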
In the US, a group of retailers have snubbed Apple's payment system, instead opting for their own, called Merchant Customer Exchange (MCX). This will allow customers to pay via their mobile phones, using a new app called CurrentC.
CurrentC uses QR codes, instead of the near field communications (NFC) used by Apple. Instead of supporting credit cards, it supports cheque accounts, store gift cards and merchant debit.
This saves the merchants from having to pay credit card fees, and it also avoids the customer having to relay their data.
Then, of course, there is Google Wallet. This system, which like many of the others is only available in the US at present, doesn't give your credit card information directly to the vendor either. Instead, it uses a 'virtual card', in a system called Host Card Emulation.
The benefit of these systems is that they eliminate the need to give out credit card details in the clear, over insecure channels. They don't eliminate the security risk altogether, though.
At least some of these systems still rely on credit card data being stored somewhere, even if only on the payment service provider's own systems. Even banks have problems protecting credit card data on their own systems, so nothing is completely secure.
The chances are that someone will be along shortly to try to hack these alternative payment systems, if they haven't already.
But everything we can do to revamp payment systems with more security gets us a step ahead of the hackers. And as we watch credit card hackers relentlessly stealing customer payment details, surely it's better than lumbering along five steps behind?