Skim and Pump
Every so often there’s a story in the press about contactless payment cards being skimmed and money being extracted from them. Basically someone goes around tapping hapless commuters on the ass with a contactless card reader. Which given the state of the UK’s stupid prosecution service probably puts them more at risk of a charge of sexual assault than being arrested for theft.
This story is a recurring meme, and exemplifies what’s wrong with the state of financial journalism today. And on the way we get to look at real-world conspiracy theories and a bit of behavioral economics. What fun.
So, here’s the latest effort from the UK’s Daily Telegraph: Contactless card owners warned against public transport scanner hack:
"A Facebook post has gone viral after a man ... saw a thief scamming people out of their money in a tech-savvy way".
Which was then followed up by the BBC, no less: Is it possible to pickpocket a contactless card?:
"Just about anything is possible with the right equipment and research"
True, no doubt, but really it’s a classic fear, uncertainty and doubt story, designed to extract the maximum sensation with the minimum research effort. If people took this seriously – and some people do – they’ll start carrying cash rather than using their payment cards. So do we think carrying a contactless card is more risky than carrying $250 about your person?
It is, of course, more risky and more likely to fuel the black economy. It’s all very well complaining about Google and Amazon ripping off the taxpayer by perfectly legal means, but the fact that nearly everyone rips off the taxpayer by paying cash under the counter is ignored.
So, to make this particular scam work the scammer has to get hold of a contactless reader, then register as a valid merchant with a payment processor and then manage to pump a whole bunch of transactions through the system before the banks figure out that the merchant is fake. All of these are possible, but given that I can go and buy credit card details on the dark net for 20c a pop, and that using these to mount a mass attack on online retailers is a lot more effective than going round groping peoples’ bottoms on the metro it’s not really a likely attack scenario for anyone other than a hard-up security consultant looking to extract a few dollars from journalists.
Beyond that, banks generally refund their customers promptly, despite the odd report of something going wrong (more journalistic license for hysterical attacks on big banks). They do this because any customer with a good history is likely telling the truth, because they can’t afford to spend lots of customer service money dealing with small transaction queries and because if someone is scamming them they will eventually spot the pattern, refund the latest query and close the bank account.
This type of article exemplifies all that’s bad about financial journalism. It’s not researched properly because it doesn't stand up to logical analysis. There are (conservatively) 100,000 people working in FinTech around the world. Any one of those people is capable of refuting the arguments: in fact, for this to be true all 100,000 of them would have to be engaged in a mass conspiracy. As we saw in Psst ... Anyone Want To Invest In A Conspiracy? the chances that the FinTech equivalent of Edward Snowden wouldn’t have popped up and spilled the beans by now are minimal.
But it’s designed specifically to excite people, because sensationalizing things makes a good story. My 80 year old parents read this stuff and think it must be true. I mean, let’s face it, some liberal arts journalist who doesn’t know the difference between NFC and KFC is bound to be right about this. Yeah?
But sensationalizing stories is what the mass media does. People are attracted to stories which fit easy narratives – in this case the idea that the banks are deliberately risking our money by investing billions of dollars in systems that allow some idiot with a $20 card reader to access our accounts. Stories like this make the ideas salient; they’re uppermost in peoples’ minds and that triggers changes in behavior such that my ancient parents start wandering around carrying large amounts of cash instead of using their bank cards.
Salience is a specialized form of a behavioral bias known as the availability heuristic. We’re biased because some piece of information is easily retrievable from memory, and that ease of availability drives us to do things we otherwise wouldn’t. If the mention of contactless cards immediately makes the idea of card skimming salient then it will drive people to change the way they make payments.
In fact, the correct way of reading any news story – or, any piece of company research – is to ask the “what if?” question: to try to disconfirm it. We find it difficult to imagine alternative narratives when we’re presented with easy to follow stories, but stories aren’t data. The idea of coming up with alternative narratives – counterfactuals – is one that Adam Galinsky and Gordon Moskowitz analyzed in Counterfactuals as Behavioral Primes:
“We demonstrate that counterfactuals prime a mental simulation mind-set in which relevant but potentially converse alternatives are considered and that this mind-set activation has behavioral consequences.”
This is based on Tversky and Kahneman’s idea of the simulation heuristic, another variation of availability – where people determine how likely an event is by how easy it is mentally visualize it. So people suffer regret when they miss the lottery numbers by one, when the reality is that the odds of winning were still tiny. Galinsky and Moskowitz went further with this and showed that if they primed people with alternative scenarios they were more likely to solve puzzles that require a bit of lateral or logical thinking.
The process of disconfirmation is important for investors, too. Presented with salient stories we need to gather disconfirming evidence and try to see if the narratives stack up. Internet bulletin boards are notorious for groupthink effects where people gang up on any alternative view – when in fact they should be welcoming someone challenging the status quo.
In the context of contactless payment card attacks and leaving aside the technical challenges in implementing them, the articles focus on the absolute risk of an attack rather than considering what the alternative is. But it’s not exactly difficult to follow through the counterfactual; asking the security experts involved whether they would recommend that people start carrying vast quantities of cash rather than using their payment cards is an obvious question for even the most technophobic journalist.
Sadly, stories that the existing payment system manages to successfully process over one billion card transactions every year, and that the very ease of making payments underpins our entire way of life tend to get missed in the rhetoric. “Banks do good job” isn’t an exciting headline. On the other hand, for once, it’s probably true.
Simulation Heuristic added to the Big List of Behavioral Biases