Credit cards are absolutely, shockingly, embarrassingly insecure. Imagine for a moment that, whenever you wanted to pay for something, you handed your wallet to a stranger and said, "Here, take whatever you want." Actually, that's far more secure than credit cards. Imagine for another moment that anybody who's ever even touched your wallet had immediate access to all your money. Even that's a bit generous, because credit cards are actually a little worse than that.
This is the reason that identity theft is a problem right now - there's no security at all when it comes to credit cards. And the worst part is that there's no way for you or me to defend ourselves, because the insecurity is baked into the system. There's no way to use a credit card without handing it to somebody, or typing all the information on it into a website, or doing something equally insecure.
Of course, this is the part of this rant where people sometimes say, "Fine, so you could do better?" I think I can probably do better; I would certainly be hard-pressed to do worse.
First Proposal - Digitally signed transactions
The core of this proposal is an RFID-like device which contains a secret key and can compute a cryptographic checksum. When a transaction is made using the device, the details of the transaction are fed to the device wirelessly, and it responds with a checksum computed over the transaction details combined with its own secret key. The details of the transaction can then be relayed to the credit card company by existing means.
Pros: This scheme is cryptographically secure. It guarantees (barring failures of the physical security of the card) that the card was actually present at the time of the transaction. It's also cheap (RFID tags cost pennies), and doable with current technology. As a bonus, it meshes well with ways people currently use credit cards, and is easy for people to use.
Cons: Doesn't really help if your card is physically stolen. Also, doesn't address online purchases.
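A sketch of the first proposal's exchange, added here as an example and not part of the original post. It assumes HMAC-SHA256 as the keyed checksum, a key shared between the card and the card company, and a per-card counter (not in the post) so that a captured response cannot be resubmitted; all class and field names are hypothetical.

```python
import hashlib
import hmac
import json

def canonical(details: dict) -> bytes:
    # Deterministic encoding so card and issuer compute the checksum over identical bytes.
    return json.dumps(details, sort_keys=True, separators=(",", ":")).encode()

class Card:
    """Stands in for the RFID-like device: holds the key, only ever emits checksums."""
    def __init__(self, card_id: str, key: bytes):
        self.card_id, self._key = card_id, key
        self._counter = 0  # assumption: monotonic counter, bound into every checksum

    def sign(self, details: dict) -> dict:
        self._counter += 1
        msg = dict(details, card_id=self.card_id, counter=self._counter)
        tag = hmac.new(self._key, canonical(msg), hashlib.sha256).hexdigest()
        return {"msg": msg, "tag": tag}  # the key itself is never part of the response

class Issuer:
    """Stands in for the credit card company, which knows each card's key."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, card_id: str, key: bytes) -> None:
        self._keys[card_id] = key
        self._last[card_id] = 0

    def verify(self, signed: dict) -> str:
        msg = signed["msg"]
        key = self._keys.get(msg.get("card_id"))
        if key is None:
            return "unknown card"
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["tag"]):
            return "bad checksum"  # details were altered, or the card lacks the key
        if msg["counter"] <= self._last[msg["card_id"]]:
            return "replayed"      # a valid response seen before, submitted again
        self._last[msg["card_id"]] = msg["counter"]
        return "approved"
```

A merchant who relays the response cannot change the amount or reuse the response for a second charge, because both the amount and the counter are covered by the checksum.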
Second Proposal - Multiple cards
When you go out, you generally have some idea of how much you're going to spend. So why carry more than that? If we had a set of credit cards, rather than just one, with various limitations, then this would be more secure. Limitations could be simple spending limits, such as per-transaction or per-day limits, or it could be something more complicated, like only allowing purchases in the city you live in.
Pros: Completely compatible with existing systems. Easy for people to understand. Cheap to implement.
Cons: Most of the downsides of credit cards still apply; this just mitigates the risks.
Third Proposal - Authorized transactions
It should be possible (if perhaps a little annoying) for your bank to call you and check with you whenever a purchase is made on your account. Since having a person calling you all the time would be a bit much, it could also be an automated calling system, or a text message, or an email if it's not time sensitive, or something else. The main requirement is that it be something that's difficult to fake.
Pros: Compatible with existing systems. Prevents any unauthorized transactions, even those made with a stolen card and all relevant data.
Cons: Kind of annoying.
(Note that nowhere in here have I mentioned biometrics. Biometrics look cool in movies, but they're basically useless for actual security, for reasons that I'll go into more in a future post.)
Security is always a tradeoff, and when it comes to credit cards we've always gone far, far to the extreme of preferring convenience. But it doesn't have to be that way, and if we were willing to give up a small amount of convenience we could make credit card fraud a thing of the past.