We’re told that fraud migrates – push it down here and it goes up over there.  The introduction of Chip & PIN in the UK has squeezed out counterfeit, lost & stolen, and mail interception fraud.  This has been offset by a rise in card-not-present (CNP) fraud, and overseas use of skimmed cards is on the up.  The trend has been clear over the last few years.  The net result is that overall UK card payment fraud was flat at £400-450 million from 2001 to 2006.

The release of the latest UK card fraud statistics, for 2007, by APACS, the UK payment clearing association, has created headlines.  It’s up 25% to £535m, they scream.  A quick glance reveals the usual trends: Chip & PIN in the UK has reduced domestic fraud about as much as it can, whilst CNP and overseas fraud continue to grow apace.  Hence the overall rise.

So, where is this fraud coming from?  It may be a blip – it hit £500m in 2004, for example.  Or perhaps fraud is migrating from elsewhere.  What happens to VAT carousel fraud when it is squeezed, for example?  [VAT carousel fraud is a peculiar wealth support mechanism dreamed up by the EU that costs the UK taxpayer £8.4bn a year.]

What can be done to stem this rise?  CNP fraud is being tackled by 3-D Secure (branded Verified by Visa and MasterCard SecureCode).  To stem skimmed card fraud overseas and skim & PIN fraud (whereby a fake magnetic stripe card, cloned from a skimmed stripe, is used with a captured PIN to withdraw cash at an ATM), UK banks have gone this far: introducing iCVV, so that a stripe cloned from the chip’s track data carries the wrong verification value and fails the issuer’s check, and declining technical fallback at ATMs, so that a chip card whose chip "fails" to read cannot simply be processed on its stripe.

But they could go further.  Why not an opt-in, for all but the most frequent travellers, whereby my card is automatically declined for all overseas (non-chip & PIN) payments and cash withdrawals?  Before I go on holiday, I tell the bank where I’m going and for how long.  It’s easy to implement and easy for the cardholder.  Mandate 3-D Secure?
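To make the issuer-side checks in the two paragraphs above concrete, here is an added example (not code from the original post, and not Consult Hyperion’s or any bank’s code) of an authorisation routine that applies the three controls just described: the CVV/iCVV check that rejects a stripe cloned from chip data, the refusal of technical fallback at an ATM, and the proposed opt-in block on overseas non-chip use outside a notified travel window.  Everything in it is an assumption made for illustration: HMAC-SHA256 stands in for the DES-based CVV derivation a real issuer runs in an HSM, the Track 2 layout is simplified to PAN, expiry, service code and the verification value, the `CardProfile`/`Txn` names and the `authorise` rule order are invented, and the PAN, expiry, dates and countries are constructed test data.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Constructed issuer key for this example. A real issuer derives CVV and iCVV
# under a DES key pair (CVK A/B) inside an HSM; HMAC-SHA256 stands in here so
# the example runs offline with the standard library only.
CVK = b"constructed-example-cvk-not-a-real-key"


def cvv(pan: str, expiry: str, service_code: str, key: bytes = CVK) -> str:
    """Derive a 3-digit verification value from PAN, expiry (YYMM) and service code.

    Decimalisation follows the classic scheme: decimal digits of the MAC first,
    then hex letters A-F mapped to 0-5; the first three are taken.
    """
    mac = hmac.new(key, f"{pan}{expiry}{service_code}".encode(), hashlib.sha256).hexdigest()
    digits = [c for c in mac if c.isdigit()]
    digits += [str(int(c, 16) - 10) for c in mac if not c.isdigit()]
    return "".join(digits[:3])


def icvv(pan: str, expiry: str, key: bytes = CVK) -> str:
    # iCVV is the same derivation with the service code input fixed at '999'.
    # The chip's Track 2 Equivalent Data keeps the card's real service code but
    # carries the iCVV where the magnetic stripe carries its CVV.
    return cvv(pan, expiry, "999", key)


def build_track2(pan: str, expiry: str, service_code: str, verification_value: str) -> str:
    # Simplified Track 2: PAN '=' YYMM service-code verification-value.
    return f"{pan}={expiry}{service_code}{verification_value}"


def parse_track2(track2: str):
    pan, rest = track2.split("=")
    return pan, rest[:4], rest[4:7], rest[7:10]


def verify_card_data(track2: str, entry_mode: str) -> bool:
    """Stripe-read data must carry the CVV; chip-read data must carry the iCVV.

    A stripe cloned from chip data presents the iCVV under the stripe's real
    service code, so the CVV recomputed for that service code will not match.
    """
    pan, expiry, service_code, presented = parse_track2(track2)
    expected = icvv(pan, expiry) if entry_mode == "chip" else cvv(pan, expiry, service_code)
    return hmac.compare_digest(presented, expected)


@dataclass
class CardProfile:
    pan: str
    chip_card: bool
    block_overseas_non_chip: bool = False        # the opt-in proposed in the post
    travel: list = field(default_factory=list)   # notified (country, start, end) windows


@dataclass
class Txn:
    track2: str
    entry_mode: str   # 'chip', 'magstripe' or 'fallback' (chip read failed, stripe used)
    channel: str      # 'POS' or 'ATM'
    country: str      # ISO 3166 alpha-2 code of the acceptor
    when: date


def authorise(txn: Txn, profile: CardProfile) -> str:
    if not verify_card_data(txn.track2, txn.entry_mode):
        return "DECLINE: CVV/iCVV mismatch (stripe cloned from chip data?)"
    if profile.chip_card and txn.entry_mode == "fallback" and txn.channel == "ATM":
        return "DECLINE: technical fallback not permitted at ATM"
    if profile.block_overseas_non_chip and txn.country != "GB" and txn.entry_mode != "chip":
        notified = any(c == txn.country and start <= txn.when <= end
                       for c, start, end in profile.travel)
        if not notified:
            return "DECLINE: overseas non-chip use outside notified travel window"
    return "APPROVE"


def demo() -> dict:
    pan, expiry = "4111111111111111", "0912"      # constructed test PAN and expiry
    stripe = build_track2(pan, expiry, "201", cvv(pan, expiry, "201"))   # genuine stripe
    chip_t2 = build_track2(pan, expiry, "201", icvv(pan, expiry))        # chip Track 2 Equivalent
    profile = CardProfile(pan, chip_card=True, block_overseas_non_chip=True,
                          travel=[("ES", date(2008, 7, 1), date(2008, 7, 14))])
    d = date(2008, 3, 1)
    return {
        "chip_uk_pos": authorise(Txn(chip_t2, "chip", "POS", "GB", d), profile),
        "stripe_uk_pos": authorise(Txn(stripe, "magstripe", "POS", "GB", d), profile),
        "chip_data_cloned_to_stripe": authorise(Txn(chip_t2, "magstripe", "ATM", "US", d), profile),
        "fallback_at_uk_atm": authorise(Txn(stripe, "fallback", "ATM", "GB", d), profile),
        "skimmed_stripe_overseas_atm": authorise(Txn(stripe, "magstripe", "ATM", "US", d), profile),
        "stripe_on_notified_holiday": authorise(Txn(stripe, "magstripe", "ATM", "ES", date(2008, 7, 5)), profile),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:30s} {outcome}")
```

The last three cases are the point of the post: iCVV stops a stripe built from chip data, but a stripe skimmed from a genuine stripe still carries the right CVV and passes that check, so at an overseas magstripe ATM only the travel-window rule (or a blanket overseas block) catches it.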

Sadly, inconveniencing the cardholder gets in the way and we can’t possibly have that.  And fraud is still only ~0.1% of total card spending.  So, perhaps it’s not such a big issue for the banks, anyway.  After all, card fraud was projected to be £1bn by 2010 were it not for Chip & PIN.

2 comments

  1. To the extent that the card issuers pick up the tab for fraud, as they are the ones that design the security of the system, then sentiments such as fraud being low (0.1%) are no problem.
    To the extent that the card issuers shift that liability to the card holder, who has no understanding or capability to assess security, that’s gross negligence. For the card holder, a card fraud can easily outweigh their entire card use, taking the cost of fraud to greater than 100%. This very personal equation tends to scare people off these newfangled payment schemes, because the experiences of one’s friends are better testimony than anything banks can say.

  2. So once again we face headlines that tarnish the image of card payments in general and cause the public (or at least journalists) to question the whole notion of Chip & PIN and the iffy technology the banks have heaped on an unsuspecting public. We also have to read dreary outpourings from the uninformed about PIN usage in France or shouldn’t we be exploiting second channel (e.g. SMS) or novel keying techniques? Ho hum.
    It is true that Chip & PIN has succeeded in reducing a particular type of fraud. But our action and inaction (sic) have perpetrated new frauds and these deserve some/huge criticism.
    1 [We have allowed the same card to be used at the POS and in the ATM with the same PIN]
    This may seem attractive at a business level but I advise people to use a credit card and not a debit card at the POS. Why use a debit card? Discipline yourself with credit cards. Insist with your issuer if you can that no cash advances are to be allowed against the credit card. (Note to retailers: the MSC is a separate argument which deserves sympathy).
    2 [We have allowed the entire magnetic stripe details to be included in the chip data whilst maintaining the legacy magnetic stripe processing systems]
    This was included so that the schemes could downgrade the transactions from the POS to magnetic stripe whilst the issuers upgraded their systems. We should have been much tougher with the timeline for removing this exposure. The use of ICVV is now mandated by APACS but a mandate should not have been necessary.
    3 [We allow the PIN to pass to the card in clear]
    This was a tricky one to circumvent due to the cost of the chip at the time. This is less so now. However, by separating the POS and ATM systems the impact could have been minimised. Relying on vendors to provide adequately protected devices against an attack here that are economic is never going to work. Repeat never.
    4 [We allow downgraded transactions from overseas to arrive unchecked to preserve the scheme brand]
    The brand decrees that the card is accepted anywhere. This is an argument for a domestic card or for a process that requires holders to notify international usage where Chip & PIN is not the standard.
    5 [We perpetuate the “cheque card style” protection myth of CV2]
    CV2 is a wholly inadequate device for preventing internet fraud. It’s only grace is it is better than nothing. We really need to tackle this one.
    Too often we are tempted to believe the job is done and we need have no further worries regarding fraud. Witness the shedding of expert staff when Chip & PIN was rolled out. The issuers contain little expertise with regard to their own systems now.
    So will this be enough? Maybe not. Recently we have seen that a law court will require issuers to provide hard evidence that cards have been used to perform the transactions. This is not necessarily straightforward since the current means by which the cryptograms which prove a card must have been present are generated do not provide this evidence. This is because the security systems are built to prevent any disclosure of the cryptographic keys needed to produce the cryptograms. The dichotomy is solved by moving the crypto-generating system to an asymmetric type but this will require a change of card chip and back-end systems. Alternatively, some means of publishing a particular account key set may be needed but will forever expose that account and provide ammunition to cryptanalysts.
    So what should you do, you bankers? Listen to your Security and Risk people of course, get expert vendors to design your systems and then get independent security experts to audit the whole lot. Holistically. And have an ongoing security policy that includes keeping ahead of the fraudsters by continual system assessment and upgrade on a stated and robust timeline. If you are not already planning to move to DDA cards you should be.
