For years I made big wood with Sonny’s “dupes”, phony credit cards with real numbers. He sold them to me for a hundred bucks a piece. Sonny had salespeople in retail stores on the take, boosting charge card receipts… I’d visit a jeweller who was in on the scam and buy a Rolex. If the watch retailed for five grand, I’d tell him to hit the card for ten. I’d leave with the watch. He’d made money. Both of us happy.
What the wise guys, as I believe they are known, really wanted, though, rather than Rolex watches and the like, was cash. Card fraud was also a means to that end.
If I knew a guy who sold stuff I didn’t want, like Paulie Flowers, I’d work out a cash split. I’d show up and tell him “hit my card for four grand, keep two and give me two when you get paid”. He’d tell the card company he’d delivered arrangements to a wedding, and send them a phony bill of sale, and that was that.
Things have changed since then. That kind of card fraud was a sort of cottage industry, almost quaint. Today the fraudsters have followed the banks and the rest of the business world and globalised. It’s no longer about getting a Rolex and a few thousand to spend, it’s about investment and return on investment. Moises Naim’s book “Illicit: How Smugglers, Traffickers and Copycats are Hijacking the Global Economy” talks about the new cross-border, enterprise-scale organised crime. Card fraud is part of this, and that’s a big problem. From being a minor branch of mafia robbery, it’s become easy money for funding drug dealing, trafficking and even terrorism. This is why, even though the business case for the transition to chip and PIN was marginal from the bank point of view, the government were keen to see it go ahead.
Today card fraud is a cost of doing business, a few basis points. In the UK, that’s more than six hundred million pounds, which isn’t that much compared with total card spending, so it’s not surprising that it may not be the banks’ absolute no. 1 priority at a time when chargeoffs are running at a hundred times the rate of chargebacks. I’m not bad-mouthing the UK card industry: card fraud is a global problem.
Australian Payments Clearing Association data for last year shows fraud remains a fraction of overall payments: 44.5 cents in every $1000 of transactions in the case of credit and charge card fraud, 7.1 cents in every $1000 for debit cards and less than one cent in every $1000 for cheques. However, while cheque and debit card fraud are falling, credit and charge card fraud are rising – up from 36.9 cents the previous year. About 70 per cent of that increase relates to cardholders making purchases overseas via the internet and telephone. [From Card crime jumps, so don’t get caught – Banking – Money – Business – Home]
A few basis points of turnover is a tiny fraction of the money spent on cards, but a big income for organised crime. So even though the crime is tolerated by the payment industry, it shouldn’t be. As Scott Loftesness said on Twitter when we were discussing this, we need to remember the “broken window” theory of policing. Tolerating crime that we can tolerate because it doesn’t stop us from doing business is a bad policy.
Card fraud is rising, and (unsurprisingly) it’s worst in the places where cards were never designed to be used: in CNP transactions. Note, though, that while new schemes that were invented after the Internet do better, they are not immune. The problem of payment fraud is not just a card problem.
Alternative payment services typically report lower rates of fraud than major credit-card companies. Of the total amount that PayPal processes, it takes a fraud loss on 0.26% of transactions, or a fraction of the typical fraud loss rate of about 1% for online merchants. [From EBay’s Profitable Pal]
The problem facing payments isn’t confined to CNP and it isn’t confined to cards. New opportunities for criminals are springing up all the time. As money transfer schemes increase in popularity, for example, the criminals are exploiting them too, and in sometimes ingenious ways.
Using a fake ID, the scammers then posed as Penny’s boyfriend and took Penny’s money from a Western Union branch in Manchester and a MoneyGram outlet in London. [From BBC NEWS | UK | Fraudsters target money transfers]
I don’t want to get sidetracked by the fake ID issue, which is often discussed over at the Digital Identity Forum Blog, except to note that I expect this problem to get worse in the UK, where the first ID cards have been issued but there are no readers to check them in. Is the corner money transfer agent really going to ring up the Identity & Passport Service to check every ID card presented to them (a service that they have to pay for, by the way) or are they just going to tick the box and photocopy the potentially bogus card? Indeed, ID cards were being forged for this kind of application long before they even existed in the UK!
They were highly sophisticated – featuring holograms and chips – and came in the form of driving licences, permits and UK identity cards. [From BBC NEWS | England | Couple jailed for fake ID factory]
But back to payments. In countries where older, simpler payment systems remain popular, those systems are also under attack.
The ABA estimates check fraud costs banks a total $2.2 billion per year. [From Bank of America expands reach of fingerprinting program]
Fingerprinting people may be a messy and expensive process for cheque cashing, but it does seem to have a real impact on the problem. Perhaps we should begin planning to introduce fingerprints as an alternative to PINs now!
So what are we going to do? We’ve designed payment systems where the cost of fraud is a manageable cost of business, but that cost is becoming unacceptable to society. The situation is getting so bad that if the industry doesn’t come up with some pretty effective, and pretty quick, changes in the system somewhere then we might end up having ridiculous solutions imposed on us by politicians and legislators. This has already happened with interchange — to no benefit to consumers, as far as I can see — and may happen with fraud. Once again, the banks might be out-lobbied by retailers, to shift all of the costs in one direction.
The House of Lords Science and Technology Committee follow-up report on Internet security, which was published today, says legislation is now needed because the current Banking Code does not offer people enough protection against losses arising from fraud. [From Finextra: Lords calls for law to make UK banks liable for online fraud]
If banks are wholly liable for online fraud, it won’t go down because merchants and consumers will have no incentive to reduce it. So that isn’t a good solution. But what should be our alternative? Do we press on with chip and PIN and start making new mandates about DDA, enciphered PIN, tamper-resistant terminals, PCI-DSS and so on? Or do we focus on the next generation of 3D Secure? Or do we, as an industry, recognise that payment cards were invented 60 years ago in a different world and it’s time to move on? Instead of trying to make the existing infrastructure accommodate mobile money transfer, Internet merchants and P2P, perhaps we should sit down with a wider group of stakeholders — including merchants and the police — and start drawing up plans for the next generation.
Incidentally, while mobile is certainly underutilised in the fight against fraud, a situation that is beginning to be addressed, tacking mobile on to the end of “traditional” payments is a stopgap.
For the time being, the mobile channels appear more inherently robust, but one wonders how long it will be before organised crime follows the mobile money and mounts sophisticated attacks in and around the telephone networks. I hope that this time round, in the early days of a new banking channel, we do something proactive to ensure the pedigree of personal data sent over the air. Perhaps using the public key cryptography built into SIMs and available in many handsets. [From We need clearer thinking about privacy and security]
The more I think about it, the more I think that it’s time to get people round a table and start thinking about the next generation. At next year’s Digital Money Forum, I’ll see if I can find a way to get that discussion started.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.