The fraud trajectory

There’s no doubt that chip and PIN is one of the key planks in the industry strategy to reduce card fraud to manageable levels (which is not the same as eliminating card fraud, note). One of the reasons why it is so secure is that is uses offline PIN verification, where the chip on the card checks that the PIN input at POS is the correct one. And since the PIN is known only to the cardholder, and they never divulge it, this provides validation that… no, wait…

Despite the strict recommendations from card providers about keeping your PIN confidential, research by shopping website VoucherCodes.co.uk has revealed that over half (59pc) of Brits are flouting the rules by sharing their bank card PIN codes and are putting their personal finances in jeopardy.

[From More than half of card users share their PIN – Telegraph]

Uh oh. But come on – anyone out there in the real world will know that it’s impossible to get through life without giving your spouse your PIN. What happens when (to pick a hypothetical example) she can’t remember what the hell she’s done with her handbag and needs to get to Homebase to buy some paint? Or (to pick a hypothetical example) a husband may have stupidly left his wallet in his desk at work but needs to get cash out at an ATM on the way to a football game. Come on – we’ve all done it (except me, I should point out to the terms and conditions chaps at Barclaycard).

The poll of 3,000 people revealed that Brits are most likely to entrust their partners with this security information, but a surprising one in twenty (5pc) adults feel that it is safe to divulge this information to their children.

[From More than half of card users share their PIN – Telegraph]

What? Not in my house they don’t. We have a Visa prepaid card for “house” use, so if the kids need to get some shopping, stuff for school or other supplies, they use that one, and I top it up online when necessary. It’s a simple way to manage money, so I’m surprised more people don’t do this: and it has the added benefit that it doesn’t have a name on it, so if it gets lost or stolen it can’t be used to start identity fraud.

Incidentally: 3 per cent of the people surveyed said that they wrote their PIN on a piece of paper and kept it in their wallet, which may account for at least some of the incidence of the ATM and POS chip and PIN fraud more plausibly than complex attacks on the unencrypted messages between the card and terminal.

There are plenty of other initiatives aimed at improving the overall level of card security. 3D-Secure has taken a long time to get traction but is now widely used in e-commerce. PCI-DSS is costing a fortune, but may reduce the industrial-scale counterfeiting of the magnetic stripe cards still widely used for retail payments in less-developed parts of the world.

In raids conducted Feb. 1, agents seized $300,000 in cash, three firearms and ammunition as well as equipment to make fake credit cards from the gang… The credit card details and stolen identity information was purchased from “online data traffickers via Web-based portals, and the purchasers would store the stolen credit card information in shared e-mail accounts, allowing several defendants to begin creating counterfeit credit cards,” prosecutors said.

[From US indicts 27 in Apple product credit-card fraud ring | MP3 Players | Macworld]

Anything that stops card details like these from falling into criminal hands so easily must be worth the money, right? Actually, on the costs of PCI-DSS, there may be some relief in sight for European retailers.

Visa last week announced a new programme which means European merchants will no longer need to prove they adhere to PCI DSS regulations on an annual basis, as long as 75 percent or more of their transactions originate from EMV-enabled chip and pin terminals. The programme will be introduced on 31 March, 2011

[From Visa PCI DSS exemptions send out mixed messages to merchants | Business Computing World]

So come on, it’s not all bad. In fact the bottom line is that the fraud figures have been improving, and I expect them to improve further still over the next couple of years as we begin the integration of cards and mobiles. This is because even simple integration (eg, texting unusual transactions) delivers good returns and the impending integration of payments with handsets means that issuers will be able to go even further with 24/7 access to the “card”. I won’t rehearse the basic arguments, but I think there are many reasons for thinking that the mobile is a means to manage card fraud down, and line of thinking that we have presented frequently over the years.

So, are mobile payments safe or not? It’s not a “yes” or “no” question, as we hope this discussion has shown. Let’s ask another question instead: Can we make the risks of mobile transactions manageable? The answer to that is “yes”. In fact, in the particular case of mobile proximity payments, we happen to believe that there is more security overall in using a mobile than in using a card payment

[From TM Forum – Article: Mobile Payments – Safer than Cards?]

For one thing, as noted, we can use the mobile to provide information and as communication channel to report on and detect suspicious activity. Potentially more interesting, though, there are techniques that take advantage of the characteristics of the mobile channel, primarily location There are some practical problems to be overcome though.

ValidSoft [has] direct access to mobile networks, tables, and services around the globe and can provide mobile based location services without requiring that users opt in. Many financial institutions are interested in using these services for fraud detection but are concerned about the privacy implications and don’t want their customers thinking they are following them around.

[From Visa Europe sets trend with mobile location-based fraud detection]

Actually, I might well want my issuer to follow me around, but I might also want it to stop other people from following me around. Anyway, I’ll be talking about this kind of thing — including lessons from our practical experience advising leading payments organisations around the world and some of the things we are learning from the Ph.D in mobile handset security that Consult Hyperion is funding at the University of Surrey — at the excellent UK Card Fraud Conference on 29th/30th March 2011 in London.

The magnificent people at DT Conferences have given me a delegate pass for the event — worth an amazing ONE THOUSAND TWO HUNDRED POUNDS plus VAT — to give away on this blog as a competition prize! So if you are going to be in London on those dates and you’d like to come along to meet some of the leading thinkers in the UK’s fight against card fraud (and me) then all you have to do is be the first person to comment on this post with the name of the doomed precursor to 3D-Secure, the PKI-based online card payment security system developed in the 1990s: full name, please, not just the TLA!

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been gritted for your safety. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.