In all conscience

I’m giving a keynote at the Smart Card Alliance conference in Chicago in a couple of weeks. It’s going to be about EMV in the USA. I’ve just been mulling it over, and once again looked at Deborah Baxley’s neat summary of the immediate future for the US cards business:

Banks scrambling to replace lost fee revenue will likely shift focus to credit and prepaid, impose DDA and other fees, along with new account services and comprehensive pricing packages.

[From Changing the Game in Cards – pymnts.com]

It’s not just banks who have to rethink their strategies because of developments in the payment sector. I note that in the UK, according to the Centre for Economics & Business Research reported in Fraud Watch 6(18), nearly 100,000 people were victims of direct debt fraud last year, a direct consequence of the use of chip and PIN at retail POS. As card fraud has become more difficult, the criminals have shifted their focus. Direct debit fraud was one basis point of identity fraud cases a decade ago, now it is a tenth of all cases. Criminals have to adapt to chip and PIN just as banks and merchants do.

A GROUP of seven postmen intercepted letters containing credit cards, switched the microchips of the cards with fake ones and then delivered them to the applicants… the syndicate also had the help of a National Registration Department (NRD) officer who supplied them with the names of the mothers of the real credit card applicants

[From 7 M’sian postmen nabbed for credit card fraud]

It’s interesting to think like a criminal. Well, sometimes. In Chicago, two men were shot by guards while trying to rob a cash transit.

The dead suspect was identified as Jimmy Townsend, 52… a convicted felon and was sentenced to 10 years in prison for two separate armed robbery convictions.

[From 2 suspects shot, one fatally, in armored truck heist – Chicago Breaking News]

Armed robbery is a bizarre crime. I think I’m right in saying that in the UK the average sentence is longer than that for murder. In the US, Mr. Townsend spent years in jail for it, and then got killed doing it again. How dumb did he have to be go back to trying to rob armoured cars. If only he read the Digital Money Blog, he would have known that there are much easier targets.

The heavily-armed gang made off with the tournament jackpot of 242,000 euros ($327,000; £217,000) in early March. Police said a 28-year-old Lebanese man, the fourth arrested in connection with the raid, had been detained on Sunday.

[From BBC News – German police arrest poker tournament heist suspect]

OK, so not all of them got away, but casinos are not a bad idea for enterprising criminals. They do have lots of cash, and often the people in them will not report cash as stolen.

Masked men have stormed a packed casino near the Swiss border city of Basel, making off with hundreds of thousands of francs, prosecutors say.

About 10 raiders pulled up at the Grand Casino in two cars just after 0400 (0200 GMT) and smashed their way in, brandishing machine-guns and pistols. The French-speaking gang ordered the 600 guests and employees to the floor while they emptied registers.

[From BBC News – Switzerland casino is robbed by armed gang]

Criminals follow the path of least resistance. I hope Bankerstuff don’t mind me quoting from a marketing e-mail they sent me concerning a forthcoming webinar.

A Former Bank Robber Shares Security Insights During Live Webinar on April 28 from 2:00 – 3:00pm Eastern

Troy Evans pursued a career as a self-employed addict, drug dealer, gambler and thief for more than 15 years. Ultimately, his disregard of values and discipline resulted in a 13 year federal prison sentence. Facing the obstacles, pressures and violence of prison life, he was determined that his time behind bars would not be wasted… Having met and interviewed over 300 bank and credit union robbers he is able to give us a “look into the mind of the enemy”. Troy answers questions such as… What can financial institutions do to deter a desperate criminal?

I would have thought than an obvious idea would be to not have any cash since, as another bank robber famously remarked, he went “where the money is”? When it comes to card payments, the money is in getting hold of card details and (because of the switch to chip and PIN) PINs. Here, the criminals soon adapted their strategies to deal with the new instruments.

Victorian Police believe international crime syndicates are bribing shop workers in return for access to EFTPOS terminals as part of an elaborate scam. They believe criminals have stolen as much as $80 million from Australian bank accounts over the past year…

The syndicates install cameras in ceilings to film people entering their identification numbers.

[From EFTPOS scam costs Australians $80m – ABC News (Australian Broadcasting Corporation)]

They’re using these PINs (since they can’t make counterfeit chip and PIN cards) with the card details to withdraw cash from ATMs. Once all of the cards and ATMs are chip-only, this avenue will be closed to them. Thus while chip and PIN isn’t perfect, it’s good enough to push criminals into other channels. So: a thought experiment…

Suppose we improve the security of payment systems to the point where they cannot, effectively, be broken. Theft, fraud and hacking are not possible. Where would criminals go next? I think they’re spoilt for choice, so relatively small improvements in payment security would send them off to pasture news.

The poll of 533 firms shows that 55% experienced fraud in the last 12 months, with 61% of these hit more than once, a similar picture to the previous year. In total, 75% of the businesses participating in the study experienced online account takeover and/or online fraud.

[From Finextra: Account takeover fraud plaguing US small businesses]

SME account takeover seems much easier than armed robbery and much more profitable. The so-called man-in-the-middle attacks on OTP systems for remote access to baking accounts are an established attack vector.

According to BillingScore, 19.4% of the value of all transactions in the U.K. premium rate sector are fraudulent, or roughly £1 on every £5 spent. “With the premium rate sector in the U.K. mobile industry currently worth in the region of £700 million, this equates to £135.8 million per year being lost to fraud in the U.K. alone,” the company said.

[From UK mobile operators ‘hide’ £136m annual fraud loss]

A fifth? As opposed to a few bp in cards? I predict that any forward-looking criminal in this scenario will be eyeing up the telecommunications opportunities. So let’s look at what some forward-looking criminals are doing. I think criminals in eastern Europe are a useful barometer, because they tend to be well-educated and computer-savvy. And they get arrested for time to time so we can see what they get up to. Here’s the stash of Romanian hackers arrested last year. You will, of course, note that it does not include low maximum balance prepaid cards or accounts.

77,350 euros, 49,000 U.S. dollars, 64,860 pounds, 60,645 lei, a luxury watch, a rifle, three pistols and 150 grams of gold. 70 laptops, 165 mobile phones, 35 desktop computers, 15 modems, new servers, 10 blank cards, 2425 SIM cards…

[From CyberCrime & Doing Time: Nicolae Popescu, Romanian hacker, at large!]

So not only the usual euros and dollars, but also gold (clearly the hackers were diversifying) and also two-and-a-half thousand SIM cards. Two-and-a-half thousand! Here are people taking the messages of convergence, future-proofing and cloud payments quite seriously. As Eric Schmidt said when still with Google, if you don’t have a mobile strategy then you don’t have a strategy. Now, if you’re like me, you will wonder what on Earth they are going to do with these SIMs. Then I remembered something that I’d read a while ago.

Only days after almost two million Bulgarians registered their SIM cards, the Interior Ministry warns that new forms of abuse are appearing. According to the ministry, two cases had recently been uncovered in which telephone fraudsters had allegedly offered 50 leva to Romas for registered SIM cards, Bulgarian daily Standard reported… the Interior Ministry as saying that it expected a flood of SIM cards, registered to Romas and homeless people, to appear on the market in the coming weeks.

[From Interior Ministry warns of trade in registered pre-paid SIM cards – Bulgaria – The Sofia Echo]

Mystery solved. The answer to why there should be a significant value attached to SIM cards that you can buy for virtually nothing in any shop is, naturally, government policy. After pocketing their windfalls from selling their SIM cards, the homeless and Roma presumably went off to celebrate their good fortune, whereas the criminals went off to figure out how to create a mass supply instead of having to negotiate with individuals.

…only four months into 2010, and organised crime groups already have found ways of beating the system. In fact, there are unsuspecting people right now who are completely unaware that their mobile phones, or names and registration, are being used for serious criminal activities… Radio host Borislav Borissov found out that he was the “proud owner” of about 200 different SIM cards, all registered to his name and personal social security number.

[From Bulgarian criminals ‘beating the system’ of pre-paid SIM card registration – Bulgaria – The Sofia Echo]

I know where I’d invest my criminal dollars! Mobile is the future! No, of course, I’m just joking to make a point. If I really was going to invest dollars in a criminal enterprise, it would be in Somali pirates, except for one sticking point. I’m afraid my strict ethical position will not allow me to deal with these people.

The al Shabaab group, which professes loyalty to al Qaeda, said mobile money transfers (MMT) helped feed Western capitalism and were turning Somalia’s Muslims against Islamic banking practices.

[From Somalia’s al Shabaab bans mobile money transfers | Top News | Reuters]

I cannot do sufficient violence to my conscience to support a group who are against mobile payments.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]