Written by This paper highlights the difference between the direct, indirect and social costs of payment fraud and calls for a more holistic approach to security in payment instrument design. The payment industry has done a lot, bit it should do even better and make use of customer-specific parameters and take a stronger role in the whole payment processing chain.
This really is an important point to make, especially to regulators. I think that payment systems regulation should have explicit goals, and that the most important of these should be to maximise the net welfare, as economists say. In other words, the goal of payment system regulation should be to make payments perform for the whole of society, not any particular subset such as banks or merchants. In particular, the idea of externalising the costs of poor payment system security should be examined. Card fraud provides a simple example:
93% of respondents say they are worried about bank card fraud. This fear appears fairly well justified considering that there were over 102,500 cases of bank card fraud identified in 2010, according to Cifas, with many more instances not reported.
[From Finextra: Card fraud is number one security worry for Brits]
Personally, I’m not that bothered about card fraud. I only ever use a credit card, so if the details are used by fraudsters to buy stuff, I don’t care (it’s the bank’s problem, not mine). Actually, the statistic in that quote isn’t quite what the source document says…
…the unwelcome and continued presence of identity fraud, with no sign of any reduction, with over 102,500 cases identified in 2010,
[From CIFAS – Press Release – 20 Jan 2011]
…but whatever. From the industry perspective, card fraud is a few basis points and falling and entirely manageable in financial terms. But the police would say that this is wrong way to look at it, because card fraud (particularly ATM fraud) is used to fund other criminal enterprises such as drug dealing, so that the social cost is much higher than the cost to the financial sector. This is a general point, by the way, and I’m not picking on financial sector.
According to BillingScore, 19.4% of the value of all transactions in the U.K. premium rate sector are fraudulent, or roughly £1 on every £5 spent. “With the premium rate sector in the U.K. mobile industry currently worth in the region of £700 million, this equates to £135.8 million per year being lost to fraud in the U.K. alone,” the company said.
[From UK mobile operators ‘hide’ £136m annual fraud loss]
That’s an astonishing figure, which tells you more about the margins on digital goods sold by mobile operators than it does about security technologies or techniques! These technologies do work…
Online banking fraud losses totalled £46.7 million in 2010 – a 22% fall on the 2009 figure – as banks installed sophisticated fraud detection software and more consumers equipped their PCs with up-to-date anti-virus protection. The dip in online fraud has occurred despite a continuing rise in phishing attacks, up 21% from 2009.
[From Finextra: UK banking fraud losses at their lowest for a decade]
I’m sure that one of the major reasons for this fall, and the general containment of this class of fraud in Europe, is the steady migration to two-factor authentication (2FA) for online banking—while there is still no 2FA for online payments, which are general based on knowing a password, not possessing any tamper-resistant hardware. In the US, hardware 2FA is less common but the new FFEIC guidelines may result in more uptake.
It clearly tells financial institutions that the techniques many of them have relied upon, i.e. simple device identification and easily exposed challenge questions, are not good enough anymore given today’s threat landscape.
[From FFIEC finally releases new Guidance on Internet Banking Authentication; Better Late than Never]
I’m pretty sure that the dominant 2FA in the US will be mobile rather than the custom devices adopted in Europe a few years ago (such as my splendid Barclays’ PIN sentry). This is the kind of thing I’ll be talking about at Business and Operational Excellence in Payments in London on 18th/19th October 2011. With the payments industry entering a period of unprecedented challenges, this highly topical two day conference will examine what changes banks need to make in order to maximise efficiencies in payments. From new products for corporate clients to cutting edge solutions in new delivery channels our 40+ distinguished speakers (and me) will explore and debate where the new opportunities to increase revenue really lie. For the latest programme or to register at a 20% discount, please visit: http://www.informaglobalevents.com/FKP2225DMB and quote VIP Code: FKP2225DMB.
Oh, I almost forgot to mention. The fantastic team at ICBI have given me a two-day delegate pass worth an amazing ONE THOUSAND THREE HUNDRED AND NINETY NINE POUNDS (plus VAT) to award as a prize on this blog! If you will be in London on those days and would like to come along to hear leaders in the field (and me), all you have to do to win is to be the first person to comment on this post with the name of the famous fraudster portrayed by noted American actor Leonardo di Caprio in the splendid 2002 motion picture, “Catch me if you can”.
(By the way, if you’re in the mood for more financial services-related academic papers from Finland, you might be interested in this one, which proves apparently conclusively that size really does matter.)
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers
Who’s Abagnale anyway?
We have a winner! Please e-mail your full contact details to me please Mark and I will pass them on to the conference organisers.
Honestly? Online payments or using a debit card in a store share an equal fraud risk. In fact debit cards have been in the news a lot where I’m from. People can use fake terminals and steal your card info. It happens a LOT. In fact I think debit in store is more risky than CC online. — David Grant (contributor at http://bestantivirus.net/ )