Fraud is out of control in the UK. Identity fraud is half of all fraud in the UK. SME account takeover is one of the fastest growing categories of identity fraud. So if you are an SME and an identity fraudster gets hold of your bank account, you could be in trouble. Here's a current story from the UK press.
NatWest said AEV’s liability was based on the fact it breached terms and conditions of Bankline. It said that it had told the company via pages on its internet banking website and in emails that it would never ask for a Smartcard Pin, notwithstanding the fact users are expected to enter the Pin into the card-reader device.
You can see their point. My bank is always telling me that it will never ask for my PIN. If a screen popped up asking for my PIN when I logged in to online banking then I would assume that I had been hacked and would shut down immediately and contact the bank. But I am an "expert", not a member of the public. If a member of the public sees a screen that they think is from their bank and it asks them for their PIN then they will give it, no matter how many times the bank has told them not to.
Bank card fraud is at its highest level since 2009, despite investment by banks and retailers in better security features such as chip and pin devices.
The fraudsters have become admirably more inventive since the advent of chip and PIN. For example, I imagine that banks have also told customers (repeatedly) not to hand over their cards and PINs to other people either, but that particular kind of fraud is booming.
"Courier fraud" involves criminals phoning victims pretending to be from an authority to extract pin details. The fraudsters then send a courier to pick up the victim's bank card. The Met Police said 143 people had been arrested on suspicion of courier fraud, since January 2011.
You can see why the public are easily hoodwinked by those phoney security calls when the real ones are so confusing. I get asked for all sorts of daft things when I'm trying to log in to do stuff or get some help on the phone. You know how it is: you phone up to sort something out on your cable bill and the guy asks you what your special word is and you can't remember if you had a special word, let alone what you might have told the cable company when they asked you twelve years ago. When I logged in to iTunes on my new iPhone the other day, I was asked for my favourite character on TV when I was at school! I must have chosen this as a "security" question at some point in the distant past, but naturally had no memory of such. I hazarded the guess of Sir Keith Joseph, but this turned out to be wrong, and I still can't buy anything from the US iTunes store.
So, yes, we can try and educate the public, but in the UK at least this is a waste of time, since a fifth of them are functionally illiterate. Alternatively, we could try and build a working identity and authentication infrastructure (and then manage the convergence of the infrastructure so that there is a single, shared experience when purchasing whether in-store or on-line). What's more, unless there is some serious work done in the industry in the near future, we have to face the fact that EMV is not that infrastructure and that chip and PIN is not going to save us.
Terry Dooley, senior vice president and CIO of EFT network SHAZAM noted that EMV implementation, as it is currently being done in the U.S., will not do much to prevent fraud unless it is coupled with PIN as opposed to signature authentication.
We've already spent the money, so we have to keep working on chip and PIN. But if we hadn't spent the money yet, would we? Come on, be honest.
To prevent fraud, then, many companies are moving toward more identity-centered solutions and behavioral profiling to determine the level of risk for CNP transactions. Birch suggested that with the proliferation of mobile phones, the way forward will likely tie in to some form of mobile app payment, since customers’ phones already have chips, and customers are willing to put PINs into their own device.
Actually I said something slightly more controversial than that. I said that in the long run, EMV might turn out to have been a bad idea because it was a bad idea to train customers to enter their PINs into other people's devices (e.g., merchant terminals). It would have been better from an all-round security point of view to have told people never to put their PIN into a device they didn't own and then issue everyone with a chip card reader!
Well, you might say, that's true from a purely academic security standpoint but in practical terms it would have been too expensive (I'm unconvinced about this, since it would have reduced CNP fraud and PCI costs as well). And, you might say, the personal device that you might put PINs into, the handset, is not secure anyway. Mobile malefactors and mountebanks the world over can send viruses and loggers and worms (oh my) into your handset to steal your PIN and other passwords and such like. Indeed, but there are two points to be made here that redress the risk analysis balance to make mobile use tolerable.
- Mobile has multiple protection factors (e.g., location) so even if your malware steals my PIN and your Eastern European hackers figure out how to make their mobile banking app look like my mobile banking app, they've still got to make their phone look like my phone and log in from a place where I might log in and so on.
- Mobile has a trajectory. I’ve written before about the move towards trusted processing in the handset and the evolution of the ARM Trusted Execution Environment (TEE) into “live” environments.
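To make the first point concrete, here is an added illustration (not code from the original post or from any bank): a toy login risk assessment in which a correct PIN alone is never enough, because the handset identifier and the distance from previously seen login locations are also weighed before deciding to allow, step up or deny. The device identifier format, the 200 km tolerance and the login history are all assumed for the example.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class Attempt:
    device_id: str   # identifier the banking app reports for the handset (assumed)
    lat: float
    lon: float
    pin_ok: bool     # whether the PIN entered on the handset verified

@dataclass
class Profile:
    known_devices: set          # handsets the customer has enrolled
    recent_locations: list      # (lat, lon) of prior genuine logins
    max_km: float = 200.0       # tolerated distance from a prior login (assumed)

def distance_km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def assess(attempt, profile):
    """Return (decision, reasons). A stolen PIN on its own buys the attacker nothing."""
    if not attempt.pin_ok:
        return "deny", ["wrong PIN"]
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown device")
    near = any(distance_km((attempt.lat, attempt.lon), loc) <= profile.max_km
               for loc in profile.recent_locations)
    if not near:
        reasons.append("unfamiliar location")
    if len(reasons) == 2:          # neither the phone nor the place matches
        return "deny", reasons
    if reasons:                    # one mismatch: ask for something extra
        return "step_up", reasons
    return "allow", reasons

# Constructed sample: one enrolled handset, previous logins from London.
SAMPLE_PROFILE = Profile({"handset-A"}, [(51.50, -0.12)])

if __name__ == "__main__":
    print(assess(Attempt("handset-A", 51.50, -0.12, True), SAMPLE_PROFILE))
    print(assess(Attempt("handset-X", 50.45, 30.52, True), SAMPLE_PROFILE))
```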
Now that handsets with trusted processing are wending their way toward the market, they really should be on the roadmap for organisations interested in secure electronic transactions in the retail marketplace. I'll be down at the Global Platform TEE event in Santa Clara on 31st October 2013 to join in the conversation about mobile security and I look forward to seeing you all there.