The fraud trajectory


There’s no doubt that chip and PIN is one of the key planks in the industry strategy to reduce card fraud to manageable levels (which is not the same as eliminating card fraud, note). One of the reasons why it is so secure is that it uses offline PIN verification, where the chip on the card checks that the PIN input at POS is the correct one. And since the PIN is known only to the cardholder, and they never divulge it, this provides validation that… no, wait…

Despite the strict recommendations from card providers about keeping your PIN confidential, research by shopping website VoucherCodes.co.uk has revealed that over half (59pc) of Brits are flouting the rules by sharing their bank card PIN codes and are putting their personal finances in jeopardy.

[From More than half of card users share their PIN – Telegraph]

Uh oh. But come on – anyone out there in the real world will know that it’s impossible to get through life without giving your spouse your PIN. What happens when (to pick a hypothetical example) she can’t remember what the hell she’s done with her handbag and needs to get to Homebase to buy some paint? Or (to pick a hypothetical example) a husband may have stupidly left his wallet in his desk at work but needs to get cash out at an ATM on the way to a football game. Come on – we’ve all done it (except me, I should point out to the terms and conditions chaps at Barclaycard).

The poll of 3,000 people revealed that Brits are most likely to entrust their partners with this security information, but a surprising one in twenty (5pc) adults feel that it is safe to divulge this information to their children.

[From More than half of card users share their PIN – Telegraph]

What? Not in my house they don’t. We have a Visa prepaid card for “house” use, so if the kids need to get some shopping, stuff for school or other supplies, they use that one, and I top it up online when necessary. It’s a simple way to manage money, so I’m surprised more people don’t do this: and it has the added benefit that it doesn’t have a name on it, so if it gets lost or stolen it can’t be used to start identity fraud.

Incidentally: 3 per cent of the people surveyed said that they wrote their PIN on a piece of paper and kept it in their wallet, which may account for at least some of the incidence of the ATM and POS chip and PIN fraud more plausibly than complex attacks on the unencrypted messages between the card and terminal.

There are plenty of other initiatives aimed at improving the overall level of card security. 3D-Secure has taken a long time to get traction but is now widely used in e-commerce. PCI-DSS is costing a fortune, but may reduce the industrial-scale counterfeiting of the magnetic stripe cards still widely used for retail payments in less-developed parts of the world.

In raids conducted Feb. 1, agents seized $300,000 in cash, three firearms and ammunition as well as equipment to make fake credit cards from the gang… The credit card details and stolen identity information was purchased from “online data traffickers via Web-based portals, and the purchasers would store the stolen credit card information in shared e-mail accounts, allowing several defendants to begin creating counterfeit credit cards,” prosecutors said.

[From US indicts 27 in Apple product credit-card fraud ring | MP3 Players | Macworld]

Anything that stops card details like these from falling into criminal hands so easily must be worth the money, right? Actually, on the costs of PCI-DSS, there may be some relief in sight for European retailers.

Visa last week announced a new programme which means European merchants will no longer need to prove they adhere to PCI DSS regulations on an annual basis, as long as 75 percent or more of their transactions originate from EMV-enabled chip and pin terminals. The programme will be introduced on 31 March, 2011.

[From Visa PCI DSS exemptions send out mixed messages to merchants | Business Computing World]

So come on, it’s not all bad. In fact the bottom line is that the fraud figures have been improving, and I expect them to improve further still over the next couple of years as we begin the integration of cards and mobiles. This is because even simple integration (eg, texting unusual transactions) delivers good returns and the impending integration of payments with handsets means that issuers will be able to go even further with 24/7 access to the “card”. I won’t rehearse the basic arguments, but I think there are many reasons for thinking that the mobile is a means to manage card fraud down, a line of thinking that we have presented frequently over the years.

So, are mobile payments safe or not? It’s not a “yes” or “no” question, as we hope this discussion has shown. Let’s ask another question instead: Can we make the risks of mobile transactions manageable? The answer to that is “yes”. In fact, in the particular case of mobile proximity payments, we happen to believe that there is more security overall in using a mobile than in using a card payment.

[From TM Forum – Article: Mobile Payments – Safer than Cards?]

For one thing, as noted, we can use the mobile to provide information and as a communication channel to report on and detect suspicious activity. Potentially more interesting, though, there are techniques that take advantage of the characteristics of the mobile channel, primarily location. There are some practical problems to be overcome though.

ValidSoft [has] direct access to mobile networks, tables, and services around the globe and can provide mobile based location services without requiring that users opt in. Many financial institutions are interested in using these services for fraud detection but are concerned about the privacy implications and don’t want their customers thinking they are following them around.

[From Visa Europe sets trend with mobile location-based fraud detection]

Actually, I might well want my issuer to follow me around, but I might also want it to stop other people from following me around. Anyway, I’ll be talking about this kind of thing — including lessons from our practical experience advising leading payments organisations around the world and some of the things we are learning from the Ph.D in mobile handset security that Consult Hyperion is funding at the University of Surrey — at the excellent UK Card Fraud Conference on 29th/30th March 2011 in London.
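The location check described above can be made concrete. What follows is an added illustration, not code from this blog, from Consult Hyperion or from ValidSoft: an issuer compares where a card-present transaction happened with where the network last saw the cardholder’s handset, and only raises a flag when the two cannot be reconciled. The thresholds (50 km, 900 km/h), the place names and the four sample transactions are all constructed for the example. Two failure modes matter for the privacy point in the quote: a customer who has not opted in (no fix at all) and a fix that is hours old both come back as “unverifiable” rather than “suspicious”, so the issuer falls back to the cheaper channel the post mentions, a text message, rather than declining.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

EARTH_RADIUS_KM = 6371.0

# Hypothetical policy values; a real issuer would tune these from its own fraud data.
MAX_DISTANCE_KM = 50.0    # handset within this radius of the terminal counts as consistent
MAX_SPEED_KMH = 900.0     # roughly airliner speed: faster than this cannot be one person


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class HandsetFix:
    lat: float
    lon: float
    seen_at: datetime   # when the mobile network last saw the handset at this position


@dataclass
class Transaction:
    txn_id: str
    merchant_lat: float
    merchant_lon: float
    at: datetime


def assess(txn: Transaction, fix: Optional[HandsetFix]) -> Tuple[str, Optional[float]]:
    """Compare a card-present transaction with the cardholder's last handset location.

    Returns (verdict, distance_km) where verdict is one of:
      'consistent'   handset was near the terminal
      'suspicious'   handset was far away, and the fix is too recent for travel to explain it
      'unverifiable' no fix (customer not opted in / no signal) or the fix is too stale
    """
    if fix is None:
        return "unverifiable", None
    dist = haversine_km(txn.merchant_lat, txn.merchant_lon, fix.lat, fix.lon)
    if dist <= MAX_DISTANCE_KM:
        return "consistent", dist
    hours = abs((txn.at - fix.seen_at).total_seconds()) / 3600.0
    # A stale fix cannot rule out that the customer simply travelled there in the meantime.
    if hours > 0 and dist / hours <= MAX_SPEED_KMH:
        return "unverifiable", dist
    return "suspicious", dist


def run_sample() -> dict:
    """Constructed sample: one cardholder whose handset was last seen in central London."""
    t0 = datetime(2011, 3, 29, 12, 0)
    london = (51.5074, -0.1278)
    paris = (48.8566, 2.3522)
    almaty = (43.2389, 76.8897)
    fix = HandsetFix(*london, seen_at=t0)
    cases = [
        (Transaction("t1", *london, at=t0 + timedelta(minutes=5)), fix),   # same city, minutes later
        (Transaction("t2", *almaty, at=t0 + timedelta(minutes=10)), fix),  # ~5,600 km away in 10 minutes
        (Transaction("t3", *paris, at=t0 + timedelta(hours=6)), fix),      # ~340 km in 6 hours: plausible trip
        (Transaction("t4", *london, at=t0 + timedelta(minutes=5)), None),  # customer never opted in
    ]
    return {txn.txn_id: assess(txn, f) for txn, f in cases}


if __name__ == "__main__":
    for txn_id, (verdict, dist) in run_sample().items():
        shown = "n/a" if dist is None else f"{dist:,.0f} km"
        print(f"{txn_id}: {verdict:12s} handset distance {shown}")
```

The speed test is what keeps the check honest: without it, every transaction made after a long journey would be flagged, which is exactly the kind of false positive that makes customers feel followed around.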

The magnificent people at DT Conferences have given me a delegate pass for the event — worth an amazing ONE THOUSAND TWO HUNDRED POUNDS plus VAT — to give away on this blog as a competition prize! So if you are going to be in London on those dates and you’d like to come along to meet some of the leading thinkers in the UK’s fight against card fraud (and me) then all you have to do is be the first person to comment on this post with the name of the doomed precursor to 3D-Secure, the PKI-based online card payment security system developed in the 1990s: full name, please, not just the TLA!

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been gritted for your safety. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.

Why us?


Our good friends at ACI Worldwide have just released their annual Global Card Fraud Survey, which contains some rather bad news: the UK has more card fraud than many other countries. We’re up there with the US, with three times as many people affected as in Germany and the Netherlands. So a third of us have been victims of card fraud compared to only a tenth in the Netherlands. Why? Are the Dutch more honest than Brits? Are their cards more sophisticated? No. I think there are two main reasons for this discrepancy.

First of all, while chip and PIN has cut fraud on the high street, card-not-present fraud is still a big problem. In the UK, cards still account for a big portion of online payments. In the Netherlands, and some other countries, they don’t. More than two-thirds of Dutch e-commerce purchases are made with iDeal, a bank-based scheme that has no equivalent in the UK (or the US, or pretty much anywhere else for that matter).

Second, UK credit cards have high limits. In the last couple of weeks, both of my main card issuers have written to me raising credit limits (I didn’t ask for this in either case). If you’re going to steal some card details, you’d go for cards that are likely to be some way from their limit.

The survey wasn’t all bad news, by any means. I found it interesting that the proportion of people who had been victims of card fraud but were satisfied with the response of their issuer had actually increased slightly, to almost four-fifths, which isn’t bad. Personally, like the majority of people surveyed, the last time there was a strange charge on my card, the bank took off the charge then cancelled and reissued the card.

The agent informed me that new cards for me and my wife would be Fed-Ex’d, to arrive today or tomorrow. What followed were a series of texts from merchants that have my credit card on file for automatic billing, delighting me with the knowledge that I won’t be able to use such services as the Bay’s FasTrak toll lanes or uninterrupted cable service until I update my records.

[From I’m a five-time ID Fraud victim; How crazy is that? – Javelin Strategy & Research Blog]

Think how expensive all this is, though: cancelling and re-issuing cards, call centre seats, letters and whatever else. So we still need to do better. Only around a third of people (fewer than before) said that they would switch financial institutions because of card fraud, which is bad news for people trying to sell anti-card fraud solutions to high street banks.

The poll of 970 UK adults, part of the bi-annual global Unisys Security Index, reveals that cyber-security is the public’s chief concern, with 85% of respondents worried, and over 50% “seriously concerned”, about bank card fraud and identity theft.

[From Finextra: Brits switching banks over security and privacy concerns – Unisys]

This is odd, I think. I couldn’t care less about bank card fraud, since it’s the banks’ problem and not mine. I never use a debit card for anything, offline or online, so I’m totally protected by the legislation around credit cards. I’m more worried about identity theft, because it’s more time consuming to put right, but that’s a different issue (being discussed at the CSFI yesterday, as it happens).

The press release also noted that 81% of people have confidence in their issuer protecting them from fraud. I think that this may be a little simplistic, for that very reason: had I been asked for the survey, I would have said that I don’t really care about Barclays’ ability to prevent fraud on my splendid OnePulse credit card because it’s their problem.

Stux on you

[Dave Birch] The media are full of cyberwar at the moment. I’m sleeping safely in my bed knowing that we now have a cyberwar strategy. But there does appear to have been one cyberwar attack that has already succeeded. The story about Stuxnet is fascinating, especially now that the Iranians have admitted that it worked.

President Mahmoud Ahmadinejad admitted Monday that “several” uranium enrichment centrifuges were damaged by “software installed in electronic equipment,” amid speculation Iran’s nuclear activities had come under cyberattack.

[From France24 – Iran admits uranium enrichment hit by malware]

So whoever wanted to stop the Iranians from enriching uranium (the Americans, the Saudis, the Israelis etc) found a cheaper and more efficient way to do it than launching cruise missiles or dropping bunker busting bombs.

Are we bovvered?

[Dave Birch] I was thinking that it might be fun to have a section on fraud at next year's Digital Money Forum, so that led me to wonder about how card fraud is going at the moment and, more particularly, to wonder about the dynamics. Are consumers put off e-commerce because they are worried about card fraud? It seems that it's not their priority.

Online consumers care more about convenience than card fraud,

[From Online card fraud not our problem? — Retail Fraud]

This is exactly what I told American Express when they phoned to offer me identity theft insurance yesterday. As I told the chap who called, I love my Amex BA card, but if someone steals the number and starts using it at Bolivian porn sites, I don't care, because it's Amex's problem and not mine. That's the beauty of credit cards. But does it lead to what economists term "perverse incentives" (which are nothing to do with Bolivian porn sites)? In other words, are people like me careless with their card details, thereby leading to more fraud, because we don't bear any responsibility for it? I certainly wouldn't pay for much in the way of fraud protection either.

A security vendor is trying to sell transaction monitoring services directly to consumers, a technology that until now has been offered primarily to banks.

[From service-mobile-phone-fight-fraud-targets-consumers – PaymentsSource Article]

This doesn't work for me, because if fraudsters use my credit card number to buy a car in Kazakhstan while I am in England, I don't care: it's the bank's problem, not mine, which is precisely why I value my credit card so highly and charge everything I possibly can on it.

Is more e-crime actually identity crime?

[Dave Birch] I was kindly invited along to a breakfast briefing on e-crime by the folks at International Business Wales. They are trying to develop the financial services business in Wales by bringing together business, academia and government to create a more effective infrastructure. Obviously, financial e-crime threatens this sort of development, so I can see why they would be interested in finding ways to avoid it. Naturally, I was mainly interested in the payments-related aspects of the discussion, but I was generally curious about the topic as a whole. Before I reflect on the presentation, an aside on the topic of financial e-crime. There's no doubt that financial e-crime is on the rise the world over: here is just one case chosen almost completely at random:

Criminals have stolen more than $479,000 from a Pennsylvania housing development authority after infecting its computer system with the notorious Clampi Trojan. The crime is the latest in a rash of heists from small business banking users in the US, which has led some industry bodies to suggest radical lock-down procedures for companies banking online.

According to local press reports, the Trojan was installed through a fake Web site purporting to belong to Cumberland County Redevelopment Authority's bank, M&T.

Once installed, Clampi stole passcodes which were used to transfer the money to bank accounts set up by the hackers at 11 different financial institutions. About $109,000 has been recovered since the money was taken on 22 September.

[From Finextra: $479,000 heist from small business bank account lends weight to calls for online banking 'lock-down']

This is clearly recognisable e-crime, but there are many other forms. In the UK, probably the biggest single category of business fraud is VAT carousel fraud. Is this an e-crime or not? Even though the crime is perpetrated using computers, I wouldn't call it an e-crime, since exactly the same crime could be carried out in exactly the same way without computers. What about credit card fraud? That clearly needs computers to execute at scale, but again I wouldn't really call cloning magnetic stripes "e-crime". I'd give card fraud its own category.

Police in 12 countries have arrested 178 people accused of involvement in an international credit card cloning ring that is believed to have netted crooks around EUR20 million. According to the Spanish Interior ministry, the arrests come after a two-year investigation that culminated in 84 raids in Spain, Italy, Romania, France, Germany, Ireland, Sweden, Greece, Finland, Hungary, the US and Australia.

The raids turned up 11 cloning 'laboratories' with around 120,000 card numbers and 5000 fake cards found in Spain alone.

[From Finextra: Card cloning raids net 178 arrests]

What? $20m? That's peanuts. Some guy was just indicted for a fraud fifty times bigger than that.

Former South Florida lawyer Scott Rothstein was sentenced to 50 years in prison for using his law firm to run a $1.2 billion Ponzi scheme that financed a lavish lifestyle, bankrolled his firm and bought political influence.

[From Rothstein Gets 50 Years for $1.2 Billion Fraud (Update3) – BusinessWeek]

Card fraud is so last year. But on to the report.

Prepaid preconceptions

[Dave Birch] I've been involved in a few discussions about prepaid cards over the last couple of weeks. One of those discussions was about whether some prepaid products would remain viable under stricter regulatory conditions. Why would regulators want to increase the regulatory burden, and therefore cost, of products aimed at the unbanked? Well, in the US, prepaid cards are the focus of attention because of their supposed criminal use.

The "Stored Value Device Registration and Reporting Act of 2010" will close a loophole that has treated stored value cards differently than cash, money orders and traveler's checks.

  • Money stored in electronic devices would be considered the same as currency for regulatory purposes. Prepaid cards, cell phone chips and other electronic devices would be covered.
  • Stored value devices loaded with more than $10,000 would have to be registered with the Treasury Department.
  • The flow of money via stored value devices would be tracked. "There's no current data on how stored value devices are currently used" to smuggle funds, said Giffords.

[From Bills aims to snip cash-card money smuggling | Border]

Well, I'm sure there's lots of data on how stored-value is used, but it is of course private and the issuing banks would of course need a warrant to give it up. But I'm still curious to know whether criminal masterminds really are using prepaid cards instead of cash. My O2 Money card, for example, has a maximum balance of five hundred pounds unless you go through KYC/AML in which case it goes up to ten grand. So what criminal mastermind would want twenty O2 Money cards rather than a hundred $100 bills or twenty €500 notes? The article specifically mentions drug cartels, but when the police bust the Mr. Bigs, they don't find prepaid cards, they find cash.

"Don't trivialize this by calling these gift cards," Goddard said. "These devices can hold hundreds of thousands, if not millions of dollars."

[From Bills aims to snip cash-card money smuggling | Border]

No, they can't. The maximum you can put on a typical US prepaid card without going through KYC is $500-$1,000. But a drug-running master criminal might decide to get a hundred cards and put $1,000 on each of them I suppose. Let's take a look at what we find in their treasure hoards.

The arrest of more than 2,200 persons and seizure of 74 tons of illicit drugs in 18 states in a massive nationwide undercover investigation by federal, state and local authorities has revealed that Mexican drug smuggling organizations are well entrenched in the United States… the operation accounted for $154 million in cash, 1,262 pounds of methamphetamine, 2.5 tons of cocaine, 1,410 pounds of heroin, 69 tons of marijuana, 501 weapons and 527 vehicles.

[From Massive bust nets suspects, drugs in 18 states – Washington Times]

But not, apparently, prepaid cards. Similarly, these ice men clearly prefer greenbacks to Starbucks' cards.

Authorities confiscated more than $200 million in U.S. currency from methamphetamine producers in one of this city's ritziest neighborhoods, they said Friday, calling it the largest drug cash seizure in history… Mexican officials said the cash seized was mostly in U.S. $100 bills and weighed at least 4,500 pounds.

[From Mexico meth raid yields $205 million in U.S. cash – latimes.com]

That's TWO TONS OF CASH. I suggest that the Senate turns its attention to the abolition of the $100 bill rather than imposing cost and inconvenience on my kids' US$ "Cash Passport" cards that they have with them on vacation in California. Some more people who don't read my blog about the benefits of electronic payments over cash were uncovered last year.

Federal agents have rounded up more than 750 suspects in a wide-ranging crackdown on Mexican drug cartels operating inside the United States… The DEA seized more than 23 tons of marijuana, cocaine, heroin and methamphetamines; plus dozens of planes, boats and cars; more than $63 million in cash; and scores of weapons in the operation.

[From Feds Bust 750 In Mexico Cartel Crackdown – CBS News]

No mention again of their Sears gift cards or Walmoney. And, as an aside, the guy who owned the house that had the $200m in cash in it? He actually had $340m, most of which he spent in Las Vegas apparently, where the casinos assumed that he was a legitimate businessman — his mistress paid a million dollars in cash for an apartment, shouldn't that ring some alarm bells? — unlike those Canadian casinos where the real criminals go to launder money.

Money laundering by organized crime groups is rampant at Canadian casinos but police are essentially doing nothing to combat it… "Since 2003, FINTRAC (the Financial Transactions and Reports Analysis Centre of Canada) has sent several disclosure reports to the RCMP on suspicious transactions involving casinos throughout Canada, with amounts totalling over $40 million," the 2009 report states.

[From Money laundering thrives at casinos: Report]

Come on. Prepaid cards don't make the slightest difference to criminals, tax evaders, drug smugglers or executive expense cheats. But making them more expensive and more inconvenient does make a difference to people who are excluded from the financial system.

Who to trust?

[Dave Birch] I’ve been involved in some involved discussions about an involved topic: trust (again). It happens that a number of the projects that Consult Hyperion is currently working on include implementing trust infrastructures in both private and public sectors. Now, we’re not alone in thinking that this is a big deal.

Newmark called some form of distributed trust system “the killingest of killer apps” for the web over the next decade (he said he wasn’t sure that was the best way to describe it, but was trying out to see how it sounded). He talked about “reputation and trust ruling the web, just the way it does in real life,”

[From Craig Newmark on the Web’s Next Big Problem – GigaOM]

Do they rule real life? Consider the transactions that I’ve made so far today. I took a bus — no trust required, I paid with cash — and then bought a train ticket — chip and PIN, so no trust in me required — and went to a couple of meetings — we’ll come back to this in a minute — took the train home — no trust in me required since I had a ticket — and then took the bus home — no trust in me required since I had a ticket.

Lolly Dolly

[Dave Birch] I was leafing through the English newspapers on the plane the other day — the usual kinds of thing, you know, men out on charity walk attacked and hospitalised by drunken yobs, public worker gets £80,000 payoff because new chairs cause backache, 18,000 Facebook tributes to murdering nutter and so on — but it was the story of the thieving Air France stewardess that caught my eye. The light-fingered trolly dolly was arrested for stealing from sleeping first-class passengers. Her preferred pilfering plane route was Paris-Tokyo, apparently because Japanese tourists carry huge wads of cash around with them and, like any self-respecting criminal, she wanted cash.

Police have arrested French air stewardess Lucie R. (her identity is protected) in Tokyo on suspicion of stealing from First Class Air France passengers while they slept.

[From France24 – Air France stewardess stole from passengers while they slept]

Incidentally, I loved Air France’s comment on this story, which was to say that only checked baggage is their responsibility and that theft from the cabin was a matter for travel insurance. Or, in English, “tough”.

The hole in the wall

[Dave Birch] I’ve been thinking about ATMs this morning because of the news that

the man credited with being the inventor of the world’s first hole-in-the-wall cash dispenser has died in hospital following a short illness. John Shepherd-Barron… died at Inverness’s Raigmore Hospital on Saturday, at the age of 84.

[From BBC News – Inventor of cash machine, John Shepherd-Barron, dies]

It’s astonishing, really, how quickly the ATM permeated society. Today it is taken for granted. But will it be around for long? There are some signs that the days of the ATM are waning.

SIGNS are emerging that Australia is moving towards a cashless society, with the number of consumers making ATM cash withdrawals dropping to the lowest point in more than six years.

[From Cash transactions on their way out | The Australian]

I shouldn’t think the ATM manufacturers are throwing themselves off of buildings just yet. So long as people continue to use cash, the ATM is here to stay, and despite the best efforts of e-payment fanatics such as yours truly, they’re going to be here for some time. But that wasn’t what I was thinking about, because I’m in the middle of doing some work on trends in security technology for one of our UK customers, so what I was thinking was that ATMs will remain a focus for attack: the bad guys know that that is where the money is, too.

Cash does have some unique properties

[Dave Birch] The cost of cash isn’t only the cost of the notes and coins, the ATMs and armoured cars, the night safes and counting machines. It’s the lack of efficiency in the economy that goes with it. And economies that are stuck with cash are the worst off. So how much does cash cost in a developing economy? I happened across this figure while I was looking for something else in connection with a project that we are working on.

“The total cost of cash handling in Indonesia is Rp 6.13 trillion a year,” she said.

[From More consumer purchases made in cash | The Jakarta Post]

It’s hard to work out by calculating adjusted GDP and historic exchange rates, but I reckon this is about 0.5% of GDP, which is comparable to the UK. Considering that over 90% of all Indonesian retail transactions are in cash, this seems low to me, but who knows. Anyway, in discussion with someone else today, another point emerged. The real hidden cost of cash in developing countries is corruption.

A friend of mine just got shaken down by the Kenyan police in an excellent new scam. Watch out for this one next time you go to Nairobi! He was approached by a man who wanted to talk to him: my friend ignored him and carried on walking down the street. A few metres on he was stopped by two policemen who said that they had just seen my friend talking to someone who was a known terrorist and that they were going to arrest him and he would get five years in jail. Unless, that is, he could pay the fine for talking to known terrorists, which in Kenya is apparently $300. My friend was marched back to an ATM (the policemen were very specific that it had to be a Barclays ATM, connected to the Visa network) to get the money. If only, I thought, he had been using the excellent M-PESA mobile money transfer! Then he could have paid the fine on the spot. That would have been much more efficient.
