Is card fraud really a barrier to cashlessness?

A while back, my old chum Ed Conway from Sky TV (better known for his excellent foreword to that noted tome Identity is the New Money, of course) ran a nice story about the British cash paradox. It turns out that since the #Brexit vote, the amount of cash “in circulation” has soared (it’s gone up by nearly two billion quid since B-day, as I call it). While the use of cash for transactions has continued to fall, the amount of cash just generally hanging around has continued to rise.

The growth rate of cash in circulation has more than doubled since January, when it was running at 4% a year, with a sudden acceleration in the weeks following the EU poll.

From More People Keeping Cash Outside Banks

Ed asks whether the cash has been hoarded, stashed or exported. I wrote about this following the Bank of England’s analysis of the situation last year, noting that 

The interesting question that the Quarterly Bulletin article by Tom Fish and Roy Whymark stimulates is straightforward: “if the majority of Bank of England notes are not being used for everyday transactions in the domestic economy, what are they being used for?”

From Where is the aggregate demand for cash coming from? | Consult Hyperion

Since the Bank of England’s own estimate is that about a quarter of the cash out there is used for “transactional purposes” and since the size of the black economy can be reasonably estimated, the answer seems to be that they are mainly used for tax evasion (primarily by SMEs), money laundering, drug dealing and corruption (Transparency International reckon that only 0.75% of global dodgy dealings are intercepted by the UK). We see the same phenomenon in America, where the amount of cash out there continues to rise but the use of that cash continues to fall.

The use of cash has fallen more than 50% in the last four years and is projected to continue to fall as consumers look for faster and secure means of paying options. With a high degree of smartphone penetration in the US market, mobile and digital payments are rapidly gaining a market share in digital payments.

From Americans Are Using Less Cash but Mobile Payments Are Not The Ones Replacing It | Let’s Talk Payments

So we can see that in the US, as in the UK and many other countries, the rise of contactless and mobile payments means that the use of cash for retail transactions is falling steadily. (Contactless transactions have now reached £2 billion per month in the UK.) It is interesting, however, that in the US there seems to be much more resistance to cashlessness than in Australia or Denmark. Or the Netherlands…

For example, paying rent or a telephone bill in cash only sparks scolding looks. But obstacles are present even when making smaller purchases such as groceries (where cash-only lines are the longest) or when paying for parking – impossible without a card.

From Consumers are bearing the cost of cash

Cash-only lines are the longest. Are you watching, Waitrose? But I digress. What accounts for the American cash gap? Well, first of all a lot of US dollars are under drug dealers mattresses in South America, not in the US at all, so that distorts the figures for cash “in circulation” but that doesn’t explain everything. In his new book “The Curse of Cash”, former IMF chief economist Kenneth Rogoff says (page 111) that in America “people pay by cash for small transactions to avoid credit card theft”. Is this true? I realise that in America they still use magnetic stripes (which is why America accounts for half of all the card fraud in the world although it is only a fifth of the volume) does that really encourage people to pay with cash? I always use cards in the US — since I don’t care if the card details get stolen as it the banks’ problem and not mine — and I get really annoyed when I go to a coffee shop or something and it doesn’t take cards.

 No Chip

But perhaps our American correspondents could enlighten us on this. Is card fraud really a barrier to cashlessness?

Yes I heard the news, it’s the same old blues again

I love J.J. Cale. His 2001 live album is one of the most-played on my iPhone. Sadly, it’s doesn’t have a live version of one of my all-time favourite J.J. Cale tracks on it: I got the same old blues. In case you don’t remember…

Have you heard that rumour / that’s a going round

You got it made / way across town

It’s the same old story / tell me where does it end

Yes I heard the news / it’s the same ol’ blues again

I think of this every time I read a story about how EMV chips are trivial to clone and how the banking system is about to collapse because of multi-billion pound frauds. So when someone sent me a link to this… same ol’ blues again:

As it turns out, the cards are just as easy to clone as their magnetic stripe predecessors.

From Forget card skimmers, chip-card shimmers will be your next nightmare • The Register

No, they’re not. If they were, then the “black hats” would be living in the lap of luxury on the proceeds of their undetectable crime and the world’s biggest issuing banks (who bear the cost of fraudulent EMV transactions) would be bankrupt. They’re not (or at least, not because of card fraud, which was a piffling half-a-billion quid or so in the UK last year) so perhaps the claim might be ever-so-slightly exaggerated. What this story is actually about is tampering with terminals in order to steal PINs, which is a flaw with EMV deployment because enciphered PIN is not implemented as the standard cardholder verification method (CVM), but it’s not a flaw with cards and it doesn’t help you to clone the chips. In EMVCo’s official response to this story they say that 

The attack described in the Breaking the Payment Points of Interaction (POI) presentation captures static card transaction data in order to attempt fraudulent magstripe or e- commerce transactions, where EMV is not used. This type of attack relies on magstripe information and not the EMV chip. It is EMVCo’s view that when the full payment process is taken into account, suitable protection exists to mitigate against this type of attack, such as ensuring that information read from a chip card is not sufficient to create a valid magstripe card. 

I bolded the EMV point, by the way. What EMVCo mean by that last sentence is that issuers should ensure that the ICVV in the chip is not the same as the CVV on the stripe. I wrote about this nearly ten years ago when ICVV was introduced in the UK so if there are any issuers out there who are still setting the chip ICVV to be the same as the stripe CVV then, well, they deserve everything they get.

In a similar vein, I was sent a few links to a story about another new “new security flaw” in EMV. I won’t give you the link here because there’s no point following it. I can give you the skinny in half a line: if you rewrite the service code on the stripe to indicate no chip present, then the CVV, which is calculated using the service code, will no longer be valid. If any issuer authorises that transaction then they are either somewhat cavalier in their risk profiles and find it sexually thrilling to put shareholders’ money on the line or they had the wrong consultants advising them on their card issuing and authorisation strategies. In other words, they deserve everything they get. But it’s not a “security flaw” in EMV it is a “moron flaw” in the authorisation system.

Incidentally, on a related topic, my good friend Stephen Murdoch wrote an interesting piece about what are called “relay attacks” (or “ghost and leech attacks) on contactless cards. I remember that a fair few years ago one of our clients had us build a ghost and leech system just to see if it would work. It did. But then everyone knew this. Here I am talking about it ten years ago:

David reinforced the feasibility of relay attacks against contactless systems and in the subsequent discussion, it seemed to me that me people felt that serious fraudsters would begin investing in this soon, so the industry needs to take it seriously.

From Taking a punt | Consult Hyperion

As it happens, fraudsters never did invest in it (because the contactless no-CVM limit of thirty quid makes it a very time-consuming and expensive way to steal not very much). Our clients did their risk analysis and decided that there was no need to fix it right away but maybe think about it longer term. One potential defence against this attack is based on timing and such a defence has now been defined by the EMV chaps. This is what is called (by MasterCard, since no-one else implements it yet) the “MasterCard Relay Resistance Protocol”. So, as Stephen says, as part of the transaction, the terminal sends a command to the card and measures how long it takes to respond. The response contains timing limits indicating how long it should take.

When the EMV cryptogram is generated by using Combined Dynamic Data Authentication-Application Cryptogram Generation (CDA), the response also contains the same timing limits, but these are digitally signed. If they don’t match the limits received earlier, or if the timed command exceeds the limits, then the transaction has failed and the terminal needs to decline the transaction. To be honest, a fair few observers have pointed out that because these are hard-coded limits, any variance in genuine devices may create more false negatives (genuine transactions incorrectly declined) that positives (actual attacks). Plus it needs all terminals to be modified and all cards to be replaced or renewed, and as I noted earlier it’s MasterCard only, so it may not be widespread any time soon, and it’s at least worth wondering whether it will be universal before #cardmaggedon (the day when non-card electronic transactions exceed card transactions at retail point-of-sale).

By the way, #cardmaggedon will be one of the topics covered in the discussions at this year’s Tomorrow’s Transactions Toronto Unconference to be held in the MaRS Discovery District on 29th September 2016. The post-card payments future will be the kick-off topic to get everyone thinking about where the world of retail payments might be going next. I look forward to seeing you all there.

Doing something about US card fraud

OK, OK, so we all know that the world’s card fraud has been steadily migrating to the US because the rest of the world was busy adopting EMV (“chip and PIN”) cards while the US insisted on sticking with magnetic stripe technology for as long as possible. You remember magnetic stripes? Signatures? 

Untitled

Chip cards reduce certain kinds of fraud over magnetic stripes cards because, basically, you can’t use stolen chip card data to make a bogus chip card but you can use stolen magnetic stripe data to make a bogus magnetic stripe card. You have to go somewhere that takes magnetic stripe cards to use it, of course: the US.

As the US experiences an unprecedented spike in fraudulent ATM cash-outs, it is reported that the US accounted for 47% of the fraudulent cross border transactions seen on UK debit cards in 2014

[From 25% jump in cross border fraud on UK debit cards – Payments Cards & Mobile]

The gap between US card fraud and card fraud everywhere else in the entire world is substantial. In fact US card fraud runs around triple the rate outside of the US. That’s a lot of money, whichever way you look at it. And remember, the reported figures for fraud are for the direct losses to the issuers – they do not take into account the money that merchants have to spend on PCI-DSS or the sales they lose because of complex authentication processes or the money that goes into data breach notifications and repair.

US fraud losses equaled 12.75¢ for every $100 in total volume last year. Fraud in all other regions combined was only 3.73¢ per $100.

[From Global card losses will exceed $35 billion by 2020, says The Nilson Report » PaymentEye]

And unless we do something about it, it’s going to get a lot worse. Why? After all, now the US has finally started switching to EMV, surely the situation should improve? Sadly , no. As well all know, EMV only help with “card present” (CP) fraud. That’s why people have been talking about the expected surge in “card not present” (CNP) fraud in the USA following on from the introduction of EMV as sure as night follows day. That’s exactly what has happened everywhere else.

While POS card fraud is expected to decline gradually in an EMV-enabled U.S. market, CNP fraud will nearly double by 2018

[From A Hole in the Balloon Analogy: The Complex Evolution of Card Fraud in the US – Javelin Strategy & Research Blog]

The US already has half of the world’s card fraud so this is an impressive effort. But hey, they’re on track because it looks as if that surge has already started – even before the EMV liability shift – and the number of fraud attempts is escalating.

Between January and July, one in 86 online transactions was an attempted fraud, compared to one in 114 for the same period a year earlier,.. That’s a 33% jump in fraud attempts in one year.

[From The Surge in Online Fraud Is Already Here]

Now, this figure may not be as scary as you think, because while the number of fraud attempts is climbing, the amount of fraud is climbing more slowly. We’re getting better at defending ourselves. And this is why I think there is some cause for optimism, even in the US. The reason is that the number of ways to fight card fraud is increasing and because, in time, the cards themselves will be supplanted by much smarter devices (i.e., phones) that have more security capabilities. Actually, whether they replace cards or not, phones are a critical component. Knowing where you are is a really big factor in working out whether a transaction is valid or not, and knowing where your phone is is a reasonable proxy. Hence my interest in initiatives like the Visa location-based fraud analytics.

Mobile Location Confirmation is an optional service for consumers that will be offered through participating financial institutions’ mobile banking applications. The service uses mobile geo-location data in real time as an additional input into Visa’s predictive fraud analytics… When a cardholder’s mobile device is in the same location as the payment transaction, the issuing financial institution can more confidently approve the transaction.

[From Tech Matters]

I love learning more about this sort of thing, so on Friday 15th January I’ll be taking part in IBM’s “Blab” on real-time fraud detection at 1pm EST. A “Blab” is a bit like a Google Hangout – so I’ll be on webcam with my chum Cherian Abraham from Experian chatting about the topic and mulling over some interesting questions. You’re welcome to come and join us!


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.