[Dave Birch] Our friend David Poe from Edgar Dunn gave a presentation at the recent Chicago Fed conference on payment fraud on "Identifying Security Issues in the Retail Payments System".
[From – , Federal Reserve Bank of Chicago]
He sums up an important aspect of managing fraud in the retail e-payments world when he says that “Players often make suboptimal fraud risk management business decisions because the true cost of fraud is often misunderstood.” While we all understand that some costs of fraud end up hidden away in bad debt, he points out that there are other, just as important, substantial costs to be taken into account. These include the opportunity cost of dealing with fraud when management time and effort could be going into growing the business instead. The more I think about it, the more I’m sure he’s right. On the one hand, fraud stimulates new product and service ideas all the time: just pick a recent one at random,
Online shoppers in the UK will be able to pay direct from their online bank account rather than via a credit or debit card, thanks to a new service. The POLi online bank payment platform aims to increase payment choice while reducing card-not-present fraud, a category of fraud covering ecommerce transactions which is on the rise. UK card-not-present fraud rose from £212.7m in 2006 to £290.5m in 2007, an increase of 37 per cent… According to merchants in Australia using POLi, the service now accounts for an average of 23 per cent of their total online payment transactions.
[From Online banking payment system aims to reduce fraud | The Register]
I would never use this of course because I want to pay for everything using a credit card since that frees me from all worry: it’s not my problem if something goes wrong, but that’s beside the point. The point I wanted to make is that there’s considerable intellectual effort going into dealing with online payment fraud, but if that problem were to be fixed then this energy and initiative could be freed up to develop cheaper, better, more inclusive payment systems instead and give a greater boost to net welfare.
[Dave Birch] Part of my Bank Holiday reading this year was a book dropped on my desk by our head of Software Development. He’d been working with a customer on helping some of their people to develop a better understanding of phishing (and similar threats) by developing a bogus web site to show how easy it is, and had been reading it on the train. The book is Zero Day Threat by Acohido and Swartz. It’s an O.K. read and at the end makes a few sensible suggestions. For example, they say that a priority is to do something about payments.
Jettisoning magnetic stripe payment cards and online authentication systems that rely solely on user names and passwords, and replacing them with technologies that actually hinder counterfeiting and impersonation — not make it mere child’s play — is also a must… In short, the credit-issuing and card-based payment systems are due for a massive overhaul that will take us beyond the current solutions now on the table.
They also go on to say that
One can only hope that political leaders will emerge to champion the greater public good, not be bulldozed by probusiness interests.
What they are saying here is that banks prefer to have payments insecure because it’s cheaper. This is true, but it’s important to see why, and why the goals for the payment system might diverge from public policy goals. The designers of payment systems do not have as a goal the eradication of fraud but the management of fraud down to acceptable (i.e., financially acceptable) levels. The few hundred million that goes to card fraud in the U.K. is a tiny fraction of the amount spent on cards. But the money earned through this fraud, while not a big deal to the banks, may well lead to larger social problems that do not figure in the banks’ cost-benefit analysis, which is why we should still try to reduce it even if it doesn’t make business sense for our particular organisations or systems.