Payment card issuance errors leave you vulnerable to fraud

Major payment cards

As Consult Hyperion, and many other analysts, predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation found that no-touch payments have increased for 69 percent of US retailers surveyed since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.

Fraudsters are always looking for ways to take advantage of potential weaknesses or even inexperience in new payment devices. A recent news story promoted a man-in-the-middle attack in which two phones are used to transfer and manipulate the transaction message between a stolen contactless card and the point-of-sale terminal.

Wireless Sunday

Off to the Barclaycard Wireless Festival for the day. I don’t really understand why it’s still called that. In the old days, when it was sponsored by O2, then calling it the wireless festival sort of made sense. But now it’s sponsored by Barclaycard, they should probably call it the Contactless Festival instead. Anyhow it featured a great many very popular bands, as evidenced by the enormous crowd trying to get in.


I know it looks chaotic but in the end it only took about 25 minutes to get in. Contactless was much in evidence. Barclaycard had kitted all of the bars out with contactless terminals and were kind enough to give me one of the promotional lanyards containing a contactless card (a Visa gift card preloaded with £20) to go and try out. Which, naturally, I did. And, I have to say, it worked perfectly. As testimony, allow me to present the first beer I bought with it!

Dave at Wireless 2011

Being me, I couldn’t leave it at that though, and I started to try out some other contactless paraphernalia about my person. An obvious experiment was to try my Barclaycard phone, and that worked too, but oddly it went online, which rather slowed the transaction down. I don’t understand why it did this, so I’ll ask the chaps when I’m next in the office.

More interestingly, I asked a couple of the bar staff what they thought about contactless and they had both positive and negative observations that I promised myself to report in a spirit of openness and balance…

Positive. It’s quick, and you don’t have to hand the terminal to the customer for them to enter a PIN. And they thought my phone was really cool. They also said that some customers had been paying with their own contactless cards and not just the promotional lanyards.

Negative. There were two big issues that came up in both conversations with bar staff. One was the spending limit, which the bar staff said was too low at £12 (the limit was actually £15, but all of the drinks cost £4, so you could buy three drinks at £12 but not the advertised four beers in a drinks carrier, because that costs £16). Surely it would have made sense to have subbed the bars so that four beers plus carrier was a £15 special.

Enough of these scientific experiments (most of which I drank), and off to see some of the popular beat combos on show. Here’s a 47-second taster so that you can get the idea if you’ve never been to one of these events before.

I was reflecting on the security issue later on, because it really seemed a block. I took the time to explain to one of the women at the bar that there was no risk to her as a customer, because the UK banks were unequivocal about unauthorised use: if someone uses your card without your permission, they will refund the transaction. Yet she was unconvinced and was clearly uncomfortable about the idea of “no CVM” purchase. This has been true since the earliest days. As I highlighted four years ago:

Among those that are not yet ready to use contactless, security appears to be the dominant consideration. Which means, of course, that whatever we might think about the actual security situation we must get better at communicating it.

[From Digital Money: Contactless update]

As I don’t know anything about customer communications and public information, I genuinely don’t know how to cross this chasm, but I wonder if it’s yet more evidence that we should be moving more quickly to contactless phones. The simple PIN code that I need to open up the mobile wallet on my Barclaycard MasterCard phone (the Samsung Tocco that I wrote about before) might well provide the reassurance that people want, even though it doesn’t really make much difference to the overall risk (phones are inherently safer than cards because people notice when they go missing anyway).

Overall, the weekend’s experiences did leave me with three firm conclusions:

1. Both the public and the merchants liked contactless. In this kind of environment – crowded, quick service – the technology performs very well. These were similar to the results seen elsewhere: the punters like contactless payments.

Festival-goers quizzed on the experience, said they were quicker (96%) and easier to use (98%) than credit or debit cards, while a resounding 100% said they’d want to use the PayPass prepaid wristbands again to pay at other festivals, concerts and sporting events.

[From Finextra: Contactless wristbands join wellies and camping gear as festival essentials]

2. We should accelerate the development of contactless phones, because they help with the security issue.

3. The Horrors are a good band, but not my cup of tea.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Economy class

At the Intellect / Payments Council conference on Driving Change in Payments, one of the delegates (I think it was one of the chaps from Accenture) raised the topic of surcharging, asking whether the surcharging of non-cash payments might slow the spread of e-payments in general and low-value contactless cash replacement payments in particular. He also mentioned the example of surcharging by low-cost airlines.

Perhaps the most obvious example of tender steering in Europe is in eCommerce – where Ryanair (and other low-cost carriers) surcharges considerably for all but a single method of payment (currently MasterCard Prepaid cards)

[From Will Retailers Use “Tender Steering” to Control Interchange Fees? |… | LinkedIn]

While the point about surcharging in relation to the spread of new payment mechanisms is interesting, what’s going on with the airlines isn’t really surcharging (Ryanair said specifically that “these are not surcharges”, and they are correct). What these charges are is a transaction tax that everyone has to pay (I’d be curious to find out how many people actually pay with Ryanair MasterCard prepaid cards). Unsurprisingly, a great many people were unhappy about this practice (ie, advertising an air fare as £10 then charging £18 because the customer pays with a credit/debit card) as it smacks of unfairness.

A super-complaint is to be launched about the “murky practice” of surcharges levied on customers who pay by debit or credit card

[From BBC News – Credit and debit card surcharges ‘are excessive’]

Bear in mind that if you are booking tickets for a family, these transaction fees can easily become significant: if they were folded into the price of the ticket, it would give a more accurate guide to the public.

I recently used Ryanair and it cost me £30 in booking fees and another £48 in online check-in fees to use my printer and my paper and my ink. Can anybody explain how that works?

[From Which Launches Super-Complaint Into Credit And Debit Card Surcharges With Office Of Fair Trading | Business | Sky News]

Well, the solution to that seems pretty straightforward: don’t book Ryanair. It’s not just them, by the way. I understand that EasyJet charges £8 (EIGHT QUID) for a debit card transaction that costs it, what, 15p? Personally, I won’t use any of the “low cost” carriers, so I don’t know what the exact figures are. Anyway, today the OFT ruled on the super-complaint (and I can’t wait to see Ryanair’s response because they will undoubtedly go bonkers):

Travel companies have been ordered to end the use of hidden surcharges for passengers paying by card. Airline, ferry and rail passengers typically have to click through four to six pages of an online booking before the charge is added to the price. Now the Office of Fair Trading (OFT) has ordered them to make all debit or credit card charges clear immediately.

[From BBC News – Hidden card charges for travel tickets to be banned]

But that, to me, isn’t the interesting part of the ruling. This is:

It also wants the law changed to abolish altogether charges for using debit cards.

[From BBC News – Hidden card charges for travel tickets to be banned]

Much as I dislike government intervention in the pricing of anything, unless the costs of cash are to be distributed properly (which they won’t be) this is the only sensible course of action. Making debit cards the “zero” and allowing retailers to surcharge other payment mechanisms (including cash) is fair, with one proviso: that pre-paid cards are counted as debit cards. This is necessary to deliver financial inclusion.

Perhaps the European Commission could be persuaded to adopt this as part of its SEPA initiative and make it common throughout Europe so that pre-paid and debit cards become the “normal” way to pay?


Give cash the heave ho, me hearties

There are some people, in some parts of the world, who still prefer cash over any form of electronic alternative. My mum, for example. But her demands on the Treasury are modest. In other countries, cash has a bigger impact, because local distributed entrepreneurs need it for business-to-business transactions.

Somali pirates are reported to have received a total of $12.3m (£7.6m) in ransom money to release two ships. They are believed to have been paid a record $9.5m (£5.8m) for Samho Dream, a South Korean oil tanker, and nearly $2.8m (£1.7m) for the Golden Blessing, a Singaporean flagged ship. “We are now counting our cash,” a pirate who gave his name as Hussein told Reuters news agency.

[From BBC News – Somali pirates receive record ransom for ships’ release]

I’ll bet they are. And it will take them a while. Once again, these marine miscreants aren’t looking for prepaid mobile phones, gift cards or PayPal accounts: they are after cash, and I’ll lay a pound to a penny that they didn’t want Yuan or Roubles or Kenyan Shillings and an M-PESA account in a false name: they wanted dollars, and in $100 bills. The cash was dropped from a helicopter on to the ship. Wait a minute, you might be tempted to think: how on Earth can people move millions of dollars in cash around when we have stringent KYC/AML/CTF legislation in place! I think I may have found the answer. They are criminals, and therefore don’t care about such restrictions. There’s an amazing story in one of the free newspapers you get on the tube (Metro, 20th June 2011).

Three Britons accused of smuggling more than £2m into Somalia to pay pirate ransoms. They were given sentences of between TEN AND 15 YEARS (my emphasis) and also fined £9,000.

That £9,000 fine must have stung. This is, apparently, the first time that “westerners” have been sentenced for their involvement in ransom payments. Hhhmmm. Interesting. Now what were they smuggling into Somalia again? Was it mobile handsets for illicit m-payments? No. Prepaid cards to be used for nefarious purposes? No. Bitcoin wallets on encrypted USB drives? No. It was cash. Of course it’s quite inconvenient to have to ship huge wads of $100 bills around, so perhaps the pirates had asked for euros instead. It could do with the support at the moment. If the Feds decide to start issuing $500, or $1000, bills anytime soon, the euro would be devastated, since almost half of the euros out there are in the form of €500 notes and if drug dealers, money launderers, kidnappers and corrupt politicians decide to dump them for dollars the demand would collapse (nobody uses them in legitimate transactions).

Malaysian police have arrested a Lebanese man allegedly carrying fake currency with a face value of $66 million after he tipped a hotel staff with a $500 note, an official said Friday. The largest U.S. note currently in wide circulation is a $100 bill. But police found bundles of $1 million, $100,000 and $500 notes in the man’s hotel room in Kuala Lumpur on Sunday, said Izany Abdul Ghany, head of the city’s commercial crime unit.

[From $500 Tip Leads Police to $66 Million in Fake Bills – ABC News]

Cash does seem to attract the wrong kind of person. There has to be a better way.

Elizabeth Buse, group president, Visa, responsible for Asia Pacific, Central Europe, Middle East and Africa said that bringing transactions out of cash into electronic forms will allow governments to have better tax compliance and greater monitoring of fraudulent transaction and money laundering.

[From Electronic payments can control black money]

There’s an interesting experiment in this line of thinking underway right now. The Central Bank of Nigeria (CBN) is attempting to restrict the role of cash in the economy there and push for a more efficient less-cash system.

To be precise, the CBN on April 20 sent a circular to all banks, Cash-in-Transit (CIT) operating firms, payments system service providers, limiting daily cash withdrawals to N150,000 for individuals and N1 million for corporate entities effective June 1, 2012.

[From From cash to cashless economy: How practicable is CBN’s mop up policy?]

There’s been a storm of complaint about this from various elements in Nigerian society. I assume that some of these complaints come from people who are happy with the corruption and tax evasion that cash delivers, but there are also reasoned complaints that the electronic infrastructure is insufficient.

On May 17, the House of Representatives objected to the proposal by the CBN & requested the CBN to suspend the implementation of the policy. They argue that the country was not prepared for such a change.

[From Nigerian Cash Management Reform — Counting On Currency]

I hope the CBN stays the course, and not just because of economic efficiency. Cash discriminates in favour of the tax-evading, corrupt elites at the expense of the powerless and poor: electronic payments should be a cheap, fast and transparent alternative.

The biggest enemy in fighting poverty is physical cash. The fact that people living at the bottom end of the pyramid need to conduct their business with paper notes (and coins) is the main reason why they are often stuck there.

[From Mobile Banking: Nigeria and cash]

But how can an emerging market make the transition from cash to cashless? The answer is, of course, to skip past the slow roll-out of conventional banking and payments infrastructure and use mobiles, not cards, to replace cash. Kenya points the way…

Over 13,000 sugarcane cutters in Mumias Sugar zone will start receiving their pay electronically following a deal between Mumias Sugar Company, Family Bank and mobile phone money transfer service providers. Acting harvesting and transport manager Mr Franklin Maguge said the firm was considering the possibility of extending the programme to cover other casual workers in the next one month… The services will be also extended to cover sugarcane cutters National Hospital Insurance Fund (NHIF) medical scheme monthly remittances to make it easy for them to pay without going through hectic process.

[From 13,000 Sugarcane workers to get paid via phones. « Mobile Money Africa]

This story gets even more interesting, though.

The sugar milling firm in collaboration with Safaricom and Airtel mobile phone services providers and Family bank is also making arrangements to have the cutters provided with mobile phones at a subsidised loan for efficient running of the programme.

[From 13,000 Sugarcane workers to get paid via phones. « Mobile Money Africa]

Providing subsidised loans to the workers who do not have phones presumably saves money compared to paying them in cash. So if some of the workers still insist on getting paid in cash, great inefficiencies remain for the company. When few enough remain, the company can quite reasonably insist that they are paid by mobile (I can remember my first factory job when I was a teenager, when the company was going through the process of switching the workers from cash to direct deposit – it wasn’t instantaneous, but it was done in the end). Come on mateys, all aboard for lack-of-Treasure Island.


The Tesco way

At a recent Financial Services Club event, one of the speakers said that it was unlikely that retailers would make changes to their POS systems to adapt to new payment mechanisms, outside of their normal replacement cycles. With one exception. He said they might make the investment in POS if it was for their own payment system. In other words, Tesco won’t change their POS software because some student comes up with a cool way of paying for things with iPhones, but they will change their POS software to launch their own payments service, wallet, device or whatever that reduces costs and increases benefits.


Future tension

I was pottering around the British Library’s superb exhibition on science fiction and, since it is free, felt it only moral and just to stop off in the gift shop and buy a couple of books. Truth be told, there were a hundred books there I wanted to buy, but I decided to limit myself to two, one of them being a copy of Edwin Abbott’s magnificent Flatland, one of my all-time favourite books, for no.2 son. Browsing on, I was astonished to find a new edition of Edward Bellamy’s “Looking Backward, 2000-1887” from the Oxford University Press. This is dated 2009, so it didn’t exist when I wrote about the book back in 2006.

I’m always curious about the first reference to the credit card in literature. The oldest I’ve found so far is in a long-forgotten text from 1886 called “Looking Backward, 2000-1887” by one Edward Bellamy. I picked up a 1947 edition from the Amazon marketplace, which suggests it must have been reprinted a few times. Indeed, the dust jacket claims it to be one of the best selling utopian fantasies of all time.

[From Digital Money: 1886 and all that]

In this new version, according to the web site (I haven’t read it yet – will start tonight):

  • The second most successful novel to be published in nineteenth-century America–a book whose thunderous indictment of industrial capitalism and vision of life in a socialist utopia still touches a nerve in the twenty-first century.
  • The introduction offers a highly original reassessment of the novel, exploring the political and psychological peculiarities of this celebrated utopian fiction
  • Uses the second, revised edition text of the novel which made “Looking Backward” a bestseller, and the notes detail significant variations from the first edition.
  • Contains an up-to-date bibliography and chronology of the author’s life

The discovery of this new edition made me think again about just how long it takes to effect change in the conservative world of money. Yet perhaps Bellamy was only a couple of decades out in his predictions of cashlessness, which isn’t bad across a 125-odd year span. Public attitudes are changing, even in conservative nations such as our United Kingdom.

Only 31% of people said using notes and coins was their preferred payment method, with 41% saying they would choose to use a card if they could, according to the Payments Council.

[From The Press Association: Consumers ‘choose cards over cash’]

Personally, I would never use notes and coins again if I had the choice, and it looks as if more and more people are coming to the same conclusion.

It found that while 83% of people aged over 55 would use cash when buying something for up to £3, 12% of under-35s would use a debit card.

[From The Press Association: Consumers ‘choose cards over cash’]

I’m certainly over 35, but I fall in the latter category. I would always use a card, given the option, although I never use a debit card of course. Why anyone would use a debit card when they could use a credit card (except in the face of surcharging, about which more in a later post) I don’t know. But this leads me to conclude that Bellamy may well have been a more accurate soothsayer than anyone suspects. This is because the “credit card” that he describes in the book is actually a pre-authorised offline prepaid card, and these surely are the key cash replacement product de nos jours. In the Federal Reserve Payments Study last year, prepaid was identified as the fastest growing segment.

The Study found that prepaid cards represented the fastest growing payments segment from 2006 to 2009, with an annual growth rate of transactions at 21.5%. By way of comparison, the number of debit card transactions grew at 14.8% and the number of credit card transactions declined by .2% annually over the same time period.

[From PaymentsJournal – Prepaid Transaction Volume Continues to Grow, Even as the Size of the Transactions Gets Smaller]

I’ve just been exploring some prepaid opportunities with one of our clients, and one of the factors that we were kicking around (not giving any secrets away!) was that prepaid is a way to experiment (provided that not-too-ridiculous KYC/AML/CTF doesn’t derail it) in a way that other products aren’t.

From the consumer side, prepaid allows consumers to test new opportunities and options without risking a lot of money or putting their bank accounts or credit cards on the line.

[From PaymentsJournal – When It Comes to New Payments Technology, Prepaid Will Lead the Way]

This is a good point, but I feel there’s another factor, at least in Europe. You don’t need to be a bank to offer prepaid services: the combination of an Electronic Money Institution Licence (ELMI) and a Payment Institution Licence (PI) means that any company can offer a full service: an open-loop prepaid card. I suspect that many of the companies applying for these licences are doing so because they want to use new technology to deliver new services that need payment, if you see what I mean. That is, they don’t expect to earn money from the payments themselves, but from the value-added services that need the payments to take place (what people are starting to call the “Google Model”). Hence Bellamy’s vision may be realised not from within the payments industry, but from, say, retail or mobile or brand or somewhere else entirely.

I’ve been using the prepaid contactless MasterCard on my Orange phone for a couple of weeks now — mainly in Pret and McDonalds — and I have to say it works pretty well. I’m very comfortable with the idea of switching to prepaid, because prepaid on the phone isn’t a pain, it’s easy. When the prepaid balance falls below a certain level, you’re asked to enter your PIN and top up. Simple. Thus while it may be initially hard to imagine prepaid cards replacing cash in retail transactions, the more I use my prepaid “card” in retail transactions, the easier it becomes.

Naturally, I obtained a spare copy of the new edition of “Looking Backward” and I have it on my desk beside me as I type. I will cheerfully dispatch it post-haste to the first person to respond to this post with the name of the first-person narrator of the story in question. In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and is not connected in any way with the London Olympics 2012. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.


Viva El Presidente!

[Dave Birch] I just saw an American in a bit of a pickle at Holborn Tube. He was trying to buy a ticket, but the machines won’t take non-chip cards, so he was stuck. His US American Express card was useless. Fortunately he was my brother-in-law, so I bought his ticket with my splendid Barclaycard OnePulse card. This is happening to Americans all the time, and since it happens to the banks’ best customers, they are beginning to respond.

I was pleased to see in the news recently that Chase and Wells Fargo announced the issuance of EMV chip-enabled cards for several of their credit card portfolios.

[From Portals and Rails]

I notice that at many of the US international airports I’ve been to recently (on a sample of three) you can buy Sterling and Euro prepaid chip and PIN cards from the Travelex booths as well. Chase and Wells aren’t the first US EMV issuers.

State Employees’ Credit Union (Secu) is set to be one of the first financial institutions in the US to roll out chip and PIN debit cards to its customers. The non-profit cooperative has enlisted French vendor Oberthur Technologies to help migrate its 1.6 million debit card holders to EMV between March and the end of the year.

[From Finextra: State Employees’ Credit Union makes EMV move]

The pressure for US migration is growing. As Jamie Henry of Walmart mentioned in his recent Tomorrow’s Transactions podcast, many retailers are asking the banks to go ahead with migration because they think it will reduce their costs dealing with fraud and PCI-DSS. Perhaps the pressure is reaching a critical point of some kind.

Don Rhodes, senior director of risk management policy for the American Bankers Association, says a number of emerging technologies, such as the EMV chip standard, mobile payments and peer-to-peer or person-to-person payments, will soon change the way U.S. financial institutions and merchants connect and transact. And it could all happen in 2011, much sooner than most industry experts expect.

[From EMV, Mobile and the Payments Landscape]

The kind of things that have been going on with Google and Square and Isis would serve, I think, to reinforce that the trend is accelerating. The fact that some of the trailblazers (eg, Bling Nation) have found it heavy going doesn’t mean anything about the overall trend (the weather isn’t the climate, as they say). I saw in a Mercator Advisory Group press release that they are saying that

Merchants are advised to “spend the $10” for EMV capable terminals now in anticipation of an eventual EMV roll-out.

[From EMV in the USA: Waiting on Debit, a Mandate, or Just the Opportune Moment]

They were anticipating an early 2011 start for the EMV roll-out, which is exactly what appears to have happened, albeit still on a limited scale. Elsewhere, the chip and PIN bandwagon rolls on inexorably.

Due to an increasing number of transaction fraud worldwide, more and more countries are shifting from the stripe card standard to the EMV standard, which substantially enhances transaction security and operation efficiency. Now some major Chinese commercial banks are to join the trend, planning to issue their chip band cards by the middle of the year.

[From Banks in China to Launch Chip Cards]

Perhaps in the Americas it will take political leadership to enable the final push towards EMV, a President with real vision and a commitment to the well-being of his nation.

President Chavez has mandated that the country move to EMV chip cards later this year which should stop this type of fraud

[From Chavez figures out how to stop cross border fraud]

Well, if only President Obama shared the wisdom, vision and economic genius of the noted revolutionary leader Hugo Chavez! So Viva El Presidente and down with the reactionary and counter-revolutionary Yankee magnetic stripe hegemony imposed by the running dog lackeys of imperialist aggression.


The fraud trajectory

There’s no doubt that chip and PIN is one of the key planks in the industry strategy to reduce card fraud to manageable levels (which is not the same as eliminating card fraud, note). One of the reasons why it is so secure is that it uses offline PIN verification, where the chip on the card checks that the PIN input at POS is the correct one. And since the PIN is known only to the cardholder, and they never divulge it, this provides validation that… no, wait…

Despite the strict recommendations from card providers about keeping your PIN confidential, research by shopping website VoucherCodes.co.uk has revealed that over half (59pc) of Brits are flouting the rules by sharing their bank card PIN codes and are putting their personal finances in jeopardy.

[From More than half of card users share their PIN – Telegraph]

Uh oh. But come on – anyone out there in the real world will know that it’s impossible to get through life without giving your spouse your PIN. What happens when (to pick a hypothetical example) she can’t remember what the hell she’s done with her handbag and needs to get to Homebase to buy some paint? Or (to pick a hypothetical example) a husband may have stupidly left his wallet in his desk at work but needs to get cash out at an ATM on the way to a football game. Come on – we’ve all done it (except me, I should point out to the terms and conditions chaps at Barclaycard).

The poll of 3,000 people revealed that Brits are most likely to entrust their partners with this security information, but a surprising one in twenty (5pc) adults feel that it is safe to divulge this information to their children.

[From More than half of card users share their PIN – Telegraph]

What? Not in my house they don’t. We have a Visa prepaid card for “house” use, so if the kids need to get some shopping, stuff for school or other supplies, they use that one, and I top it up online when necessary. It’s a simple way to manage money, so I’m surprised more people don’t do this: and it has the added benefit that it doesn’t have a name on it, so if it gets lost or stolen it can’t be used to start identity fraud.

Incidentally: 3 per cent of the people surveyed said that they wrote their PIN on a piece of paper and kept it in their wallet, which may account for at least some of the incidence of the ATM and POS chip and PIN fraud more plausibly than complex attacks on the unencrypted messages between the card and terminal.

There are plenty of other initiatives aimed at improving the overall level of card security. 3D-Secure has taken a long time to get traction but is now widely used in e-commerce. PCI-DSS is costing a fortune, but may reduce the industrial-scale counterfeiting of the magnetic stripe cards still widely used for retail payments in less-developed parts of the world.

In raids conducted Feb. 1, agents seized $300,000 in cash, three firearms and ammunition as well as equipment to make fake credit cards from the gang… The credit card details and stolen identity information was purchased from “online data traffickers via Web-based portals, and the purchasers would store the stolen credit card information in shared e-mail accounts, allowing several defendants to begin creating counterfeit credit cards,” prosecutors said.

[From US indicts 27 in Apple product credit-card fraud ring | MP3 Players | Macworld]

Anything that stops card details like these from falling into criminal hands so easily must be worth the money, right? Actually, on the costs of PCI-DSS, there may be some relief in sight for European retailers.

Visa last week announced a new programme which means European merchants will no longer need to prove they adhere to PCI DSS regulations on an annual basis, as long as 75 percent or more of their transactions originate from EMV-enabled chip and pin terminals. The programme will be introduced on 31 March, 2011

[From Visa PCI DSS exemptions send out mixed messages to merchants | Business Computing World]

So come on, it’s not all bad. In fact the bottom line is that the fraud figures have been improving, and I expect them to improve further still over the next couple of years as we begin the integration of cards and mobiles. This is because even simple integration (e.g., texting unusual transactions) delivers good returns and the impending integration of payments with handsets means that issuers will be able to go even further with 24/7 access to the “card”. I won’t rehearse the basic arguments, but I think there are many reasons for thinking that the mobile is a means to manage card fraud down, a line of thinking that we have presented frequently over the years.

So, are mobile payments safe or not? It’s not a “yes” or “no” question, as we hope this discussion has shown. Let’s ask another question instead: Can we make the risks of mobile transactions manageable? The answer to that is “yes”. In fact, in the particular case of mobile proximity payments, we happen to believe that there is more security overall in using a mobile than in using a card payment

[From TM Forum – Article: Mobile Payments – Safer than Cards?]

For one thing, as noted, we can use the mobile to provide information and as a communication channel to report on and detect suspicious activity. Potentially more interesting, though, there are techniques that take advantage of the characteristics of the mobile channel, primarily location. There are some practical problems to be overcome though.

ValidSoft [has] direct access to mobile networks, tables, and services around the globe and can provide mobile based location services without requiring that users opt in. Many financial institutions are interested in using these services for fraud detection but are concerned about the privacy implications and don’t want their customers thinking they are following them around.

[From Visa Europe sets trend with mobile location-based fraud detection]

Actually, I might well want my issuer to follow me around, but I might also want it to stop other people from following me around. Anyway, I’ll be talking about this kind of thing — including lessons from our practical experience advising leading payments organisations around the world and some of the things we are learning from the Ph.D in mobile handset security that Consult Hyperion is funding at the University of Surrey — at the excellent UK Card Fraud Conference on 29th/30th March 2011 in London.
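One way the mobile-location check discussed above could work, as an added example that is not from the original post or from any vendor named in it: compare where the terminal is with where the network last saw the handset, and hand the issuer only a coarse verdict rather than the location itself. The thresholds, the `Fix` record, the function names and the sample coordinates are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0    # assumption: about airliner cruising speed
CELL_UNCERTAINTY_KM = 30.0   # assumption: network-derived fixes are coarse
MAX_FIX_AGE_S = 24 * 3600    # assumption: older fixes say nothing useful

@dataclass(frozen=True)
class Fix:
    """A position and the time (Unix seconds) it was observed."""
    lat: float
    lon: float
    epoch_s: int

def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp, dl = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def location_signal(terminal: Fix, handset: Optional[Fix]) -> str:
    """Return 'consistent', 'suspicious' or 'unknown', never the location."""
    if handset is None:
        return "unknown"          # phone off or no coverage is not evidence of fraud
    age_s = abs(terminal.epoch_s - handset.epoch_s)
    if age_s > MAX_FIX_AGE_S:
        return "unknown"          # stale fix: fall back to the issuer's other checks
    # How far the cardholder could have travelled since the handset was seen.
    reachable_km = CELL_UNCERTAINTY_KM + MAX_PLAUSIBLE_KMH * age_s / 3600
    return "consistent" if haversine_km(terminal, handset) <= reachable_km else "suspicious"

# Constructed sample data: a handset seen in London, then three card payments.
T0 = 1_300_000_000
HANDSET_LONDON = Fix(51.5200, -0.1000, T0)
PAY_LONDON_10MIN = Fix(51.5074, -0.1278, T0 + 600)
PAY_NEW_YORK_1H = Fix(40.7128, -74.0060, T0 + 3600)
PAY_NEW_YORK_8H = Fix(40.7128, -74.0060, T0 + 8 * 3600)

if __name__ == "__main__":
    for name, pay in [("London +10min", PAY_LONDON_10MIN),
                      ("New York +1h", PAY_NEW_YORK_1H),
                      ("New York +8h", PAY_NEW_YORK_8H)]:
        print(name, location_signal(pay, HANDSET_LONDON))
    print("no handset fix", location_signal(PAY_LONDON_10MIN, None))
```

A "suspicious" verdict is best treated as one input to a step-up check, such as texting the cardholder about the transaction, rather than as an automatic decline.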

The magnificent people at DT Conferences have given me a delegate pass for the event — worth an amazing ONE THOUSAND TWO HUNDRED POUNDS plus VAT — to give away on this blog as a competition prize! So if you are going to be in London on those dates and you’d like to come along to meet some of the leading thinkers in the UK’s fight against card fraud (and me) then all you have to do is be the first person to comment on this post with the name of the doomed precursor to 3D-Secure, the PKI-based online card payment security system developed in the 1990s: full name, please, not just the TLA!

In the traditional fashion, this competition is open to all except for employees of Consult Hyperion and members of my immediate family, is void where prohibited and has been gritted for your safety. The prize must be claimed within three months. Oh, and no-one can win more than one of the Digital Money Blog prizes per calendar year.

