Recently I saw this article suggesting that 97% of mobile transactions in Asia are fraudulent? Can this really be true? I decided to investigate.
The article highlights an excellent report published by Secure-D looking into mobile ad fraud, which it appears is a largely hidden multi-billion dollar enterprise, impacting emerging markets in particular. As you might expect with an enterprise of this size it is multi-faceted and complex. Two of the ways fraudsters are making money are as follows:
Fake clicks: The internet runs on advertising revenues obtained when a user clicks on an ad in a mobile app or on a web page. Fraudsters have numerous ways to create fake clicks, that look like they’ve come from a real person, and then be paid the associate fee. One way that they do this is by deploying malicious apps to the devices of unsuspecting users often disguised as a legitimate app offering an innocuous service like providing weather information.
Hidden purchases: Many mobile users in emerging markets are unbanked and use their prepaid mobile airtime to purchase goods or services. Those malicious apps deployed to devices can also then siphon off funds from users without them realising it is happening. They just see their airtime running out more quickly than it otherwise might.
When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it. They might consider who provides the software, whether it is from an app-store, what social media says, and whether they have seen any reviews. But what if once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight.
This is what happened to approximately 300,000 active users of Chrome ad blocking extension Nano Adblocker. You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction. There is some suspicion that it may have also been uploading session cookies.
I love the BBC’s Money Box programme with Paul Lewis and I listen to it every week. A recent episode included what, I’m afraid, has become an all-too-familiar story.
Paul Lewis hears from a listener who built up savings of £180,000 over more than ten years in business, only to have it all stolen from her account in 24 hours by online scammers. Should her bank have noticed and stepped in?
The essence of the story is that the customer fell for a scam. She had a phone call from someone purporting to be from BT and the upshot of it was that she allowed fraudsters access to her Santander business account whereupon they immediately began to transfer all of the money out to a variety of other accounts. When she discovered that she had been the victim of fraud she asked the bank for the money back and they said no.
From her perspective, I can see why she feels aggrieved. She feels that the bank’s antifraud mechanisms should have resulted in a phone call or email and text message or something when these completely unusual transactions took place. After all, 33 transfers in 24 hours from an account that is normally used only for direct debits and standing orders would hardly need Watson to flag up a warning. From the bank’s perspective, I can see why they feel they are not responsible since she authenticated all of the fraudulent transfers by entering the 2FA codes they texted her (they hadn’t read my blog on why SMS isn’t security).
Whether the bank is at fault or not for this specific scam the banks, collectively, will have to do something about the instant payment fraud problem in general. These frauds have become a very serious problem and I can understand why consumer groups are upset about what they see as a lack of action from the banks.
The Payment Systems Regulator’s (PSR) response to the Which? super-complaint on bank transfer scams ‘has let the banks off the hook’.
It isn’t only phone calls. There’s a huge amount of e-mail fraud going on as well. In essence, fraudsters intercept legitimate requests to transfer money from one account to another using the Faster Payments Service (FPS) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will get into the email of a solicitor and when that solicitor sends an email to one of their clients requesting money for a house purchase to be transferred into the solicitors account, the fraudsters replace the legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow.
A particular problem, of course, is that you identify a payee by giving a sort code number that identifies the bank branch and an account number to receive the funds. I defy anybody to carry around the six digit sort code and nine digit account number of their correspondents in their heads or to be able to spot their solicitors real payment details from some fake payee details when reading an email. If you are expecting to send the money to $dgwbirch (you can try this by the way, it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski then you might be a little suspicious, but if you get an e-mail using to switch from sort code 12-34-56 to 34-56-78 its less obviously a fraud.
Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before a transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase.
Hannah Nixon, managing director of the PSR, said: ‘Tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams”.
Indeed they have. But if I tell my bank to send £10,000 to the Nat West in Barnsley by mistake – whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever – and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC) isn’t it?
I agree with the BBC and everyone else that something needs to be done. On this Money Box episode, Hannah Nixon (the UK’s Payment Systems Regulator) mentioned one specific countermeasure that is to be implemented by 2018, which is payee verification, but I wonder if the solution isn’t to put an overlay on top of FPS for retail and SME customers to use. As I wrote earlier in the year,
if someone put a scheme on top of FPS so that they did the payee verification for you and included chargeback rights for a small fee then that might be very attractive to a great many people.
In other news, MasterCard are apparently launching a bid for VocaLink.
This isn’t just about bank accounts and instant payments, of course. If it was, I wouldn’t be blogging about it. I hate to say it, but the problem and the solution are all about identity. She couldn’t tell it was BT, and bank couldn’t tell it was her (and she wouldn’t have been able to tell it was the bank). Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as far as I can tell, right now there are only gaps and no actual infrastructure. A system based on the gold standard of gas bills is, I am sorry to say, no longer fit for purpose.
Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To’s mailbox.
“Having forged his signature, they then transferred the deeds to his house into Ghani’s name”. Yes, I know I know, I’m sure the blockchain will put a stop to this, but in the meantime… should a homewoner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from the whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from utility bills and forging your signature, society wouldn’t expect you to be the one to lose out and I understand this, would it? Surely if I am able to login to the solicitors email server and then send emails masquerading as them, it’s the solicitor that is being negligent not the bank!
Just whose fault is it when someone gets scammed in an environment that has no effective identity infrastructure?
Online (identity-related) fraud is absolutely out of control in the UK and there is, so far as I can see, no prospect of any form of identity infrastructure to deal with the problem. Prospective Prime Minister Jeremy Corbyn has put forward the suggestion of a digital passport (and has, as yet, not responded to my offer to step forward in the nation’s hour of need with my Dr. Who-based identity architecture to implement it properly) but he won’t get elected anyway, so it won’t happen. Yet the fact remains that whether its scammers going through Facebook to perpetrate dating fraud or going through LinkedIn to perpetrate corporate fraud or going through the Land Registry to perpetrate property fraud or going through Companies House to perpetrate corporate fraud identity is broken.
After two decades of the web we’re getting no closer to fixing it. And example from my e-mail today: how is the average punter supposed to know whether “email.correspondence@assure3.barclays.co.uk” is real or not? It doesn’t look very real and there’s no digital signature on the email they sent me so I’ve got no way to check it (although all my messages from Facebook are digitally-signed!). Anyway, this is the sort of thing that plagues our nation:
The company was conned into paying more than £1million to a fraudulent caller. The conman told staff that the firm’s internet banking was the target of a virus. He managed to persuade them to transfer funds into a separate account while the bank worked to fix the issue.
How come it is impossible to know who you’re on the phone with (because of caller ID spoofing) let alone which dog is messaging you on the Internet? One of the great advantages of my ID scheme, as opposed to the last government’s scheme or the scheme that we abandoned in the 1950s, is that under my scheme, my “digital passport” (whatever) would be able to verify your digital passport. If you phone me claiming to be from NatWest then I will ignore you unless my digital passport (e.g., app) tells me that it has received a digitally-signed, verified credential containing your phone and a NatWest virtual identity
I talked about this last week when Brett King was kind enough to invite me on to an episode of Breaking Banks covering the blockchain and identity. What might have gone on to say is that we seem to have made no progress at all on this since the internet reached the mass market. And if you think that you’re so smart that you would never fall for this kind of thing, you’re wrong.
Sole practitioner Karen Mackie took a call in April which claimed to be from her bank warning her that her clients’ accounts had been compromised — and as a result ended up moving £734,000 into new accounts in £99,000 chunks.
The reason for the £99,000 chunks is of course that the Faster Payment Service (FPS) limit was £100,000 at the time. Still, not to worry, you would think, because the money can only be transferred to UK bank accounts and UK banks have very strict KYC procedures. It should be easy to text the plod with the names, addresses and phone numbers of the fraudsters. Apparently not…
Which is exactly what happened — only the accounts weren’t so safe. £222,000 was subsequently retrieved by the bank, but the scammers got away with the rest.
Oh dear. So much for all the money that is spent on KYC, AML and generally annoying and hindering members of the public trying to go about their lawful business. It doesn’t seem to do much more than inconvenience criminals. They got away with half a million quid. So the moral of this story is that basically it’s more profitable using identity theft to steal from banks than it is trying to persuade banks to implement an identity infrastructure fit for the 21st century.
The latest CIFAS Fraudscape figures for the UK show identity theft up by half again in 2015. And there’s no end in sight. I’m genuinely not sure whether the fraudsters are getting smarter or the public is getting stupider. It does seem to me that some of the frauds being perpetrated might well be beyond the defensive capabilities of even the most advanced technology.
A taxpayer who bought and handed over £15,000 in Apple iTunes gift card vouchers is one of “hundreds” of HMRC customers to be defrauded in the past month, a scam bulletin says.
So much of the fraud going on depends, in one way or another, on the lack of an identity infrastructure and the useless proxies that support our daily interactions. That taxpayer had no reasonable way to determine whether they were talking to HMRC or not. There’s not going to be a green light on the phone that tells you the caller is who they say they are, although I can imagine how a some sort of digital passport that can check whether other digital passports are valid and I’m sure someone could come up with good mobile UX for it. The consequences are pretty significant.
The annual cost of fraud in the UK could be as high as £193bn a year, far higher than a government estimate of £50bn, according to a new report. The latest Annual Fraud Indicator, based on research from Portsmouth university, has estimated that private sector losses could be as high as £144bn a year — much larger than the public sector figure of £37.5bn. It also counted the cost of fraud against individuals.
Well, let’s not panic. After all, £193 billion doesn’t buy as much as it used to. Let’s call it £200 billion for a round figure. Against this, card fraud is a miserable half a billion, about a quarter of a percent. Hardly worth worrying about. And, of course, thanks to EMV and 3D Secure and all that, it’s going down. Oh wait…
Statistics by Financial Fraud Action (FFA) UK show fraud losses on UK payment cards totalled £567.5 million in 2015, representing an 18% increase from £479 million one year before.
OK, so it’s going up but we should be doing about it? Since there doesn’t seem to much enthusiasm for a general identity infrastructure to actually fix the problem, we should probably continue to focus on better authentication against revocable tokens in tamper-resistant hardware for payments for the time being (although that really isn’t going to stop people from sending gift vouchers to the “inland revenue”) and then see if we can move that model into other areas. If I can have a token that says I can pay by Visa but does not give away my actual PAN, then why can’t I have a token that says I’m over 18 without giving away my age or allowed to drive a car without giving away my address?
Back on “frictionless payments” again. The bitcoin dream of instant (well, sort-of-instant) value transfer from anyone to anyone else with no third party that might be able to censor the transaction in the middle inevitably leads to what we used to call, in the first flush of digital bearer instrument debate, the “Grandma presses the wrong button and loses the house” problem that I touched on earlier this week. Or, to rephrase using the current examples, if the customer uses two-factor authentication to instruct the bank to send money to a crook is that the bank’s fault? Is it really a customer’s fault , for example, if their solicitor uses insecure e-mail to communicate with them instead of secure WhatsApp? There’s a spate of such frauds in the UK right now.
Mr Doyle instructed his bank to pay the money into this account. The couple then enjoyed their Easter weekend, little knowing their money had been stolen and their lives were about to be derailed. The truth emerged only the following Wednesday when TCS confirmed it did not have the money, and it became clear that the payment had been made to unrelated account operated by fraudsters.
The report then goes on to say that “the whereabouts of the money remain unknown” but this cannot be entirely true. Since the money had to be paid into a UK bank account and since UK banks perform stringent Know-Your-Customer checks before giving people bank accounts, the whereabouts of the money are very likely known, if not by the account holder (who could then be arrested) by whoever the account holder gave the login to (who could then be arrested). So it should be easy to get the money back… well, maybe…
Mrs Parkinson, a self-employed secretary and bookkeeper, was told that the remaining money could not be returned because the stranger who had the cash was “not able or willing to return the funds”.
Payment UK recently released a report about payee identification that proposes to add another step to inter-bank transfers so that after you enter the bank account details of the recipient (which you shouldn’t be doing of course – a big part of the solution is to stop requiring customers to enter sort codes and account numbers) the system will send you back the name of the receipt and ask you to confirm. There’s a long way to go with this though, because there are privacy and other issues. Is it any of my business what the name on your account is? Nevertheless, fixing the problem is on the agenda.
The UK banks also have a new code of conduct for instant payments so that if you accidentally send money to wrong account then the banks will ask nicely to get it back, but if the person you sent it to doesn’t want to send it back, you basically have to go to court (and pay the banks’ lawyers somewhere between £80-£200 per hour).
the ombudsman ruled in favour of the banks, reiterating that MBNA and Santander had done all they could.
If the bank can’t get your money back for you when you made a mistake, then you may as well have used bitcoin. Right? That’s what they appear to be telling you! This is why I will pay for the lovely antique map case I just saw using a credit card and not the faster payment service (FPS), which would have been quicker and cheaper for the me, the merchant and the bank. Of course, if someone put a scheme on top of FPS so that they did the payee verification for you and included chargeback rights for a small fee then that might be very attractive to a great many people.
In other news, MasterCard are apparently launching a bid for VocaLink.
I imagine you are all familiar with the story of the Hatton Garden robbery in London. A group of elderly criminals with long police records (“old lags” in the English vernacular) staged the biggest burglary in British history by tunnelling through concrete into the vaults of a safe deposit company in London’s Hatton Garden district. They got caught and sent to jail. I don’t doubt the film rights have already been snapped up, because at the trial it was revealed that the pensioner perps included a look out who fell asleep, a deaf point-man and a gang that travelled using OAP Oyster cards. These guys must feel so out of place in the modern world, all Snapchat and no Sweeney, that given the demographic trends around cinema viewing, a comedy heist vehicle featuring Helen Mirren, Bill Nighy and Robert de Niro is frankly inevitable and I’m surprised that the idea hasn’t already cropped up in an episode of “New Tricks” (or, as my children call it, CSI:OAP) yet.
Meanwhile, if you want to see how proper bank robbers (i.e., the ones who don’t work for banks) are adjusting to the times, you need to check out what’s been going on in Bangladesh, where the governor of the central bank has just resigned in disgrace following the theft of an enormous sum of money from their reserves.
Bangladesh’s central bank chief resigned on Tuesday, the finance minister said, after hackers stole $81 million from the nation’s foreign reserves in an audacious cyber-heist that has hugely embarrassed the government.
Basically, crooks got into the central bank system (which according to Reuters had no firewall and was using $10 routers) and had access to the SWIFT gateway, so they sent messages instructing the Federal Reserve Bank of New York to transfers funds from the Bank of Bangladesh account to some accounts in the Philippines.
The problem is that the counterparty on the other side of the SWIFT order was not who the Fed thought, and what should have set off red lights is that the recipients was not the government of the Philippines but three casinos!
As it turned out, the cybercriminals would have got away with a billion dollars had they not mis-spelled the name of one of the payees, a mistake that caused one of the banks in the chain to send a query. Otherwise, with the Bank of Bangladesh shut until the following Monday, they would have been home scot free. The money that was wired to the Philippines was then converted into bitcoins and spirited away NOT. Of course it wasn’t. Crooks don’t want bitcoin, crooks want flippin’ great wodges of cash. Some $30m was withdrawn in cash by an unidentified person and the rest, as I understand, was turned into casino chips!
Now on to the point (I promise you there is one). Is it a really a bank’s job to police where you send your money to? The reason I was thinking about the Bangladesh heist (I think Hatton Garden will make for a better movie, to be honest) is because of a discussion that broke out during the Biometrics Institute Financial Services Seminar in London. Nick Middleton from Nationwide put forward an interesting concept: he said we shouldn’t be working toward friction-free payments but “friction-right” payments.
Friction-free payments have risks. Contactless is fine for a cup of coffee but for a fancy meal you would ask for a PIN. Matching the friction to payment makes complete sense. If I tell Barclays to send $10 somewhere then they should just do it. If I tell Barclays to send $10 million somewhere then should they still just do it? Does it make any difference whether it’s a retail bank or the central bank? After all, the Fed had received a perfectly legitimate request from the Bank of Bangladesh and I shouldn’t think the Fed see it as part of their job to tell the Bank of Bangladesh where they may or may not send their money to.
“The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate.”
So: the back received a perfectly legitimate request on a secure channel. The problem lays with the security of the originator, not the receiver.
If no second factor of authentication was required for the Central Bank of Bangladesh’s transactions, then the hackers could meet Swift’s requirements by using the information they stole from the Bangladesh bank.
This seems cut-and-dried to me. If a bank gets an instruction to transfer, and that instruction has the appropriate digital signature, then the bank should execute the instruction. Clear. End of story. Me telling my bank to send money to somewhere, even if that somewhere is the Dunkin’ Donuts at the main railway station in Minsk, is that same as me sending my bitcoins from my wallet. The bank should just do it and if I’m sending it to crooks, that’s my problem. Right? Well, there was some controversy about this recently when a senior British policeman said that we may need to reconsider the distribution of responsibilities and liabilities around online financial services to help society tackle the tidal wave of fraud.
Metropolitan Police chief Sir Bernard Hogan-Howe said that the system “rewards” the public for being lax about internet security.
Alan Woodward from the Department of Computer Science at our neighbours the University of Surrey responded to this on his blog.
I might have put the point slightly differently (something more like “One is not necessarily incentivised to protect oneself at present”) but essentially I think he had a point.
I said something similar on the BBC’s “World Tonight” [here at 18:50], pointing out that Sir Bernard was commenting on the well-known economic principle of “moral hazard”. If I write my PIN number on the back of my debit card and then lose the card, I have surely contributed to the subsequent looting of my account. It doesn’t seem right that people who carefully guard their PIN numbers should have to contribute to my retribution.
So does that get the banks off the hook? Does it mean they don’t need to spend money on cyber security? No, it doesn’t. The essence of the argument is that customers should be refunded unless they are negligent. But what constitutes “negligent”? Sir Bernard said that people who don’t choose a good password are negligent, but I think he’s wrong about this. What’s negligent is pretending that passwords are any form of security. Whether you chose a long password or not makes essentially no difference. The pie chart of typical bank fraud losses would, I’m sure, show that social engineering and malware are the dominant sources of loss and choosing longer password, passwords with a number in or passwords with a chemical symbol at the beginning and a sign of the Zodiac at the end won’t help one way or the other.
Under the principle of Strong Customer Authentication (SCA) banks are supposed to implement two-factor authentication (2FA) so if banks allows you to access your bank account using only a password then it’s the bank that is being negligent, not you. As I said in that interview, if we want to make progress on this we have to move away from passwords. If a fraudster tricks me in to sending them money and I do all the proper authentication with the bank, then they will send the money to the fraudster because I told them to. In this case, the bank isn’t being negligent – it’s my fault. Tough luck. Hard cheese.
But…
Is that what we really want? Doesn’t that make it too easy for the fraudsters? Do we want Grandma to be able to lose the house by pressing the wrong button after a dodgy e-mail? Nick is right: when you think about it, the public don’t really want “frictionless payments” at all, do they? So what is the appropriate level of friction? I’m genuinely curious to hear what you think about this.
I was watching Panorama on the BBC on Monday. It was about hacking, ID theft, the usual stuff. The main takeaway for the general public was, I think, that everyone’s personal details have already been stolen and are common currency amongst criminals.
Hackers have stolen the personal details of millions of customers from companies like Talk Talk. So how do cybercriminals get hold of our data? Reporter Daniel Foggo meets the hackers who can break into any website and finds out how criminals profit from our information.
It featured one sad case of a woman who had been misled by fraudsters. She was buying a house and got an e-mail from (she thought) her solicitor asking her to transfer the funds for the house purchase (some £50,000) to a particular bank account. She did. The e-mail was, of course, from crooks and they transferred the money out and were never seen again (so much for the KYC/AML checks we spend so much money on). With so much money at stake, I couldn’t help but wonder, wouldn’t some form of security seem appropriate?
According to the American Bar Association (ABA), only a third of lawyers use encryption to communicate with their clients and of the lawyers who claim that they do use encryption, fully a third cannot say what kind of encryption they use. Of those who could say what type of encryption they use, the most commonly identified type was general purpose software with encryption features that required the recipient to be sent a separate password. Which is perfectly acceptable: I do the same all the time, using some zip utility to encrypt with a password then texting the password to the recipient. But I can’t help but wonder: why it is that Facebook can send me e-mail that is encrypted and digitally-signed and lawyers cannot? It’s not as if there isn’t a threat model!
Mrs d’Adhemar engaged a solicitor to handle the transaction and sent all correspondence through her secure work email address, but used her personal email account for everything else, including contact with the estate agent, Chestertons.
But 10 days after the sale was completed they received a call from their solicitor, who said NatWest had flagged up a problem with their account. Alarm bells immediately rang. The couple didn’t have a NatWest account, they banked with HSBC.
Just in case you are thinking that I’m highlighting odd or exceptional cases in order to make a point, I can assure you that I am not. This sort of thing goes on all the time in the UK.
Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into.
As millions of people do regularly and without thought, he duly replied, sending his Barclays bank account number and sort code. The email was intercepted by fraudsters. Posing as Mr Lupton, the fraudsters swiftly emailed Perry Hay & Co again – from the same email account – and told it to disregard the previous details and send the money to a different account instead.
After all these years, we still can’t make e-mail security work. Imagine the hassle that the average solicitor would face in trying to get an average customer to install GPG or something. It’s never going to happen. The solution, as Ian Grigg pointed out seven years ago when I was going on about the security of e-mail another time, is to stop trying to fix e-mail and (as my teenagers did) move somewhere else. Why not use messaging systems that are secure, like Facetime? Yes they aren’t interoperable (so you would need to know whether the customer had Skype or Yahoo or WeChat or WhatsApp or whatever) but I don’t think it would be hard to set up a few accounts. Then the fraudsters would have to take over the solicitor’s account rather than just send an e-mail. This would have two immediate benefits: first, the security of the account would be specifically the problem of the solicitor and they would fix it by using strong authentication and, second, all communications could be encrypted (I remember that we worked on a pilot system like this – for financial services rather than for solicitors – a few years ago and even then the overheads associated with encrypting and signing were negligible).
We need solicitors to stop using e-mail as soon as possible, but we need to provide a viable alternative. If not social media or messaging, then why can’t we have something like they have in Denmark, where everyone has a sort of secure government postbox?
P.S. It’s a rhetorical question. I know perfectly well why we can’t: it’s because Denmark has a national digital identity infrastructure and we don’t. But why not have it as a bank service, like the Barclays Cloud thingy? Since the solicitor knows your bank account, they would automatically know which bank cloud to send the documents to. And if you wanted to tell your solicitor to send money somewhere else or some other instruction, you would have to do it from inside your bank cloud. Surely, with a nuclear-powered robot on Mars, it ought to be possible to send documents from a postbox in one bank cloud to a postbox in another?
It’s fair to say that Jeremy King of the PCI Security Standards Council and I do not always see eye to eye on things. In fact we’ve disagreed more than once (in public) about the usefulness of PCI-DSS. But I have to say that Jeremy is absolutely spot on here:
King says it will take years for the rollout of tokenization and end-to-end encryption to be completed. And once the U.S. migrates to EMV, “we will see a move of the fraud to card-not-present,” he says
I think that when you look at the big picture you can see that there is a problem brewing. It is taken so long to get to the position where the US is finally on-board with the general concept of a shift to chip and PIN, even though most US consumers still do not have chip cards, that you can’t help but wonder whether the effort is going to be worth it. As Jeremy says, the shift to card-not-present fraud is about to accelerate and there’s not much that EMV can do about it. I saw the same point being made in another article a few days ago:
For one thing, EMV security only addresses the issue of counterfeit cards, which account for around 10 to 15% of credit card fraud in the United States.
As it happens, that’s not true, at least according to Aite Group, who put counterfeit and lost/stolen fraud, the frauds that should be tackled by EMV (or at least if EMV cards are issued with correct ICVV, correct service codes and no fallback at ATMs) at around half of all fraud.
In the United States, card-not-present fraud is already a big problem. In fact, it accounted for 45 percent of credit card fraud in 2014, followed by counterfeit card fraud (37 percent) and lost/stolen cards (14 percent).
Well whichever fraction it is you can see the issue. If the British patterns are anything to go by then the growth in card-not-present fraud will exceed the drop in card-present fraud and so the overall fraud rate will continue to rise. This is why I’ve said at a couple of recent events that I think that tokenisation is going to be more important than chip and PIN and I’d be curious as to your feedback on my three central arguments on this front!
First, tokenisation helps to reduce fraud in the fastest-growing areas, online and mobile. You can’t use a token outside of its defined domain and if you were able to steal a token out of my iPhone, you wouldn’t be able to use it in your iPhone.
Second, tokenisation could help to reduce fraud in card present environments if, as I anticipate, there is a shift towards in-app purchasing even in store. I can easily imagine standing in Tesco and paying using a Tesco app on my phone (using tokenisation) rather than by taking out a card and using it in the POS terminal in front of me.
Third, there are new things that we can do with tokenisation that we simply can’t do with the existing infrastructure. In addition to the “plain” token that the bank puts into my handset, it could load other tokens for a variety of useful purposes: I wrote before about the idea of issuing a stealth token for use in online dating, adult services and other privacy sensitive environments but you can also imagine tokens that are issued for specific purposes such as a campus, or just for a day, or just for a particular website. Given the significant investments that most of our clients have made in tokenisation infrastructure, the need to develop additional services on top of the infrastructure is pressing, so I expect to see innovation in that field.
In the long term, the ability to deliver and maintain consumer security and privacy through tokenisation will be a crucial function of banks. This is why I think my apparently outrageous claim that it is more important than chip and PIN is justified, but if you don’t agree I’d still love to hear from you.
Oh no! Shock horror! Something must be done! It’s an outrage! Thank goodness we have a free press to expose this egregious, calamitous, nefarious episode! Questions must be asked in Parliament. Yes, it turns out that a famous author (J. K. Rowling who wrote the tedious “Harry Potter” series of children’s books) has been trimming her hedge.
Oh, and on the front page the non-issue of contactless card security has come up once again, following a report from the consumer organisation “Which?”. They reported that contactless cards work according to their specifications. Using a standard reader they were able to interrogate standard cards and obtain the standard details, which do not include either the cardholder’s name or the security code. You cannot use the details to make a clone contactless card or a clone chip and PIN card or a counterfeit magnetic stripe card.
Yet the Which? researchers managed to buy a £3,000 TV set using one of the cards.
No, they didn’t. They did not use one of the cards. What they did was to use the card number and expiry date with a merchant who does not check the name, address or security code. Retailers are entirely free to do this, it’s up to them. The point of the card system is to protect consumers, not retailers. If retailers decide to deliver a £3,000 TV to a block of flats in Hoxton on the basis of a card number and expiry date (without checking the name, address or security code) then that is their look out. The customer will spot the unusual transaction and charge it back. The bank will charge it back to the merchant. The merchant will be out of £3,000. But it was their choice, so who cares? Anyway, the researchers were surprised that some merchants would behave in this fashion.
We doubted we’d be able to make purchases without the cardholder’s name or CVV code, but we were wrong.
Remember, this is the same information that a fraudster could obtain just by looking at your card. Luckily, the newspapers have also had some useful advice for customers concerned about card security.
James keeps his debit card at home and the PIN is still in the sealed letter. That way, if a fraudster takes money from his account, he can easily prove to the bank that he hasn’t used it.
Had the researchers glanced at any or our blog posts about contactless security, starting back in 2006, they would have known about this uninteresting risk. It isn’t news. I’ve suggested before that rather than panic about the non-issue of contactless security, their energies might be better directed toward educating the public about the technology and the distribution of liabilities.
The traditional way of educating the mass market in the UK about anything is to pester the BBC to include it as an EastEnders story line.
You may think that I was being flippant with that remark last year but I wasn’t. In fact, the soap opera route has been tried, albeit on the other side.
Coronation Street and Emmerdale will feature Visa’s contactless payment technology from February.
Sadly, I have never watched either Coronation Street or Emmerdale, although I know what they are because Harry Hill used to make fun of them on “TV Burp”, so I’m not best-placed to suggest appropriate plot lines. But perhaps one of the characters spotting a £3,000 charge to Currys on their statement and then charging it back might be far too dull.
Now, you might imagine that these stories are so trivial as to be utterly uninteresting. And on the one hand they are. But on the other hand I find them intensely annoying, because they are so insulting. “Fraud alert” over a payment architecture that has been under development for a decade? That’s a headline that suggests that I am a moron. As are the experienced risk analysis and payments architecture experts at Consult Hyperion. As are the risk management experts at retail banks. As are the strategists at Visa and MasterCard.
What are the media thinking? That there is no point over the past decade when it occurred to anybody that because the EMV standard involves the passing of unencrypted data between the card and the point of sale terminal that anyone with a standard reader would be able to obtain the card number and expiry date? That the thousands of people involved in the planning, design, launch and management of contactless cards were as thick as planks? That the issuing banks were so dumb to accept full liability for the fraudulent use of contactless cards that they are going to go out of business? That merchants who accept card numbers and expiry dates without a valid cardholder name or address are simply too dense to understand the liability shift?
Just to be clear. The actual figures (from the UK Cards Association) are that fraud losses from contactless cards are less than for contact cards, for the obvious reason that card numbers are, by and large, stolen online in vast bulk (see, in the Daily Mail, for example “Benson bought stolen credit card details from Russian gangsters”) and not obtained by individual fraudsters waving phones around peoples’ arses (although that would work, as this video shows).
You can tell from the Nokia 6131 used in that video that it was made a good few years ago but, as yet, the gangs of pickpockets in London seem to prefer the old fashioned methods, so you’re much better off carrying a contactless card (that can be refunded in the event of loss) rather than cash (which cannot).
Don’t panic. Unless you spot someone holding their mobile phone a little too close to my backside on the tube, that is.
Subscribe to our newsletter
You have successfully subscribed to the newsletter
There was an error while trying to send your request. Please try again.
