23 June 2008

Opportunity knocks

[Dave Birch] Our friend David Poe from Edgar Dunn gave a presentation at the recent Chicago Fed conference on payment fraud on

Identifying Security Issues in the Retail Payments System

[From Federal Reserve Bank of Chicago]

He sums up an important aspect of managing fraud in the retail e-payments world when he says that "Players often make suboptimal fraud risk management business decisions because the true cost of fraud is often misunderstood." While we all understand that some costs of fraud end up hidden away in bad debt, he points out that there are other, just as important, substantial costs to be taken into account. These include the opportunity cost of dealing with fraud when management time and effort could be going into growing the business instead. The more I think about it, the more I'm sure he's right. On the one hand, fraud stimulates new product and service ideas all the time: just pick a recent one at random,

Online shoppers in the UK will be able to pay direct from their online bank account rather than via a credit or debit card, thanks to a new service. The POLi online bank payment platform aims to increase payment choice while reducing card-not-present fraud, a category of fraud covering ecommerce transactions which is on the rise. UK card-not-present fraud rose from £212.7m in 2006 to £290.5m in 2007, an increase of 37 per cent... According to merchants in Australia using POLi, the service now accounts for an average of 23 per cent of their total online payment transactions.

[From Online banking payment system aims to reduce fraud | The Register]

I would never use this of course because I want to pay for everything using a credit card since that frees me from all worry: it's not my problem if something goes wrong, but that's beside the point. The point I wanted to make is that there's considerable intellectual effort going into dealing with online payment fraud, but if that problem were to be fixed then this energy and initiative could be freed up to develop cheaper, better, more inclusive payment systems instead and give a greater boost to net welfare.

16 June 2008

It'll never catch on

[Dave Birch] Well, we've all made some predictions that didn't really work out, but Clifford Stoll's 1995 Newsweek article stands out from the crowd for completely misunderstanding the nature and direction of change. In a general diatribe about how the Internet is useless and will never amount to much, he says that

Even if there were a trustworthy way to send money over the Internet--which there isn't--the network is missing a most essential ingredient of capitalism: salespeople.

[From Clifford Stoll: Why Web Won't Be Nirvana | Newsweek Technology | Newsweek.com]

Well, we still don't have a completely trustworthy way of sending money over the Internet, although PayPal is doing a pretty good job, but there's no shortage of salespeople. True, most of them seem to be selling Viagra, but there's an awful lot of commerce going on nonetheless.

13 June 2008

Zero hour

[Dave Birch] Part of my Bank Holiday reading this year was a book dropped on my desk by our head of Software Development. He'd been working with a customer on helping some of their people to develop a better understanding of phishing (and similar threats) by developing a bogus web site to show how easy it is, and had been reading it on the train. The book is Zero Day Threat by Acohido and Swartz. It's an O.K. read and at the end makes a few sensible suggestions. For example, they say that a priority is to do something about payments.

Jettisoning magnetic stripe payment cards and online authentication systems that rely solely on user names and passwords, and replacing them with technologies that actually hinder counterfeiting and impersonation -- not make it mere child's play -- is also a must... In short, the credit-issuing and card-based payment systems are due for a massive overhaul that will take us beyond the current solutions now on the table.

They also go on to say that

One can only hope that political leaders will emerge to champion the greater public good, not be bulldozed by probusiness interests.

What they are saying here is that banks prefer to have payments insecure because it's cheaper. This is true, but it's important to see why, and why the goals for the payment system might diverge from public policy goals. The designers of payment systems do not have as a goal the eradication of fraud but the management of fraud down to acceptable (ie, financially acceptable) levels. The few hundred million that goes to card fraud in the U.K. is a tiny fraction of the amount spent on cards. But the money earned through this fraud, while not a big deal to the banks, may well lead to larger social problems that do not figure in the banks' cost-benefit analysis, which is why we should still try to reduce it even if it doesn't make business sense for our particular organisations or systems.

25 April 2008

Learning from the UK EMV deployment

[Dave Birch] There's a great podcast here if you're interested in learning lessons from the U.K.'s "chip and PIN" rollout...

With Chip & PIN in full well established across the UK, fraud figures are painting an interesting picture of its impacts. Is it really making a difference when it comes to the never-ending battle against fraud? Consult Hyperion's Richard Allen discusses card fraud in an EMV world with AVISIAN Executive Editor Chris Corum.

[From re:ID Podcast]

Richard makes the point that the rise in fraud on the cards here is not "chip and PIN" fraud, it's "PIN" fraud. Since criminals can use data from the chip to make counterfeit magnetic stripe cards (not for too much longer, hopefully), fraud is still going up.

04 April 2008

Systematic calculations

[Dave Birch] I'm reading up to try and learn more about banking as I think this will improve my understanding of the payments business, but I've been side-tracked today because I'm considering joining in with the lawsuit to stop CERN from switching on their Large Hadron Collider (LHC). Apparently, there is a concern that when the assorted euro-boffins start their atom-smashing antics, they may create "strangelets" and mini-black holes:

The builders of the world's biggest particle collider are being sued in federal court over fears that the experiment might create globe-gobbling black holes or never-before-seen strains of matter that would destroy the planet.

[From Atom-smasher fears spark lawsuit - Science- msnbc.com]

These mini-black holes would suck matter out of this universe and send it into other dimensions, where it would never be seen again. I was wondering if this might be what happened to the THIRTY SEVEN BILLION DOLLARS that's gone missing from UBS recently. It certainly cannot be explained by conventional physics. If the chairman of UBS had stood in front of a roaring bonfire and thrown $100 bills into the flames at the rate of one a second for the last two years, he would have lost a mere $6.3 billion. Oh wait, perhaps he was burning 500 euro notes not $100 bills. They have much higher money density: in that case I stand corrected and he could just about have done it without string theory or 11 additional dimensions coming into play.

All he had to do was resign though. The Hong Kong Standard reports a more robust line on gambling bankers who pick the wrong horse. Two employees of the Agricultural Bank of China came up with a better strategy than UBS. They took about three million quid from the bank vaults. They then used the money to buy lottery tickets: their plan was to replace the missing money with the lottery winnings and hope that no-one noticed (much the same plan as Jerome Kerviel of Societe Generale fame as far as I can tell). Generally speaking, Chinese bank employees are not familiar with the work of Adam Smith:

Adventure upon all the tickets in the lottery, and you lose for certain; and the greater the number of your tickets the nearer your approach to this certainty.

[From Adam Smith Quotes]

In the U.K. you get to keep the Porsche and the massive pension and take a few weeks' gardening leave. In China, the rogue traders with the novel asset management strategy were executed.

25 March 2008

Yet another dumb headline about contactless card security

[Dave Birch] I had a few e-mails from people about the story in Engadget that was titled "RFID cards hacked easily with $8 reader"...

the crew at BoingBoing TV has posted up a little demo of how easy cracking the RFID encryption on an American Express card can be. All it takes is an $8 dollar reader easily available on eBay

[From RFID credit cards easily hacked with $8 reader - Engadget]

The actual title should have been "Well-designed American Express contactless cards work exactly according to specification and non-hacking non-exploit does not actually result in losses to either cardholder, retailers or American Express themselves". Anyway, the reason I got a few e-mails was because people wanted to know where to get these $8 readers. I just checked on eBay (US) and the cheapest pre-owned contactless terminal I could find was over $60. The video actually shows him using a Vivotech Vivopay 5000 (which is a couple of hundred quid in the UK), so if this guy really can get them for $8 he'll make far more money from reselling the terminals than he will from "hacking" ExpressPay cards.

12 March 2008

UK Card Fraud - gosh, shock, horror

We’re told that fraud migrates - push it down here and it goes up over there.  The introduction of Chip & PIN in the UK has squeezed out counterfeit, lost & stolen, and mail interception fraud.  This is countered by a rise in card-not-present fraud and overseas use of skimmed cards is on the up.  This trend has been clear over the last few years.  The net result is that overall UK card payment fraud has been flat at £400-450 million for 2001 to 2006.

The release of the latest UK card fraud statistics for 2007, by APACS, the UK payment clearing association, has created headlines.  It’s up 25% to £535m, they scream.  A quick glance reveals the usual trends, but chip & PIN in the UK has reduced fraud as much as it can whilst the CNP and overseas fraud continue to grow apace.  Hence the overall rise.

So, where is this fraud coming from?  It may be a blip - it hit £500m in 2004, for example.  Or perhaps fraud is migrating from elsewhere.  What happens to VAT carousel fraud when it is squeezed, for example?  [VAT carousel fraud is a peculiar wealth support mechanism dreamed up by the EU that costs the UK taxpayer £8.4bn a year.]

What can be done to stem this rise?  CNP fraud is being tackled by 3-D Secure (branded Verified by Visa and SecureCode).  To stem skimmed card fraud overseas and skim & PIN fraud (whereby fake magnetic stripe cards are used with a captured PIN to withdraw cash at ATM), UK banks have gone so far – by introducing ICVV and declining technical fallback at ATM.

But they could go further.  Why not an opt-in for all but the most frequent travellers whereby my card is automatically declined for all overseas (non-chip & PIN) payments and cash withdrawals?  Before I go on holiday, I tell the bank where I’m going and for how long.  It’s easy to implement and easy for the cardholder.  Mandate 3-D Secure?

Sadly, inconveniencing the cardholder gets in the way and we can't possibly have that.  And fraud is still only ~0.1% of total card spending.  So, perhaps it’s not such a big issue for the banks, anyway.  After all, card fraud was projected to be £1bn by 2010 were it not for Chip & PIN.

04 March 2008

Another perspective on chip & PIN fraud in the UK

[David Griffiths]  I think it's all good and proper that academics at world class universities have our (and I speak now as a punter) best wishes at heart, and I am grateful to the BBC for bringing it, once again, to everyone's attention.  Taxes and licence fees well spent.  I only wish that the spin revolved around reality rather than headlines!

Once again Ross Anderson has got the BBC all excited.  If there was a real hole in Chip and PIN, the boffins at Cambridge would have spotted it, and the BBC could then really get excited.  The reality is that Professor Ross Anderson has huge technical resources at hand, is surrounded by some very clever people, but they haven't cracked the system - not even come close.  They have, as we were told, found some vulnerabilities, but they have not found any that the banks were not aware of.

27 February 2008

Once again, it's "PIN fraud" not "chip and PIN fraud"

[Dave Birch] Well that was dull. I got all excited about this...

Whatever you buy in the shops, you probably pay with a chip and pin card, tonight Newsnight has exclusive evidence that they are vulnerable to fraudsters. The implications could be huge for millions of shoppers. We'll be asking what are the banks going to do about it?

[From BBC NEWS | Talk about Newsnight | Tuesday, 26 February, 2008]

But it turned out not to be an exciting breach of chip and PIN security, using (for example) liquid nitrogen to extract keys or something similar, leading to "chip and PIN" fraud, but "PIN fraud" as usual. The allegation -- which is, as far as I know, wholly true -- is that track 2 data and PINs are being stolen from compromised terminals and then used to create counterfeit magnetic stripe cards. Sandra Quinn from APACS, who was being tortured by Paxo (it's a peculiarly British bloodsport), said -- again, wholly true -- that ICVV has been introduced from 1st January 2008 to mitigate this particular fraud. For the uninitiated, ICVV replaces the CVV in the Track 2 (equivalent) data stored in the EMV chip. Thus, if a bank host sees a magnetic stripe transaction with the ICVV in it, they know it's a counterfeit stripe. The ICVV varies from CVV by replacing the PAN Sequence Number with 99 instead of the actual value when deriving the code.

I must point out, in the spirit of shared openness and truth seeking, that we just checked the three cards we could find in our office that were issued after 1st January 2008 and we found that the Barclaycard and the Nationwide card do have ICVV, the other unnamed large U.K. issuer's card doesn't have ICVV. So, on balance, Sandra wins!
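
What the issuer host actually does with ICVV, and what the office check above amounts to, written out as an added example (this is not code from the post, from APACS or from any card issuer). The key, the test PAN, the Track 2 layout and the HMAC-based derivation are all assumptions made for illustration: real issuers use their card scheme's DES-based CVV algorithm under secret keys, and only the inputs to the derivation matter here. The ICVV variant follows the post's description (PAN Sequence Number replaced by 99) rather than any specification.

```python
import hashlib
import hmac

# Constructed issuer key, for illustration only.
ISSUER_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")

# Constructed card record as the issuer host holds it (test PAN, not a real card).
CARD_ON_FILE = {"pan": "4111111111111111", "expiry": "1001",
                "service_code": "201", "psn": "00"}


def derive_cvv(key, pan, expiry, service_code, psn):
    """Stand-in verification value: HMAC-SHA256 over the card data, cut to 3 digits.
    The real card-scheme CVV algorithm is DES-based; only the inputs matter here."""
    msg = f"{pan}|{expiry}|{service_code}|{psn}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def derive_icvv(key, pan, expiry, service_code):
    """ICVV as the post describes it: the same derivation with the PSN set to 99."""
    return derive_cvv(key, pan, expiry, service_code, "99")


def card_values(card, key=ISSUER_KEY):
    """Both values the issuer personalises: CVV on the stripe, ICVV in the chip."""
    cvv = derive_cvv(key, card["pan"], card["expiry"], card["service_code"], card["psn"])
    icvv = derive_icvv(key, card["pan"], card["expiry"], card["service_code"])
    return cvv, icvv


def build_track2(card, verification_value):
    """Assumed Track 2 layout: PAN '=' YYMM service-code discretionary-data,
    with the verification value in the last three digits."""
    return f"{card['pan']}={card['expiry']}{card['service_code']}0000000{verification_value}"


def parse_track2(track2):
    pan, rest = track2.split("=", 1)
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "cvv": rest[-3:]}


def authorise_stripe(track2, card_on_file, key=ISSUER_KEY):
    """Issuer host decision for a swiped (magnetic stripe) transaction."""
    t = parse_track2(track2)
    if t["pan"] != card_on_file["pan"]:
        return "decline: unknown card"
    expected_cvv = derive_cvv(key, t["pan"], t["expiry"], t["service_code"],
                              card_on_file["psn"])
    expected_icvv = derive_icvv(key, t["pan"], t["expiry"], t["service_code"])
    if t["cvv"] == expected_cvv:
        return "approve"
    if t["cvv"] == expected_icvv:
        # The stripe carries the chip's value: a counterfeit built from chip data.
        return "decline: counterfeit stripe (chip data)"
    return "decline: CVV mismatch"


def chip_has_icvv(chip_track2_equivalent, card_on_file, key=ISSUER_KEY):
    """The office check from the post: does this card's chip carry the ICVV,
    or the same value as the stripe (which a cloned stripe would simply reuse)?"""
    t = parse_track2(chip_track2_equivalent)
    if t["pan"] != card_on_file["pan"]:
        return False
    return t["cvv"] == derive_icvv(key, t["pan"], t["expiry"], t["service_code"])


if __name__ == "__main__":
    cvv, icvv = card_values(CARD_ON_FILE)
    print("genuine stripe:", authorise_stripe(build_track2(CARD_ON_FILE, cvv), CARD_ON_FILE))
    print("stripe cloned from chip:", authorise_stripe(build_track2(CARD_ON_FILE, icvv), CARD_ON_FILE))
    print("chip personalised with ICVV:", chip_has_icvv(build_track2(CARD_ON_FILE, icvv), CARD_ON_FILE))
```

The point of the design is that the host never needs to know how the counterfeit was made: it recomputes both values it personalised and the presented value tells it which source the stripe was copied from. It also shows why the third card in the office matters: a chip personalised with the plain CVV gives `chip_has_icvv` false, and a stripe cloned from it is indistinguishable from the genuine one.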

14 January 2008

Time for the one-time signature ...

[David Griffiths]  I have recently moved home, and I wanted to tell my bank the new address for my business account.  I logged into the internet business account management centre, with my username, password AND one-time passcode from my whizz-bang security gizmo, but I couldn't find any option for updating my address.  "Perhaps I have missed it", I said to the lady in the call centre, after she had been through all of the additional security questions and had confirmed that it was indeed me. "No", she said, "you have to go into the branch and tell them".  "But I work in London, and can't get in".  "That's ok", she said, "I'll contact your branch and they can send you the form".  "And where will they send it?" "Ah!", she said, "You don't live there anymore, do you?  You'll have to write to them".  "But if I write to them, how will they know it's me?"  "You'll have to write to them", she repeated.  Now I can tell a procedural road block when I hear one, and I could tell I was hearing one - I considered my best option was to give in before they started quoting the Data Protection Act at me ... I sent the letter...

10 January 2008

Don’t worry, it still works fine

[Dave Birch] There are lots of fraud stories around today, including the one about the fraudster who managed to con high street bank Barclays out of £10,000 in a credit card scam by posing as the bank's own chairman, Marcus Agius. It seems as if the card fraud meme has been spreading. I don't know if you saw this wonderful story in The Guardian back in December, but it was about the English town of Letchworth (the world's first garden city) and the essence of the story was that card fraud is so out-of-control that a kind of panic has set in. I won't reproduce all of the details here, but I wanted to pull out a few key quotes from the story in order to make a couple of points and to reflect on the conclusion of the story, which is that whole communities are losing faith in payment cards and are turning back to cash-only transactions. The meme has been spreading through various channels and there are more and more stories about the failure of chip & PIN (ie, failure to eliminate fraud), the rise in ATM fraud, CNP fraud and so forth. But I'm getting ahead. In the Letchworth story, the reporter found many people "boycotting" outdoor cash machines, and, in some cases, abandoning the use of payment cards at retail POS.
Shoppers at the Shell petrol station told us they will never use their bank cards to pay for fuel again, after witnessing the chaos caused to friends who have had bank accounts plundered by fraudsters. Outdoor ATMs are strangely quiet, while inside banks there are queues of customers taking out cash.
The story says -- and I'm not questioning it -- that in the town (of 33,000 people) virtually everyone the reporter met had either been the victim of card fraud or they knew of someone who has had money illegally taken from their bank account. Usually the illegal withdrawals take place in Australia. This is a novel twist (it's usually Italy or Bulgaria) suggesting a specific gang at work. Several people said they were now only using cash. Almost all said they would no longer use cash machines unless they were inside the bank. One specific problem identified was -- hello 2006 -- the petrol station. Card-reading equipment at the Shell garage, on the main road in and out of the town, was compromised. Another was the bank. An ATM at a bank branch had a skimming device fitted The local paper reported the stories with additional coverage when it emerged the problem had spread to another Shell garage in nearby Hitchin. I'm not trivialising the issues: the stories involve real people, such as
Hilary Gibson defaulted on her mortgage because thieves stole the £700 she had deposited to cover the payment the following day. Leisa Virgo from Hitchin was another victim. When the bank called to check a payment, she immediately cancelled the card - but not before £300 had been withdrawn.
Hertfordshire police also reported that CCTV monitoring had foiled another attempt to install a skimming device at another ATM and four people were arrested. Nevertheless, residents such as Peter Merrigan are concerned:
To be honest, I have stopped using bank cards... I now prefer to go into the bank and get out my money the old-fashioned way - I certainly wouldn’t use a cash machine.
The reporter found the ATM outside the Barclays branch with wires hanging out. It had clearly been attacked. The staff were sanguine:
Don’t worry, it still works fine.
I'm not sure that the residents have been doing their risk analysis homework, because (and here I agree with the APACS spokesman) carrying around wads of notes is (I'm sure) more likely to lead to loss than carrying around a card: if I lose a tenner, it's gone for good, but if my card is skimmed I'll get the cash back from the bank. Sorted. Since I never, ever, use my debit card except at ATMs, I feel fairly comfortable. But then I don't live in Bicester, where fraudsters tried to attach a skimming device to every ATM in the town, or Houghton on the Hill, where the local garage was compromised so that everyone's card details were stolen.

08 January 2008

Criminals in Reading are thicker than criminals elsewhere

[Dave Birch corrected] Well, this is what this old story seems to imply. Apparently criminals in Reading never rob people for cash, which can't be traced, but will rob people for contactless payment cards that can be used for under ten pound transactions without a PIN (like cash) but can be traced (unlike cash). The report says that Reading town centre inspector John Relph thinks that shoppers’ convenience (from contactless cards) could lead to increased fraud. He says
I can’t believe banks are making fraud this easy. Without a PIN number there will be no identification verification process, therefore making it easy for the criminal to use. It will make our job in the town centre harder because there’s a strong probability that fraud will be increased.
Well, if contactless cards do cause an increase in fraud, the police will know where to look for the perps. Steve Wilmott, Head of the Economic Crime Unit for the City of London Police, says that one of the key trends in financial fraud is that a decade ago a tenth of fraud cases involved a bank insider whereas it's now 40%.

18 December 2007

Falling back

[David Griffiths] The other day, my girlfriend said to me that she had tried to use her Nationwide card in a Nationwide ATM and then in a Nat West ATM. On both occasions the transaction was rejected with an "unable to complete" type message. I was surprised that the ATMs hadn't attempted fallback, as there is no intrinsic risk in fallback, especially if the issuer is aware of the circumstances, and the adopted fraud prevention mechanisms are working. Fraud prevention mechanisms are elaborate - neural networks and other clever stuff they are reluctant to discuss - and can monitor the cardholder's usage patterns. So, if there is a "dodgy" fallback authorisation request, but the transaction fits with the cardholder "norm", the issuer may choose to take the transaction risk, for all of the reasons highlighted by Richard Allan. However, if the cardholder used the card yesterday in Telford, has no history of exotic travel, and then an authorisation request is received today from Thailand, they may choose to issue a decline. My girlfriend was using the same ATMs she always uses, and was requesting the same amount that she always requests - any neural network worth the investment would recognise this as likely to be a genuine transaction. She has therefore been inconvenienced by what looks like the whim of the ATM acquirer, but ultimately blames the issuer as they can't get a replacement card to her for 10 days.
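
The issuer-side reasoning in this post (take the fallback when it fits the cardholder's norm, decline the Telford-then-Thailand case), together with the travel opt-in proposed in the 12 March post above (decline overseas non-chip & PIN use unless the cardholder has told the bank about the trip), as an added example that is not code from the blog or from any bank. The profile, terminal ids, amounts and dates are constructed, and the two plain rules stand in for the neural networks the post mentions; the 24-hour window and the 1.5x amount tolerance are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed cardholder profile: settings plus recent approved transactions.
PROFILE = {
    "home_country": "GB",
    # The opt-in proposed in the 12 March post: decline overseas use that is
    # not chip & PIN unless the cardholder has told the bank about the trip.
    "decline_overseas_without_chip_and_pin": True,
    # (country, first day, last day) travel notices given before a holiday.
    "travel_notices": [("ES", datetime(2008, 3, 20), datetime(2008, 3, 28))],
    # (when, country, terminal id, amount) of recent approved transactions.
    "history": [
        (datetime(2008, 3, 10, 18, 5), "GB", "ATM-TELFORD-01", 100.0),
        (datetime(2008, 3, 12, 18, 10), "GB", "ATM-TELFORD-01", 100.0),
        (datetime(2008, 3, 14, 18, 2), "GB", "ATM-TELFORD-01", 100.0),
    ],
}


def make_request(when, country, terminal_id, amount, entry_mode):
    """entry_mode is one of 'chip_and_pin', 'stripe' or 'fallback'
    (chip could not be read, so the terminal sent the magnetic stripe)."""
    return {"when": datetime(*when), "country": country, "terminal_id": terminal_id,
            "amount": amount, "entry_mode": entry_mode}


def travel_notice_covers(profile, country, when):
    return any(c == country and start <= when <= end
               for c, start, end in profile["travel_notices"])


def fits_cardholder_norm(profile, request):
    """Same terminal seen before and the amount in line with what is usually taken."""
    usual = [amt for _, _, term, amt in profile["history"] if term == request["terminal_id"]]
    return bool(usual) and request["amount"] <= 1.5 * max(usual)


def implausible_travel(profile, request, window=timedelta(hours=24)):
    """Previous transaction in a different country inside the window, no travel notice."""
    last_when, last_country, _, _ = max(profile["history"], key=lambda h: h[0])
    return (last_country != request["country"]
            and request["when"] - last_when <= window
            and not travel_notice_covers(profile, request["country"], request["when"]))


def authorise(request, profile):
    abroad = request["country"] != profile["home_country"]
    if (abroad and profile["decline_overseas_without_chip_and_pin"]
            and request["entry_mode"] != "chip_and_pin"
            and not travel_notice_covers(profile, request["country"], request["when"])):
        return "decline: overseas non-chip&PIN use blocked by opt-in"
    if request["entry_mode"] == "fallback":
        # Stand-in for the issuer's neural network: accept the fallback when it
        # matches the cardholder's own pattern, refuse it when travel is implausible.
        if fits_cardholder_norm(profile, request):
            return "approve: fallback fits cardholder norm"
        if implausible_travel(profile, request):
            return "decline: fallback with implausible travel"
        return "refer: fallback outside cardholder norm"
    return "approve"


if __name__ == "__main__":
    usual_atm = make_request((2008, 3, 16, 18, 0), "GB", "ATM-TELFORD-01", 100.0, "fallback")
    print("usual ATM, usual amount, fallback:", authorise(usual_atm, PROFILE))
    thailand = make_request((2008, 3, 15, 9, 0), "TH", "ATM-BKK-77", 100.0, "fallback")
    print("Telford yesterday, Thailand today:", authorise(thailand, PROFILE))
```

The ordering matters: the cardholder's own opt-in is checked before any risk scoring, so a trip the bank was not told about is declined regardless of how plausible the transaction looks, while a fallback at the usual ATM for the usual amount is approved without the cardholder noticing anything.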

24 October 2007

It was a cunning plan

[Dave Birch] It's amazing to me -- no, not amazing, more kind of quaint, reassuring and comforting -- that in this high-technology e-money world, there are crooks who still try to rob banks the old fashioned way. Not the modern way (by working for them as traders) but the old fashioned way. There are still people out there who rob banks with shotguns. And there are still people out there who make dodgy banknotes. An example being the gang of Chinese counterfeiters currently on trial in London for attempting to defraud the Bank of England of more than TWENTY EIGHT BILLION POUNDS. Yes, that's right. They tried to cheat the Bank of England out of more than FIFTY BILLION DOLLARS by swapping 360 "special-issue" £500,000 notes and 28 million £1,000 notes for lower denominations. Unfortunately, there were two tiny flaws in their masterplan: the Bank of England has never issued a £500,000 note and £1,000 notes were taken out of circulation in 1943 (and there are only 63 of them not accounted for). The criminal geniuses tried to get the Bank of England to accept £1,000 notes with the signature of Jasper Holland, the chief cashier in 1963. Now, far be it from me to criticize -- I know virtually nothing about counterfeiting -- but c'mon guys. Didn't anyone think that the Bank of England might double-check if someone turns up with twenty eight billion pounds in used notes? The only way to get away with this kind of thing is to skim off a small amount from each legitimate note in circulation (like the Chancellor of the Exchequer does).

09 October 2007

Where next for U.K. cards?

[Dave Birch] In an article about the immediate future of credit cards in the U.K., which I found via the Sun newspaper I think (it's a key source of financial insight...), the commentator focuses on dull subjects such as the continuing popularity of balance transfer deals -- though these seem to me to encourage, rather than, "stop rate tarts". For foreign viewers, I should explain that a rate tart (eg, me) is someone who takes a zero-interest balance transfer deal from a card issuer, never uses the card, and then switches to another zero-interest balance transfer deal at the end of the term. And why not? If a bank sends me a letter saying "please have some free money", then of course I'll tick the box marked "yes". Anyway, what caught my eye was the comment that the only thing likely to change the market will be some genuine innovation (a topic of some discussion previously). The article goes on to say that
Perhaps Barclaycard's upcoming Oyster/contactless payment/credit-card combo [he means the OnePulse card] will do that, at least for the London market. I expect it to significantly increase people's spending, just as credit and debit cards did. Other providers will see its impact and will want to work on similar technology and infrastructure as fast as they can -- if they can.
I think it's fair to observe that in the case of Oyster, they can't (because the deal with Barclays is exclusive for an initial period). But perhaps the author is right that contactless will spark off some new products -- as it has in the U.S., where Visa USA has just announced the Micro Tag, a contactless keyring (like the PayPass fob and the American Express companion fob) instead of cards to pay for purchases under $25 by waving the device in front of a contactless payment terminal. Sadly, we can't use these in the U.K. -- for technical reasons to do with transactions being online, PINs, EMV scripts and such like -- but we don't especially need to worry about this, because there's no doubt in my mind that the preferred contactless doo-dah (sorry for the technical argot) for most consumers, in most of the world, is their own phone.

03 July 2007

More post-modern policing

[Dave Birch] There's been a bit of a fuss in the media here about card fraud. I paraphrase, but essentially the police are too busy to investigate credit card fraud so it's been agreed that it's up to the banks to sort it out. This is being reported (incorrectly) as card fraud being decriminalised and the newspapers say that the Home Office is failing to take credit card fraud seriously. In essence, under some guidelines which came into force in April, it is now the responsibility of banks to decide which offences to pass on for investigation. Critics suggested the move is being made to reduce crime figures and "demanded a rethink". Now, I have to say that I've often argued for this policy: it's a bank problem and it should be up to banks to take the lead in sorting it out (and paying for it). But you can see how the spin could have been managed better: perhaps labeling the policing of card fraud as post-modern rather than as low priority.

25 June 2007

All sorts of payment frauds are growing

[Dave Birch] Not all of the payment fraud in the world is payment card fraud. A survey of more than 3,000 corporate treasury officials raised the alarm about cheque and electronic payment fraud.
Payments fraud last year was pervasive and increasing
says a report from the Association for Payments Professionals. The Association for Finance Professionals did another survey and found that 72% of its 414 respondents had been victims of actual or attempted fraud in 2006, up from 68% in a 2005 survey. But here's the good news: electronic payments turn out to be significantly safer than paper (cheques processed as images are also much safer than paper cheques) even though ACH and payment card networks are subject to increasing fraud attacks, particularly in transactions on the Internet and over the phone. Nearly all respondents said they had been the target of actual or attempted check fraud in 2006, while 35% reported fraud activity in ACH debits. Seventeen percent said they had seen attempted or actual fraud with consumer credit cards. Of those who reported fraud activity with cards, consumer credit cards accounted for by far the most response (82%), with signature debit cards registering 18%, stored-value cards 7%, and PIN debit cards 4%. Of those respondents that accept consumer payments via the phone or over the Internet and also reported ACH fraud, some 44% said they received fraudulent ACH instructions from their Internet channel; 45% said the same about the phone channel. Similarly, the organizations responding to the AFP survey are sustaining fraud losses from card-not-present transactions. Liability for these transactions is cited by 64% of those respondents that sustained losses because of card fraud as the primary reason for the loss. Delays in filing chargebacks comes in second, at 25%.
Organizations that suffer financial losses from card payments do so primarily because they are ‘card-not-present’ merchants
notes the report, although it might have gone on to say that they are CNP merchants that have not signed up to 3D Secure. Interestingly, in light of a recent string of hacker intrusions into merchant data bases, none of the respondents reported fraud stemming from a card-data breach. But then, as has been discussed on Digital Identity, there is a clear correlation between the size of the breach and the likelihood of fraud (and the type of data). If a neighbour steals your card from the post, there is pretty likely to be a subsequent fraud. If some government department tells the entire world your personal details, there may be a few frauds, but not that many.

Technorati Tags: , , ,

Continue reading "All sorts of payment frauds are growing" »

All sorts of payment frauds are growing

[Dave Birch] Not all of the payment fraud in the world is payment card fraud. A survey of more than 3,000 corporate treasury officials has raised the alarm about cheque and electronic payment fraud.
Payments fraud last year was pervasive and increasing
says the report from the Association for Financial Professionals (AFP). The survey found that 72% of its 414 respondents had been victims of actual or attempted fraud in 2006, up from 68% in the 2005 survey. But here's the good news: electronic payments turn out to be significantly safer than paper (cheques processed as images are also much safer than paper cheques), even though ACH and payment card networks are subject to increasing fraud attacks, particularly in transactions over the Internet and over the phone. Nearly all respondents said they had been the target of actual or attempted cheque fraud in 2006, while 35% reported fraud activity in ACH debits. Seventeen per cent said they had seen attempted or actual fraud with consumer credit cards. Of those who reported fraud activity with cards, consumer credit cards accounted for by far the most responses (82%), with signature debit cards registering 18%, stored-value cards 7% and PIN debit cards 4%. Of those respondents that accept consumer payments over the phone or the Internet and also reported ACH fraud, some 44% said they had received fraudulent ACH instructions through their Internet channel and 45% said the same of the phone channel. Similarly, the organizations responding to the AFP survey are sustaining fraud losses from card-not-present transactions: liability for these transactions is cited by 64% of those respondents that sustained losses from card fraud as the primary reason for the loss, and delays in filing chargebacks come second, at 25%.
Organizations that suffer financial losses from card payments do so primarily because they are ‘card-not-present’ merchants
notes the report, although it might have gone on to say that they are CNP merchants that have not signed up to 3D Secure, which moves the liability for an authenticated transaction from the merchant to the issuer. Interestingly, in light of a recent string of hacker intrusions into merchant databases, none of the respondents reported fraud stemming from a card-data breach. But then, as has been discussed on Digital Identity, the likelihood that a compromised record is actually used for fraud depends on the size of the breach and on the type of data stolen. If a neighbour steals your card from the post, a subsequent fraud is pretty likely. If some government department tells the entire world your personal details, there may be a few frauds, but not that many.


26 April 2007

Card fraud in the UK

[Dave Birch] Following on from Paul Marsh of APACS, I thought I'd post a few figures. The basic UK picture is that online banking crime is going up while card and cheque fraud are falling. The APACS figures that Paul was kind enough to discuss with us show that card fraud losses fell by three per cent in the past year to £428m, a decrease of nearly £80m over the past two years, but online banking fraud is up 44%, from £23.2m in 2005 to £33.5m in 2006. As had been hoped, chip & PIN has reduced card fraud at the point of sale. As had been expected, some of this fraud has been displaced into card-not-present (CNP) channels, to the extent that CNP now accounts for half of all card fraud. Fraud on UK cards overseas has increased because the magnetic stripe is copied onto counterfeit cards which, together with the captured PIN, are then used to withdraw cash at foreign ATMs that have no chip & PIN and so fall back to the stripe. To put total fraud losses further into context, however, losses as a percentage of plastic card turnover are now below 10 basis points, compared with 14 basis points before the chip & PIN migration. Cheque fraud fell by another quarter.


23 March 2007

Anti-fraud people in favour of untraceable cash?

[Dave Birch] There's a letter in The Economist concerning their recent story on cashlessness.  It comes from someone who works in a bank fraud department and they paint an apocalyptic picture: "The potential for digital piracy of cash soon dwarfing the piracy of digital content is very real... Not only will the value of national currencies be undermined, but they will also be open to manipulation when effectively privatised and under corporate control.  If digital money becomes standard, those insisting on paying with cash will be penalised. I am currently charged a ‘non-Direct Debit fee’ each time I pay my cable bill over the phone – speaking with an automated voice, no less – because I refuse the ‘convenience’ of Direct Debit. My local lunch restaurant no longer accepts debit or credit card payments under GBP10 because the banking fees are too high.  Cash works just fine."  Now I'm confused: as a law-abiding, tax-paying citizen (well, subject), should I be for cash or against it?


16 March 2007

Comforting phone call

[Dave Birch] There are some strange things going on in the world of chip and PIN. First, the Scottish Grocers' Federation (SGF) Retail Crime Survey for 2006 shows that card fraud in Scotland's convenience stores has gone up by 54% since the introduction of chip and PIN, an increase for which they can provide no explanation, which is even odder considering that card fraud is continuing to fall at other kinds of retailer. I'm really, really curious to know if anyone has any theories. Second, the issuer of one of my UK credit cards called...


07 March 2007

Simple text

[Dave Birch] I was at a seminar discussing card payments in the Middle East recently. A couple of the banks there were talking about how simple and effective transaction notification by text or e-mail has been for them, so I was wondering why my bank doesn't offer it to me in the UK.


29 January 2007

Risk and reputation

[Dave Birch] One of the most difficult things to assess as part of the risk analysis for a new electronic payment product is reputational damage. Not only is it hard to quantify, it's hard to rank the reputational risk due to payment products alongside other reputational risks. There are quite a lot of these if you're a bank. I used to read newspapers more often but now I only read the newspaper once a week when I get the Telegraph on a Saturday. It happens to have a number of stories around this topic today. The one I'm curious about is...


22 January 2007

Moral panic or genuine worry?

[Dave Birch] It looks as if gift cards will need some better PR. The panic has been growing for a while, but I thought it had peaked before Christmas with stories about them being the ideal present for organised criminals in Canada. According to the Mounties, such persons use them as "virtual currency" for drug deals and money laundering. Apparently, a recent organized-crime threat assessment for Canada and the United States identified gift cards and prepaid debit cards as one of the tools in the financial-crime kit of organized crime. The assessment was compiled by the RCMP, the FBI and the U.S. Drug Enforcement Administration. "All these cards were built for legitimate purposes, obviously," said Det. Insp. John Sullivan of the Mounties, "But as with any new technology, as soon as criminal organizations see a gap, they exploit it."


11 January 2007

Noted security expert (well, congressman) comments on contactless security

[Dave Birch] I was thinking about the reporting of threats to retail e-payment systems because of recent discussions, and it reminded me of U.S. Sen. Charles Schumer's (D-N.Y.) call, reported by Card Technology, for stronger encryption for contactless payment cards and better warnings from card issuers about the technology's potential security risks. This appears to follow on from the Wall Street Journal article discussed before. It's good to see experts getting involved.


08 January 2007

Threats and threats

[Dave Birch] I have had a few calls from journalists about the chip & PIN "Tetris stunt". Basically, some guys at Cambridge took the innards out of a chip & PIN terminal and replaced them with something else. I didn't think this was terribly interesting, but then I don't know anything about marketing and publicity! As I've mentioned before, I do find it odd when journalists call about something like this: they're effectively saying "hey, is it true that banks, retailers, suppliers -- and their consultants of course!! -- are so dumb that it's never occurred to them at any time in the last decade that criminals could build a device that looks like a POS terminal but really isn't, in order to get customers' PINs?"



19 December 2006

Swings and roundabouts

[Dave Birch] The introduction of chip and PIN payment at POS in the U.K. has helped to cut losses from credit card fraud in the first half of this year from £219.5m to £209.3m (APACS). As expected, though, fraud has migrated from the physical world to the virtual world, and Internet, phone and mail-order (i.e. card-not-present, or CNP) fraud accounted for 46% of all losses. In the last five years, CNP fraud has doubled in value. Time for action.



27 November 2006

Real or phish? Time for the people's court...

[Dave Birch] I was thinking about an e-mail that I got last week. I would have deleted it, except I was thinking about getting (yet) another credit card, and I saw this in my inbox...

Hsbc Mail

It was an HTML e-mail with a convincing HSBC logo and some pretty graphics, but no digital signature or certificate. And it comes from somewhere called "acxiom", which sounds made up to me. What do you think? Real or phish? Here's the URL it takes you to. Again, it looks convincing, but it's not a secure site (where's my little padlock?) so there's no certificate to check, which is a bit suspicious if you ask me. And if you click on "Apply Now", you get some sort of pop-up window with no address bar visible. I don't trust those, because you can't see where you are supposedly visiting. The pop-up window doesn't have a menu either, but it does have a little padlock. If you click on that, it says that "Verisign" (who are they?) have issued the certificate to "hsss1.hsbc.co.uk". What's "hsss1"? And what's it got to do with Sheffield, South Yorkshire, GB?

How is the man using the Clapham ISP ever going to trust the Internet?
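The checks the post walks through by hand (who the mail really comes from, whether a link lands on a plain-HTTP page with no certificate to inspect, whether a pop-up hides its destination, and whether the host at the end of the link actually belongs to the bank) can be scripted. The example below is added here and is not from the post or from HSBC; the e-mail it examines is a constructed sample modelled on the post's description, and every hostname in it other than hsss1.hsbc.co.uk is made up.

```python
"""Triage of an HTML marketing e-mail for phishing indicators.

Added example, not from the original post. The message below is a
constructed sample; the sender domain and the first link host are invented.
"""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the post's description of the mail.
SAMPLE_FROM = '"HSBC Credit Cards" <offers@mail.acxiom.example>'
SAMPLE_HTML = """
<html><body>
<img src="https://cdn.example.net/hsbc-logo.gif" alt="HSBC">
<p>Apply for your new card today.</p>
<a href="http://www.hsbc-offers.example.net/apply">Find out more</a>
<a href="javascript:window.open('https://hsss1.hsbc.co.uk/apply','','toolbar=0,location=0')">Apply Now</a>
<a href="https://hsss1.hsbc.co.uk/apply">Apply Now (plain link)</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value.strip())


def under_domain(host, domain):
    """True if host is domain itself or a subdomain of it (case-insensitive).

    A suffix match on the full label boundary, so hsbc.co.uk.example.net
    does not pass for hsbc.co.uk.
    """
    host = (host or "").lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(from_header, html_body, brand_domain):
    """Return a list of human-readable findings; an empty list means no indicator fired.

    The checks mirror the ones the post applies by hand:
    1. the From: address's domain belongs to the brand;
    2. every link is over TLS, so there is a certificate to inspect at all;
    3. no link is a javascript: URL that opens a window without an address bar;
    4. every link's host lies under the brand's domain.
    """
    findings = []
    _, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2]
    if not under_domain(sender_domain, brand_domain):
        findings.append(f"sender domain {sender_domain!r} is not under {brand_domain}")

    parser = LinkExtractor()
    parser.feed(html_body)
    for href in parser.links:
        url = urlparse(href)
        if url.scheme == "javascript":
            findings.append(f"javascript: link hides its destination: {href}")
            continue
        if url.scheme != "https":
            findings.append(f"link is not over TLS, so no certificate to check: {href}")
        if not under_domain(url.hostname, brand_domain):
            findings.append(f"link host {url.hostname!r} is not under {brand_domain}: {href}")
    return findings


def triage_sample():
    """Run the checks over the constructed sample against the brand domain hsbc.co.uk."""
    return triage(SAMPLE_FROM, SAMPLE_HTML, "hsbc.co.uk")


if __name__ == "__main__":
    for finding in triage_sample():
        print("-", finding)
```

On the sample this reports four findings: the third-party sender domain, the plain-HTTP link (twice, for the missing TLS and for the foreign host) and the javascript: pop-up; the plain https link to hsss1.hsbc.co.uk passes. That last point is the one strong signal in the post, since only whoever controls hsbc.co.uk could have obtained a certificate for a name under it, and the script treats a link host under the brand's domain the same way. The sender check is an indicator, not a verdict: banks really do outsource mailings to third parties, which is exactly why this genuine-looking message is so hard to tell from a phish.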


24 October 2006

Talk of the town

[Dave Birch] Down here at the RSA Conference Europe, a couple of people asked me about the article in the New York Times concerning contactless card security. In particular, the potential for mail interception (since you can read the cards inside the envelope). As the article says, "Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers. Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen."

You know, I bet the US issuing banks never thought of that.


19 October 2006

Seana Pitt, PCI Security Standards Council

A visitor from New York in this week's podcast. Seana Pitt, chair of the recently-formed PCI Security Standards Council.


12 September 2006

Second identity theft

[Tony Seymour] I noticed the following article in Finextra. Does this mean the end of virtual universes? Or does it mean that the virtual universe needs to come into the real world?

Virtual universe <Second Life suffers real world security breach: The creators of Second Life, a virtual world where people play out fantasy lives online, has asked all players to change thei