Wendy Atkins examines the latest weaponry to combat banking card fraudsters in the payments industry’s arsenal.

Any consumers reading newspaper headlines over the past 12 months could be forgiven for thinking that the banking industry is not doing enough to combat fraud. In fact, that perception could not be further from the truth. Horror stories of card fraud and identity theft do little to instill confidence in systems, and while individuals are becoming more cautious about how they treat their bankcards and passwords, banks are also working to ensure customers do not lose confidence in card systems.

It is not all bad news, though. While much of the media coverage has focused on the problems of card fraud, little has been said about the advances that have been made in combating it. The roll-out of debit and credit cards based on EMV (a standard for the interoperation of chip cards, named after its three developers, Europay, MasterCard and Visa) has been very successful in reducing cardholder-present fraud. According to the latest figures from the UK’s payments industry association, APACS, total card fraud for the UK was down by 5%, from £219.5m (€324m) to £209.3m in the six months to June 2006.

The organisation attributes much of this success to chip and PIN in protecting consumers from cardholder-present fraud in the UK retail environment, where losses fell 43% in the first half of 2006, following a 35% fall in 2005.

However, the success of EMV has caused fraud to migrate. Card fraud abroad increased by 16% in the first half of the year as fraudsters began targeting countries that have not yet upgraded to the more secure technology. APACS also reported card-not-present (CNP) fraud increased, but at a much slower rate than seen previously. According to its figures, this type of fraud now accounts for 46% of all losses but grew by only 5% year-on-year, compared with a 29% increase between 2004 and 2005.

One of the biggest sources of CNP fraud is internet transactions, where it can take several forms. The majority involves a criminal obtaining genuine card details in the real world that are then used to shop online. However, technology-savvy criminals are also using ‘phishing’ and other internet attacks, such as Trojans, which log keystrokes to capture passwords and other personal information, and ‘vhishing’, which, like phishing, involves the fraudster posing as a financial institution but uses voice over internet protocol (VoIP) technology.

“Phishing raises the importance of two-factor authentication. And faster payments [as mandated by the payment task force set up by the UK’s Office of Fair Trading] will raise the bar further,” says Steve Lomax, head of marketing at Alaric, a supplier of technology for the card payments industry.

Anti-fraud initiatives

Banks are now using fraud detection software to identify any unusual patterns of behaviour in cardholder transactions. And, in some countries, in-branch issuance of cards is becoming more popular to alleviate the problem caused by fraudsters intercepting post – particularly where magnetic stripe cards are still issued.

The industry is working to combat the problems of CNP. MasterCard and Visa have both established systems to enable cardholders to improve their authentication with a password when shopping online (MasterCard SecureCode and Visa’s Verified by Visa), thus making such transactions safer.

The cards industry is also adopting an industry-wide approach to card security with the Payment Card Industry Data Security Standard, known as PCI. By June 30, 2007, retailers, financial services institutions and businesses that accept card payments must be compliant with PCI.

The PCI guidelines affect every part of the payments value chain. They require merchants to have the security of their key storage and credit card transaction processes audited. This means that, at a minimum, merchants must install and maintain a firewall, encrypt data that is transmitted across public networks, use and frequently update antivirus software, assign a unique ID to each person with computer access, and regularly test and monitor access to network resources and cardholder data. For payments processing companies, the PCI standards include a mandate to implement two-factor authentication systems as a means of securing network access.

Authentication methods

Two-factor authentication can take a number of forms, including public key infrastructure (PKI) certificates, smart cards, USB tokens, handheld tokens and biometrics.

Although biometric technology can be used for authentication in the banking world, it is still not widely deployed. “There is interest in biometrics, but banks are still nervous about the technology,” says Gareth Ellis, consultant at software firm ACI. “One of the issues holding the technology back has been the lack of standards. But as more standards are implemented, we will see greater use of the technology.

“There is also a problem with the choice of biometrics. Retina and fingerprints are all talked about, but there are still some problems about consumer perceptions of the technology. Everyone knows their PIN, but how do you maintain the integrity of a biometric?”

Didier Serodon, chief marketing officer at payment transactions company Ingenico, agrees: “Biometrics could have a place, but the size of the transaction would have to be taken into account. Taking a customer’s fingerprint could be too much for a basic £15 transaction.”

The array of solutions available in the two-factor world means that banks must select methods of authentication that match customer profiles. “Banks already segment customers for marketing purposes. Now, they need to apply this approach to security and risk management,” says Nesic Dragoljub, head of professional services at Thales e-Security. “Banks need to evaluate the risks associated with different customers, including high-net-worth individuals, businesses and low-income customers, and match the level of security to their needs.”

One-off passcodes

One approach that is starting to become popular with some customer target groups is the deployment of devices that can generate one-off passwords. Cardholders insert their EMV card into a hand-held reader and enter their PIN. On validating the PIN, the reader generates a unique, one-time-only passcode, which the cardholder provides to the retailer for authentication with the cardholder’s bank.
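The flow described above can be modelled in a few lines. This is an added example, not code from any vendor or from the EMV specifications: HMAC-SHA256 over a transaction counter stands in for the card's real cryptogram, and the class names, key, PIN and look-ahead window are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

def passcode(key: bytes, counter: int, digits: int = 8) -> str:
    # Stand-in for the card cryptogram: HMAC-SHA256 over the counter, shown as digits.
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class Card:
    """Constructed model of a chip card plus hand-held reader."""
    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin
        self._max_tries = self._tries_left = max_tries
        self._counter = 0

    def generate(self, pin: str) -> Optional[str]:
        if self._tries_left == 0:
            return None                      # PIN blocked: no more passcodes
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None                      # wrong PIN: nothing is generated
        self._tries_left = self._max_tries
        self._counter += 1                   # each passcode uses a fresh counter value
        return passcode(self._key, self._counter)

class Issuer:
    """Bank side: shares the card key and remembers the last counter it accepted."""
    def __init__(self, key: bytes, window: int = 5):
        self._key, self._window, self._last = key, window, 0

    def verify(self, code: str) -> bool:
        # Only counters above the last accepted one are tried, so a passcode that
        # was already used (or is older than one already used) is rejected.
        for counter in range(self._last + 1, self._last + 1 + self._window):
            expected = passcode(self._key, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last = counter
                return True
        return False

def demo() -> dict:
    key = bytes(range(32))                   # constructed key, for illustration only
    card, bank = Card(key, "4821"), Issuer(key)
    code = card.generate("4821")
    return {"wrong_pin": Card(key, "4821").generate("0000"),
            "first_use": bank.verify(code), "replay": bank.verify(code)}

if __name__ == "__main__":
    print(demo())
```

The look-ahead window lets the issuer accept a passcode even when earlier ones were generated but never submitted, while a captured passcode is useless once it, or any later one, has been accepted.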

Xiring manufactures a range of readers for this market, including the Xiring 1000 mini reader, the Xiring 4000 regular-sized reader and the Xiring 4500 to meet the requirements of disability rights acts throughout Europe. Nigel Reavley, director of business unit, banking, at Xiring, says: “We have shipped seven million of our one-time password devices, and have seen a growth in shipments of 50% per year.”

Typically, banks give these devices to their corporate and high-net-worth customers. For example, BNP Paribas is among the list of Xiring clients that has already started to deploy the readers to its corporate customers.

However, there seems to be a mixed case for being an early adopter of the technology. It is widely agreed that there are clear first-mover advantages to adopting it: banks get to demonstrate to their customers that they take fraud seriously and, because the devices can be branded, they are a good way for a bank to get its brand in front of its customers on a daily basis.

However, some insiders believe there is a theoretical first-mover disadvantage. As one insider at this year’s Cartes (smart cards and identification) show comments: “If bank A deploys the technology, there is nothing stopping consumers from using the devices to generate one-off passwords for their bank card issued by bank B. Although bank A would still enjoy the marketing advantages of having its branded devices in front of customers, bank B would get to experience the security advantages of the technology without the costs of deployment.

“How much of a problem this would be in the real world is still unclear, because most consumers will probably not even attempt to use their B bank card in a bank A-branded reader.”

Restoring faith

In some countries, the money banks lose through fraud may be less than the cost of consumers’ loss of trust in payments systems, which is why it is so important for banks to act. Some insiders think the roll-out of password devices has resulted in a 15% increase in internet transactions. And anecdotal evidence suggests that improved customer confidence is driving up the value of transactions.

Consumers enjoy the flexibility that shopping over the internet provides: for example, more than four million people in the UK shop online and there were an estimated 372 million transactions last year, according to APACS. The industry is devoting its resources to staying one step ahead of fraudsters and the hard work is beginning to pay off.
