Combating card fraud
Of the security issues facing banks everywhere, prevention of card fraud has always been a high priority, and is set to grow even further in importance.
The level of card fraud has risen significantly over recent years, caused in the main, by the explosion in the number and usage of payment cards and the associated high level of organised card crime activity. For example, over the past decade, fraud losses on UK-issued plastic cards have risen from £96.8m to a staggering £402.4m a year. And these figures do not take into account the 'soft' costs related to card fraud, such as tarnish to reputation and potential legal costs.
Numerous types of card fraud have been developed over the years and are regularly committed throughout the world. The most prevalent and commonly known type is counterfeit card fraud. However, as new banking channels have opened up, for example internet, phone banking and e-commerce, and the boom in credit card use, crime has migrated to seek any opportunity to attack these new and immature transaction methods.
The losses associated with these attacks has risen drastically over the past couple of years, and counterfeit fraud has now been overtaken as the most costly type of card fraud by a newer method, that of Cardholder-Not-Present (CNP) fraud. In the UK last year, CNP fraud was responsible for losses of £116.4m – more than any other type of card fraud.
CNP transactions are performed remotely, when neither the card nor the cardholder is present at the point-of-sale. CNP transactions take many forms such as orders made over the phone or internet, by mail order or fax. In such transactions, retailers are unable to physically check the card or the identity of the cardholder, which makes the user anonymous and able to disguise their true identity. Fraudulently obtained card details are generally used with fabricated personal details to make fraudulent CNP purchases. The card details are normally copied without the cardholder's knowledge, taken from discarded receipts or obtained by skimming. This means that while the three or four digit Card Security Code on the back of cards can help prevent fraud where card details have been obtained, it does not prevent fraud on cases where the card itself has been stolen. Ironically, another reason CNP fraud is on the increase is because of the advent of EMV smart cards – a technology that was introduced to tackle counterfeit fraud. The major advantage of smart cards is the increased security they provide. The chip technology uses sophisticated processing techniques to identify authentic cards and make counterfeiting extremely difficult and expensive. Combining this with a PIN is a proven system for combating fraud as it provides the two-factor authentication of 'something you have' (the smart card) and 'something you know' (the PIN). This makes the probability of fraudulent transactions taking place in an ordinary retail environment extremely low.
By making cardholder present fraud so difficult through the introduction of smart cards, it is predicted that CNP fraud will increase further, along with other forms of fraud such as advanced internet fraud techniques like phishing. At the same time, levels of e-Commerce and internet banking continue to rise and more and more transactions are performed without the physical presence of the user or card.
Two factor authentication is key
Banks are having to face up to the realities of the modern highly connected world, which now provides a vast array of opportunities for banks to interact with customers. It has meant that whether as a consumer or a business, the number of transaction channels is now extremely varied and continuing to grow, yet it is not a scenario that all banks are fully prepared for.
At the moment the maximum level of security available to consumers for e-transactions is user ID and password authentication. However, this is already seen as being inadequate for securing financial transactions. Instead, pioneering banks and credit card providers are turning to the obvious candidate for reducing CNP fraud, the EMV smart card.
The reason that the EMV smart card is not already used within consumer e-transactions is the difficulty in including the card within the transaction process. The solution for this, an unconnected reader, is not new. However, the barrier has always been around cost. In other words, is it more cost effective for the bank to accept low levels of fraud rather than the expense of rolling out millions of unconnected readers to consumers? The continuing rise of CNP fraud is beginning to tilt the argument in favour of the rollout option.
In terms of the technology behind the unconnected smart card readers, it is the introduction of a common standard that is the most important innovation. APACS, in association with MasterCard, released specification standards for unconnected smart card readers which have allowed leading manufacturers to offer products for mass consumption at a commercially viable cost.
The reader provides the user interface to the card and displays a one-time passcode once it has read the smart card and the user has entered his/her PIN. The user then manually types this passcode into the computer at the appropriate prompt. Only the issuing bank can authenticate this one-time passcode. To avoid repeat attacks, the one-time passcode can also be linked to the individual transaction by a more secure, yet still simple, challenge–response process. In that case, should the passcode be intercepted, it is of no use whatsoever beyond that single transaction.
Assuming that consumers will not resist the introduction of unconnected readers, this new system will have an extremely positive effect on fraud and in turn help boost consumer confidence in e-Commerce. However, it is not just internet-based transactions that will benefit. Theoretically, any transaction where the card has to be used, and the cardholder is not present, could use this scheme. For example, if purchasing a good or service over the phone, the user could simply read the one time passcode to the person at the other end who could validate it in the usual way through the payment system. As such the smart card is transformed into a personal security module to validate every financial transaction the user wishes to make.
The security benefits are clear to see. The inclusion of a smart card in every financial transaction will add a crucial second layer of authentication. This two-factor authentication process of something you have as well as something you know should dramatically reduce fraud.
The move towards two-factor authentication for all transactions using smart cards is an important example of a security model that is able to grow organically and embrace and integrate new transaction technologies and channels, as and when required. This kind of flexible, yet secure and dependable system, is key for today's advancing e-business world and, crucially, is now a commercially possibility.
The author is head of transaction security of the e-Security activities of the Thales Group.