30 September 2014


Pat Carroll - ValidSoft

76 | posts 267,123 | views 37 | comments

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
A post relating to this item from Finextra:

Over 100 indicted in huge New York ID theft ring takedown

10 October 2011  |  6397 views  |  1
New York authorities have indicted 111 people - including bank tellers - accused of participating in an identity theft scam that saw counterfeit credit cards used to steal more than $13 million.

What's really mind-boggling about the NY card-skimming fraud

10 October 2011  |  3469 views  |  4

News that 111 people were arrested last week in New York in a US$13 million card fraud scam was a useful reminder of just how easy it still is to skim credit card details in the US. NYPD Commissioner Raymond Kelly was quoted as saying: “Thieves have an amazing knowledge of how to use technology . . . The schemes and the imagination that is developing these days are days are really mind-boggling.'

In fact there was nothing sophisticated about this crime, just “traditional” skimming of customers’ credit card details which could be used either to manufacture false credit cards or for online purchases. This is a lot easier in the US where credit card companies don’t use the microchips common in European cards, but those chips don’t prevent, for example, the use of stolen credit card details for online purchases.

As I have argued before, the financial industry’s main focus should be on preventing fraudsters from using stolen data. Technology can already show that an individual (in fact his/her mobile phone) is not in the US when his/her credit card is being used at a POS in New York. Technology can do so in total respect of privacy laws, through anonymous correlation, and in a way that is totally invisible to the customer before such withdrawals and purchases are authorised. Technology can also support additional strong transaction authentication and verification methods, namely through an automated call to that phone can immediately confirm that fact, and – if the card holder rejects the transaction – alert the issuing bank to block the card.

And if the fraudsters have gone to the lengths of swapping the sim card or automatically forwarding calls to the customer’s mobile number on to a number of their own, that can also be detected. The level of authentication can be tailored to the transaction type and size, and can even include voice biometrics for added security if the card issuer wants to use it.

The key lies in real-time detection, prevention and immediate resolution enabled by the empowered customer. The security technology industry has a job to do in encouraging customers to question just how it is possible in 2011 for a skimming scam like the one uncovered in New York to be so profitable on such a scale. That really is a mind-boggling thought.


Comments: (7)

Christopher Mc Carthy - SunGard - Zurich | 11 October, 2011, 08:08

"Technology can already show that an individual (in fact his/her mobile phone) is not in the US when his/her credit card is being used at a POS in New York."

Erm, Not sure I want a card processor (or anyone really) having real-time access to my movements via mobile phone location records.

Pat Carroll - ValidSoft - London | 11 October, 2011, 10:07

As I explained in an earlier blog on EU Data Privacy, using mobile telephony to improve security for multiple aspects of banking can offer consumers around the world huge gains in terms of improved security and customer service. But those consumers – as well as banks, retailers, mobile telephony companies, regulators and governments – need to feel absolutely confident about the protection of individuals’ privacy, if these exciting opportunities are going to be realised.

And that is why security companies should go through the complex process of applying for a Privacy Seal from EuroPriSe.

European data privacy laws are arguably the most stringent in the world. That should be great news for companies that meet them when those companies come to offer their services around the world.

Nick Collin - Collin Consulting Ltd - London | 11 October, 2011, 11:17

The lesson to be learned is quite clear - the US must migrate to EMV chip.

Christopher Mc Carthy - SunGard - Zurich | 11 October, 2011, 13:16

"European data privacy laws are arguably the most stringent in the world."

Perhaps, but they're not worth much if the politicians then decide to share it in places where the data is less well protected:




Pat Carroll - ValidSoft - London | 11 October, 2011, 14:30

The bank, or card processer always knows where you are (at an ATM or POS) – our technology simply confirms this, or in the event that we refute it we never say where the person is, so the bank only works with the information it already has.

Christopher Mc Carthy - SunGard - Zurich | 11 October, 2011, 14:47

So your company tells a card processor if the transaction is more likely to be good or bad?

I imagine the criteria you base your decision on are secret, but one thing that would help you immensely would be to know if the card holder's mobile phone agrees with the card on current location?

Again, I want as few people as possible to have access to information on my movements.  Not sure how many other peopel are like me (probably more in the UK now following the phone hacking scandal!).

I could however see a system being build, with some safeguards, doing as you suggest.  But as you wrote, that is a new trust relationship and would also require a change in the law (I'm thinking in terms of the UK).

Already some cards have other safegaurds - such as requiring a user to contact the issuer or go online and tell the issuer that they are going abroad (good idea, as long as the client knows about this beforehand - a friend of mine didn't, went to HK and found himsefl in trouble - luckily he had just enough cash to call the issue to get the card unblocked).  And issuers have been known to call card owners mid shiopping to query 'unusual' purchases (but then we get ot the question of how does the card issue and the holder mutually authenticate each other?).

Pat Carroll - ValidSoft - London | 12 October, 2011, 13:04

Don’t want to breach the rules of engagement of the blog site by going into commercial detail. Briefly we sit as an additional layer of security alongside existing risk engines – the technology already is in place. We check the proximity of the origination of the transaction to the cardholder through the global mobile network. If in proximity then we simply “confirm” what the bank already knows. If we “refute” we never declare where the phone is. Bank has much better quality information to base its decision on whether to accept or decline the transaction. On the privacy front we are fully compliant with UK Data Protection & Data Privacy laws, as we are from an EU Data Privacy regulation perspective also.


Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Pat

More Channels, More Payment Options, More Fraud

23 September 2014  |  681 views  |  0  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

iHack Hastens Call for Multi-factor Authentication

05 September 2014  |  2360 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInformation Security

The Next Target-Style Attack This Holiday Season?

11 August 2014  |  1743 views  |  1  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

Securing Transactions Means More Than Just Authentication

10 July 2014  |  2485 views  |  0  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

Pat Carroll

job title

Founder/Executive Chairman

company name


member since




Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisat...

Pat's expertise

What Pat reads
Pat writes about

Who is commenting on Pat's posts

Ketharaman Swaminathan
Kenneth Carnesi
Andrew Smith