22 August 2014

Stephen Wilson in Lockstep

Stephen Wilson - Lockstep Group


How much worse can CNP fraud get?

17 July 2012  |  2300 views  |  1


The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12-month period.

For the first time in many years, Australian card fraud has grown in all categories. The ratio of Card Not Present fraud to all fraud remained steady at just under three quarters. An upturn in skimming and counterfeiting is surprising given the strong penetration of chip-and-PIN cards in Australia, although most ATMs here still use the stripe and remain vulnerable to carding. It will be interesting to watch card present stats in the next 6-12 months.

Still, CNP fraud remains the preferred modus operandi of organised crime; the cost of CNP fraud grew by 61% from 2010 to 2011.

"Innovation" is a topical notion in Australian payments systems circles, but for the most part innovation is confined to back end systemic improvements to interbank settlements. Regulators take a light touch on the user side. The market is fostering innovative payments applications in mobile devices, but so far, security still proves to be too hard. APCA's only position on security is to wait and see what happens when 3D Secure comes to Australia. Given that nothing has stood in its way, and CNP fraud is doubling every two years, the very absence of 3D Secure here should be worrying to the regulators.

3D Secure is awkward and off-putting to users, expensive to implement, slow to process, and above all, incredibly costly thanks to high abandonment rates. In contrast, we could solve CNP fraud online in exactly the same way as we solved carding, simply using asymmetric cryptography to render stolen account details non-replayable.

After all, CNP fraud is just online carding.


Tags: Security, Payments

Comments: (2)

A Finextra member | 20 July, 2012, 12:36

Great post. But when you throw about terms like 'asymmetric cryptography' assuming we all know what it means, you lose points! Please at least explain what you mean - one-way encrypted data - otherwise known as a hash.

Add my vote to the scrapping of 3D Secure too.

Stephen Wilson - Lockstep Group - Sydney | 21 July, 2012, 02:05

Thanks for the feedback.

Asymmetric cryptography describes a big class of technologies, including hashes but also digital signatures, which is an even better way to protect the pedigree of data sent from a device, on behalf of its owner.

A digital signature is created by processing transaction data through a private key kept in a chip like a smartcard, mobile phone SIM, NFC element, Trusted Platform Module and so on. The signature code can be readily processed by any receiver that has been preconfigured with the corresponding public "master" key [skipping some unimportant details here about public key certificate paths]. Modern Internet servers come with the master keys of almost all commercial PKI providers, plus the necessary software primitives.

CNP fraud is just online carding, and could be solved the same way. Magnetic stripe carding was solved by Chip-and-PIN's asymmetric cryptography. Each transaction is digitally signed in the chip before being sent across to a terminal, making the transaction specific to both the session and the card, and thus non-replayable. The very same chip could be used to digitally sign CNP transactions sent from browsers or mobile devices over the Internet to a merchant server, to prevent replay attack and CNP fraud, and thus neutralise the black market in stolen card details.

If we used personal smart technologies to sign transaction data sent to merchants, then we would prevent replay attack at its roots. We could then preserve the entire four cornered settlement model, and avoid the legal and technological complexity engendered by 3D Secure etc. It's nuts that we don't leverage chips to perform the same security services in the online channel as they do in offline.
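The signed-transaction scheme sketched in the post and in Stephen's reply above, as an added example that is not part of the original page or of any Lockstep product: a Go program in which a simulated chip signs a CNP order and the merchant rejects a replayed copy, an altered amount, or a signature from someone who holds only the stolen card details. The Ed25519 key pair standing in for the card's key, the merchant-issued nonce, the sample card number and all type and function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Transaction is what the chip signs; Nonce is a one-time challenge issued by
// the merchant for this session, so a captured signature is bound to it.
type Transaction struct {
	PAN, Merchant, Nonce string // PAN is a constructed sample card number
	AmountCents          int64
}

// bytes is the canonical message that is signed and verified.
func (t Transaction) bytes() []byte {
	b, _ := json.Marshal(t) // strings and an int64 cannot fail to encode
	return b
}

// Chip stands in for the smartcard, SIM or TPM; the private key never leaves it.
type Chip struct{ priv ed25519.PrivateKey }
func NewChip() (*Chip, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Chip{priv: priv}, pub, err
}
func (c *Chip) Sign(t Transaction) []byte { return ed25519.Sign(c.priv, t.bytes()) }

var ErrBadSignature = errors.New("signature invalid: forged or altered")
var ErrReplay = errors.New("nonce already used: replayed transaction")

// Merchant checks each order against the public key on file for its PAN
// (certificate-path details skipped, as in the post) and honours a nonce once.
type Merchant struct {
	Keys map[string]ed25519.PublicKey
	Used map[string]bool // consumed nonces; caller initialises the map
}

func (m *Merchant) Accept(t Transaction, sig []byte) error {
	pub, ok := m.Keys[t.PAN]
	if !ok || !ed25519.Verify(pub, t.bytes(), sig) {
		return ErrBadSignature // stolen card details alone cannot produce this
	}
	if m.Used[t.Nonce] {
		return ErrReplay // a captured valid signature is useless a second time
	}
	m.Used[t.Nonce] = true
	return nil
}
```

In a real deployment the merchant would look the public key up through the card issuer's PKI rather than a local map, and the nonce store would be per merchant and time-bounded.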

