This month, we saw Europol’s launch of EC3, the new European Cybercrime Centre that aims to be at the heart of combating cybercrime in the EU.
As I blogged back in July 2012, it’s fantastic the EU recognise cybercrime as a serious enough issue to warrant a dedicated centre. In my opinion EC3 can help protect Europeans and businesses against mounting cyber-threats by focusing on illegal online activities
carried out by organised crime groups, especially attacks targeting e-banking and other online financial activities. My thoughts on this initiative are that it is a perfect backdrop against which to promote an awareness campaign to educate and fight fraud,
whilst as an industry we move to a new paradigm of fraud detection and prevention.
Europol being at the centre of EC3, my confidence was somewhat eroded by Europol’s recommendations for preventing cybercrime on cross-border card fraud. Although Europol is not EC3, it does directly influences its workings. So what did Europol say?
Europol’s statistics reveal that card fraud on EU issued cards is a hefty 1.5 billion euros a year. A good chunk of this - 600 million euros to be precise - is attributed to card-present (CP) fraud, the vast majority of which is perpetrated outside of the
EU, in non EMV-compliant countries.
Now what Europol suggests, is that all EU issuing banks should geo-block EU issued EMV cards. In short, this means cards should not be allowed to work in non-EMV countries without the magnetic strip being explicitly reactivated.
I have to disagree with this recommendation. It’s a blunt instrument which loses sight of the bigger picture.
What is not being taken into account within this report is that EU issuing banks already lose large amounts of their travelling customers through aggressive cross-border decline policies. Those using practices such as “travel flags” still incur administrative
costs and the wrath of their customers and ultimately provide no guarantee that the card will not be blocked and can also be exploited by fraudsters. There is a cost to banks and their customers today from excessive cross-border declines which does not feature
in the aforementioned 600 million euros.
The solution is surely less cross-border declines, not more. This doesn’t mean that the fraud problem will be ignored. Security technology exists today to tackle this problem from both sides, namely, fraud prevention and false-positive (decline) reduction.
Importantly, the technology does not require the EU banking industry to break the fundamental tenant of universal acceptance or to incur ever more overheads which will, eventually be passed onto the consumer.
The way the security solution can work is to use Proximity Correlation Logic (PCL) as one of the multiple factors of authentication. By using a mobile phone, PCL can detect if a cardholder is not where the transaction is being made in non-EU countries. What’s
more, the solution has been granted a prestigious European Privacy Seal given its strict adherence to EU data protection legislation.
Rather than banks spending more at the back-end on investigations and card re-activations, we should be looking to reduce both cross-border fraud and excessive declines at source.
The purpose of EC3 is to encourage discussion about the best possible security solutions to fight cybercrime, but these discussions need to take into account business practicalities and consumer convenience. I urge the centre to rethink Europol’s recommendation
on cross-border CP crime as a prime example of collaborative thinking in the fight against cybercrime.