29 November 2014

PCarroll

Pat Carroll - ValidSoft

78 | posts 278,643 | views 40 | comments

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Could EC3 help Europol see sense?

25 January 2013  |  4634 views  |  0

This month, we saw Europol’s launch of EC3, the new European Cybercrime Centre that aims to be at the heart of combating cybercrime in the EU.

As I blogged back in July 2012, it’s fantastic the EU recognise cybercrime as a serious enough issue to warrant a dedicated centre. In my opinion EC3 can help protect Europeans and businesses against mounting cyber-threats by focusing on illegal online activities carried out by organised crime groups, especially attacks targeting e-banking and other online financial activities. My thoughts on this initiative are that it is a perfect backdrop against which to promote an awareness campaign to educate and fight fraud, whilst as an industry we move to a new paradigm of fraud detection and prevention.

Europol being at the centre of EC3, my confidence was somewhat eroded by Europol’s recommendations for preventing cybercrime on cross-border card fraud. Although Europol is not EC3, it does directly influences its workings. So what did Europol say?

Europol’s statistics reveal that card fraud on EU issued cards is a hefty 1.5 billion euros a year. A good chunk of this - 600 million euros to be precise - is attributed to card-present (CP) fraud, the vast majority of which is perpetrated outside of the EU, in non EMV-compliant countries.

Now what Europol suggests, is that all EU issuing banks should geo-block EU issued EMV cards. In short, this  means cards should not be allowed to work in non-EMV countries without the magnetic strip being explicitly reactivated.

I have to disagree with this recommendation. It’s a blunt instrument which loses sight of the bigger picture.

What is not being taken into account within this report is that EU issuing banks already lose large amounts of their travelling customers through aggressive cross-border decline policies. Those using practices such as “travel flags” still incur administrative costs and the wrath of their customers and ultimately provide no guarantee that the card will not be blocked and can also be exploited by fraudsters. There is a cost to banks and their customers today from excessive cross-border declines which does not feature in the aforementioned 600 million euros.

The solution is surely less cross-border declines, not more. This doesn’t mean that the fraud problem will be ignored. Security technology exists today to tackle this problem from both sides, namely, fraud prevention and false-positive (decline) reduction. Importantly, the technology does not require the EU banking industry to break the fundamental tenant of universal acceptance or to incur ever more overheads which will, eventually be passed onto the consumer.

The way the security solution can work is to use Proximity Correlation Logic (PCL) as one of the multiple factors of authentication. By using a mobile phone, PCL can detect if a cardholder is not where the transaction is being made in non-EU countries. What’s more, the solution has been granted a prestigious European Privacy Seal given its strict adherence to EU data protection legislation.

Rather than banks spending more at the back-end on investigations and card re-activations, we should be looking to reduce both cross-border fraud and excessive declines at source.

The purpose of EC3 is to encourage discussion about the best possible security solutions to fight cybercrime, but these discussions need to take into account business practicalities and consumer convenience. I urge the centre to rethink Europol’s recommendation on cross-border CP crime as a prime example of collaborative thinking in the fight against cybercrime.

TagsCardsSecurity

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Pat

Chip and Signature, a Paradise Lost

28 October 2014  |  2776 views  |  2  |  Recommends 1 TagsCardsPaymentsGroupDisruption in Retail Banking

Payment Card Data Theft At The POS - Time To Knuckle Down

13 October 2014  |  3358 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

More Channels, More Payment Options, More Fraud

23 September 2014  |  1059 views  |  0  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

iHack Hastens Call for Multi-factor Authentication

05 September 2014  |  2560 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInformation Security
name

Pat Carroll

job title

Founder/Executive Chairman

company name

ValidSoft

member since

2011

location

London

Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisat...

Pat's expertise

What Pat reads
Pat writes about

Who is commenting on Pat's posts

Melvin Haskins
Ketharaman Swaminathan
Kenneth Carnesi
Andrew Smith