02 September 2014

Pat Carroll - ValidSoft

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Ignorance is folly when 'tis bliss to be wise!

10 January 2014

This itnews.com article sheds a different and interesting light on the methods now being deployed by the fraudsters. These latest tactics are designed specifically to outwit risk engines. A risk engine works on the principle that if a transaction seems “normal”, it will generally be approved. Of course there are other checks that the risk engine will perform, but a transaction that “appears” to originate from the locality where the card is normally used will not generally look unusual to the risk engine, and the probability that it will be approved is considerably improved.

So, the Target hackers have taken to selling location usage data alongside the card data, and can charge a premium for such data. It is a value-added service to the fraudsters and clearly a strategy that is paying off. Fraudsters are paying anything between $20 and $100+ for a skimmed Target payment card – location data has added a premium to what the fraudsters charge. That puts the “value” of the 40 million+ payment cards stolen from Target at between $800 million and $4 billion! If we assume that their ROI is a minimum of 10 times their “investment”, then we are looking at a fraud value of between $8bn and $40bn. Who says that crime does not pay? The cost to the industry is substantially more, and it is estimated that the absolute cost of fraud (the $ value) is only 30% of the total cost to the industry. So, now we are looking at between $27bn and $134bn for the Target breach. OK, they won’t be 100% successful, but even if they only achieve 20% success we can expect the industry to wear costs of between $5 billion and $27bn. A staggering $ impact for a single data breach! No wonder we hear that class actions are being prepared and knives being sharpened. The outlook for Target, an unfortunate company name to say the least, is bleak!

So, the fraudsters’ decision to add location data is a clever extension of the old skimming techniques (which of course will continue). The current implementation is simplistic but already proving to be successful and, as we have seen, the fraud community is quick to exploit opportunity. We should therefore expect that as their methods evolve, they will become more sophisticated. The tools to achieve this are already out there in various forms, and the ability of the fraud community to mobilise such resources is without question.

Industry analysts seem surprised by the evolution to payment card data + location data, but we predicted this progression some time ago, and it is of course a logical progression from current skimming techniques. The solution to this type of attack requires real-time, reliable (i.e. trusted), granular location data, where the information to validate a transaction within the Authorisation Step is immediately available, invisible to the consumer, and totally privacy sensitive. Such counter-technology is already available in the market today. Mindsets need to change. If your defence security mechanisms are based solely on keeping the bad guys out, then you have already lost the battle, and possibly the war!
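
A minimal sketch of the argument above, added here as an illustration and not taken from the post or from any vendor's product: a locality-only rule approves a card presented near its usual area, while a check against a trusted, fresh location fix from the cardholder's own device does not. The function names, thresholds, decision labels and coordinates are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

Coord = Tuple[float, float]   # (latitude, longitude) in degrees
LOCALITY_KM = 50.0     # assumed radius of the card's "normal" usage area
PROXIMITY_KM = 5.0     # assumed max terminal-to-device distance
MAX_FIX_AGE_S = 900    # assumed freshness limit for a device location fix

@dataclass
class DeviceFix:
    coords: Coord
    age_s: int       # seconds since the fix was taken
    trusted: bool    # True if from a source the issuer trusts, not self-reported

def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def locality_only(terminal: Coord, home: Coord) -> str:
    """Baseline: a transaction near the card's usual area looks normal."""
    return "approve" if haversine_km(terminal, home) <= LOCALITY_KM else "review"

def with_device_location(terminal: Coord, home: Coord,
                         fix: Optional[DeviceFix]) -> str:
    """Corroborate the terminal location against the cardholder's device."""
    if fix is None or not fix.trusted or fix.age_s > MAX_FIX_AGE_S:
        # A stale or untrusted fix proves nothing: fall back to the baseline.
        return locality_only(terminal, home)
    near = haversine_km(terminal, fix.coords) <= PROXIMITY_KM
    return "approve" if near else "decline"

# Constructed sample data (not from the post)
HOME = (44.98, -93.27)                  # centre of the card's usual area
TERMINAL_NEAR_HOME = (44.95, -93.10)    # card presented close to home
DEVICE_ELSEWHERE = DeviceFix((41.88, -87.63), age_s=60, trusted=True)

if __name__ == "__main__":
    print("locality only:", locality_only(TERMINAL_NEAR_HOME, HOME))
    print("with device  :",
          with_device_location(TERMINAL_NEAR_HOME, HOME, DEVICE_ELSEWHERE))
```

When the fix is stale or untrusted the sketch degrades to the locality rule, so the freshness and trust of the location source decide how much the second check is worth.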

 
