Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories ยป

Channels

Security Payments
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

An article relating to this blog post on Finextra:

FSA chides financial institutions for data security lapses

The Financial Services Authority has warned UK institutions to improve their data security practices after a review of systems and controls at 39 firms uncovered slipshod practices at banks, building...

See article

Regulators chasing their tail over data security lapses

 

Reading between the lines, regulators will continue to take a big stick to institutions that leak personal data.  And so they should.  But there must be a more artful approach to stem the flood of stolen ID data.  As a security professional, I am aghast at the never ending obsession with policy and process as the only weapons to fight ID theft.  That is, why do we think that beefed up security policies, staff training, audits, regulations and so on will make any fundamental difference? What about a bit of prevention?

IDs get stolen because IDs are valuable.  Look at the cyber crime clearing houses where personal data records including mothers maiden names, CCV2s and billing addresses are traded in parcels of 100,000 or more for a few dollars apiece.  Card Not Present fraud is growing at 40% p.a. in the UK and elsewhere, and is now the dominant form of payment card fraud.  To organised crime, it's childsplay -- vastly easier than hacking into Internet bank accounts and moving funds around.  Instead, just take stolen cardholder's account details and play them over the Inetrnet to a web merchant.  

It is high time that proper protections were put in place to prevent the replay of stolen IDs.  Only by rendering stolen IDs worthless to criminals will we cut ID theft. 

Stephen Wilson
Lockstep Group

Lockstep Consulting provides independent specialist advice and analysis
on authentication, PKI and smartcards.  Lockstep Technologies develops
unique new smart ID solutions that safeguard identity and privacy.

3815

Channels

Security Payments
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (2)

A Finextra member
A Finextra member 29 April, 2008, 09:11Be the first to give this comment the thumbs up 0 likes

Dare I say "there is an easy solution'.

The question is, do you sell it to a bank or banks, buy a bank, become a bank or do it for all banks?

What course of action would you propose? Remembering it's the 21st century.

Report abuse
Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 01 May, 2008, 01:55Be the first to give this comment the thumbs up 0 likes Dean Procter asked: "The question is, do you sell it to a bank or banks, buy a bank, become a bank or do it for all banks?"

I do believe the best hope for a solution to ID theft (including CNP fraud) is through safeguarding personal details in chips, be they EMV cards, SIMs, other smartcards, perhaps TPM chips [There are huge latent benefits to be had in applying government ID cards to secreting and notarising personal identifiers, protecting citizens from cyber crime, which would go a long way to redress community angst that ID cards don't really deliver much good to the individual.] 

But the most practical way forward, short term, would be for EMV card issuers to use their chips to secrete and notarise customer details for use online. Compared with using cards in unconnected readers to generate OTPs, this is a far more powerful and scalable way to leverage EMV cards into the online world. It could shore up 3D Secure (by hardening the personal details) or offer an alternative to 3D Secure, by sending notarised cardholder details direct from chip to merchant server. 

How to "sell it"?  EMV cards could be "Specially Personalised" [marketing speak!] for secure online payments, perhaps for a small fee levied annually against the cardholder.  Merchant sites could accept smartcard-notarised payments with very simple updates to their commerce servers.  For a bank to go ahead on its own with this, it might have to work with select merchants, through the acquiring side of its business, to have them preferentially accept such specially personalised cards (as opposed to regular CNP) for web transactions. Payment gateways could be important players; in many jurisdictions they act as systems integrators for merchant commerce servers, so they could make the necessary web site updates. 

Merchants, issuer and customers alike would all enjoy reduced exposure to fraud. Ideally that sort of proposition should 'sell itself' ;-)

Cheers,

Stephen Wilson.

 

Report abuse
Join the discussion
Stephen Wilson

Stephen Wilson

Managing Director

Lockstep Group

Member since

24 Apr 2008

Location

Sydney

Blog posts

34

Comments

181

More from Stephen

Blog post

Now is not the time to go soft

Blog post

How much worse can CNP fraud get?

Blog post

Credit card numbers are like nitroglycerine

Blog post

Banks really know their customers

Community
See all blogs »
Digital Identity Management 

Computerized Trust: How Machines Establish Our Identity

Robert O'Farrell

Robert O'Farrell

Payments strategies 2015-2020-2030 

Combatting Fraud in Payments: Essential Strategies for Issuing Banks Facing Dispute Challenges

Fatemeh Nikayin

Fatemeh Nikayin

Digital Identity Management 

The Foundations of Identity Verification: Trust and Its Pillars

Robert O'Farrell

Robert O'Farrell

Exposing Financial Crime 

The answer to solving financial crime lies in data

Michiel Droogsma

Michiel Droogsma

Now hiring

See more