
POS fraud, E-Commerce challenges, Consumer confidence?

A report in The Telegraph earlier this month (http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html) described the international scale of what is known as a “supply chain attack”: Chip-and-PIN readers tampered with before they ever reach a shop, then used to harvest card data across the globe. It makes me question again just how secure POS payments really are. My previous post on the evolution of mobile payment processes described how voice signatures can secure on-the-go payments; the same principles would work at the POS as well.

According to the report, the tampered POS authorisation terminals, unlike rigged ATMs, look identical to their legitimate counterparts, because the tampering is done during the manufacturing process. At one plant, a production line operator was apparently heard singing, “One chip for MasterCard, one for Visa and one for me”! As Chip-and-PIN terminals are becoming the standard method for authorising physical purchases in the UK, we can only hope that this practice has not become widespread, although similar problems are now appearing in an advanced form within e-commerce, in this case around Verified by Visa password resets (http://www.theregister.co.uk/2008/10/23/vbyv_password_reset/).

In the current financial climate, the whole question of whom we trust has become a serious issue on a global scale. That lack of trust is heightened by fraud against POS and e-commerce payments, and it damages the reputation of financial organisations and merchant authorisers. Consumers may even avoid paying for products with cards out of fear that their details will be cloned and sent to fraudsters abroad on a regular and systematic basis. This is a risk that banks and card manufacturers cannot afford when consumer confidence in the financial services industry as a whole is at an all-time low; in a recent Harris poll, well over 50% of UK consumers said that they no longer trust chips, PINs and bank passwords.

Security systems evolve either just behind the fraudsters or, for a short period, just in front of them. Rather than developing a new range of Chip-and-PIN terminals or paying a large sum for ramped-up security at manufacturing plants, adding the ability to authorise a transaction concurrently with a voice signature might work. It could even be offered as a value-added service to consumers who opt in to sign. After all, that is exactly how banking used to work when we all had to sign cheques! One caveat: a concurrent voice authorisation protects the transaction being signed; it does not stop a tampered terminal from harvesting card data for use elsewhere, a point the comments below take up.

Using voice signatures, it is easy to move away from the existing single-solution, single-security-fix paradigm and to fix and simplify many issues at once. Giving control over signing transactions back to the consumer really is the logical step; after all, it's their money!


Comments: (9)

A Finextra member, 29 October 2008, 04:17

Agreed Nick, the fraudsters are very smart, fast, adaptive and they use the same mechanisms to defeat ID authentication checks that are used by the financial organisations that create them.  It's rather like the sports branding game...the likes of Nike and Adidas employ manufacturing organisations to create their genuine branded goods but someone (or most likely more than one person) on the inside produces twice as many and sells the other half to shonky retailers.  So how do you overcome this insider issue?  With a change to the authentication paradigm...it's that simple.

Oh yes, I'm afraid that voice recognition, although useful, has problems - the process is too slow...not quick enough to match patterns, and if you include other checks to ensure that the voice is not a recording, then it becomes even slower...and more problematic and clumsy for the customer.

I agree with your issue...but the solution is not voice.

A Finextra member, 29 October 2008, 11:35

The root cause for many fraud scenarios is the vulnerability of some underlying channel - which can even be the supply chain bringing those nice POS devices into stores.

Security can be added by using not only a single transaction channel, which can be tampered with more or less easily. Shortly after the invention of the telephone, callback procedures were put in place to protect against related scams ...

And mobile phones, being ubiquitous today, can easily also be used to verify the identity of a person or to authorise a transaction that was initiated via another channel, e.g. via the Internet.

 

A Finextra member, 29 October 2008, 17:19

APACS stated that they do not promote any particular technology or solution.

After reading The Register news article, it sure reads like APACS is more than promoting VBV/3DSecure/UCAF/SPA. While VISA and Mastercard refused to comment, APACS got quite busy defending VBV.

What is APACS' charter, exactly?

A Finextra member, 29 October 2008, 20:16

There are MANY solutions, some that are actually effective in eliminating card skimming and card not present fraud.

But once a 'system' is mandated by a big card scheme, banks then don't have much of a choice other than to deploy it. This then sets back the market, especially if the system being mandated is not efficient. Obviously this also blocks the usage of more appropriate and more effective systems. This, I believe, is what allows fraudsters to stay ahead.

Like most economists would say, "If a company is too big to fail, it's too big. If a company is too big to mandate the course of doing business, then it's too big."

If a company is too big that it can enforce an ineffective product or solution into the market, then it's too big. 

Strong competition is an essential aspect of well-functioning markets. The lack of competition in providing better solutions or products is therefore making it difficult to provide QUALITY to the market. 

It seems a bit obvious that no one listens to consumers when solutions such as VBV are mandated.

In a well functioning market, a problem such as card fraud would have been solved years ago.

Card schemes earn each time cards with their labels are used. Financial institutions that provide the credit for these credit card accounts did not fare so well. So, it's really the banks that take the risks in issuing cards. It's also the banks that take the risk of losing customers when they mandate solutions (or anything, for that matter) to their customers.

It is time to provide quality systems and products that would make consumers feel more confident about financial institutions. A competitive bank would break away and offer its customers products and solutions which they will use because they serve them well, and not because they are forced to use them.

A Finextra member, 03 November 2008, 14:57

Once again we are looking at the symptom and believing it to be the problem.  It isn't the fact that the terminals are being fiddled with, it's the fact that fiddling with the terminals is actually very profitable.

The reason the POS devices are being tweaked is the fact that there is value in the information that can be harvested, and the information that can be harvested has value because of the non-implementation of the iCVV (a simple security feature that prevents data from the chip being used to create a mag stripe card).  If the chip contains an iCVV, as opposed to the CVV on the magnetic stripe, the only way to clone the card is to actually swipe it, which would be obvious to the cardholder (except, for example, in some older single slot card readers).

If the fraudsters couldn't get the required data, they wouldn't bother to infiltrate the factories - but they can and they do!  The use of the iCVV has been recommended from day one, and mandated since January this year, but at the last count there were still issuers who haven't implemented it.  But even those who complied with the mandate in January will still take 3 to 4 years to re-issue the whole cardbook, so there are still a few years left in the scam.

We shouldn't get hung up on the weakness of the technology, and we shouldn't whistle on about technological solutions, especially when the weakness is really caused by human stupidity.  

At the end of the day, however,  justice is done: it's an issuer error, and it's the issuers who are paying the price.  Fair's fair.

A Finextra member, 04 November 2008, 20:58

David said : ICVVs should protect..."(except, for example, in some older single slot card readers)."

But most ATMs and standalone POS are still single slot, especially the standalone ones....  Even with ICVV, mag-stripes are still skimmable using these ATMs and standalone POS.

Therefore it's not just a matter of issuers implementing ICVV, it's also a matter of upgrading ATMs and POS.

But as everyone knows there is a tug of war between chip/PIN and signature/mag-stripe. In the U.S., where cards are still signature-based, the fraud rate as stated by a VISA security executive is 1 out of 10,000 transactions (0.01%). In the UK, APACS' website states "fraudulent transactions make up 0.12% of all transactions".

My initial comment also relates to card not present fraud, and ICVV will not eliminate card not present fraud.

A Finextra member, 06 November 2008, 17:45

Interesting point, I had never really thought of an ATM as a magstripe harvesting tool, but yeah, looking at the way the card presentation mechanisms work, I can go with that.  I think it would be a little more difficult as the units aren't sealed, and so it should be easier to spot bits that shouldn't be there.  The modular construction also means that a number of different boards would need to be "tweaked", and that the "tweaked" boards may not all end up in the same machine, which would probably reveal the scam.  Having said that, history has recorded many cases of many less than honest ATM engineers, so maybe a potential there for the future.

Next time you are presenting your Chip and PIN card at a stand-alone POS (as opposed to a PIN entry device, or PED), have a look at the "single-slot" POS.  You will find that the slot only reads the chip - the mag stripe reader is usually to be found along one side, the top or the bottom of the device, which means that the cardholder will probably spot any odd card-swiping activity - or one would hope so.  The single slot card readers I am referring to can be found in NEXT stores, and in Maplin, and a few more that I can't recall - these devices are PEDs, and are unusual in that they read the mag stripe, but most PEDs don't read mag stripes.

As far as the security figures go - pinch of salt time.  The last thing an issuer wants to be seen as is a target of fraud, and sometimes these things are played down in the reporting.  As for the reporting, you aren't comparing like for like: the US figures are 1 in 10k transactions (0.01% absolute), the APACS figures are 0.12% by value (not absolute).  I can't tell which is worse.  My gut feel, however, is that mag stripe is inherently the more risky approach; if you take out the CNP and cloning fraud from the latest APACS figures, fraud losses in the UK appear to be falling.

So, I think iCVV is still key, especially to the perceived security of Chip and PIN.  And, check out the stand-alone POS, but I don't think they are a risk as mag stripe readers.  ATMs look like they could be a possibility, but they will be a harder nut to crack.

And you are right, of course, iCVV will not prevent CNP fraud, but then CNP fraud is not a Chip and PIN fraud.

A Finextra member, 07 November 2008, 11:33

David, perhaps you missed the video interview of Elliot Castro here in finextra. This ex-fraudster explains why clones of pin-based cards are easier to use. 

"David Robertson, publisher of The Nilson Report, a trade newsletter that tracks the payment industry, estimates that $1.24 billion was lost to fraud in 2007 in the United States, up from $1.14 billion in 2006. But in both years, that works out to just 5.7 cents for every $100 that customers charged on their credit cards."  Card Fraud in the U.S. = 0.057% of transactions, by value.

According to APACS, for UK : "fraudulent transactions make up 0.12% of all transactions, by value". 

A Finextra member, 10 November 2008, 16:29

I have listened to the interview, and the one on YouTube (192).  Elliot clearly refers to the creation of mag stripe clones, as he says you can't clone the chip!!  The mag stripe clone is ONLY a possibility if CVV=iCVV, and as I keep saying, that is 100% down to the issuer.  If the issuer has used an iCVV, a cloned magstripe will be spotted EVERY time.

Elliot's interview also referred to the boffins at Cambridge, and as I have said many times, they have a lot of technology at their disposal, and if C&P was crackable, we would have read about it in the Daily Mail. 

The most striking thing that Elliot said, and this is why we should stop looking at the chip and start to look at social interactions, was that he used to work in a call centre and used his privileged position to collect personal information.  He also called people and queried their recent transactions, collecting information in the process.

He made good use of the trust people have in their banks, but he didn't crack EMV.

Any more info on the US fraud?  The piece that you quote refers to estimates, whereas the UK figures are real (Hmmm?); but if you remove the CNP and mag stripe cloning from the UK figures, the UK fraud sits at around 0.06%, and appears to be falling.  I am probably going to get some stick for saying this, but I don't really trust Yankee Doodle accountancy. 

:o)
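The iCVV argument made in the 3 November and 10 November comments, and the single-slot limitation raised on 4 November, come down to one issuer-side check, worked through here as an added example that is not part of the post or of any commenter's text. The real scheme derives the three-digit check value with DES under the issuer's Card Verification Keys; this stand-in uses HMAC-SHA256 so it runs offline (an assumption, stated in the code). The card number, expiry, service code and key are constructed sample values. What the example shows is the part that matters to the thread: the stripe CVV is computed over the card's real service code, the chip's copy (iCVV) over service code "999", so a stripe written from chip data fails recomputation, while a skim of the genuine stripe does not.

```python
"""Issuer-side CVV / iCVV verification of a magnetic-stripe transaction.

Stand-in derivation: HMAC-SHA256 in place of the DES-based CVV algorithm
(assumption, so the example needs no DES library). The inputs and the
comparison are what the thread is about, not the cipher.
"""
import hashlib
import hmac

ICVV_SERVICE_CODE = "999"  # EMV convention for the chip copy of the CVV

# Constructed sample card and a placeholder for the issuer's CVK pair.
CVK = bytes.fromhex("0123456789abcdeffedcba9876543210")
PAN = "4111111111111111"
EXPIRY = "1012"        # YYMM
SERVICE_CODE = "201"   # chip-preferred international card


def derive_cvv(cvk: bytes, pan: str, expiry: str, service_code: str) -> str:
    """Three decimal digits over PAN || expiry || service code.

    Mirrors the real scheme's digit extraction: decimal digits of the hex
    output first, then A-F mapped to 0-5 if fewer than three were found.
    """
    msg = (pan + expiry + service_code).encode()
    digest = hmac.new(cvk, msg, hashlib.sha256).hexdigest().upper()
    digits = [c for c in digest if c.isdigit()]
    if len(digits) < 3:
        digits += [str(ord(c) - ord("A")) for c in digest if c.isalpha()]
    return "".join(digits[:3])


def personalise(cvk: bytes, pan: str, expiry: str, service_code: str,
                use_icvv: bool = True):
    """Return (magnetic-stripe Track 2, chip Track 2 Equivalent Data).

    With use_icvv=False the issuer has simply copied the stripe CVV into the
    chip, which is the non-implementation the thread complains about.
    """
    def track2(cvv: str) -> str:
        return f"{pan}={expiry}{service_code}{cvv}"

    stripe_cvv = derive_cvv(cvk, pan, expiry, service_code)
    chip_cvv = derive_cvv(cvk, pan, expiry, ICVV_SERVICE_CODE) if use_icvv else stripe_cvv
    return track2(stripe_cvv), track2(chip_cvv)


def parse_track2(track2: str):
    """Split PAN=YYMM SSS CVV into its fields."""
    pan, rest = track2.split("=")
    return pan, rest[:4], rest[4:7], rest[7:10]


def issuer_authorises_swipe(cvk: bytes, presented_track2: str) -> bool:
    """Recompute the CVV with the service code actually on the stripe and
    compare it with the CVV field that was read."""
    pan, expiry, service_code, cvv = parse_track2(presented_track2)
    expected = derive_cvv(cvk, pan, expiry, service_code)
    return hmac.compare_digest(expected, cvv)


def clone_from_chip_data(chip_track2_equivalent: str) -> str:
    """What a tampered terminal yields: the chip's Track 2 Equivalent Data,
    written verbatim onto a blank magnetic stripe."""
    return chip_track2_equivalent


def scenarios() -> dict:
    """Outcomes of the cases discussed in the comments."""
    results = {}
    # Issuer that followed the mandate: the chip holds an iCVV.
    stripe, chip = personalise(CVK, PAN, EXPIRY, SERVICE_CODE, use_icvv=True)
    results["chip_clone_icvv"] = issuer_authorises_swipe(CVK, clone_from_chip_data(chip))
    # Genuine swipe, or a skim of the real stripe by a single-slot reader:
    # the stripe carries the real CVV, so iCVV cannot help here.
    results["real_stripe_icvv"] = issuer_authorises_swipe(CVK, stripe)
    # Issuer that has not implemented iCVV: chip data makes a working clone.
    _, chip0 = personalise(CVK, PAN, EXPIRY, SERVICE_CODE, use_icvv=False)
    results["chip_clone_no_icvv"] = issuer_authorises_swipe(CVK, clone_from_chip_data(chip0))
    return results


if __name__ == "__main__":
    for name, authorised in scenarios().items():
        print(f"{name}: {'authorised' if authorised else 'declined'}")
```

The check only bites when the issuer actually recomputes the CVV on every magnetic-stripe authorisation and declines on mismatch; a clone with a correct PAN and expiry but the wrong check value is otherwise indistinguishable from the real card. As the 4 November comment notes, a reader that swipes the genuine stripe gets the genuine CVV, so iCVV closes the chip-dump path and nothing else.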

Nick Ogden
Founder and Chief Executive, RTGS.global

This post is from a series of posts in the group: Innovation in Financial Services