For Finextra's free daily newsletter, breaking news and flashes and weekly job board.
It is a fair question. Most fraud is card based, law enforcement claims money from fraud goes to fund terrorism (and drug, etc). Customers have to wonder at the real price of the billions of dollars in fraud. Are you inadvertently giving money to terrorists
when you participate in card networks?
How much of card-holders money gets to fund terrorist activities?
The question is whether you can afford any of your money going to support terrorism. The September 11th attacks on the US were estimated by the 9/11 commission to have been funded for between $400,000 and $500,000.
Since 2001, fraud was probably enough to have funded 10,000 attacks like 9/11.
Although not all fraud goes to support terrorists, how much does?
10%, 120%, 30%?
1% is still enough for 9/11 x 100.
It seemed relevant to mention it after news and intelligence reports that suggest there will be a resurgence of attacks against the western countries, possibly as a way to revive their flagging relevance amongst would be extremists. Particularly worrying is
the news that the attacks may be carried out but as many as thousands of disaffected would-be terrorists already within the target countries.
How much of your money has gone to fund terrorist attacks against your own or another friendly country? Have you been the victim of fraud? Do you know where the money went?
If it means stopping using leaky and poorly secured financial systems and going back to the branch and cash, it is probably worth it, at least the only place your funding neighbour's job at the local branch. The banks can't get it together with fraud risk,
just like they couldn't get it together with credit risk, why let all that money add to the terrorism risk? The anti-money laundering laws are aimed at just that problem, and compliance has cost millions but unless we close the loop it will all have been wasted.
Someone has to ask the question before, rather than after, billions more of our money goes to terrorists and criminals. Look how much 9/11 cost us all. Anyone fancy a hundred or a thousand more such attacks?
I'd suggest that the first step would be to stop financing it. Governments need to get together and make a concerted effort at fraud reduction and practical identity protection. While you're bailing the banks out would be an opportune time.
Until then, you are probably safer all round going back to cash. I don't remember their being billions lost in muggings before we all had the fancy cards.
Dean, now you're really scraping the bottom of the barrel.
I could quote endlessly from intelligence reports, and evidence collected from arrested terrorists, but that won't stop some people from keeping their head in the sand.
local paper has an article today suggesting that in Oz the fraud is running at around $500 million. Perhaps you know where the money has gone? Perhaps even the
Oz government is scraping the barrel too?
Closer to home for you, perhaps a read isn't necessary, but one of the key Bali bombers (who I refuse to name) wrote a 'manifesto' while in prison with a chapter entitled 'Hacking, Why Not'. He urged fellow Jihadists to look at the US computer network as
being vulnerable to hacking, credit card fraud, and money laundering.
The chapter did not focus on specific techniques. It focused on how to find techniques on the Internet and how to connect with people in chat rooms to perfect hacking and carding skills. It was a course of study for aspiring hackers and carders. He
discussed the process of scanning for websites vulnerable to hacking and then went on to discuss the basics of online credit card fraud and money laundering.
The Timesonline suggests that
mortgage fraud is potentially contributing too.
Terrorists and criminals are conning British banks out of £700 million a year to help to finance their illegal activities, a police report has revealed.
An intelligence report by the Association of Chief Police Officers said that organised crime groups used mortgage fraud to generate income and launder money from the proceeds of their operations, such as drugs, human trafficking and prostitution.
What was the purpose of all that
Anti-Money Laundering stuff? Why do we have
There may even be a
cost to your brand.
Some of those sites are relevant to payment industry professionals. You might have a look.
I'm just for making the world a little safer. We have to start somewhere and it's clear that, so far, progress is pretty dismal.
I well know the connection between cybercrime and terrorism financing. What I object to is your line that one should feel guilty about using a credit card because some of the proceeds of crime might be passed on to terrorists.
The implication -- given the backdrop of your long, long thread of anti-card, pro-mobile grandstanding -- is that if we switch to Transinteract, we'd be, what, purer, as well as more secure?
On Finextra, you have made a string of glorious yet utterly unsubstantiated claims for your technology, at one point even having the temerity of putting a price on it. You have avoided answering my many questions about what it actually does or how it actually
works. As a security professional I find this objectionable; in the absence of any details, I have to say you're posturing. But when you drag terrorism into the mix, you're stooping very low indeed.
Stephen, I wasn't suggesting we feel guilty, I am suggesting we fix it.
As for divulging proprietary information, I'll give you the same answer you might get were you to ask:
Google, What's your new search algorithm?
Steve Jobs, what's your real plan for the iphone3?
There is probably more than one way to skin that mobile cat, and like Google and Apple, I am happy enough with my competitors giving it their best shot without my help. I'd even go so far as to say some of their proposed mobile solutions are an improvement
on the current practices. I have even more faith in my own.
"most fraud is card based"? Really?
Didn't Jerome Kerviel defraud £3.7 billion? Nick Leeson had a fair go too a few years back. Isn't most fraud corporate or "rogue traders" it's just not as much fun to report?
I'm glad someone has said it and you put it so much better than I could.
You must accept that there is no silver bullet for combating fraud you can only take a layered approach. Mobile technology may have a part to play but it is not THE answer. The usability of your product is where it will succeed or fail and like Stephen I
have no idea what the process is [you don't say or even give a clue on your website] but a large UK retailer has a simple formula for testing a new technology "every second it adds to the checkout time costs £1 million per annum". Chip and PIN actually saves
them time [don't have to count money or make change] and as far as they were concerned it paid for itself – fighting fraud and saving money a retailers dream. If your product adds time to the point of sale it won't meet with retailers' needs because they don't
see card fraud as their problem to solve.
Perhaps you should hook up with Marite Ferrero because she also [from her posts] has THE answer to faud and it doesn't involve mobile phones. You can't both be right or is it that neither of you are.
Never mind card fraud - what about the threat from all these new fangled m-payment systems? More detail in
the mobile money laundry
Nick said : "Perhaps you should hook up with Marite Ferrero because she also [from her posts] has THE answer to faud and it doesn't involve mobile phones. You can't both be right or is it that neither of you are."
Thanks for including me, Nick. But I never excluded using mobile phones to secure card payments. In fact, I would rather receive OTPs via mobile than carry a card reader. And yes you are right, I do have the answer to card fraud.
Oh by the way, I also thought this idea of funding terrorism with cards was far-fetched until the first company I founded was invited to attend the crans montana forum in 2004. Look it up "CRANS MONTANA FORUM + CARD FRAUD". I recall that the forum was heavily
secured when we were there because Ministers from Iraq were also there attending it.
The idea of card fraud funding terrorism is not far fetched at all. It is real and has been for decades as it has been for criminals of all types.
"I'd suggest that the first step would be to stop financing it. Governments need to get together and make a concerted effort at fraud reduction and practical identity protection. While you're bailing the banks out would be an opportune time."
Dean on this one point I actually agree. Through governments and relevant industry bodies working together we can reduce fraud. The global adoption of EMV will reduce card present fraud, it will never remove it completely but will dramatically help. The
adoption of secured online transactions such as CAP will reduce card not present/internet fraud.
Increased checks and use of neural networks can help reduce card application fraud.
I am no expert in corporate fraud, mortgage fraud or any other for that matter but I am pretty sure governments can work together to reduce losses here.
It's all possible without the need to use a mobile
Firstly, as far as I am aware, the 'rogue traders' traders didn't defraud anyone by stealing money, they merely completed unauthorised trades. I don't know of any money being diverted to personal or terrorist's accounts - so that is irrelevant to the current
For those with their heads in the sand, some light reading. Those of you with access to the appropriate government departments may be more aware and can skip the reading.
Terrorism and Credit Card Information Theft
Terrorism's Hook Into Your Inbox -
Terrorist links to
commercial fraud in the United States ...
Credit Cards and Terrorists
Your Credit Card Could be Funding Terrorism
Credit-card fraud funding terrorists - UPI.com
Terrorists pay with credit cards
Financial Action Task Force OECD -
Credit Card fraud used to fund Terrorist Organization
American Chronicle |
Credit Card Fraud Is Funding Terrorist ...
As for Tesco.
The comment about checkout queues relates to the first thing anyone in the retail transaction business learns.
I am fully aware of the priority that stores place on fast transactions. Not all transaction systems are equal in satisfying this requirement. Enough said.
The 'change' line was a misdirection, where is the change in a mobile electronic transaction? It is no different than any other electronic transaction in that regard.
Marite has some positive ideas which perhaps just need a little tweaking in order to be more practical in the execution. There are some similar alternative approaches. Marite's objective is to reduce fraud. I applaud that.
It is a good plan for any (mobile) solution designer to understand the needs of law enforcement, and consider their contribution to the overall protection and safety of citizens. There is little doubt that this can be greatly enhanced by using the technology
already at our fingertips.
Some mobile transaction providers probably have a very good idea of the law enforcement issues. Perhaps the problem is that law enforcement haven't been made aware of the potential mobile transactions have in reducing these sort of risks.
I think there's a better plan than what is currently practised.
I don't really think that there is any question that there is room for improvement. Card transactions are already making attempts at incorporating the mobile as an additional security feature..just look at Visa.
Its great to see these points of view, and if one must take a position on it and not sit on the fence then I'll agree with the view that 'reducing the fraud' is the issue, and anytime now is a good time to do it.
But as Nick pointed out - its about what is good for the card networks, the issuers and the merchants, 'not' what is good for the consumer (or the planet). To these stakeholders it is affordable collateral damage. There are plenty of simple things that
would add security and reduce fraud, and not all of them involve delays at the POS. I for one would just like the option to receive an SMS every time my account is dipped into. I'd be prepared pay for the priviledge of doing my own fraud detection and it
wouldn't impact the sales process a jot.
You can argue (correctly) that this doesn't stop the fraud, it just detect it, so why bother? Well because as a customer I would feel better about it as a good option, and it can limit the degree of fraud, especially if combined with other controls like
user specified limits.
Now, as a declared interest, I'm into things-mobile, so I am as curious as some of you as to Deans claims. In the meantime, I'm happy to read the entertaining and thought provoking opinions. I too believe the mobile is for more than talk,text,time ; the
4th 't' just has to be 'transact'. It has to be convenient, cheap, trusted and timely (2CT ?) and until someone works out how to deliver this equation and make more money for someone, then adoption of the service is at risk.
Lastly, back to the question of why fraud isn't tackled more than it is - imho someone has to be made liable for the 'loss+cost'. i.e. make it hurt the pocket more and things will be done.
Unlike 3-party (merchant : cardholder : bank) protection schemes that are difficult to implement, cardholders can directly authenticate themselves with their issuing banks prior to doing card-not-present transactions, ATM transactions or cross-border card-present
transactions. I suppose we can call this a 2-party scheme (cardholder : bank).
A system that eliminates ATM, cross-border or card-not-present fraud by enabling cardholders to authenticate themselves directly with their issuing bank by using one-time use pin-codes has been around for a number of years. This system also enables cardholders
to enter their own limits and prohibitions. Authorization requests willl then be processed based on the normal checks and also these strongly authenticated cardholder limits and prohibitions. And you don't need EMV or CAP to do this.
Therefore, it has always been possible to close this breach that fraudsters have used to their advantage. Instead, the claim that only the global adoption of EMV will reduce card fraud has mislead not only consumers but merchants as well. Curiously, VISA
itself has stated that instead of changing over 12 million terminals in the U.S, money would be better spent on other fraud-fighting technologies.
ABOUT TESCO :
Although TESCO has also issued chip and pin co-branded cards, I was told that they request authorization for almost all card transactions that they process. It's not exactly helping the queue to go faster but they must have good reasons to request authorizations
almost 100% of the time.
Marite - just to be clear I did not claim that ONLY the adoption of EMV globally would reduce card fraud. I merely put it forward as an approach which is currently being adopted (to differing degrees) around the world. EMV has its faults and like the mobile
is not the 'silver bullet' it is at least a widely adopted fraud prevention method that people understand.
I love new technologies and embrace concepts that can a) reduce fraud, b) add value to customers, c) reinvigorate businesses. That is why I became involved in smart cards. I look forward to the day that I see a product/proposition that is proven to do all
of these and is widely adopted.
I certainly do appreciate the discussion too.
As I may have mentioned before, my interests have always included security, although primarily I'm into 'doing things easier' and often at lower cost.
In making something related easier (a way to buy) it was necessary to improve the security because of the high incidence of card-not-present fraud, and the possible impact it would have on the business model. In the process of solving that issue I realised
that we could 'make it even easier' by taking the card right out of the equation.
This might also have the benefit of reducing costs for the advertiser/merchant. In discussions with bricks-and-mortar merchants it became apparent that they had issues too.
The transaction system was then adapted to encompass the store and the internet, a little bonus on the original application, along with tickets, parking, identity, and a host of other applications.
Security is better (according to me), and the costs for merchants might be lower, additionally that may be the case for banks, depending on their involvement.
Given the difficulty in getting everyone together to agree, ie the banks, it was decided that a plan which did not require their 'approval' as such might have a better chance of success. A mobile solution which merely requires the co-operation of the merchants
(and not their money for infrastructure, with possibly lower fees) and equally the consumers getting additional security and convenience and other benefits, may have a better chance of success.
I don't know how anyone else has arrived at their particular approaches, however I really didn't have anyone but the merchant and the customer in mind. Of course we can secure card transactions, before the fact, rather than after, but I am not in the card
business, so that is not my priority and the card industry has not shown interest.
Perhaps that is the limitation of some other 'solution providers', they are already in the business and any 'solution' comes out of their environment, not as a fresh new approach to what the merchants and the customers want, utilising every aspect of the
fabulous modern technology available at our fingertips.
I see possibilities for both NFC and other mobile solutions to co-exist where there is a compelling business case, but I see mobile only eventually displacing the former and doubt that the opposite would be possible.
There are a lot of side issues such as fraud and terrorism, identity theft, privacy etc, and I have sought to address them, but I fail to see how keeping the card in the equation is good practice or business, except perhaps for a card brand.
I'm always willing to listen, and help.
Joe, no I was not referring to your particular comment. There are enough comments here in finextra and news articles all over that promote the holy EMV grail.
APACS, UK's card fraud statistic gathering body also frequently states that "as more countries follow UK's lead and upgrade to chip and pin, the opportunities for criminals to use stolen mag stripes and pin-codes overseas will decrease". A statement like
this coming from APACS whose charter is supposedly to co-ordinate activities to tackle payment-related fraud terribly misleads consumers, merchants and banks into thinking that chip and pin is the only solution. What would be great is if an organization such
as APACS truly plays neutral and lists all the available solutions in the market. It is only then that consumers, merchants and banks may get the chance to see what is possible and what is best for them.
Oh, by the way, UK followed France's lead when it comes to pin and chip.
Sure, I hear that some people don't want to enter their own limits. But most people do, specially for their debit and prepaid cards. Consumers have a different mindset with credit cards. Since its not their money, they'll just refuse to pay the bill if the
card transaction is fraudulent. Sometimes, they also refuse to pay the bill and pretend that the card transaction is fraudulent. This is where banks are now getting hit. Some insurance companies now refuse to pay for these losses. Perhaps these insurance companies
know that there are indeed other fraud fighting methods and waiting for worldwide EMV to happen is no longer a valid excuse. Some banks are now considering other systems since they are directly affected by card fraud. And these banks are prepared to enable
their cardholders to set their own 'strongly authenticated' limits and restrictions. The alternative, which is to second-guess their cardholders and block them in the process is a poor choice.
Marite, another benefit of using a mobile solution is that it can very effectively put the customer 'in' the transaction, rather than just the card or the number on it. This is likely to lead to less of the incidents you refer to.
Iit would be very difficult for a customer to repudiate the right type of mobile based transaction, if in fact they had carried out the transaction, and if they hadn't carried out the transaction, it would likely have failed and there probably wouldn't be
a transaction to repudiate anyway.
Setting limits has all sorts of connotations outside security, such as exceeding your limit and 'attracting' (to use bankspin) a fee.
The US is probably going to prevent card companies from allowing their customers to go overlimit, if it attracts additional fees, certainly not without notifying the account holder first.
It would seem that with cards there is no limit to the fees.
I have, in the very first instance, because of the nature of our original application for mobile transactions, included all sorts of easy to use, and change, limits on both transaction amounts and type, location etc, etc, and you are 'preaching to the converted'
albeit we already had it as a feature in the 90's. I am happy to allow customers to set their own limits provided they do so according to the correct procedure within our system. They won't need their credit card company or bank to empower them to do so. It's
Marite - I don't see how anyone can interpret the statement of fact from APACS (increase in global acceptance of EMV will decrease opportunity to clone mag stripes) can be interpreted as misleading or portraying Chip & PIN as the only solution.
Chip & PIN is currently the solution in force in the UK so they are merely reporting its percieved benefits. What else do you expect them to say?
Oh and thanks for the history lesson, I am well aware of the development path of smart cards though and the different implementations prior to EMV
Just for Joe's benefit, let's keep the discussion to fraud other than insider fraud. That opens up a whole can of worms, although proper procedures and (mobile) authentication can certainly reduce the opportunities. There is probably little difference between
occasions where someone might have made bad investments and cost a bank billions of dollars and tried to hide it, and what the 'rogue traders' did. I believe most institutions have learned a thing or two since then.
Dean. Happy to keep to the topic away from insider fraud. Merely challenging your opening statement that "most fraud is card based".
If you don't like being challenged maybe post blogs that you can substantiate.
Joe certainly wins that one. Bernie Madoff has pushed fraud to new heights. $75B is unlikely to be eclipsed by even the most determined fraudsters - unless they have very good connections in government.
Card fraud is only peanuts. The real fraud is the banking system.
19 Mar 2009
This post is from a series of posts in the group:
A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.