Blog article
See all stories ยป

An article relating to this blog post on Finextra:

US retailers face $100bn in ID fraud losses a year - study

US retailers rack up around $100 billion in identity fraud losses every year, absorbing nearly 10 times the cost incurred by financial institutions, according to a study from LexisNexis and Javelin St...


See article

If US banks still need convincing on chips ...

If only we could get our collective heads around the problem of assuring the pedigree of online information -- be it credit card numbers, or simply name and address -- the ROI for chip cards would be plain to see.

Observation:$100B worth of fraud is ID related

Premise: To prevent personal data being replayed behind the backs of its owners, those data can be communicated from shopper to merchant in digital certificates issued to shoppers' personal hardware devices, like smartcards, SIMs or smartphones. 

Methods: Most browsers and most servers have the cryptographic APIs and components already built in.  The acts of requesting a digital certificate from a smartcard, presenting the certificate to a server, and signing transactions with it, can all be implemented at the server, using XML and Java and the like.

Submitting personal details to merchant sites by smartcard would be an option alongside regular manual entry of 'naked' credit card details.  Merchants (or Acquirers) might levy a surcharge of 1% or so for manually entered data in line with the elevated risk, to help shoppers switch behaviour.

ROI:

(1) For maybe $1B the majority of merchant websites could be upgraded to process ID data via digital certificates (economies of scale would come from Merchant Acquiring banks and payment gateways making the software upgrades in common shopping cart software)

(2) For a very conservative $5B, every one of 50M American online shoppers could be given a smartcard reader, training and support (in an increasing number of cases, consumers will find they have smartcard readers built into their computers, like the Dell e6500 and numerous HPs; the penetration of integrated smartcard readers would jump overnight* if banks supported smartcards for secure transactions over the Internet)

(3) For no more than $1B, Issuers could switch 100s of millions of magnetic stripe cards to chip (and many are going to do this anyway in response to demands from travellers who have trouble using their regular US issued cards overseas)

(4) Let's ignore the oft-cited $10-20B "EMV enablement" cost in the US since that figure is dominated by retail merchant switching costs, but what I'm talking about is using chips online for e-commerce, with no new hardware at all for merchants.

So for a $7B investment, most of the e-commerce component of the $100B loss could be saved. The same digital certificate methods could be used in any setting where identity data is presented online and there is a risk to the receiver of impersonation; e.g. new account origination (as discussed recently by Robert Siciliano), and all manner of e-health apps.

It's ironic that the business case for EMV cards -- intended originally to address card present fraud -- might be more attractive if they were initially used in the US for online shopping, not face-to-face.  Why not let bricks & mortar Acquirers and retailers follow in their own good time?

Stephen Wilson, Lockstep.

 

*Footnote.  Rapid deployment of integrated smartcard readers has happened before.  In January 2003, Bill Gates announced that smartcards were Microsoft's preferred means for future authentication; their software from XP onwards already included native smartcard APIs.  Within a mere four months of the announcement, Dell released the first notebook PC with a built-in smartcard reader; Acer, Compaq and others followed quickly.  Third party smartcards and applications failed to materialise in significant numbers, and through 2004 the computer manufacturers took the readers out of their products, to use the precious space for other features.  The lesson is that computer companies are at a tipping point.  Now that there are over a billion smartcards on issue, all it would take to see integrated readers become ubiquitous would be for a large institution to release a smartcard based online payment or ID solution. 

 

3594

Comments: (5)

A Finextra member
A Finextra member 11 November, 2009, 08:01Be the first to give this comment the thumbs up 0 likes

" Merchants (or Acquirers) might levy a surcharge of 1% or so for manually entered data in line with the elevated risk, to help shoppers switch behaviour."

WOW. A merchant that does this is on a suicide mission.

"For maybe $1B the majority of merchant websites could be upgraded to process ID data via digital certificates (economies of scale would come from Merchant Acquiring banks and payment gateways making the software upgrades in common shopping cart software)"

For no charge to online merchants, issuing banks can fully secure online card payments by allowing their cardholders to turn on or turn off their card accounts. This solution is applicable to any kind of card, mag-stripe or smart card. It would not require chips or smartcard readers. This solution can also utilize one-time non-replayable time based pin-codes that are sent through out of band channels.

Guarantee of payment (cost of fraud) is part of the interchange fees that merchants pay to Issuing Banks.

If there is one entity in the payment chain that should provide the necessary security and guarantee the payment, it should be the Issuing Banks

"For no more than $1B, Issuers could switch 100s of millions of magnetic stripe cards to chip (and many are going to do this anyway in response to demands from travellers who have trouble using their regular US issued cards overseas)"

I have trouble using my CHIP and PIN here in FRANCE just like american travellers have trouble using their regular US mag-stripe issued cards here in France.  

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 11 November, 2009, 09:30Be the first to give this comment the thumbs up 0 likes

 

Marite,

Turning one's account on and off because it's inherently insecure against fraudsters is really just shifting the risk (and the blame).  How does risk get apportioned once users are making active risk decisions?  What if they forget to turn off?

Further, I'm thinking way beyond card accounts.  The fundamental problem underlying almost all ID related fraud is that nothing stops personal data being replayed.  We should be using smartcards, smart phones and the like -- with embedded private keys -- to digitally sign our data when we present it.  Health IDs, name & address, social security numbers, anything. 

You can't jury-rig magnetic stripe cards to create digital signatures.  The technology is a total dead end in the digital economy.

Cedric Pariente
Cedric Pariente - EFFI Consultants - Paris 11 November, 2009, 10:48Be the first to give this comment the thumbs up 0 likes

Hi Stephen,

It is a very interesting topic you are talking about.

Even if I'm not convinced that you are on the right track you seem passionate and only good things come out of it.

However when you say:

Merchants (or Acquirers) might levy a surcharge of 1% or so for manually entered data in line with the elevated risk, to help shoppers switch behaviour.

You cannot be serious.

You are missing a very important component in this analysis: the client.

You cannot FORCE him to change his behavior.

Are you really serious when you say you want to surcharge 1% to the client?

Either you really don't believe in your system or you are convinced that others don't. In any case you are killing your penetration rate even before starting.

The question in everyone's head when buying something or using a service is very simple WIIFM: What's in it for me?

I'm sure that you don't think that clients are interested in security because that would be a joke, they simply don't care.

They only care about more of "things they like" and less "things they don't like".

Security is none of their concern.

Simply ask yourself what you honestly would like to have as a consumer. And be honest. Forget that you are selling smart cards and you'll find the key to success.

Consumers in the US right now want to keep their houses, have more money, be happy again by any mean. They don't give a **** about security and definitely wouldn't pay for it.

Consumers in Australia, well you know them better than me. But you need to put them at the center of any of your decisions, otherwise none of them will buy any of your ideas or systems.

A Finextra member
A Finextra member 11 November, 2009, 11:15Be the first to give this comment the thumbs up 0 likes

"Turning one's account on and off because it's inherently insecure against fraudsters is really just shifting the risk (and the blame).  How does risk get apportioned once users are making active risk decisions?"

The risk has already been defined and merchants are already paying for the risk of accepting card payments, which is embedded in the interchange fees that they pay Issuing Banks.

Think of the Issuing Bank's authorization system as having the one and only spigot that would allow the flow of funds. This spigot can be turned on and off. It should be turned on and off.

Your idea of turning on and off this spigot requires that the control of this spigot is passed on from the cardholder to the merchant to the Issuing Bank, which is quite inefficient and still insecure considering the link between the cardholder and the Issuing Bank remains vulnerable. As long as this link between the cardholder and the Issuing Bank remains expose, whatever solution you force onto online merchants will lack that universal security that should be given to cardholders.

"What if they forget to turn off?"

Cardholders will not forget to turn it off, since a 'turn-on' can be for one transaction.

"Further, I'm thinking way beyond card accounts.  The fundamental problem underlying almost all ID related fraud is that nothing stops personal data being replayed.  We should be using smartcards, smart phones and the like -- with embedded private keys -- to digitally sign our data when we present it.  Health IDs, name & address, social security numbers, anything."

Here, when we speak of Identity Theft, we're talking about social security numbers, passport numbers, driver license numbers, etc. Yes, of course, as a consumer and as a past-victim, I would not want anyone else to be able to use my Identity.

Just like my card number, whose custodian is really my Issuing Bank, other entities were responsible for issuing these other Identity cards. If and when I apply for credit, whoever needs to check my credit history has to check it with a credit bureau. Well then, this credit bureau would then be much like my Issuing Bank. My health ID was issued by the french government (CPAM), then this bureau is the custodian of my health id/'account'.

Do consumers really care about digitally signing anything? NO. What a consumer cares about is that NO ONE else other than himself is allowed to use his many different ID cards. Hence, we return to the same equation as payment cards. All of my ID accounts remain vulnerable as long as I do not have a direct link to these custodians. As a consumer, my interest lies in my ability to control the usage of my ID cards/ID accounts. Perhaps for other ID accounts that do not involve money such as my health card, it would suffice for me to get a notification each time my health card account is used.

"You can't jury-rig magnetic stripe cards to create digital signatures.  The technology is a total dead end in the digital economy."

See my comments above about digital signatures. As a cardholder, generating a digital signature truly does not interest me. What interests me is that I am able to use my chip and pin here in France to pay for a 1 euro toll, for example, because I am not able to... And since it is my money (its a debit card), I would like to be able to control what goes out of my account through this debit card. I would like to have that peace of mind that when I wake up tomorrow, the couple of hundred euros in that account is still there.

Would it appease you if I say that the system of card reader/smartcard would be more efficient if the communication is only between the cardholder and his Issuing Bank? Would you also consider that the link between the cardholder and the Issuing Bank can be secured by means other than a smartcard, static pin-code and a smartcard reader? 

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 11 November, 2009, 17:32Be the first to give this comment the thumbs up 0 likes

Marite,

Generating a digital signature is not as complicated as you imply.  It is not something that has to "interest" any consumer.  It's a completely transparent process.  I think you know that every time you use a DDA EMV card, digital signatures are created by the card, automatically.  So nothing in my vision for securing digital identity is any more complicated for the cardholder than simply inserting their card and entering their PIN.

What I'm advocating (and it's not my solution, this is just a basic technology) is that whenever a remote party wants to know your important ID -- whether it is your name and address, credit card number, health ID, whatever -- then it's best to present that ID by way of a certificate and digital signature.  Different chips would naturally hold different IDs.  A practical example: your smart driver licence, REAL ID or ID card (in applicable jurisdictions) could carry a certificate that conveys your name and address.  Imagine you are originating a bank account online and the bank wants you to prove where you live.  You could insert your smart driver licence into a reader at your PC at home, enter a PIN, and the chip would send a tamper resistant cryptogram to the bank that includes your name and address.