
How much worse can CNP fraud get?

The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months, each release covering the preceding 12-month period.

For the first time in many years, Australian card fraud has grown in all categories. The ratio of Card Not Present (CNP) fraud to all fraud remained steady at just under three quarters. An upturn in skimming and counterfeiting is surprising given the strong penetration of chip-and-PIN cards in Australia, although most ATMs here still read the magnetic stripe and so remain vulnerable to carding. It will be interesting to watch the card-present statistics over the next 6-12 months.

Still, CNP fraud remains the preferred modus operandi of organised crime; the cost of CNP fraud grew by 61% from 2010 to 2011.

"Innovation" is a topical notion in Australian payments circles, but for the most part innovation is confined to back-end systemic improvements to interbank settlement. Regulators take a light touch on the user side. The market is fostering innovative payment applications on mobile devices, but so far security still proves too hard. APCA's only position on security is to wait and see what happens when 3D Secure comes to Australia. Given that nothing has stood in its way, and that CNP fraud is doubling every two years, the very absence of 3D Secure here should worry the regulators.

3D Secure is awkward and off-putting to users, expensive to implement, slow to process and, above all, incredibly costly thanks to high abandonment rates. In contrast, we could solve CNP fraud online in exactly the same way as we solved carding: use asymmetric cryptography to sign each transaction with a key held in the card-holder's chip, so that stolen account details on their own cannot be replayed.

After all, CNP fraud is just online carding.
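The mechanism the article relies on, a transaction signed by a private key that never leaves the card-holder's chip and bound to a one-time challenge from the receiving server, so that captured account details are worthless without the key and a captured signed message is worthless a second time, as an added Go example. This is not code from the original post, from Lockstep or from any payments scheme. It assumes a hypothetical message format (CardID, Merchant, Amount, Nonce), uses P-256 ECDSA in place of the RSA keys real EMV chips carry, and keeps a plain map of registered public keys where a real verifier would validate a certificate chain; the account and merchant identifiers are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transaction is what the card-holder's device signs and sends to the merchant. Nonce is a one-time
// challenge from the verifier. The field set is an assumption of this example, not a real message format.
type Transaction struct {
	CardID   string // account identifier: the "stolen detail", useless on its own
	Merchant string
	Amount   int64 // minor units (cents)
	Nonce    string
}

// canonical fixes field order and separators so signer and verifier hash identical bytes.
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", t.CardID, t.Merchant, t.Amount, t.Nonce))
}

func must[T any](v T, err error) T { // demo-only; a real service propagates the error
	if err != nil {
		panic(err)
	}
	return v
}

// Card models the chip: the private key never leaves it, only signatures do. P-256 ECDSA
// stands in for the issuer-personalised key (real EMV chips carry RSA keys).
type Card struct {
	ID   string
	priv *ecdsa.PrivateKey
}

func NewCard(id string) *Card {
	return &Card{ID: id, priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

// Sign returns a DER-encoded ECDSA signature over SHA-256 of the transaction.
func (c *Card) Sign(t Transaction) []byte {
	digest := sha256.Sum256(t.canonical())
	return must(ecdsa.SignASN1(rand.Reader, c.priv, digest[:]))
}

var ErrBadNonce = errors.New("nonce never issued or already consumed (replay)")
var ErrBadSig = errors.New("unknown card, or signature does not verify (forged or tampered)")

// Verifier models the merchant/issuer side: registered card public keys (in practice a
// certificate chain to a PKI root, here a map) and the challenges issued but not yet used.
type Verifier struct {
	keys map[string]*ecdsa.PublicKey
	live map[string]bool
}

// Challenge issues a fresh random nonce that the device must bind into its signature.
func (v *Verifier) Challenge() string {
	var b [16]byte
	must(rand.Read(b[:]))
	n := fmt.Sprintf("%x", b)
	v.live[n] = true
	return n
}

// Accept admits a transaction only if the nonce is live, the card is known and the signature
// verifies; the nonce is then consumed, so presenting the same signed message again fails.
func (v *Verifier) Accept(t Transaction, sig []byte) error {
	if !v.live[t.Nonce] {
		return ErrBadNonce
	}
	pub, ok := v.keys[t.CardID]
	digest := sha256.Sum256(t.canonical())
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSig
	}
	delete(v.live, t.Nonce)
	return nil
}

// Scenario plays an honest purchase, a replay of it, and a forgery from stolen account details
// without the card's key; it returns the verifier's verdict on each.
func Scenario() map[string]error {
	card := NewCard("card-0001")  // constructed sample account
	thief := NewCard("card-0001") // knows the account ID but holds a different key
	v := &Verifier{keys: map[string]*ecdsa.PublicKey{card.ID: &card.priv.PublicKey}, live: map[string]bool{}}
	out := map[string]error{}
	honest := Transaction{CardID: card.ID, Merchant: "shop-A", Amount: 4999, Nonce: v.Challenge()}
	sig := card.Sign(honest)
	out["honest"] = v.Accept(honest, sig)
	out["replay"] = v.Accept(honest, sig) // the captured message, presented a second time
	forged := Transaction{CardID: card.ID, Merchant: "shop-B", Amount: 99900, Nonce: v.Challenge()}
	out["forge"] = v.Accept(forged, thief.Sign(forged))
	return out
}
```

Scenario() accepts the honest purchase, rejects the replay because its nonce has been consumed, and rejects the forgery because the thief's key does not match the registered public key; an amount altered in transit fails the same way, since Amount is part of the signed bytes. Two things a production verifier needs that this sketch does not show: the nonce check and consumption must happen atomically against one shared store (not a per-process map) with an expiry, and the card's public key must be established through the certificate path the author's comment below glosses over rather than pre-loaded.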



Comments: (2)

A Finextra member, 20 July, 2012, 12:36

Great post. But when you throw about terms like 'asymmetric cryptography', assuming we all know what it means, you lose points! Please at least explain what you mean - one-way encrypted data - otherwise known as a hash.

Add my vote to the scrapping of 3D Secure too.

Stephen Wilson - Lockstep Consulting - Sydney, 21 July, 2012, 02:05

Thanks for the feedback.

Asymmetric cryptography describes a big class of technologies, including hashes but also digital signatures, which is an even better way to protect the pedigree of data sent from a device, on behalf of its owner.

A digital signature is created by processing transaction data through a private key kept in a chip like a smartcard, mobile phone SIM, NFC element, Trusted Platform Module and so on. The signature code can be readily processed by any receiver that has been preconfigured with the corresponding public "master" key [skipping some unimportant details here about public key certificate paths]. Modern Internet servers come with the master keys of almost all commercial PKI providers, plus the necessary software primitives.

CNP fraud is just online carding, and could be solved the same way.  Magnetic stripe carding was solved by Chip-and-PIN's asymmetric cryptography.  Each transaction is digitally signed in the chip before being sent across to a terminal, making the transaction specific to both the session and the card, and thus non-replayable. The very same chip could be used to digitally sign CNP transactions sent from browsers or mobile devices over the Internet to a merchant server, to prevent replay attack and CNP fraud, and thus neutralise the black market in stolen card details.

If we used personal smart technologies to sign transaction data sent to merchants, then we would prevent replay attack at its roots. We could then preserve the entire four cornered settlement model, and avoid the legal and technological complexity engendered by 3D Secure etc. It's nuts that we don't leverage chips to perform the same security services in the online channel as they do in offline.
