David Birch - Tomorrow's Transactions - London 18 July, 2012, 08:41 0 likes

Attention fraudsters: I've stopped signing Carlos Tevez. Thanks to my unbreakble, Enigma-style algorithm, you'll never be able to guess which South American Manchester City striker I'll be using in future.

A Finextra member 18 July, 2012, 10:27 0 likes

Dave, I look forward to you having enough room to sign the name Sergio Leonel "Kun" Agüero del Castillo.

Keith Appleyard - available for hire - Bromley 18 July, 2012, 15:29 0 likes

Some years ago a colleague in Arizona showed me that many people had adopted the scheme of not countersigning the Signature Panel, but clearly writing in it "ASK FOR PHOTO ID" - ie ask for a Drivers License to prove you are the rightful owner of the Card.

When I was working in Japan some 20 years ago I was shown how new Cardholders who didn't know how to write their Signature 'western style' would be taught how to form a Signature by the Customer Service people when they collected their Card.

Stephen Wilson - Lockstep Consulting - Sydney 19 July, 2012, 05:58 0 likes

I agree that the problems are of the payment industry's making, but I disagree that cards "are not really fit for use on the Internet".  For the purposes of payments, at a network level, the Internet is just another comms channel.  As we all found in the late 1990s, the decades old MOTO rules and Four Party settlement model {Cardholder, Merhcant, Issuer, Acquirer} extend very nicely from mail orders and telephone to the web.

Let's be very clear about why paying by credit card online is risky, who bears the risk, and what should be done about it. When cardholder details are presented online, a merchant cannot tell if the 1s and 0s are stolen or original.  It's not actually a safety issue for customers, but rather for merchants.  E-merchants could reassure onine shoppers all they like of their PCI-DSS compliance, but that's not the point, and in any case, most stolen card details are taken from big retailer and processor databases, not e-merchants.

All we need to do to make cards safe online is to better protect the presentation of cardholder detals to merchants.  Asymmetric cryptography would do the trick very nicely. If merchant servers were equipped to tell real PANs from stolen ones, then it wouldn't matter at all if the human-readable numbers and photos were posted online. 

One of the deep problems with 3D Secure is that it breaks the Four Party model.  It joins the Cardholder to the Issuer in real time to complete a redundant secondary authentication handshake, complicating not only the user experience but also the merchant's legal arrangements, and slowing the transaction to a crawl.

CNP fraud is just online carding, and could be solved the same way.  Magnetic stripe carding was solved by Chip-and-PIN's asymmetric cryptography.  Each transaction is digitally signed in the chip before being sent across to a terminal, making the transaction specific to both the session and the card, and thus non-replayable. The very same chip could be used to digitally sign CNP transactions sent from browsers or mobile devices over the Internet to a merchant server, to prevent replay attack and thus neutralise the black market in stolen card details. We should be solving CNP fraud the same way as we did skimming and carding, without overturning the decades old settlement processes. The payment card concept has decades of life left in it.

A Finextra member 19 July, 2012, 12:50 0 likes

Great post Aden. I agree that debit or credit cards are social objects. Often they are the only physical thing that customers have which ties them to their bank. For some it is a point of pride - cards that live in your wallet every day are a very personal item (after your phone!), so they create a sense of identity that you want to share with your friends and community. In NZ we have a bank which issued debit cards that were totally black. Customers loved them - so different, so distinctive - they would display them with pride. If your debit card is the only thing that you carry with you that identifies you with your bank, then hell yes, you should be able to share that on social media - it is not the customers fault that this dated payment method has fraud concerns.

A Finextra member 20 July, 2012, 12:29 0 likes

Seems to me that although Issuing Banks are clearly experts in managing risk, they also don't mind just waiving the problem of fraud under the carpet.  I wonder what percentage of low value CNP fraud goes undetected and therefore paid by the customer? The rest are disputed and the resulting chargeback is borne by the merchant.  No wonder the banks don't do enough to evolve to better solutions.  Even the 3D Secure pain is simply a way to defer the liability from the Issuing Bank to the Consumer.

A Finextra member 23 July, 2012, 18:15 0 likes

Great refreshing post. We have often had hard time explaining to the financial industry the importance of emotional attachment to the product/service - it's good to see some companies warming up to the idea. Barclays is also offering card personalization service - and Dave Birch seems to be a huge fan (he spent more time choosing a design for his card than he spent on choosing a drink in a pub - just joiking).

@Stephen - "The very same chip could be used to digitally sign CNP transactions sent from browsers or mobile devices over the Internet to a merchant server, to prevent replay attack and thus neutralise the black market in stolen card details."

That's exactly what our company does. Via a "social object", by the way.

Online payments fraud is not just merchant-related. You could use a legit card online, but if those details are stolen you become a victim of the online payments fraud.