Blog article
See all stories ยป

Who's in your Wallet?

We face a real and present threat to our national security. This threat originates from both domestic and foreign sources. As an increasing number of countries move to adopt secure credit card transaction technology, eastern European cartels are turning their attention to the relatively unprotected US card transaction system. However more sinister organisations may already be at work.

International intelligence sources report that money obtained through credit card fraud has been used to fund terrorist activities. When, in December 2000, police agencies intercepted an attempt to bomb the Christmas Market in Strasbourg France, they uncovered an al-Qaeda cell operating across international borders. During subsequent interrogations and investigations it was discovered that the cell's activities had been financed by the use of cloned credit cards. These activities included the purchase of bomb making materials for use in the Strasbourg attack. Several cloned cards were recovered during raids on apartments and houses used by cell members in Frankfurt Germany and London England. The activities leading to the arrest and conviction of two suspected Algerian terrorists by UK authorities are thought to be indicative of more widespread use of credit card fraud by extremist organizations.

Crimes involving credit card cloning and identity theft are growing in scope and frequency. In the USA a fraudulent card transaction is completed every 8 seconds. According to the Federal Trade Commission, card fraud accounts for 42% of complaints registered by consumers. With U.S. intelligence agencies in possession of this information, surely the declared 'War on Terrorism' could be most effectively waged by denying illegal organizations the oxygen of funds; especially funds stolen from U.S. citizens and corporations. This is not a matter of whether losses through fraud are sustainable; it is a matter of morality and national security. Losses resulting from fraud are ultimately reflected in the charges levied on credit card users. American consumers are unknowingly financing terrorist activities. Why then do U.S. authorities appear to be so slow in responding to this avalanche of fraud?

In Britain retailers have been 'encouraged' to invest in a new 'secure' transaction technology in part by a shift in responsibility for fraudulent transactions. The credit card companies simply changed the rules! They mandated that if retailers failed to adopt a more secure 'chip and PIN' technology the retailer would bear an increased responsibility for the losses caused by fraud. The banks and the card companies would no longer pick up their share of the tab. Unsurprisingly, most retailers could not insure against the risk, nor could they bear the potential losses. The net result was a dash to install new and more secure payment terminals before the deadlines kicked in. By the end of 2004 British consumers were not able to use their credit cards without keying in a four digit 'Personal Identification Number' (PIN). The credit card they 'insert' (note; insert not swipe) will need to have a secure embedded micro-processor (chip) carrying details of their identity and transaction status. This new 'chip and PIN' system dispenses with subjective (and notoriously unreliable) signature checking. The new credit and debit card terminals also include sophisticated fraud detection and protection systems at hardware, firmware and software levels. Any attempt by fraudsters to tamper with the system, at any level, will trigger the protection measures. Precise details of how these measures work are withheld for obvious reasons.

This 'Chip and Pin' card technology is in stark contrast to the U.S. transaction system which requires only possession of the credit card (or a copy of it). The new European system requires possession plus knowledge. To make any transaction you need possession of the card and knowledge of the PIN. Without both these things all transactions will be refused. No worries if you accidentally leave your card in a gas station. Without your PIN the card is useless (unless of course the card details are exported to the USA). Industry analysts predict that in the future, possession, plus knowledge, plus attribute may be required to ensure ultimate levels of security. An attribute is a characteristic unique to you as an individual. It may be a finger-print, a palm print, a retina pattern or even a thermal map of your head. All these bio-metric recognition technologies exist now. They are commercially available.

The Federal Trade Commission rates card fraud as one of American consumer's major concerns. Are we right to be concerned? Let's consider what happens when we visit the gas station to fill up, a transaction completed by millions of Americans each and every day. As we swipe our card through the pump's magnetic stripe reader (MSR) does anyone check for a signature, or even ask our name? No!  Okay, but before the bad guys can start filling their cars (or trucks) at our expense they are going to need a copy of our card. How could they get that?

It's easy! Many reputable electronic component distributors will sell you a card reader. Some so small you could hide one in the palm of your hand. Every time we hand our credit card to a sales assistant or restaurant waiter we run the risk of 'card skimming'. You don't even have to hand the card over! Merely swiping your own card at the gas pump exposes you to the risk of card cloning. If the 'bad guys' can open the gas pump's control panel they can install a miniature reader (referred to as a bug) which copies the data from the magnetic stripe on your card. A clone of your card can be made within seconds! This may sound like science fiction, but the truth is it happens every day! Bugs have been found in gas pumps, vending machines, ATMs, public internet terminals, car wash program selectors and ticketing machines. The more responsible equipment manufacturers have already recognized the problem and are moving to secure their machines against unauthorized access; but there are currently millions of insecure installations spread across the continental U.S.

It seems too obvious to say that we must improve the security of our transaction infrastructure, but without the adoption or (dare I say) Federal mandating of new standards for credit card technology there is a danger that the American public will lose confidence. We should be able to use our cards without wondering "who's in our wallet". Confidence in the security of our financial systems is essential not only for our economy but also our national security. Will we be seeing a new generation of 'street wise' transaction terminals here in the USA? Let's hope so!

The initial breakthrough came over Christmas 2000 when the German equivalent of the SAS burst in on a flat in Frankfurt. They arrested four men and uncovered an arsenal with bomb-making chemicals, weapons, cloned credit cards and false documents.  Extract from BBC News "The secret war against al-Qaeda" broadcast 10th Feb 04.

background - published 2004

3491

Comments: (4)

A Finextra member
A Finextra member 18 March, 2008, 15:40Be the first to give this comment the thumbs up 0 likes

Great post, Jarvis.  I'm always amazed at how little mainstream coverage this issue attracts.

Regulators have an increasingly difficult job keeping up with advancements in financial technologies, particularly in the payments and processing areas, and the myriad ways to exploit these systems.  But the burden seems to be largely on the private sector.  Clearly market forces are a powerful motivator - lost confidence means lost revenues.  The slow response on the part of regulators may also be driven by institutional cost/benefit analysis: fraud losses are already built into the revenue models, and as long as this provision remains within a certain band, why deal with the authorities and risk drawing unwanted publicity?

 

A Finextra member
A Finextra member 18 March, 2008, 20:44Be the first to give this comment the thumbs up 0 likes

IDENTITY IS ESSENTIAL INFRASTUCTURE 

The fundamental  methodology of retail transactions has been ego based rather than logic based. Having your name on a card was a 'cool' marketing idea back in the 70's but it's recently become a real hazard. Any system which transmits useful information in order to complete a transaction is open to abuse. The information becomes the currency rather than the means, because it gives the means for fraudsters to carry out transactions. Just like currency, when you get a lot of counterfeiting you are forced to issue new notes to get the fake ones out of the system, but the same can't be done with identity data.

We need to apply a new methodology which renders the personal information worthless and devalues the fake identities. Thieves will stop being interested in personal data if it loses loses any value to carry out fraudulent transactions.

Identity is essential infrastructure for business, government and citizens and it's time we put the control of our identities back in our hands, not with cards with details on them or 'in' them.

We could use the 3.3 billion mobile phones we already have to put the human back into the transaction without needing to replace card readers every other week. Of course the smart card lobby don't like that idea, but with recession looming - who wants to spend a billion on a hardware solution? Only fools I believe.

Alex Noble
Alex Noble - McAfee - London 19 March, 2008, 14:59Be the first to give this comment the thumbs up 0 likes

Hi Jarvis,

I think you've got some very good points about card fraud and fraud commited with stolen/ cloned cards at point of sale.

The challenge in Europe is that we see fraud migrating to channels without chip and pin, especially overseas transactions and 'card not present' fraud in the telephony and internet channels. At least, that's what the latest statistics from the UK payments body seem to show.

One trend I see in European financial services is biometrics as part of the counter to 'card not present' fraud and as a back up identity validation. Chip and pin doesn't work (as yet) online or in telephone transactions and in these areas biometrics might offer an additional line of defence. I'd would though never suggest biometrics as a sole authentication, as if they are compromised, they are a little difficult to reset!

You might also be interested in the recent experience of Barclays, where their chairman was subjected to identity theft and fraudulant card use. I've got more details on my blog in this article from January; "Security, Call Centres and Fraud

Thanks for an interesting article,

Alex

A Finextra member
A Finextra member 25 March, 2008, 16:50Be the first to give this comment the thumbs up 0 likes

and if you think Canada and south America is moving to EMV,  US will be stucked in the middle.

I guess, if US market decides to move chip&pin it will take at least 7 years from now on.

But somethimes, like F1 racing, coming from behind could be an advantage  Because US can see and learn from chip migration and because the tech is evolving in every day they would adopt or migrate to new authentication methods like biometrics or non-card forms such as phones and NFC.

 

Retired Member

Member since

19 Mar 2009

Location

Blog posts

6,184

Comments

6,322

This post is from a series of posts in the group:

Trends in Financial Services

A community to discuss the future of financial services and any other interesting trends, strategies, ideas, views.


See all