23 October 2017
Stephen Wilson in Lockstep

Stephen Wilson - Lockstep Group

How much worse can CNP fraud get?

17 July 2012  |  3118 views  |  1

The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months, each covering the preceding 12-month period.

For the first time in many years, Australian card fraud has grown in all categories. The ratio of Card Not Present fraud to all fraud remained steady at just under three quarters. An upturn in skimming and counterfeiting is surprising given the strong penetration of chip-and-PIN cards in Australia, although most ATMs here still read the magnetic stripe and so remain vulnerable to carding. It will be interesting to watch the card-present statistics over the next 6-12 months.

Still, CNP fraud remains the preferred modus operandi of organised crime; the cost of CNP fraud grew by 61% from 2010 to 2011.

"Innovation" is a topical notion in Australian payments systems circles, but for the most part innovation is confined to back-end systemic improvements to interbank settlements. Regulators take a light touch on the user side. The market is fostering innovative payment applications on mobile devices, but so far security still proves too hard. APCA's only position on security is to wait and see what happens when 3D Secure comes to Australia. Given that nothing has stood in its way, and that CNP fraud is doubling every two years, the very absence of 3D Secure here should worry the regulators.

3D Secure is awkward and off-putting to users, expensive to implement, slow to process, and above all incredibly costly thanks to high abandonment rates. In contrast, we could solve CNP fraud online in exactly the same way as we solved carding: by using asymmetric cryptography to render stolen account details non-replayable.

After all, CNP fraud is just online carding.


Comments: (2)

A Finextra member | 20 July, 2012, 12:36

Great post. But when you throw about terms like 'asymmetric cryptography' assuming we all know what it means, you lose points! Please at least explain what you mean - one-way encrypted data - otherwise known as a hash.

Add my vote to the scrapping of 3D Secure too.

Stephen Wilson - Lockstep Group - Sydney | 21 July, 2012, 02:05

Thanks for the feedback.

Asymmetric cryptography describes a big class of technologies, including hashes but also digital signatures, which is an even better way to protect the pedigree of data sent from a device, on behalf of its owner.

A digital signature is created by processing transaction data through a private key kept in a chip like a smartcard, mobile phone SIM, NFC element, Trusted Platform Module and so on. The signature code can be readily processed by any receiver that has been preconfigured with the corresponding public "master" key [skipping some unimportant details here about public key certificate paths]. Modern Internet servers come with the master keys of almost all commercial PKI providers, plus the necessary software primitives.

CNP fraud is just online carding, and could be solved the same way. Magnetic stripe carding was solved by Chip-and-PIN's asymmetric cryptography. Each transaction is digitally signed in the chip before being sent across to a terminal, making the transaction specific to both the session and the card, and thus non-replayable. The very same chip could be used to digitally sign CNP transactions sent from browsers or mobile devices over the Internet to a merchant server, to prevent replay attack and CNP fraud, and thus neutralise the black market in stolen card details.

If we used personal smart technologies to sign transaction data sent to merchants, then we would prevent replay attack at its roots. We could then preserve the entire four-cornered settlement model, and avoid the legal and technological complexity engendered by 3D Secure etc. It's nuts that we don't leverage chips to perform the same security services in the online channel as they do in offline.


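The mechanism argued for in the post, and spelled out in the author's reply above (a chip signs each transaction so that captured card data is worthless a second time), can be shown end to end in a few dozen lines. The Go program below is an example added for this page; it is not the author's, Lockstep's, or any EMV or 3D Secure implementation. Its assumptions: ECDSA over P-256 stands in for whatever signature scheme a real card chip uses; the key is generated in software here rather than provisioned into a secure element; the `Transaction` fields, the pipe-separated canonical encoding and the card reference `card-001` are invented for the example; and the merchant-issued nonce represents the per-session binding the reply describes. The verifier on the issuer side accepts a genuine purchase once, then rejects the same captured payload when it is replayed and rejects a signature attached to altered data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Transaction is what the merchant asks the cardholder's chip to sign.
// Field names and layout are invented for this example.
type Transaction struct {
	CardRef  string // issuer-side reference to the card, not the PAN itself
	Merchant string
	Amount   int64 // minor units (cents)
	Currency string
	Nonce    string // fresh challenge issued by the merchant for this session
}

// canonical gives a fixed serialisation so signer and verifier hash identical bytes.
func (t Transaction) canonical() []byte {
	return []byte(strings.Join([]string{t.CardRef, t.Merchant,
		fmt.Sprint(t.Amount), t.Currency, t.Nonce}, "|"))
}

// Chip stands in for the secure element (smartcard, SIM, TPM) holding the private key.
// The key is generated in software here; a real chip would have it provisioned.
type Chip struct{ priv *ecdsa.PrivateKey }

func NewChip() (*Chip, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Chip{priv: priv}, nil
}

func (c *Chip) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign is the only operation the chip exposes: the private key never leaves it.
func (c *Chip) Sign(t Transaction) ([]byte, error) {
	digest := sha256.Sum256(t.canonical())
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

var (
	ErrUnknownCard  = errors.New("unknown card reference")
	ErrBadSignature = errors.New("signature does not match transaction data")
	ErrReplay       = errors.New("nonce already used: replayed transaction")
)

// Verifier is the issuer/acquirer side: registered public keys plus a replay cache.
type Verifier struct {
	keys map[string]*ecdsa.PublicKey
	seen map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]*ecdsa.PublicKey{}, seen: map[string]bool{}}
}

func (v *Verifier) Register(cardRef string, pub *ecdsa.PublicKey) { v.keys[cardRef] = pub }

// Authorise accepts a transaction only if the signature verifies under the
// card's registered key and the (card, nonce) pair has not been seen before.
func (v *Verifier) Authorise(t Transaction, sig []byte) error {
	pub, ok := v.keys[t.CardRef]
	if !ok {
		return ErrUnknownCard
	}
	digest := sha256.Sum256(t.canonical())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSignature // data altered after signing, or signed by another card
	}
	key := t.CardRef + "|" + t.Nonce
	if v.seen[key] {
		return ErrReplay // a captured signature is worthless a second time
	}
	v.seen[key] = true
	return nil
}

// NewNonce returns a random per-session challenge (16 bytes, hex encoded).
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	chip, err := NewChip()
	if err != nil {
		panic(err)
	}
	issuer := NewVerifier()
	issuer.Register("card-001", chip.PublicKey())
	nonce, _ := NewNonce()
	tx := Transaction{CardRef: "card-001", Merchant: "shop.example", Amount: 4999, Currency: "AUD", Nonce: nonce}
	sig, _ := chip.Sign(tx)
	fmt.Println("genuine purchase:", issuer.Authorise(tx, sig))
	fmt.Println("replayed capture:", issuer.Authorise(tx, sig)) // same payload, second time
	altered := tx                                               // captured signature on different data
	altered.Amount, altered.Nonce = 99999, "attacker-chosen"
	fmt.Println("altered amount:  ", issuer.Authorise(altered, sig))
}
```

The signature is checked before the replay cache is consulted so that an unauthenticated sender cannot burn nonces on behalf of a card; the cache is keyed on card and nonce together, so a nonce reused across different cards is not a false positive. What the program does not show is the certificate path from the card's public key back to the issuer's root, which the reply sets aside as detail, nor key provisioning into the chip.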
