Online fraud continues to grow. The UK Fraud Barometer, for example, suggests that the average loss from online fraud currently stands at £697/$1120 per person, against £352/$566 in March 2010. One in 10 people report that they have been victims of online fraud or theft.
Although banks express growing concern about theft – and theft attempts – from online accounts, card fraud remains the industry’s, and the economy’s, biggest problem.
Banks have acted to reduce the risk of account fraud both by more sophisticated security systems, such as one-time passwords and multi-factor authentication for customers, and analysis software that looks for suspicious transactions at the back end. Executives at one UK bank, which has deployed a secondary authentication system based on bank cards and one-time codes, say privately that none of their customers using the additional security measures have suffered account fraud.
"Information on stolen cards is being distributed faster to the end points" |
Amachai Schulman, Imperva |
The picture with credit cards – and other cards used for online payments, including debit cards and business charge cards – is far more mixed. Payment cards, some security experts suggest, are the industry’s weak spot, with fraudulent transactions still relatively easy to carry out.
The Chips Are Down
Measures designed to reduce fraud in the physical world, such as EMV (also known as Chip and Pin), have been successful in Western Europe markets, but they have also shifted the balance of fraud attacks to the online world. So-called customer-not-present fraud, which includes online, as well as telephone and mail order transactions, has increased dramatically. Figures from the European Payments Council put the annual cost of card fraud at more than £1.3bn/$2.1bn.
“In Europe, where EMV was introduced a while back now, the proportion of face-to-face versus online fraud has completely reversed; it was 70% offline and 30% online. Now it is closer to 70% online”, says Neira Jones, security expert at Barclaycard. She points out that in the US, where EMV is only now being rolled out, in-person fraud still accounts for most losses on payment cards.
"The best protection for the payments industry is defense in depth" |
Jackie Barwell, NICE Actimize |
Despite some highly publicized academic attempts to break EMV encryption – and even some successful criminal attacks against the card network – fraudulent use of Chip and Pin cards offline remains rare. EMV cards are hard to clone, with key data encrypted in the chip and, in theory, only accessible to a secure reader on a secure network.
A casual criminal would not obtain enough information to create a working clone of an EMV card from sight alone, or even from the magnetic stripe. Nor would a consumer have access to all the information in the EMV chip, so a criminal could not create a cloned card from details obtained from an online transaction, for example, or even a sophisticated phishing attack.
The best the fraudster could hope for in most cases would be to create a card with a non-functioning chip, and use that in countries that still rely on the magnetic stripe. With Europe now largely using EMV and take-up increasing in North America, the window for such fraud is closing.
Virtual Currency
The need for criminals to hop between geographies – by using a skimmed or cloned European card in a magstripe reader in Asia, for example – reduces the value of the fraud and also increases the chances of detection by the banks and card clearers’ increasingly sophisticated back office software.
This leaves online card use as the payment industry’s soft underbelly, and also as the area where consumers are most at risk. Criminals have become more sophisticated at finding ways to obtain customer card details, as well as critical secondary verification information such as an address, date of birth, and CVC (card verification code) details.
As Ori Eisen, founder of online intelligence and identification vendor 41st Parameter, points out, the percentage of transactions carried out on the internet remains below 5% of all retail volumes, but an online transaction remains at least ten times as risky, in fraud terms, as one carried out at the point of sale. “Before the internet took off, most credit card fraud was the result of skimming, counterfeiting, or ATM fraud. Now, banks are saying that 90% of fraud is online. The rest is ‘card non received’ fraud or account takeover. For criminals, the internet brings mass scale, global anonymity, and speed.”
"There is increasing interest amongst the banks in protection on the desktop" |
Mickey Boodaei, Trusteer |
The growth of fraud against online-only accounts, including payment services such as PayPal and more recently even Apple’s iTunes, has given fraudsters another outlet: online account hijacking can provide a source of virtual currency and a way to turn stolen card details into ready cash.
Individual consumers, though, remain the most popular source of those card details in the first place, and a rising percentage of those customers are taken in by phishing attacks, or fall victim to malware.
Stealth Attacks
Criminals committing online payment fraud rely on three main mechanisms to obtain card details. These include phishing or malware attacks directed at the consumer, and mass-scale hacking attacks against merchants and the payment network itself.
Although some large-scale attacks – such as that against US payment processor Heartland, and the retailer TJX (which operates as TJ Maxx in North America and TK Maxx in the UK) – have generated publicity, the payment industry believes that these attacks are in decline.
Tighter security measures, including the implementation of the PCI Data Security Standard (PCI DSS) by merchants and payment processors, has made it considerably more difficult to obtain payment card details en masse. Better industry co-operation is also making the criminals’ task harder: merchants and payment processors are now better at notifying both banks and card issuers, and customers, about data theft or loss.
"Provided it is well implemented, there should be no reason that 3D Secure will cause lost transactions" |
James Rendell, Deloitte |
This allows the networks to block compromised cards more quickly, reducing the losses and also reducing the value of stolen cards to criminal groups. Verified card details are understood to have dropped in value from around $5 to a dollar on some online data markets used by criminal groups.
“The lifetime of a fraud [based on the mass theft of cards] is becoming shorter”, says Amachai Schulman, CTO of Imperva. “That is due to improved fraud detection by the credit card companies. Information on stolen cards is being distributed faster to the end points [retailers]. So the value of an individual card has dropped.”
As a result, criminals are moving to stealthier techniques to obtain card details. Of these, Symantec calculates that 90% of consumer fraud is either the result of malware or phishing. It also means, Schulman warns, that criminals need to steal more cards to achieve their ends.
Socially Engineered Credit
When it comes to obtaining card details, phishing remains the most common form of social engineering method. But there has also been a recent increase, in markets such as the UK, of phone-based social engineering attacks, including a recent spate of calls purporting to come from Microsoft and directed at convincing consumers to hand over card or bank details to “disinfect” their PCs.
In some cases, criminals rely on simple strategies, such as convincing-looking emails that persuade consumers to email credit card details or to enter them into a fraudulent site. Increasingly, however, social engineering, including posts on social networks such as Twitter and Facebook, are used to take consumers to a site that loads malware to their PCs. That malware, in turn, captures credit card and other sensitive data, for use in fraud.
Social engineering attacks are also becoming bolder. According to James Rendell, an online security expert at consultants Deloitte, phishers are now asking for customers’ PINs, and Verified by Visa or MasterCard SecureCode details (see box: 3D Secure). “No normal purchase would ask for these details. They are the crown jewels”, he warns.
"For criminals, the internet brings mass scale, global anonymity, and speed" |
Ori Eisen, 41st Parameter |
Such boldness is causing banks and merchants to put more emphasis on security. As Jackie Barwell, financial crime products manager at NICE Actimize says, the best protection for the payments industry is defense in depth. This means more real-time and post transaction analysis. In some ways it also means more inconvenience for consumers, as legitimate but unusual transactions are more likely to be blocked.
Consumers, though, can help themselves. The banks and card issuers have stepped up their education through fraud advice sites, and are providing more information to retailers and other merchants on card security measures, including how to spot potentially fraudulent sales online.
“The second line of defense is to analyze transactions and stop them before they go out”, says Mickey Boodaei, CEO of Trusteer, a fraud protection vendor. “But it is a constant battle. There is increasing interest amongst the banks in protection on the desktop, to protect against card details that are stolen and customer not present attacks.”
But for consumers, the simplest and best advice is to guard card details as they would cash, to monitor their accounts, and to exercise caution online. The payment industry’s protection measures may be ever-more sophisticated, but as the e-commerce market grows, so do cybercriminals’ incentives to stay one step ahead.
Recent fraud data for the UK shows that total losses on payment cards fell to £365.4m/$595m last year, from a peak of £610m/$993m in 2008. Much of that decline is attributed to improved security measures. Sophisticated software, deployed by the banks and card companies, is now much more effective at detecting fraudulent transactions. Measures aimed specifically at reducing fraud online have also improved. In Europe, the most prominent of those techniques is 3D Secure. Known as Verified by Visa and MasterCard SecureCode, the technology requires consumers shopping online to identify themselves using an additional password. The technology also supports stronger authentication methods, such as one-time codes. In Europe, around 40% of online merchants support 3D Secure. Although there were initial concerns that the extra authentication step would deter some consumers from shopping online, that does not appear to have been the case. The level of “false positives” – legitimate shoppers whose transactions are declined – is also low, according to industry sources. Around 90% of blocked transactions are fraudulent. The system has, however, met with some criticism, especially for reliability. The online merchant’s website needs to forward the transaction to the bank or card company for 3D Secure verification, and that did cause transaction failures early on. Regardless, most merchants, and their IT suppliers, are now familiar with 3D Secure, and the benefits in fraud reduction outweigh the set-up costs. “Provided it is well implemented, there should be no reason that 3D Secure will cause lost transactions”, says James Rendell, head of the e-crime unit at Deloitte. |