
The Future for EMV in the Middle East

By Paul Meadowcroft, head of transaction security of the e-Security activities of the Thales Group

Card fraud is a problem for all banks, but it is one that has been rapidly growing in recent years due to the boom in e-commerce and credit card use. There are many types of card fraud regularly committed throughout the world, including lost and stolen card fraud, mail non-receipt card fraud and identity theft card fraud. Amongst the different card fraud techniques, counterfeit fraud has always been one of the most prevalent and costly types because international organised crime groups use it on a large scale, generating funds for other serious crimes. Counterfeit cards are those that have been fraudulently printed, embossed or encoded, or cards that have been validly issued then altered or recoded. The most common form of counterfeiting is called skimming, which involves copying the magnetic stripe on a credit or debit card by swiping it through a small card reader. The information gained is then used to make counterfeit cards.

The increasing ability of criminals to successfully commit card fraud, especially counterfeit and mail non-receipt fraud, clearly demonstrated that magnetic stripe cards simply were not secure enough for regular use in the modern transaction environment. The rising levels of card fraud prompted the introduction of smart cards so that banking could become more secure. In addition, the smart card provides the scope for multiple additional applications beyond simple debit and credit functionality, such as loyalty points, and the ability to generate entirely new revenues and product differentiation. EMV (Europay, MasterCard, Visa) is the global standard that ensures smart cards, terminals and transaction processing systems can interoperate.

The major advantage of smart cards is the increased security they provide. The chip technology uses sophisticated processing techniques to authenticate cards and make counterfeiting extremely difficult and expensive. Combining this with a PIN is a proven system for combating fraud as it provides the two-factor authentication of ‘something you have’ (the smart card) and ‘something you know’ (the PIN). This makes fraudulent transactions in an ordinary retail environment practically impossible.

In Europe the deadline for becoming EMV compliant was 1st January 2005. Now that this liability deadline has passed, any retailer that is not EMV compliant will be liable for all fraud committed on an EMV card in their stores. Conversely, the banks will be liable for fraud committed in an EMV compliant store with a non-EMV card. In the Middle East the EMV compliance deadline is 1st January 2006 and there is now a clear and present need to implement the required technology infrastructure to become compliant in advance of this date.

Regional requirements
While the traditional method of card issuance is from a central, well-secured bureau and then via post to the recipients, many banks in the Middle East need the ability to issue smart cards from their branches. This is an important difference between banking processes in the Middle East and Europe. For banks and other financial institutions, branch issuance presents three powerful customer relationship management (CRM) opportunities. Firstly, the ability to combat mail non-receipt fraud, where cards are fraudulently intercepted en route to the account holder, and at the same time allow the account holder to select their own memorable PIN. Secondly, to quickly and efficiently replace lost or stolen cards within the branch, maximising account transaction opportunities. Thirdly, to provide added value application services in-branch, such as the loading of loyalty services.

In-branch issuance enables banks to maintain total control over customer records, as the records never have to leave the bank’s data preparation facility in an unencrypted form. The card blanks are electronically secured and cannot be enabled fraudulently. Further, they do not need to be stored in the branch for collection, as the process of cryptographically downloading information and completing the card body takes only a few moments. The issuing bank also saves costs in generating secure PIN mailers and the processes that support them.

The increased complexity of smart card issuance compared to magnetic stripe has potentially made the in-branch smart card issuance process far more difficult for banks to implement. In many parts of the world, such as the Middle East, in-branch card issuance for magnetic stripe cards is the norm. It is a practice that should be maintained due to the obvious benefits of the approach, and systems have therefore been developed that are scalable, easy to implement and enable banks to issue smart cards from their branches with minimal impact on existing systems.

New Threats
As banks have the ability to provide EMV cards in the manner of their choosing, they are beginning to make greater use of the potential of smart cards. Today’s highly connected world now provides a vast array of opportunities for banks to interact with customers, for example Internet and phone banking. However, these new channels, allied with the boom in credit card use, have prompted a migration by organised card crime - seeking ways to attack and benefit from these new and immature transaction methods.

The last couple of years have witnessed significantly increased losses associated with these attacks, so much so that counterfeit fraud has now been overtaken as the most costly type of card fraud by a newer method: Cardholder-Not-Present (CNP) fraud. In 2004, CNP fraud was responsible for losses of over £150m in the UK alone, more than any other type of card fraud.

CNP transactions are performed remotely, when neither the card nor the cardholder is present at the point-of-sale. CNP transactions take many forms such as orders made over the phone or Internet, by mail order or fax. In such transactions, retailers are unable to physically check the card or the identity of the cardholder, which makes the user anonymous and able to disguise their true identity. Fraudulently obtained card details are generally used with fabricated personal details to make fraudulent CNP purchases. The card details are normally copied without the cardholder’s knowledge, taken from discarded receipts or obtained by skimming. This means that while the three or four digit Card Security Code on the back of cards can help prevent fraud where card details have been obtained, it does not prevent fraud in cases where the card itself has been stolen.

One should not be surprised to find that the advent of EMV smart cards is another major reason for the increase in CNP fraud. With cardholder-present fraud made so difficult by the introduction of smart cards, it is predicted that CNP fraud will increase to even higher levels as organised crime groups pursue this avenue more actively. E-commerce and Internet banking activities continue to rise and more and more transactions are now performed without the physical presence of the user or card, prompting criminals to attack these systems using advanced Internet fraud techniques.

Two-factor authentication is key
Banks need to ensure that they are fully prepared for this scenario, but few are yet. At the moment the maximum level of security available to consumers for e-transactions is user ID and password authentication. However, this method has been recognised as inadequate for securing financial transactions and is another of the drivers behind the move toward EMV.

The reason that the EMV smart card is not already used within consumer e-transactions is the difficulty of including the card within the transaction process. The solution for this, an unconnected reader, is not new. However, the barrier has always been around cost. In other words, is it more cost effective for the bank to accept current levels of fraud rather than the expense of rolling out millions of unconnected readers to consumers? The continuing rise of CNP fraud is now tilting the argument in favour of the rollout option.

In terms of the technology behind the unconnected smart card readers, it is the introduction of a common standard that is the most important innovation. APACS, in association with MasterCard, recently released specification standards for unconnected smart card readers which have allowed leading manufacturers to offer products for mass consumption at a commercially viable cost.

The reader provides the user interface to the card and displays a one-time passcode once it has read the smart card and the user has entered his/her PIN. The user then manually types this passcode into the computer at the appropriate prompt. Only the issuing bank can authenticate this one-time passcode. To avoid repeat attacks, the one-time passcode can also be linked to the individual transaction by a more secure, yet still simple, challenge–response process. In that case, should the passcode be intercepted, it is of no use whatsoever beyond that single transaction. However, it is not just internet-based transactions that will benefit. Theoretically, any transaction where the card has to be used, and the cardholder is not present, could use this system. For example, if purchasing a good or service over the phone, the user could simply read the one time passcode to the person at the other end who could validate it in the usual way through the payment system. As such, the smart card is transformed into a personal security module to validate every financial transaction the user wishes to make.
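The challenge–response passcode flow described above, modelled in Python as an added example (this is not Thales product code and not the APACS/MasterCard specification): the card MACs its transaction counter together with a challenge derived from the transaction, and only the issuer, which holds the card key, can validate the result, so a replayed passcode or one generated for a different transaction is rejected. The key, card identifier, transaction values and the MAC construction are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 8  # length of the passcode the user reads off the reader


def derive_passcode(card_key: bytes, atc: int, challenge: bytes) -> str:
    """Card/reader side (simplified model): MAC the card's transaction
    counter (ATC) and the challenge, then truncate to a short decimal code."""
    msg = struct.pack(">I", atc) + challenge
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation, HOTP style
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def transaction_challenge(amount_minor: int, merchant: str) -> bytes:
    """Bind a passcode to one transaction: the challenge is derived from the
    transaction details, so the same code cannot serve a different purchase."""
    return hashlib.sha256(f"{amount_minor}|{merchant}".encode()).digest()[:8]


class Card:
    """The chip inside the unconnected reader: it holds a per-card key and a
    counter that advances on every use, so every passcode is different."""
    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def passcode(self, pin_ok: bool, challenge: bytes) -> str:
        if not pin_ok:                               # reader refuses without the PIN
            raise PermissionError("PIN verification failed")
        self.atc += 1
        return derive_passcode(self.key, self.atc, challenge)


class Issuer:
    """Only the issuer holds the card keys, so only it can validate a code."""
    def __init__(self, cards: dict, atc_window: int = 10):
        self.keys = dict(cards)                      # card id -> key (constructed)
        self.last_atc = {cid: 0 for cid in cards}
        self.window = atc_window

    def verify(self, cid: str, passcode: str, challenge: bytes) -> bool:
        key = self.keys.get(cid)
        if key is None:
            return False
        last = self.last_atc[cid]
        # accept only counters beyond the last one seen, within a small window
        for atc in range(last + 1, last + 1 + self.window):
            if hmac.compare_digest(derive_passcode(key, atc, challenge), passcode):
                self.last_atc[cid] = atc             # counter moves on: replay fails
                return True
        return False
```

Running the issuer check twice with the same passcode, or against a different transaction's challenge, returns False, which is the property that makes an intercepted passcode useless beyond the single transaction.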

Challenges of securing multiple channels
Whatever the transaction method employed, each and every transaction has to be successfully authenticated. As the previously simple process of authenticating a magnetic stripe card transaction gives way to the complexities of multiple application smart cards including EMV payment, EMV authentication, loyalty and identity applications, the typical bank’s transaction system has ballooned to cope with multiple types of card platform. At the same time, the front end has to deal with multiple channels of transaction from the traditional EPoS and ATM, to everything from telephone banking to Internet transactions and mobile payments.

At the moment card issuers would require a separate platform for each transaction channel. This isolation of back office systems into individual silos generally prevents the card issuer using a single authentication method for all transaction channels. In turn, this makes the implementation cumbersome and hard to maintain. It is for this reason that card issuers are beginning to investigate the need for a single, flexible authentication platform.

The natural place for such an innovative authentication backbone is between the access points and the back office: the middle office. Deploying a middle office platform would mean that the costly process of changing or replacing any of the front or back office systems need not happen. Instead, all transactions, whatever their source, could be authenticated on a single platform that is seamlessly integrated with the card issuer’s application environment, including 3-D Secure as well as other back office systems, using a Java or XML interface.

The advantages of this approach are twofold. Firstly the card issuer would be able to manage all its transaction channels from a single platform, dramatically improving ease of management. Combined with this is the ability to embrace new transaction technologies and channels without needing to implement a new platform and most importantly without compromising robust security. Secondly, a single centralised platform will have significantly lower total costs of ownership than employing multiple platforms.

But the benefits of taking a strategic approach are not limited to dealing with multiple channels. It is also possible to use a single middle office authentication server to process transactions from multiple trust schemes. Regardless of whether it is an existing authentication token, EMV smart card or PKI scheme, it is possible for a single middle office system to perform the appropriate authentication and message validation.

The real power of a single middle office authentication platform is truly realised when combined with a centralised identity management system. Together, a bank will be able to provide the appropriate level of identity authentication on a flexible platform. By doing so, banks are able to reduce the costs associated with allocating the appropriate level of authentication, as calculated by the risk assessment, required for each cardholder. As the single platform is able to authenticate all trust schemes, the bank is able to apply whatever level of authentication it deems satisfactory in accordance with its risk management policies. More importantly, it can change this as often as required with no cost implications for the authentication systems.

As well as the cost benefits, a single platform will also provide a range of other efficiency improvements. For example, it will become far easier for banks to maintain a secure audit trail of transactions. In addition, it could help in other new services that many banks are experimenting with at the moment. One such example is account aggregation, which allows individuals to manage all their various accounts through a single interface. This obviously involves the handling of multiple identities but this task would be simplified if done through a centralised identity management and authentication platform. A single, middle office authentication platform is therefore a growing priority for card issuers not only in terms of instant cost and management benefits, but also for providing authentication agility for the future.

The future for two-factor authentication
Technology will continue to develop rapidly and open up further channels of communication and transaction. This growth provides the possibility for increased revenue growth but also the attraction for criminals to exploit any potential security weaknesses. Banks and other organisations must ensure that they are fully prepared for this possibility. The use of smart cards and two-factor authentication to combat the rise of CNP fraud is proving to be the most effective and efficient technique available. But this is only one of many potential applications of smart cards and two-factor authentication. As users become more at ease with using smart cards in their everyday life and realise the high level of security they can bring, smart cards can be expected to eventually fulfil their potential as scalable personal information and security modules capable of performing multiple functions in an integrated secure environment.

© Thales 2007