homesite mapcontact search
Newsroom   
Careers   
Solutions     
Products & Services    
Support    
Whitepapers     
Case Studies    
Alliances     
Sales     
Offices     

Articles

Combating Cardholder Not Present fraud

By Paul Meadowcroft, head of transaction security of the e-Security activities of the Thales Group

The recent development and progress of EMV migration is one that has been well documented. 2004 saw many European banks make the necessary preparations in readiness for the roll out of chip and PIN in 2005, as business continued its attempt to combat the numerous threats of card fraud. There has been good reason for the introduction of EMV as levels of card fraud have risen dramatically in the past few years, primarily caused by the explosion in the number and usage of payment cards and the associated high level of organised card crime activity. This is highlighted by the enormous increase in fraud losses on UK-issued plastic cards from £96.8m to £402.4m a year over the past decade. And these figures do not take into account any 'soft' costs related to card fraud, such as tarnish to reputation and potential legal costs.

New year and new threats

The most commonly known and widely committed type of card fraud has always been counterfeit card fraud. However, more recent years have seen the creation of numerous new transaction channels, for example internet and phone banking. These new channels, allied with the boom in credit card use, has prompted a migration by organised card crime - seeking ways to attack and benefit from these new and immature transaction methods. And it seems that, so far, this move has proved a success.

The last couple of years has witnessed significantly increased losses associated with these attacks, so much so that counterfeit fraud has now been overtaken as the most costly type of card fraud by a newer method; that of Cardholder-Not-Present (CNP) fraud. In the UK last year, CNP fraud was responsible for losses of £116.4m - more than any other type of card fraud.

CNP transactions are performed remotely, when neither the card nor the cardholder is present at the point-of-sale. CNP transactions take many forms such as orders made over the phone or internet, by mail order or fax. In such transactions, retailers are unable to physically check the card or the identity of the cardholder, which makes the user anonymous and able to disguise their true identity. Fraudulently obtained card details are generally used with fabricated personal details to make fraudulent CNP purchases. The card details are normally copied without the cardholder's knowledge, taken from discarded receipts or obtained by skimming. This means that while the three or four digit Card Security Code on the back of cards can help prevent fraud where card details have been obtained, it does not prevent fraud on cases where the card itself has been stolen.

One should not be surprised to find that the advent of EMV smart cards is another major reason for the increase in CNP fraud. The major advantage of smart cards is the increased security they provide. The chip technology uses sophisticated processing techniques to identify authentic cards and make counterfeiting extremely difficult and expensive. Combining this with a PIN is a proven system for combating fraud as it provides the two-factor authentication of 'something you have' (the smart card) and 'something you know' (the PIN). This makes the probability of fraudulent transactions taking place in an ordinary retail environment extremely low.

By making cardholder present fraud so difficult through the introduction of smart cards, it is predicted that CNP fraud will increase to even higher levels. e-Commerce and internet banking activity continues to rise and more and more transactions are now performed without the physical presence of the user or card, such as advanced internet fraud techniques like phishing.

Phishing involves sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The email directs the user to a web site where they are asked to update personal information such as bank details or passwords that the legitimate organisation already has. This is a sizeable business problem that is set to grow further. For example, in May 2004, Gartner reported that 57 million US adults thought they had received a phishing e-mail within the past year. While there have been no major stings so far, it is only a matter of time before phishing becomes costly both in terms of brand image and from money lost through fraud, unless the problem is dealt with quickly.

Two factor authentication is key

Today's highly connected world now provides a vast array of opportunities for banks to interact with customers. It has meant that whether as a consumer or a business, the number of transaction channels is now extremely varied and continuing to grow, yet it is not a scenario that all banks are fully prepared for.

At the moment the maximum level of security available to consumers for e-transactions is user ID and password authentication. However, this method has been recognised as inadequate for securing financial transactions and this is one of the drivers behind the move toward EMV, which has been accepted as the most effective method for reducing card fraud, including CNP fraud.

The reason that the EMV smart card is not already used within consumer e-transactions is the difficulty in including the card within the transaction process. The solution for this, an unconnected reader, is not new. However, the barrier has always been around cost. In other words, is it more cost effective for the bank to accept low levels of fraud rather than the expense of rolling out millions of unconnected readers to consumers? The continuing rise of CNP fraud is beginning to tilt the argument in favour of the rollout option.

In terms of the technology behind the unconnected smart card readers, it is the introduction of a common standard that is the most important innovation. APACS, in association with MasterCard, released specification standards for unconnected smart card readers which have allowed leading manufacturers to offer products for mass consumption at a commercially viable cost. With costs currently estimated at around £7.50 per reader most banks, as well as organisations such as the Association for Payment Clearing Services (APACS), could opt for this method.

The reader provides the user interface to the card and displays a one-time passcode once it has read the smart card and the user has entered his/her PIN. The user then manually types this passcode into the computer at the appropriate prompt. Only the issuing bank can authenticate this one-time passcode. To avoid repeat attacks, the one-time passcode can also be linked to the individual transaction by a more secure, yet still simple, challenge-response process. In that case, should the passcode be intercepted, it is of no use whatsoever beyond that single transaction.

Assuming that consumers will not resist the introduction of unconnected readers, this new system will have an extremely positive effect on fraud and in turn help boost consumer confidence in e-Commerce. However, it is not just internet-based transactions that will benefit. Theoretically, any transaction where the card has to be used, and the cardholder is not present, could use this scheme. For example, if purchasing a good or service over the phone, the user could simply read the one time passcode to the person at the other end who could validate it in the usual way through the payment system. As such the smart card is transformed into a personal security module to validate every financial transaction the user wishes to make.

The security benefits are clear to see. The inclusion of a smart card in every financial transaction will add a crucial second layer of authentication. This two-factor authentication process of something you have as well as something you know should dramatically reduce fraud.

Challenges of securing multiple channels

As the previously simple process of authenticating a magnetic stripe card transaction gives way to the complexities of the multiple application smart cards including EMV payment, EMV authentication, loyalty and identity applications, the typical bank's transaction system has ballooned to cope with multiple types of card platform. At the same time, the front end has to deal with multiple channels of transaction from the traditional ePoS and ATM, to everything from telephone banking to Internet transactions and mobile payments.

At the moment card issuers would require a separate platform for each transaction channel. This isolation of back office systems into individual silos generally prevents the card issuer using a single authentication method for all transaction channels. In turn, this makes the implementation cumbersome and hard to maintain. It is for this reason that card issuers are beginning to investigate the need for a single, flexible authentication platform.

The natural place for such an innovative authentication backbone is between the access points and the back-office - the middle office. Deploying a middle office platform would mean that the costly process of changing or replacing any of the front or back office systems need not happen. Instead, all transactions, whatever their source, could be authenticated on a single platform that is seamlessly integrated with the card issuer's application environment, including 3-D Secure as well as other back office systems using a Java or XML interface.

The advantages of this approach are twofold. Firstly the card issuer would be able to manage all its transaction channels from a single platform, dramatically improving ease of management. Combined with this is the ability to embrace new transaction technologies and channels without needing to implement a new platform and most importantly without compromising robust security. Secondly, a single centralised platform will have significantly lower total costs of ownership than employing multiple platforms.

The future for two-factor authentication

Technology will continue to rapidly develop and open up further channels of communication and transaction. With this growth comes the attraction for criminals to expose any security weaknesses and banks and other organisations must ensure that they are as fully prepared for this possibility. Smart cards and the use of two-factor authentication to combat the rise of CNP fraud are proving to be the most effective and efficient technique available. But this is only one of many potential applications of smart cards and two-factor authentication. As users become more at ease with using smart cards in their everyday life and realise the high level of security they can bring, smart cards can be expected to eventually fulfil their potential as scalable personal information and security modules capable of performing multiple functions in a fully secure environment.
Articles
           © Thales 2007         Legal Notice