When explaining my profession to people I meet, they often tell me about the time their card was "frauded." I always enjoy this conversation, as it provides insight into the human victim element of a fraud event. The breadth of emotions typically ranges from, "How did this happen and how do we track down the bad guys" to "I don't care...it's the bank's money anyway."
Everyone has been the victim of credit card fraud, or knows someone who has been. When you review the statistics, this anecdotal observation is not surprising. Take Australia as an example - in the twelve months ending June 2016, over two million fraudulent online credit card transactions were made, with a total fraud loss of $402 million AUD. This is an increase of 24 percent versus 2015, and it will become a billion-dollar problem within 5 years if no action is taken. In relative terms, the current per annum losses translate to $17 worth of online card fraud for every Australian.
If we examine the problem from a global perspective, the card-not-present (CNP) fraud losses quickly add up:
- United States: $3.8 billion*
- United Kingdom: $487 million
- Canada: $400 million
- Australia: $290 million
- TOTAL: ~ $5 billion USD
CNP Fraud is Growing Fast
There are three key takeaways from these details:
- Credit card numbers are everywhere. If you use your card for online shopping, then it is inevitable that at least one merchant will be storing card details with weak or no encryption. Large scale data compromises mean that stolen credit card numbers can be bought in the cyber underground for as little as $1 per card.
- Weak authentication. The key elements authenticated during a CNP transaction are credit card number, expiry date and security code (CVV/CVC). In the small percentage of cases where the merchant is enrolled in 3D Secure, the additional authentication is often based on static data (e.g. a password). This data is easily compromised by phishing, social media, malware (on the consumer's device) or a third party data breach.
- Lack of data and focus. Credit card issuers typically have limited data to make an accurate fraud risk decision for a CNP transaction. The key data fields are merchant, country, date/time, amount and merchant category code, but issuers are missing important information around how the transaction was initiated (e.g. device, IP). Additionally, card scheme (e.g. Visa, MasterCard) rules determine that the merchant normally carries loss liability for a CNP fraud event. The reality is that banks place greatest focus on losses that sting them directly on the balance sheet.
How do we solve this problem?
Like most risk management scenarios, there is no silver bullet and a multi-layered control approach is required.
Step 1 - Devaluing card data, i.e. tokenization
Tokenization is simply replacing stored credit card numbers with a unique value (token) that cannot be used elsewhere - therefore rendering the data worthless. The momentum for card tokenization is starting to build and has great potential as a partial solution. The key challenges are primarily around large scale adoption, as well as the bespoke nature of interpretation and implementation. These challenges are consistent with previous PCI programs to protect credit card data.
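To make the tokenization idea concrete, here is an added illustration (not code from the original post or from any RSA product) of a token vault: the merchant keeps only a random token and the last four digits, and only an authorised caller can turn the token back into a card number. Names such as `TokenVault` and the caller label `payment-gateway` are assumptions, and the test card numbers are constructed.

```python
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; rejects obvious typos before a PAN enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """The only component that can map a token back to a PAN (hypothetical design).

    Tokens are random values, not hashes of the PAN: the card number space is
    small enough that a deterministic hash could be brute-forced, so a random
    lookup table is used instead.
    """
    def __init__(self, authorised_callers: set[str]):
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}
        self._authorised = authorised_callers

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
            raise ValueError("not a plausible PAN")
        if digits not in self._token_by_pan:
            # "tok_" prefix plus 128 random bits: carries no information about the card
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        # Same card -> same token, so the merchant can still recognise a repeat customer
        return self._token_by_pan[digits]

    def detokenize(self, token: str, caller: str) -> str:
        """Only the component that talks to the acquirer may recover the PAN."""
        if caller not in self._authorised:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]

def store_card_for_merchant(vault: TokenVault, pan: str) -> dict:
    """What the merchant database keeps: a token and a display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan.replace(" ", "")[-4:]}
```

A stolen copy of the merchant table yields only `tok_...` values and last-four hints, which are worthless without access to the vault.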
Step 2 - Stronger authentication during a CNP transaction
The first attempt to improve authentication (with somewhat mixed results) was 3D Secure 1.x. This is more commonly known by names such as 'Verified by Visa' and 'MasterCard SecureCode'. The protocol itself is actually very powerful and effective in reducing online fraud. When implemented via a risk based, dynamic authentication approach, it becomes even more successful. The challenges have been centered around poor implementation and the flow-on effect of low merchant adoption.
One of the innovations on the horizon to improve authentication, data sharing and customer experience is 3D Secure 2.0. Since 2013, there has been much talk of 3D Secure 2.0, but this is the year when it will become reality.
The 2.0 specification was published by EMVCo in October 2016 and card scheme mandates will be rolled out in 2017. The new protocol has many goals, but the main objective is to decrease CNP fraud, whilst delivering a seamless and mobile enabled shopping experience.
Step 3 - Collaboration between merchants and card issuers
Improving collaboration between merchants and card issuers (banks) has enormous potential to reduce online fraud. Both parties have access to discrete data, which if shared, would help the other party make a far more accurate fraud risk decision.
A hypothetical example - I'm shopping on my iPhone, buying a $499 fishing rod on Amazon and paying using my ABC Bank credit card.
- Amazon knows my email address, the exact rod being purchased, and that I'm making the purchase using my iPhone from an IP address in Melbourne.
- ABC Bank only knows I am buying something online from Amazon for $499. However, they do have additional context in that I have spent the last 40 minutes making other low risk online purchases with the same card.
If additional data were shared between the two parties, then a far more accurate risk decision could be made. This would result in a better customer experience and a more secure transaction. Again, 3D Secure 2.0 will provide a partial solution, by sharing additional data fields during a CNP transaction.
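The fishing-rod scenario above, worked through as an added example (not code from the original post) of an issuer risk decision with and without the merchant's context. The signal names, thresholds and scores are constructed for illustration and are not 3D Secure 2.0 message fields.

```python
from dataclasses import dataclass

@dataclass
class MerchantSignals:                 # what the merchant (Amazon) sees
    email_age_days: int                # how long the account email has been on file
    device_seen_before: bool           # same device used on earlier orders
    ip_city: str                       # geolocation of the shopper's IP address

@dataclass
class IssuerSignals:                   # what the issuer (ABC Bank) sees
    amount: float
    merchant: str
    avg_ticket_90d: float              # cardholder's typical online purchase size
    low_risk_purchases_last_hour: int  # the "last 40 minutes" context from the post
    cardholder_city: str               # from the card account record

def issuer_only_decision(iss: IssuerSignals) -> str:
    """Decision from the fields an issuer normally receives for a CNP transaction."""
    # A ticket far above the cardholder's norm, with no idea how the order was
    # placed: the issuer can only fall back to a step-up challenge.
    if iss.amount > 5 * iss.avg_ticket_90d:
        return "challenge"
    return "approve"

def collaborative_decision(iss: IssuerSignals, mer: MerchantSignals) -> str:
    """Decision when the merchant shares device, IP and account context."""
    score = 0
    if iss.amount > 5 * iss.avg_ticket_90d:
        score += 2                      # unusual amount for this cardholder
    if mer.ip_city != iss.cardholder_city:
        score += 2                      # shopper is not where the cardholder lives
    if not mer.device_seen_before:
        score += 2                      # new device for this merchant account
    if mer.email_age_days < 7:
        score += 1                      # freshly created merchant account
    if iss.low_risk_purchases_last_hour >= 2:
        score -= 1                      # consistent with a genuine shopping session
    if score >= 4:
        return "decline"
    if score >= 2:
        return "challenge"
    return "approve"
```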
Tips for Safe Online Transactions
Aside from not using your credit card online, it is actually difficult to protect your own card, as the data compromise normally happens at a third party location (e.g. merchant).
However, if you're after a checklist, here are a few simple ideas:
- Use a secure device to do online shopping (e.g. iPhone, iPad)
- Have a dedicated online shopping 'burner' card, without direct debits attached. This saves the hassle of updating all your bills in the event your card is compromised.
- Shop at reputable merchants, with basic security in place (e.g. https)
- Don't click on dodgy emails or URLs, and don't open suspicious attachments
A credit card is a great way to shop online. It provides consumer protection via card scheme dispute rules and ultimately it is the bank's money if something does go wrong.
The opportunity is for the ecosystem of banks, merchants, card schemes and 3D Secure ACS providers (such as RSA) to work together to improve the security of online shopping and reduce this $5 billion fraud problem.
*Estimate based on Australian loss rate of $12 USD per capita ($17 AUD @ 0.72 FX rate). Validated by Canadian loss rate of $11.40 USD fraud loss per capita.
Author: Tim Dalgleish
Category: RSA Fundamentals, Blog Post, Securing the Digital World
Keywords: 3-D Secure, Consumer Security, Credit Card Fraud, Cybercrime and Fraud, Fraud