Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Chip and PIN

The hospitality industry increases it’s adoption of Tokenization and P2Pe

The 2014 and 16th edition of the Hospitality Technology magazine Restaurant Technology Study has produced an 18 page report. 

Of specific interest to me was Chapter 5 Payment Security – “End of Swipe-and-Sign Looms”, the chapter states:-

The U.S. payment industry is in a period of transition. October 2015 will mark the end of swipe-and-sign. While card brands are committed to swapping mag-strip for EMV chip-based cards, the standard for authentication remains under debate: signature capture or PIN. While PIN authentication is considered the more secure option, there’s concern that Americans, who tend to have a variety of credit cards, would struggle to manage multiple PINs.

As the restaurant industry, and U.S. merchants at large, take a wait-and-see approach, HT (Hospitality Technology) measures the industry’s current and planned payment security practices in its 2014 Restaurant Technology Study.

The food service industry, with its fragmented technology, has historically been a target for card data theft. The sunset for swipe cards will be a welcome improvement. EMV preparedness is on restaurants’ radar, with 70% of those surveyed agreeing that it is important to have a well-defined roadmap for EMV preparedness.

When asked about their organization’s current approach to preparing for EMV

  • 26% report having some form of road-map in place; likely due to the lack of a standard
  • 37% will make this a priority in the year ahead.

What’s more, confusion with the current PCI DSS remains:-

  • 86% reporting that their organizations are “in compliance” but far fewer are able to identify compliance with some of the 12 specific requirements
  • 72% report that their organization maintains a policy that addresses information security for employees and contractors (item 12 of the PCI DSS).

With payment security an on going process and a moving target, restaurants are leveraging third parties for assistance. More than half of those surveyed outsource their PCI compliance efforts (54%), and nearly as many (52%) have purchased some form of breach protection or insurance.

Respondents were further asked about their organizations’ use of tokenization and point-to-point encryption (P2PE). Though not a requirement of PCI DSS, these technologies can reduce scope by shrinking the footprint where cardholder data is located throughout the organization.

  • 43% use P2PE and 33% plan to add the technology by 2016
  • 36% use Tokenization and an additional 30% have future implementation plans

The full report can be found here..    

Most Americans feel EMV chip cards make their debit or credit card transactions more secure

NXP Semiconductors has announced the results of its ‘Security Matters: Americans on EMV Chip Cards’ survey.

To gain further understanding of how confident Americans are in the security of EMV chip card technology and debit/credit card purchases in general, NXP polled more than 1,000 American adults on credit card usage, behavioural trends and consumer sentiment toward the electronic and cashless movement.

Attitudes towards Breaches and Retail Hacks
Overall sentiment reveals that while consumer confidence in credit card technologies remains high, Americans continue to demand better solutions that protect identity, personal information and financial data. With recent reports of compromises in security at Target, Neiman Marcus, PF Chang’s and other retailers, Americans are more likely to pay in cash following a security breach at large retailers, with 37% of the millennial age group (18 to 34 years of age) being the most likely to convert to cash. For example, 80% of Americans are confident in their financial institution and the security of their financial accounts, as well as the security and protection of their credit/debit cards (73%).

However, once a security breach at a major store occurs, consumers automatically turn to less convenient forms of payment (64%) – such as cash – to complete a purchase.

Credit Card Protection Technology
Respondents were asked a number of questions pertaining to security, confidence in financial institutions and credit cards, purchasing habits, geographic location, gender and general understanding of current magnetic strip and EMV technology. When asked specifically about the underlying technologies of a credit or debit card, Americans responded favourably, with 69% stating that EMV chip cards are making their debit and credit card transactions more secure, with only 5% feeling chip cards make their transactions less secure. When asked about the tap and pay feature available on some EMV chip cards, the most common concern expressed was an increased risk of theft (61%), followed by 37% expressing concerns about being charged incorrectly for purchases.

Security and Personal Information

  • 69% of Americans feel EMV chip cards make their debit or credit card transactions more secure
  • 28% believe they are much more secure
  • 31% of men believe they are much more secure compared to 24% of women

Security of finances

  • 73% of Americans are confident in the security of their credit/debit cards or their financial accounts (80%) with their primary financial institution
  • 33% are very confident in the security of their accounts, compared to 26% feeling very confident in the security of their credit/debit cards
  • 64% of Americans say they are more likely to pay in cash after hearing about security breaches at large retailers
  • 36% say they are not more likely to pay in cash
  • 37% of 18 to 34 year olds say they are much more likely compared to 27% of 35 to 54 year olds and 23% of those 55+
  • 5% believe chip cards make their transactions less secure

From this survey, we see a high consumer awareness of EMV chip card security and readiness to adopt secure technologies that protect credit and debit card purchases,” said Brintha Koether, Director Payments at NXP Semiconductors. “We recognize the sensitivity and loss of trust consumers immediately feel after learning of a major security breach. We have seen how secure chip technology employed outside the U.S. drastically reduces fraud as well as builds consumer confidence in card transactions, financial institutions and retailers

For full NXP Retail Hacks survey click NXP Study.

EMV – The perspective of a QSA who has worked on both sides of the Atlantic

With the spate of cyber attackers on US retailers recently Coalfire’s European MD, Andrew Barratt considers how the attacks on retailers differ outside the US and what the potential impact of similar attacks is in a world where Chip and Pin technology is more widely deployed.

Working in both the US and Europe gives us a good perspective on the payment security landscape.  The US has a much higher rate of credit card usage than most European countries, loyalty schemes and reward incentives are much more mature and embedded in consumer culture.  In Europe card usage is increasing but the type of card varies by country.  In the UK credit card use is moving in a similar direction to the US and includes a high rate of debit card usage; cards are quickly replacing cash. The UK now has lots of innovative mobile tech trying to disrupt the card market as well.   Germany is very different, credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system.  However both of Europe’s large economies moved away from using the magnetic stripe years ago.

EMV or Chip and Pin as it is more commonly referred to in the UK has been in heavy use since 2006 which has helped lower the impact of brick and mortar retail breaches significantly.  It doesn’t rely on sending the full track information to the payment processor meaning that the data is easier to secure.

With retailers adopting more of the security controls detailed in the Payment card industry data security standard and with widespread adoption of Chip and Pin for authenticating customers huge losses from face to face retailers are less common.

Large US retailers are being targeted for smash and grab style payment card data breaches because the data is easier to use fraudulently.  If a cyber-attack steals a lot of magnetic stripe data, this can be used to clone cards, which can then be used in stores to make fraudulent purchases.

Where transactions are authenticated using EMV’s Chip and Pin verification method less data is transmitted to the processor.  If this data is stolen it is harder to be used fraudulently.  It’s not impossible but a lot harder.  EMV is not without its flaws and a number of attacks have been demonstrated by Professor Ross Anderson’s research team at Cambridge University.  These typically attack the card reader and try to grab the Pin as it is sent to the smart card on the Chip for verification.

For US retailers minimizing exfiltration possibilities should be a high priority, lock down and monitor the outbound connections.

The fraud bubble has been squeezed attackers focus on e-commerce operations in the UK, service providers and other businesses that handle lots of cardholder not present transactions.  As the cost of implementing attacks against the smart card declines Europe serves to be a good learning ground for the US.  If the US adopts a future EMV model adoption can be considered with lessons learned overseas for more consumer protection.

Article written by Andrew Barratt

Twitter:     @Andrew_barratt

LinkedIn:  http://www.linkedin.com/in/andrewbarratt

How the British have changed the way they spend their money over the last decade

The UK Payments Council has published its latest report, The Way We Pay, and brings together all the significant trends over the past decade. It shows how many cash payments are continuing to migrate to debit card, how the debit card has won the day for now, but also how it’s possible to see the end of the road for plastic as the mobile phone could take over our payments arsenal. 

Executive Summary

Getting Paid

  • The shift from cash is gathering pace as firms, the state, and pension funds increasingly eliminate cash and cheques from their payments to individuals
  • Now only 9% of adults do not have a current account, and only 4% have no sort of account at all. Use of branches has declined sharply but having an account is the key to accessing all the modern ways to pay

Spending it

  • Cash still makes up the largest proportion of our daily one-off transactions – three in five of our purchases – but they are very small in value
  • Just ten years ago, three quarters of our shop purchases used cash. Now just over half do
  • Debit cards are quickly taking over in the lower value transaction
  • Contactless payment is poised to become ever more popular, and will push even more transactions onto plastic
  • We use our credit cards for bigger purchases than debit cards, and we use them less than we used to
  • Cheques are very niche nowadays with usage halving every five years, but remain popular with some groups of people and some organisations. Effectively gone from the high street, we mainly use them for financial transactions
  • Supermarkets now account for over half of our retail spending, up from 46% in 2001 as they have added more and more products and opened stores rapidly
  • Entertainment spending is the big winner. The economy may be gloomy, but we are spending more having fun, and doing more of it on plastic
  • Spending abroad doubled in a decade

Regular Payments

  • Automatic payments (like Direct Debit) are now over three quarters of our regular commitments – up from half in 2001
  • Housing costs have escalated, whether you own or rent
  • Charities have shown great success in a decade of recruiting Direct Debit commitments
  • Flashing less cash, but plastic may quickly lose its place in the sun to more innovative forms of payment, like mobile payments
  • Number of cash machines doubles in decade, as people abandon the bank queue for the hole-in-the-wall
  • But cash is becoming less important to us, particularly by value
  • By value debit cards overtook cash in 2010, even before contactless took off
  • Debit card holding is now 90%, up from 84% in 2001
  • In 2001 debit card spending caught up with credit cards, but now far exceeds them
  • Credit cards matured in the 2000s, and card holding even declined

How businesses do it

  • 98% of businesses are small, with fewer than 20 employees, so the payment needs of firms vary enormously according to their size and complexity
  • Cheque usage is still popular with the smallest firms, but even so, cheque usage by business continues to fall sharply
  • The smallest firms bank more like consumers, and often even use personal accounts
  • Use of Direct Debit among businesses lags behind consumer use. Businesses prefer the flexibility on the timing of payments

The future

  • The use of contactless debit cards is set to increase. Many chains of stores already have point-of-sale devices to accept them, with more retailers planning to come on stream, this will continue to increase consumer awareness
  • The debit card may have had its day. New technology means payment chips are now being embedded in phones, with more innovation to come
  • New entrants may also appear. Smartphones are capable of scanning barcodes, a system which could easily be designed to take a payment from an account at a point-of-sale
  • Paying a friend or business on your mobile as easily as sending a text is set to become a mainstream option in spring 2014, when the Payments Council launches the new mobile payments service. The service will be the first to link up every bank account in the country with a mobile number
  • In future, the wallet may be obsolete altogether as more payments become electronic and our phones become the hub of our financial transactions

Summarised details from the report

Debit cards are currently making gains in sectors previously dominated by cash and are likely to take a greater share as contactless cards reach mass adoption.

  • 28% of our spontaneous transactions are made on a debit card (a rise of 59% over the last five years), with the average transaction size at £42 and falling
  • 56% debit card purchases are between £10 and £50
  • 91% of all our one-off cash transactions were under £25
  • the contactless payment limit of £20 would allow many cash payments to potentially migrate onto cards. Debit card holding is widespread across all ages and socio-economic groups.

The triumph of the debit card, but has it passed its peak?

The arrival of the debit card in the 1980s, which was billed as the consumers’ alternative to the cheque, also provided customers with an alternative to the credit card. 84% of adults had a debit card in 2001, but they were less widely accepted, and many people still preferred cheques and cash. Spending was still just higher on credit cards (£93 billion) than debit cards (£77 billion) at the turn of the century. The balance tipped in favour of debit cards in 2001. As businesses like pubs, dentists and hairdressers began to accept the cards, thanks partly to the introduction of chip and PIN and to the rapid roll out of hand held point-of-sale devices, usage and card holding took off and the dominance of the debit card was secured.

Credit cards, by contrast, are more commonly used by people drawing higher incomes or in higher social classes. This reflects the fact that they are more able to access credit and pass credit scoring criteria. They also have greater spending power and appetite to accumulate rewards such as Air Miles and cashback through their credit cards. Credit cards account for one in twelve of our spontaneous payments with an average value of £56 per transaction.

Cheques account for just 1% of spontaneous transactions, but have an average value of £375, as they are more likely to be used for high value payments such as financial transfers (see section on cheques for more detail). There is now a quite narrow demographic profile for cheque usage which reflects its diminishing status as a mass payment method. Cheques tend to be favoured by older people who are used to paying that way, the self-employed and families with children who have to pay for childcare and children’s activities.

Between 2005 and 2011 the total value of plastic card spending increased by £179 billion. 91% of this growth was attributable to debit cards. In 2011, debit card spending in the UK amounted to £334 billion from 7.3 billion transactions. This was approximately two and half times the amount spent on credit cards of £140 billion from 2.1 billion transactions. This represented an increase of 252% on the corresponding amount spent in the year 2001, making this rate of growth three times higher than that recorded for consumer spending over the decade to 2011. In the next decade debit card spending in the UK could close to double – as we forecast £664 billion from 14 billion transactions, with credit card spending projected to be £204 billion from 3.1 billion transactions.

Debit card holding is much more widely spread across the social spectrum than credit cards, with 90% ownership across the adult population in 2011. 98% of AB adults held a debit card compared to 57% of E adults in 2011. For credit cards the figure is 77% v 26% respectively. The wide issuance of debit cards has positive social consequences as it means lower income consumers are able to access the world of e-commerce.

Without the mass adoption of cards the e-commerce industry could never have developed, and self-service in shops and filling stations would be non-existent.

In 2001 online purchases took just 3.3p in every £1 spent on a card. By 2011, that had risen almost quadrupling to 12.8p in every £1, and the total continues to grow.

Contactless functionality means debit cards can continue to take a greater share of our spending, but in the longer term, the future of the piece of plastic could be impacted by the arrival of mobile payments. The huge success of the debit card has opened the door to new technologies that could even lead to its own demise, or at least heavily impact its use. In the next few years, if card technology gets incorporated into mobile payments, it could become possible to use the physical phone to make a debit card type payment instead of the physical card in a shop and if this happens the debit card as we know it today could become a thing of the past. reach maturity

The demise of the debit cards is still some way off, as despite having saturated the market, the use of debit cards will continue to grow for the time being. By contrast, the credit card market has already matured and usage has been subdued since 2009. Credit card issuance grew very strongly in the 1990s and 2000s as credit was more easily available.

Credit cards are a very useful tool in our payments arsenal, but they are not the payments of choice for a lot of our day-to-day purchases. They are most useful where a large expense needs to be spread over a longer period, or for the protection offered under section 75 of the Consumer Credit Act 1974, or indeed because a credit card is ring-fenced away from a current account.

Rapid growth in consumer borrowing and the increase in credit card usage in the early 2000s meant that 69.9 million credit cards were in issue by 2005, along with 4.7 million charge cards. Two thirds of adults held a credit card. During the recession a greater focus on the need to borrow and lend responsibly saw consumer attitudes to credit card use change. By 2011, there were 15.4 million fewer credit cards in our wallets, compared to 2005.

Spending on credit cards has increased by just 7.7%, which was well below the cumulative rate of inflation over the period. Last year we spent £140 billion and made 2.1 billion purchases in the UK. During the recession, repayments increased and in 2011 around 60% of cardholders paid off their balance in full each month, up from 54% in 2003.

In terms of business-to-business payments, the trends stay true. Last year, spending on credit cards fell and cardholding was also down by 2.7% compared to 2010, resulting in a total of 1.9 million cards. Interestingly it is larger businesses that are most likely to use credit or charge cards, whereas smaller businesses use debit cards.

The final piece of the cards puzzle is the continued expansion in the usage of prepaid cards. They are already ubiquitous in replacing gift vouchers, but more sophisticated versions are available for example for business-to person disbursements such as payments under reward, loyalty and incentive schemes. The insurance sector is also starting to issue prepaid cards to claimants, for use in a specific retail sector to cover a claim. Another area where these cards are starting to forge ahead is in the travel industry. They seem to have become a more attractive proposition compared with traveller’s cheques as they can be used directly in shops or to withdraw cash, as well as offering competitive rates for fees and charges when used abroad. However, though this market continues to expand, it is still at a slower rate than in 2009. Ultimately it is hard to imagine prepaid cards developing beyond a small niche.

How will we pay for it in the future?

Contactless payment technology began in the UK in 2007, but those living in and around London would have been familiar with the principle, having had the contactless Oyster card since 2003 for using public transport. The London Olympics used its venues as a testing ground for contactless cards. In 2011, all the major UK card schemes (American Express, MasterCard and Visa) began processing contactless payments. By December 2011, six major UK issuers were issuing cards with contactless functionality and the number of these cards reached 23 million, an increase of 75% from the end of 2010. Adoption is still slow however, as retailers and consumers are yet to embrace the changes in a big way. This will change, but first requires more retailers to roll-out more terminals, and for banks to issue more cards.

Ironically contactless technology may eventually contribute to us becoming less reliant on a physical piece of plastic, as it can be incorporated into a mobile phone or any other popular item, rendering it a payment tool. Only ten years ago paying for items on your mobile was unthinkable, but now one wonders why it’s not here in a bigger way already. The increasing demand for convenience and accessibility, along with the rising penetration of smartphones has driven the growth in mobile payment. The bold prediction made by PayPal that by 2016 people will no longer need to take a wallet with them shopping may be premature but nevertheless at some point we may be leaving the house just asking ourselves ‘keys, phone?’ KPMG expect mobile payments to be mainstream within the next 2-4 years, while Visa, which recently released its digital wallet V.me in November 2012, expects half of all payments to be made through mobile devices by 2020.

New entrants are muscling in to help us pay in shops. Google Wallet which launched in the US last year has already agreed deals with 25 national retailers to support the system through MasterCard’s PayPass programme. Google’s rival, Apple has yet to launch a competing system, but with such a huge, loyal customer base, well used to making many small transactions through iTunes all the time, it will surely not be far off. Microsoft has already announced that there will be a wallet feature on the Windows Mobile 8 operating system. Three of the big telecoms operators, Verizon, T-Mobile and AT&T are developing a service known as Iris.

For tradesmen on the move, new hardware is also on the market. Payment method Square, a mobile app and phone attachment which serves as its own cash register, has been created by one of the founders of Twitter and is in use in the US. This sort of kit will reduce the reliance among mobile tradesmen on cash and cheques. O2 UK also launched a new service that enables retailers to accept card payments on a smartphone or tablet by using a special keypad that connects via Bluetooth. A free app then manages the card transaction and sends a receipt.

For moving our money around, Barclays already offers a mobile payment service (Pingit). Anyone with a mobile phone can sign up with Barclays to receive payments though Pingit, but only Barclay’s customers can send payments. A similar service has also been launched by phone provider O2, with customers able to transfer up to £500 via text message. Similarly, PayPal has also recently launched an app in the UK that allows users to pay for items with their mobile phones across a number.

In addition to all these competitive offerings in the collaborative space, the Payments Council is developing the industry-wide, central service that will make it possible to send or receive a payment using just a mobile number, no matter who you bank with. The new service could be a handy way to split a bill for dinner or pay a tradesman without needing to know their account details. Payments made using the service will be protected by a passcode or similar security feature, and arrive almost instantly.

Internationally, consumers have been quicker to take it up mobile payments in Asia than in the West. In France McDonalds is currently testing mobile payments method arranged with PayPal. With over 30,000 restaurants worldwide, a McDonald’s deal would represent a larger business and cultural footprint for PayPal than perhaps any other mobile payment system in operation. In Africa payments technology is leapfrogging the developed world. Starting with few branch networks, fixed line telecoms and low card or bank account holding, banking is going straight to consumers’ mobiles. Since 2007, Kenya has been using a system called M-Pesa which allows mobile money transfer through a text message, with over 50% of the population already using this service. The Payments Council’s mobile payments database will make payment by mobile a possibility for the UK too, but it will be developed using existing payment systems, such as the Faster Payments Service or the Link network.

Worldwide the UK presents a key growth area in the uptake of mobile payment. Businesses should be planning now or risk falling behind consumer demand. From a consumer perspective in terms of making purchases using our phones, the amount of devices and potential new options, on offer at the moment can be confusing as people still grapple with all the commercial developments. Whilst the future may be unclear, it is exciting, and it will bring convenience and choice far greater than we have known until now. Ultimately only a handful of providers and products will create the winning proposition. Undeniably these new technologies will transform the way we manage our finances and the way we pay over the next decade.

Adrian Kamellard, chief executive of the Payments Council, says: “We scarcely notice the steady changes in the way we pay, yet someone in their thirties today will see more change in their lifetime than in the entire history of money. Even recent innovations such as payment via a mobile phone, which ten years ago some felt to be science fiction, will soon be commonplace. The 2000s were the decade of the debit card. The 2010s are likely to be the decade of the mobile phone. Just as we can’t imagine how we ever did without the internet, many people will soon wonder how we used to be so dependent on cash and cheque. Twenty years from now even cards may seem archaic.”

He adds: “The quiet revolution in payments has enabled the creation of whole new industries such as e-shopping, it has changed our behaviour, and it has reduced transaction costs, and increased the speed and efficiency with which we can all pay each other. The next ten years will see even faster change. It’s easy to imagine a future where we merely pat our pockets for our keys and phone. The wallet could become a historical curiosity.”

View the Payments Council Press Release here.

.

Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals

Europol’s Situation Report for Credit Card Fraud 2012 summaries fraudulent activity for credit cards across Europe is a very interesting read. It explains how the criminals act and with what types of techniques and why the Law Enforcement Agencies struggle to catch them.

A summary of the Europol report is below.

  • The criminal market of payment card fraud within the European Union (EU) is dominated by well-structured and globally active organised crime groups (OCGs). Criminal networks have managed to affect non-cash payments in the EU to the extent that protection measures are very expensive and need to be implemented on a global level. Consequently, the use of payment cards can be inconvenient and no longer fully secure for EU cardholders.
  • Payment card fraud is a low risk and highly profitable criminal activity which brings organised crime groups originating from the EU a yearly income of around €1.5 billion euros. These criminal assets can be invested in further developing criminal techniques or can be used to finance other criminal activities or start legal businesses.
  • The EU is increasingly exposed to the threat of illegal transactions undertaken overseas and should develop more efficient solutions to help law enforcement authorities (LEAs) combat the fraud. Europol, gathering intelligence on fraudulent overseas transactions affecting the EU, as requested by competent authorities of Member States (MS), is not entitled to cooperate with non-EU police forces or request specific measures to help combat and prevent fraud against the EU.
  • The majority of illegal face-to-face card transactions affecting the European Union take place overseas, mainly in the United States. The EU should take urgent measures to promote the EMV standard as a global solution against the counterfeiting of payment cards. As full EMV implementation will take time, a temporary solution could be applied, namely the implementation of GeoBlocking, blocking overseas transactions using EU-issued cards unless they have been activated in advance.
  • Common European legal solutions for the security of on-line retail payments (internet, mobile), as well as the mandatory reporting of financial data breaches, should be considered to prevent fraud affecting EU citizens. Prevention and combating card-not-present (CNP) fraud requires specific regulations on the customer’s identification (3D secure protocol) and security of the on-line payment environment. The role of the European Central Bank and Europol is crucial to present the problems and propose specific solutions.

Security of non-cash means of payment is a key factor in the economic stability of the European Union

According to statistics, the total number of payment cards issued in the EU in 2011 reached 726,906,710

The value of legitimate non-cash transactions with EU cards exceeded 3000 billion euros. From a security perspective, EU industry has taken an important step forward by fully implementing the EMV (chip-embedded cards) standard for card-present (CP) transactions, and is advanced with the protection of on-line transactions through the strong identification of customers (3D secure).

Banking institutions are profit-making businesses, so reducing the illegal income of criminals is not always a priority for them when introducing new banking products or services.

Acceptable levels of fraud and expected net profit for banks are more important than the real prevention of fraud that would lead to depriving criminals of the huge amounts of money they are stealing using EU payment cards. With the current global nature in which the banking sector and non-cash transactions operate, security measures in place on a regional (EU) level are not sufficient and have been exploited by criminal networks.

The illicit activities and fraudulent transactions of OCGs performed outside the EU have affected the security and convenience of non-cash payments in Europe and have consequently caused substantial losses to the EU economy.

This report is based mainly on data provided by law enforcement agencies from EU Member States and some cooperating non-EU States. The figures and latest trends were identified based on information from

  • The European Central Bank
  • European Payments Council
  • European ATM Security Team (EAST)
  • Card schemes
  • Fuel Industry Card Fraud Investigation Bureau (FICFIB)
  • “Some” card issuers (note: why not all?)

Since criminals affect both physical transactions with payment cards (shops, ATMs), and the internet environment, for the purpose of this report payment card fraud is divided into card-present (CP) fraud and card-not-present (CNP) fraud.

The implementation of EMV (Chip and PIN) technology in the European Union is seen as the key driver to reducing domestic payment card fraud. It should be stressed that cardholders’ confidential data is more secure on a chip-embedded payment card than on a magnetic strip card. Chip-embedded cards support dynamic authentication, requiring dynamic values for each transaction, and cannot be easily copied. The EMV card is considered to be well protected against skimming.

As the EU banking industry migrates to the EMV environment, losses caused by illegal domestic transactions in the EU have gradually decreased since 2008. However, at the same time, the level of illegal transactions overseas has seen a sharp increase. In 2011, almost all fraudulent face-to-face transactions with EU cards took place overseas. This phenomenon is determined by the level of technical protection of EU payment card terminals, ATM and Point-of-Sale (POS) terminals are fully EMV compliant. In response, criminal networks have targeted the weak points of the system and have undertaken criminal activities using non-EMV compliant terminals overseas. Due to this phenomenon, and the lack of specific agreements on reimbursement of losses caused by less protected terminals, the majority of the loss burden caused by this fraud is on the EU card issuers, which are specific banks in the EU.

Europol note “there has been no specific solution to this problem proposed by the card industry”

There are several countries operating as a substantial market for illegal transactions with counterfeit EU cards. The problem of illegal transactions in the US has been reported to Europol by all 27 EU Member States. There are also other locations where criminal groups with EU origins are cashing counterfeit cards.

The top six locations are:

  1. United States
  2. Dominican Republic
  3. Colombia
  4. Russian Federation
  5. Brazil
  6. Mexico

This trend has led to a situation in which, even after huge investments by the EU banking industry to install hardware and software to accept EMV cards, the problem has become even bigger, as it is extremely difficult to prevent and investigate crimes committed outside of EU borders.

The ultimate solution to this problem would be to implement the EMV standard on a global level, including making United States’ merchants compliant.

As a short term solution, in October 2010 Europol and the European Central Bank recommended that all SEPA (European-issued) cards should be EMV (chip-embedded) only. The first Member State to follow this recommendation is Belgium, where debit cards have chips embedded and the magnetic strip is no longer active. This solution, called GeoBlocking, in practical terms limits the possibility to misuse debit cards in regions without Chip and PIN verification. The implementation of GeoBlocking has been extremely positive from a security point of view with significant falls in skimming incidents and skimming-related losses (a decrease to almost zero in Belgium).

It should be stressed that there are some constraints to such solutions. The baseline for branded cards is that the cards are accepted globally. From this perspective the chip-only cards are not in line with this policy. The use of GeoBlocked cards is also less convenient for card holders as the card must be activated every time before travelling to non-EMV compliant countries. According to a research poll carried out by EAST, 60% of customers would be in favour of the GeoBlocking solution, including 28% of respondents who would be happy to contact their banks to activate the magnetic strip on their cards, and 12% who would like to hold a chip-only card.

This compromise is the price that card issuers and card holders pay as a result of the criminal activities of organised networks. It can be concluded that organised criminal groups have already managed to affect the EU payment card market to the extent that the use of cards is not cheap for card issuers and is less convenient for cardholders.

Investigations into card-present (CP) fraud
Industry reported an increasing number of incidents against ATMs in the EU were 20,244 in 2011 compared to 12,383 in 2010.

The statistics include all types of attacks against ATMs, including

  • skimming
  • using stolen cards
  • physical traps to obtain cash

According to reports provided by EU law enforcement authorities, organised crime groups adjust their profiles and criminal techniques relatively quickly and smoothly. Not only can they produce skimming devices to bypass the latest anti-skimming technology but they also explore new possibilities, including cash traps, prepaid cards or malware, as a source of cash and card data.

Most criminal structures operate internationally so cross-border cooperation is a key to final success. Taking into account that suspects use specific countermeasures, corrupt police officers and hire the best lawyers, investigative measures in such cases are very difficult. The criminals’ use of sophisticated technical equipment forces investigative teams to cooperate closely with forensic experts, who can decode information and analyse seized electronic storage devices. Unfortunately, in most of these cases, investigative measures focus on the criminal activities taking place in the European Union. Law enforcement agencies and judicial authorities, being limited by legal provisions, time frames and financial restrictions, can rarely investigate fraudulent transactions performed overseas.

In practical terms, investigative measures rarely lead to dismantling the whole criminal structure. Judicial authorities press charges mainly for the part of the criminal activities that are performed in the EU, which is usually considered as the preparatory stage and not always associated with any financial losses. Consequently, in the majority of such cases the sentences are relatively lenient and suspects can leave jail on bail. Even if some criminals from an OCG are arrested for a period of time they can be easily replaced by others so that the criminal group is still active.

In June 2011 a global operation, ’Night Clone’ was brought to a successful conclusion with almost 70 suspects arrested in the EU and overseas. The operation had a very big impact and for several months, illegal activities of many other OCGs ceased.

Card-not-present (CNP) fraud
Payment card data is the ideal illicit internet commodity as it is internationally transferable. Europol, in its report on Internet Facilitated Organised Crime concluded that organised crime groups clearly benefit from globalisation, using foreign payment card data to purchase goods and services on-line. Credit card information and bank account credentials are the most advertised goods on the underground economy’s servers.

According to Europol’s intelligence, in 2011 around 60% of payment card fraud losses, totalling 900 million euros, were caused by card-not-present (CNP) fraud.

Within the major card-not-present fraud investigations supported by Europol, the main sources of illegal data were data breaches, often facilitated by insiders and malicious software. In most of these cases the quantity of compromised card details is substantial, reaching hundreds of thousands or millions, enabling criminals to sell the bulk data on the internet.

So far most of the credit card numbers misused in the EU have come from data breaches in the US. However, since 2010, Europol have observed a growing number of financial data breaches against EU-based merchants and card processing centres. Most of the investigations into these breaches are based on information on illegal transactions carried out using compromised cards, as the reporting of such attacks by the affected companies is still a weak point.

A major problem in the EU is the lack of proper regulations for reporting data breaches to police authorities. Law enforcement agencies, even if aware of a breach, have difficulties finding information on, and links to, the point of compromise, stolen data and illegal transactions. The lack of legal provisions on reporting data breaches is not the only problem. One of the key factors making industry reluctant to report incidents to law enforcement authorities is the lack of trust in investigative possibilities as well as the need to maintain the reputations of the respective private entities. On the other hand, the lack of reporting leads to a small number of international investigations and a low level of prioritisation of such cases within LEAs. The problem ends up with the situation where, despite a dynamic increase in CNP fraud, it is not reflected in the statistics of cases reported and investigated by EU police forces. Consequently, since the problem is not reflected in police statistics, this phenomenon is not prioritised and it is difficult to initiate international cooperation in such cases.

From the security perspective, as with the security of face-to-face transactions, there is a lack of common global standards on the protection of card-not-present transactions. Major investments by EU industry have been made in the 3D secure protocol (MasterCard secure code; verified by VISA). However, despite this strong 3D secure verification, it is not a worldwide solution and, even on the EU level, not all on-line transactions are protected with it.

Investigations into CNP fraud and its initial stage data breach is typically very demanding. As identified by Verizon, such cases are usually quite large and complex, often involving numerous parties, inter-related incidents, multiple countries, and many affected assets. In addition to that, as stated earlier, the majority of such cases are not reported to LEAs, as industry mainly focuses on preventive measures rather than relying on the outcome of investigations. The results of internal inquiries are used to improve security measures and rarely focus on the identification of individuals responsible for the breaches.

As far as investigations into illegal on-line card transactions affecting the EU are concerned, they are mainly concerned with:

  • illegal ordering of high value goods on the internet
  • combating networks of mules set up to receive and transfer goods ordered on the internet
  • illegal transactions – purchases of services from travel companies/airlines
  • physical transactions with counterfeit credit cards – with data sourced from the internet
  • investigations into OCGs from the Baltic states and South East of Europe
  • the proper coordination of information – where possible, data breaches should be linked to illegal transactions
  • assets seizure – the network of mules shall be determined in order to localise the entry/exit points of goods

EU Member States reported many constraints and challenges faced during such investigations. The lack of legal provisions for reporting on-line incidents and data breaches, which are usually of an international nature, creates problems in individual cases under the responsibility of the respective MS, including the possibility to connect illegal transactions reported by other countries and decisions on the place of final prosecution. The global dimension and protection of financial and personal data is a major problem as far as the efficiency and time-frames of investigations are concerned. From a practical perspective, the involvement of Russian-speaking, well organised and hermetic structures cause huge problems with regards to infiltrating individuals and collecting evidence on their criminal activities. Since the majority of criminal activities are on-line, the best solution is to task specialised cybercrime teams with such cases.

As there is still little experience on such card-not-present fraud cases where data breaches and illegal transactions make EU companies and consumers the key targets the role of Europol is crucial, to analyse information and spread strategic and operational information, ultimately ensuring the efficiency of investigative measures.

Europol Summary of Credit Card Fraud in 2012
The financial crisis has had a big impact on the approach of private financial services companies and LEAs. Currently, all decisions are thoroughly scrutinised and assessed from an economic and ‘priority’ perspective.

Private industry focus on products and services which bring profit in the first instance. Such companies can accept a certain level of fraud without making any effort to identify the individuals responsible for that fraud. From the law enforcement perspective it is increasingly suggested that, since losses caused by payment card fraud can be easily covered by private industry, there is no point in investing resources on investigations. The problem is even bigger as investigations must be performed on an international level, so the investment must be higher and comes with no guarantee of final success or seizure of assets.

All that leads to the dangerous situation in which the illegal income for members of organised crime groups, reaching 1.5 billion euros a year, is not identified and recovered. It seems that the EU response to the payment card fraud problem is not harmonised or fully supported by all actors card schemes, card issuers, processing centres, law enforcement agencies and judicial authorities.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

The EU still has to rely on outdated technology which does not adequately protect payment card transactions. One policy option available to strengthen security levels is to abandon the magnetic strip on payment cards for internal EU transactions.

As far as new technologies are concerned, including mobile or contactless payments, it is still not well analysed but there are certain doubts about their properly coordinated and standardised implementation to guarantee resistance to fraud.

The coordinated approach of industry and LEAs should lead, not only to the security of non-cash payments, but should also make sure that all incidents, including data breaches, are reported for further investigation. The position or reputation of the reporting entity should be protected and should not be undermined based on such a report.

Taking into account the global dimension of the problem, law enforcement and judicial authorities should take necessary steps to increase knowledge and awareness on the investigative skills and possibilities available. The role of Eurojust, as the agency for judicial cooperation, is extremely important to coordinate investigations and ensure the efficiency of prosecution and assets seizure in such cases.

Proper coordination of information processing and reporting to the involved countries is critical for efficient investigations. A centralised database is very important to link members of criminal networks, fraudulent incidents and investigations. Europol, having a specialised team with an existing operational database and a newly-created technical platform, can play an important role in such cases.

The missing links that remain are the legal solutions on cooperation with non-EU States and the communication of data with non-EU States and the communication of data with Private Industry.

You may also with to read

.

UK Card Fraud losses fall because of technology and risk awareness

The UK Card Association along with the Cheque & Credit Clearing Company, Financial Fraud Action UK and other industry groups has produced their report on UK fraud activities during 2011.

The results released in March 2012 show, Fraud losses on UK cards fell 7% from £365.4m in 2010 to £341.0m in 2011, a ten year low.

The reductions have been attributed to the efforts of the industry to “deter, detect and prosecute fraudsters”.

Card Scheme initiatives have been noted as working, for example:

  • MasterCard SecureCode
  • Verified by Visa
  • American Express SafeKey

Awareness and technology have combined to improve fraud protection by:

  • Offering advice to retailers and consumers
  • Improved the sharing of fraud data and intelligence within the industry
  • Sharing fraud data with law enforcement
  • Chip and PIN equipment
  • Fraud detection tools

Payment Card Industry Compliance was not mentioned in the release but from experience the majority of awareness campaigns, training and policies implementations by Merchants have resulted from the mandates of PCI DSS.

Of interest is the switch in direction by the fraudsters to older fraudulent methods e.g. telephone and cheques, see the exact numbers at the end of the post.

Melanie Johnson, Chair of The UK Cards Association comments:

Driving down fraud and keeping cards safe continues to be a priority for the industry. This is the third year card fraud losses have fallen – clear proof that our endeavours to fight fraud are packing a punch. Customers have also played their part in driving down losses by taking heed of advice about looking after their personal and financial details. Fortunately, they can always be confident that if they are the innocent victim of fraud, they have excellent fraud protection that they don’t get if they use cash.”

DCI Paul Barnard who heads up the industry-sponsored police squad, the Dedicated Cheque and Plastic Crime Unit says:

As technological advances have made our payments more secure, we’ve seen a spike in more simplistic crimes. Many scams involve customers being conned into handing over their cards and PINs, or their telephone banking security details by someone calling, pretending to be their bank or police. Our appeal to the public is to be wary of any unsolicited phone calls or emails. Never hand over your card and PIN or bank security details in full as neither your bank or the police will ever ask you for these.”

UK Fraud broken down by type over the past 5 years is shown below:

Card Fraud Type on UK-issued credit & debit cards 2007 2008 2009 2010 2011 % +/- 10/11
Telephone,   internet and mail order fraud (card-not-present fraud) £290.5m £328.4m £266.4M £226.9m £220.9m -3%
Counterfeit   (skimmed/cloned) fraud £144.30 £169.8m £80.9m £47.6m £36.1m -24%
Fraud on lost or stolen cards £56.2m £54.1m £47.7m £44.4m £50.1m 13%
Card ID theft £34.1m £47.4m £38.2m £38.1m £22.5m -41%
Mail non-receipt £10.2m £10.2m £6.9m £8.4m £11.3m 34%
TOTAL £535.2m £609.9m £440.0m £365.4m £341.0m -7%

See a summary of the 2010 figures here.

.

The U.S. Leads the World in Credit Card Fraud

In the Nilson Report: Global Credit Card Fraud Losses they reveal that the U.S. currently accounts for 47% of global credit and debit card fraud even though it generates only 27% of the total volume of purchases and cash, according to the Nilson report: Global Card Fraud.

Payment card fraud losses totaled $3.56 billion last year in the U.S. from all general purpose and private label, signature and PIN payment cards.

“The U.S. has a disproportionate percentage of the global total losses for two reasons, U.S. banks have been slow to adopt newer technologies such as EMV chip cards, and issuers are reluctant to decline card authorization from merchants because they don’t want to alienate their cardholder,” said David Robertson, publisher of The Nilson Report.

“Competition among U.S. issuers, which has resulted in the average cardholder having four credit cards in their wallet, makes any issuer reluctant to decline an authorization. The consumer will just pull out a competitor’s card,” said Robertson.

Institutions across Europe, Latin America, the Middle East, Africa and Asia have introduced security processes and technologies to reduce fraud for example Chip and PIN.

Global card fraud worldwide as a percentage of total volume has decreased. In 2010, total fraud losses equaled 4.46c per $100 in total volume of purchases and cash, down from 4.71c per $100 in 2009.

Total global fraud losses, at $7.60 billion, however, increased in 2010 by 10.2% compared to the prior year, because the rate of spending is outpacing losses.

The payment card industry is expected to continue to grow sales volume at a faster pace than thieves can compromise the system.

The Nilson Report is a highly respected source of global news and analysis of the credit, debit and prepaid card industry. The subscription newsletter provides in-depth rankings and statistics on the current status of the industry, as well as company, personnel and product updates. Nilson Report Publisher, David Robertson, is a recognized expert in the field, and is a frequent speaker at industry conferences.

.

UK Cards Association warns of growing Credit Card fraud phone scam targeting the over-60s

Basic creditcard / debitcard / smartcard graph...

The UK Cards Association has warned about an old-style phone scam that is increasingly being used by fraudsters across the UK.

The scam involves unsuspecting cardholders being called and duped into handing over their debit or credit card, and revealing their PIN, by a fraudster pretending to be from their bank, card company or the police. Just this year more than £750,000 has been lost to this type of fraud, with the criminals responsible stealing an average of £10,000 per incident.

The scam begins with the fraudster phoning up, typically claiming to be from the prospective victim’s bank, and saying either that their systems have flagged up a fraudulent transaction on their card or that their card is due to expire and needs replacing. By seeming to offer assistance, the fraudster tries to gain the victim’s trust. In most cases the victim is then asked to ‘activate’ or ‘authorise’ the replacement card in advance by keying their PIN into their phone’s handset.

The fraudster or an accomplice then poses as a bank representative or a courier to pick up the customer’s card from them at their home, sometimes also giving the victim a replacement card (which is a fake). In some cases a genuine courier company is hired to pick up the card, which the victim has been asked to place in an envelope. Once they have the victim’s card and the PIN the fraudster uses them to withdraw cash and go on a spending spree.

Top tips to avoid this scam:

  • Your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’.
  • Your bank will never ask you to ‘authorise’ anything by entering your PIN into the telephone.
  • Never share your PIN with anyone – the only times you should use your PIN is at a cash machine or when you use a shop’s chip and PIN machine.

If you think you may have been the victim of a fraud or a scam of this nature you should call your bank or card company immediately.
DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU), the special police unit established by the banking industry to fight fraud, said:

“You should never hand over your bank card to someone who turns up on your doorstep, however convinced you are that they are genuine. Likewise, you should never give anyone your PIN or punch the number into your phone as a result of someone contacting you out-of-the-blue – wherever they claim to be from. If you have any doubts when approached in this way you should hang up the phone and call the organisation back on a number that you know is correct. If you think you have already been a victim of this scam, contact your bank or card company immediately. If you are the innocent victim of card fraud you will not suffer any financial loss.”

.

Card fraud and online banking fraud down, but cheque and phone banking fraud up

New figures released on the 5th October 2011 show that fraud losses on UK cards decreased in the first half of 2011 compared with the same time last year, as did fraud on online bank accounts. However, cheque fraud and fraud on phone banking accounts increased over the same period.

Total fraud losses on UK cards fell to £169.8 million

Between January and June 2011 a 9 per cent reduction compared with losses in the first half of 2010. This half-year total is the lowest for eleven years and also the third consecutive decrease. The sustained fall is due to the success of a number of industry initiatives such as the increasing use of fraud detection software, the roll-out of updated chip cards and the increasing roll-out of chip and PIN technology abroad. Lost and stolen card fraud losses rose slightly, increasing by £4.4 million. Initiatives such as chip and PIN have made it harder to commit ‘high-tech’ frauds, and criminals are instead reverting to more basic frauds centred around stealing people’s cards and PINs. These scams range from distracting people in shops or at cash machines and then stealing their cards without them noticing, to simply tricking them into handing over their cards and PINs on their own doorstep.

Online banking fraud losses totalled £16.9 million

During January to June 2011 a 32 per cent fall on the 2010 half-year figure. A variety of factors have contributed to the decrease in online banking fraud, including increased customer awareness of computer security combined with banks’ use of fraud detection software.

Phone banking fraud losses rose to £8.6 million

A 48 per cent increase during January to June 2011. As with card fraud, criminals are focusing on the straightforward crime of duping a customer into believing they are dealing with a bank or police representative and getting them to disclose their financial security details, such as PINs, passwords and login details, which the criminal then uses to access the customer’s bank account over the phone.

Cheque fraud losses increased

Cheque fraud losses increased from £14.0 million in the first half of 2010 to £16.4 million during the same period in 2011. Although this is a 17 per cent increase, the overwhelming majority of this type of fraud is stopped before the cheque is paid. In fact, more than £254 million of attempted cheque fraud was spotted and stopped during the clearing process in the first half of this year.

DCI Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU), the special police squad which is sponsored by the banking industry and has an ongoing brief to help stamp out organised payment fraud across the UK, said:

Losses are appreciably lower than they were a few years ago and everyone involved in tackling fraud has reason to be encouraged by this and that includes bank customers who, as their own front-line of defence, have certainly played their part too.

“However, there has been an increase in old fashioned scams criminals using distraction techniques and social engineering methods to get hold of people’s cards or phone banking details. We are urging everyone to be on their guard. Your bank or the police will never cold call you or email you and ask you for your login details, cards or PINs. If anyone does, they are probably  a criminal, so hang up the phone or delete the email.”

Card Fraud Type – on UK issued credit and debit cards Jan-June 2007 Jan-June 2008 Jan-June 2009 Jan-June 2010 Jan-June 2011 +/- 10/11
Phone, internet and mail order fraud (Card-not-present fraud) £137.0m £163.9m £134.0m £118.2m £109.2m -8%
Counterfeit (skimmed/cloned) fraud £72.3m £88.8m £46.3m £28.2m £18.0m -36%
Fraud on lost or stolen cards £30.7m £26.8m £25.1m £21.3m £25.7m 20%
Card ID theft £18.7m £19.5m £23.9m £15.0m £11.5m -23%
Mail non-receipt £4.9m £5.3m £3.5m £3.8m £5.4m 42%
TOTAL £263.6m £304.2m £232.8m £186.8m £169.8m -9%

The release places some of the success on fraud detection solutions and Chip and Pin but lets not underestimate the impact of the improved focus on IT Security which is being enforced by compliance and regulatory requirements like PCI DSS and the Data Protection Act.

.

Comparison Of Cost Of Ownership Between In-House And Managed Pay

Firmenkarten
Image via Wikipedia

Interesting article comparing two payment methods a Merchant could choose.

It is written by a managed Payments Provider but tries to deliver the assumptions and figures as accurately as it can.

“The objective of this study is to compare an in-house supported credit/debit card EMV (Europay,MasterCard and Visa) Chip & PIN and PCI-DSS(Payment Card Industry Data Security Standard) accredited payment solution with a managed outsourced payment service solution provided by YESpay through a comprehensive financial model analysis, consisting of cost-of-ownership and cash-flow analysis.

Cost-of-ownership and cash-flow analysis provides a good base for comparing the financial propositions of the two payment solutions, namely, in-house and managed. Combining this with the intangible costs and benefits of the two systems gives a complete comparative analysis.

The result of this study shows that by outsourcing their payment solution to a third party payment service provider, mid- to top-tier retailers can save more than 50% on cost of ownership of their payment solution depending on size of the POS till requirements.”

Access the white paper here Comparison Of Cost Of Ownership Between In-House And Managed Pay registration required and was written by Vivek Singh

For more information on PCI DSS visit the PCI Resouce centre here

.

Fraud losses drop on UK cards, cheques and online banking

The UK Card Association reports that fraud losses over 2010 in the UK on cards, cheques and online backing has dropped against 2009 figures.

Total fraud losses on UK cards fell to £365.4 million in 2010 – a 17 per cent reduction compared with losses in 2009. This is the lowest annual total since 2000 and follows on from a fall of 28 per cent in 2009. This current downward trend is due to the banking industry’s ongoing investment to deter, detect and prosecute fraudsters.  Initiatives include: better awareness amongst retailers about how to protect their chip and PIN equipment from criminal attack; greater sign-up to online fraud prevention initiatives such as MasterCard SecureCode and Verified by Visa by cardholders and retailers; improved industry sharing of fraud data and intelligence; increasing use of fraud detection tools by banks and retailers; the increasing roll-out of chip and PIN abroad and the upgrade of chips on UK cards.

Online banking fraud losses totalled £46.7 million in 2010a 22 per cent fall on the 2009 figure. Factors contributing to this fall include customers better protecting their own computers with up-to-date anti-virus software combined with banks’ use of sophisticated fraud detection software. This decrease has occurred despite a continuing rise in phishing attacks, up 21% from 2009.

Phone banking fraud losses totalled £12.7 million during 2010, an increase of five per cent from 2009. Most losses involve customers simply being tricked into disclosing their personal security details – through cold calling or fake emails – which the criminal then uses to commit fraud. This suggests that some customers are still not aware that their bank will never cold call or email them to ask for login details and passwords.

Cheque fraud losses decreased from £29.8 million in 2009 to £28.9 million during 2010. The vast majority of attempted fraud gets stopped before the cheque is paid. The industry’s ongoing work to prevent cheque fraud has helped drive these losses down. The continuing drop in cheque usage has also contributed to the three per cent fall in overall cheque fraud losses.

Detective Chief Inspector Paul Barnard, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU) – the industry-sponsored specialist police unit that tackles the organised criminal gangs behind fraud – comments: 

“Whilst another drop in fraud is good news, the fraudsters haven’t shut up shop which is why there can be no room for complacency on the part of the banking industry, retailers, law enforcement or indeed customers themselves.  By taking simple steps, such as:  shielding our PIN with our free hand whenever we enter it, particularly at cash machines; being wary of unsolicited emails or calls; and making sure that our computers have regularly updated anti-virus software in place, we can make life harder for the criminals.

“Fortunately in the UK – unlike some other countries – innocent victims of any type of payment fraud on their debit or credit card or account are protected and should not suffer any financial loss.”

Melanie Johnson, Chair of The UK Cards Association, which represents UK credit and debit card providers said:

“The cards industry is greatly encouraged by the major decrease in card fraud losses for a second successive year, but we will not be easing off our efforts as a result. It is essential to us that customers feel safe and secure when they use their cards and we will continue to invest in a wide range of fraud prevention initiatives to keep it this way.”

Fraud figures released by the National Fraud Authority (NFA) earlier in the year also serve to put these banking fraud losses into perspective. The NFA estimated that fraud in all its guises costs the UK more than £38 billion a year – card and banking fraud accounts for just over one per cent of this figure.

Details of the figures from 2007, 2008, 2009 and 2010 compare can be found here http://www.theukcardsassociation.org.uk/media_centre/press_releases_new/-/page/1323/

Blog at WordPress.com.

Up ↑

%d bloggers like this: