[LINK] SMH: 'Card fraud soars'

Stephen Wilson swilson at lockstep.com.au
Tue Jul 17 13:36:40 AEST 2012


On 13/07/2012 10:08 PM, Roger Clarke wrote:

> [The article ... is important for what it says, but also for what
> it failed to say:
>
>> [ABA Munchkin] said that, when fraud did occur, customers were not
>> liable for losses from unauthorised transactions where it was
>> clear that the user has not contributed to the loss.
>
> [And there's the con.
> [Consumers are not *liable* for losses.
> [But they wear them, and they will increasingly wear them.
> [The first reason is that, in order to recover each loss, you have
> to: (a) get a statement of all transactions on each of your
> accounts (b) reconcile each of your accounts against vouchers (c)
> detect transactions that aren't yours (d) construct a complaint (e)
> submit the complaint (f) say 'yes, I really mean this and I don't
> mind if it costs me $10 to find out' (g) wait (h) remember (i)
> maintain the rage (j) follow up, if and when they forget

Roger,

While I agree with most of your analysis of payments fraud, I think 
you're over-stating the difficulty consumers have getting fraud 
reversed.  I find that disputing a charge and recovering losses is so 
very easy it's suspicious.

I've had two personal experiences of my credit card account being 
co-opted and charged.  The first time, after finding my card maxed out 
unexpectedly and finding a sus transaction, I reported the matter, as 
directed, to an investigatory help desk, spent 10 minutes answering a 
questionnaire, and got all my money back including reversed overlimit 
charges the very next day.  The second time, the bank spotted the fraud 
before I did, called me to check on a Saturday morning, cancelled the 
cards, reversed the wrong charges and gave me new cards within 48 hours.

So my analysis is that banks want to make the fraud experience so 
painless that we won't really mind.

Apart from that, you're right that we all pay in the long run. Right now 
the last thing the banks want is a reversion to face-to-face business 
that would result from a loss of online confidence. So they continue to 
wear the cost of most online fraud, as a cost of doing business. And to 
be fair, the cost of online fraud remains proportionately low.

But several things really stink about the state of play.

[I'll declare an interest here: Lockstep Technologies does R&D on card 
fraud solutions.]

1. The state of the art in Internet banking and payments is just so 
technologically backward.  There are all sorts of identity security and 
related privacy issues online that deserve attention and higher tech 
solutions.  CNP fraud is just a special case.

2. The payments industry's one and only preferred solution "3D Secure" 
is a dog.  It's awkward to use, incompatible with pop-up blockers, slow, 
architecturally and legally horrible, and not actually much more 
secure.  It breaks the time-honoured Four Party model for no good 
reason.  In Europe, e-commerce merchants report abandonment rates of 
fifty percent or more.  They hate it, and MasterCard and Visa appear to 
be losing faith.  It amazes me that APCA here holds out that CNP fraud will 
eventually come down thanks to 3D Secure.  The Australian banking 
industry has had access to 3D Secure for many years but still declines 
en masse to adopt it.

3. Meanwhile, absent a decent technological fix to CNP fraud, payment 
regulators continue to subtly (?) blame the user.  The APCA press 
release is full of advice about shopping safely online. This type of 
advice is bullshit. The majority of stolen card details come from 
organised crime's concerted attacks on big services and retail chains 
(e.g. TJMaxx, Sony PSN) and processors (e.g. Heartland, Global Payments).  
You can shop online as safely as you like (or not shop online at all) 
and still have your details stolen from a department store database.

4. Solving skimming and carding was simple: they moved from mag stripe 
to chip.  We could do the same thing and use asymmetric cryptography 
online to render card details non-replayable.

For more on Lockstep's interested angle on these issues, see

http://lockstep.com.au/blog/2012/04/01/kill-two-birds-with-one-chip
http://lockstep.com.au/blog/2012/03/27/cnp-fraud-is-online-skimming
http://lockstep.com.au/blog/2012/07/17/au-cnp-fraud-cy2011

Cheers,

Steve Wilson

Lockstep
http://lockstep.com.au
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy.  Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
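Point 4 of the message above, as an added Go sketch that is not code from Lockstep or from the post: the issuer holds one public key per card, hands out a fresh challenge per transaction, and the card signs PAN, challenge, merchant and amount, so a captured authorisation cannot be replayed and a stolen PAN alone cannot produce one. The type and function names, the ECDSA P-256 choice and the message layout are assumptions; this is an illustrative model, not the EMV or 3D Secure protocol.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Issuer keeps each card's public key plus the challenges issued but not yet consumed.
type Issuer struct {
	pubs    map[string]*ecdsa.PublicKey
	pending map[string]bool
}
func NewIssuer() *Issuer {
	return &Issuer{pubs: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}
// IssueCard generates a card key pair at personalisation; the issuer keeps only the public half.
func (is *Issuer) IssueCard(pan string) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	is.pubs[pan] = &priv.PublicKey
	return priv, nil
}
// Challenge hands out a fresh random nonce that exactly one transaction may sign.
func (is *Issuer) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := fmt.Sprintf("%x", b)
	is.pending[n] = true
	return n
}
// digest binds PAN, challenge, merchant and amount into the value that is signed (assumed layout).
func digest(pan, nonce, merchant string, cents int64) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d", pan, nonce, merchant, cents)))
	return h[:]
}
// Authorise is the card-side step: sign the transaction rather than send replayable card details.
func Authorise(card *ecdsa.PrivateKey, pan, nonce, merchant string, cents int64) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, card, digest(pan, nonce, merchant, cents))
}
// Verify accepts an outstanding challenge signed under the registered key and then consumes it,
// so a captured (PAN, nonce, signature) cannot be replayed and a stolen PAN alone cannot sign.
func (is *Issuer) Verify(pan, nonce, merchant string, cents int64, sig []byte) bool {
	pub, ok := is.pubs[pan]
	if !ok || !is.pending[nonce] || !ecdsa.VerifyASN1(pub, digest(pan, nonce, merchant, cents), sig) {
		return false
	}
	delete(is.pending, nonce)
	return true
}
```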





