[LINK] SMH: 'Card fraud soars'
swilson at lockstep.com.au
Tue Jul 17 13:36:40 AEST 2012
On 13/07/2012 10:08 PM, Roger Clarke wrote:
> [The article ... is important for what it says, but also for what
> it failed to say:
>> [ABA Munchkin] said that, when fraud did occur, customers were not
>> liable for losses from unauthorised transactions where it was
>> clear that the user has not contributed to the loss.
> [And there's the con.
> [Consumer are not *liable* for losses.
> [But they wear them, and they will increasingly wear them.
> [The first reason is that, in order to recover each loss, you have
> to: (a) get a statement of all transactions on each of your
> accounts (b) reconcile each of your accounts against vouchers (c)
> detect transactions that aren't yours (d) construct a complaint (e)
> submit the complaint (f) say 'yes, I really mean this and I don't
> mind if it costs me $10 to find out' (g) wait (h) remember (i)
> maintain the rage (j) follow up, if and when they forget
While I agree with most of your analysis of payments fraud, I think
you're over-stating the difficulty consumers have getting fraud
reversed. I find that disputing a charge and recovering losses is so
very easy it's suspicious.
I've had two personal experiences of my credit card account being
co-opted and charged. The first time, after finding my card maxed out
unexpectedly and finding a sus transaction, I reported the matter, as
directed to an investigatory help desk, spent 10 minutes answering a
questionnaire, and got all my money back including reversed overlimit
charges the very next day. The second time, the bank spotted the fraud
before I did, called me to check on a Saturday morning, cancelled the
cards, reversed the wrong charges and gave me new cards within 48 hours.
So my analysis is that banks want to make the fraud experience so
painless that we won't really mind.
Apart from that, you're right that we all pay in the long run. Right now
the last thing the banks want is a reversion to face-to-face business
that would result from a loss of online confidence. So they continue to
wear the cost of most online fraud, as a cost of doing business. And to
be fair, the cost of online fraud remains proportionately low.
But several things really stink about the state of play.
[I'll declare an interest here: Lockstep Technologies does R&D on card
1. The state of the art in Internet banking and payments is just so
technologically backward. There are all sorts of identity security and
related privacy issues online that deserve attention and higher tech
solutions. CNP fraud is just a special case.
2. The payments industry's one and only preferred solution "3D Secure"
is a dog. It's awkward to use, incompatible with pop-up blockers, slow,
architecturally and legally horrible, and not actually much more
secure. It breaks the time honoured Four Party model for no good
reason. In Europe, e-commerce merchants report abandonment rates of
fifty percent or more. They hate it, and MasterCard and Visa appear to
be losing faith. It amazes that APCA here holds out that CNP fraud will
eventually come down thanks to 3D Secure. The Australian banking
industry has had access to 3D Secure for many years but still declines
en masse to adopt it.
3. Meanwhile, absent a decent technological fix to CNP fraud, payment
regulators continue to subtly (?) blame the user. The APCA press
release is full of advice about shopping safe on line. This type of
advice is bullshit. The majority of stolen card details come from
organised crime's concerted attacks on big services and retail chains
(eg TJMaxx, Sony PSN) and processors (eg Heartland, Global Payments).
You can shop online as safely as you like (or not shop online at all)
and still have your details stolen from a department store database.
4. Solving skimming and carding was simple: they moved from mag stripe
to chip. We could do the same thing and use asymmetric cryptography
online to render card details non-replayable.
For more on Lockstep's interested angle on these issues, see
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
More information about the Link