[LINK] Parltry Ctee: Contactless cards should be Opt-In

Roger Clarke Roger.Clarke at xamax.com.au
Tue Sep 8 10:12:30 AEST 2015 

[Background paper from 5 years ago here:
http://www.rogerclarke.com/EC/CPS-12.html ]

Banks should make contactless cards opt-in: MPs
Allie Coyne
itNews
7 Sep 2015
http://www.itnews.com.au/news/banks-should-make-contactless-cards-opt-in-mps-408933

Finance report also calls for audit of ASIC's tech skills.

Australia's police agencies have convinced a parliamentary committee that the country's banks should make contactless payments an opt-in service, in order to combat fraud.

In its report into financial-related crime, tabled today, the parliamentary joint committee on law enforcement said it shared concerns that banks rolling out new technology without consulting law enforcement had the potential to drive up crime in the sector.

It said banks and other financial service providers should consider law enforcement issues "more carefully" and discuss new technologies with law enforcement before they are rolled out.

"While banks have argued the fraud risk of new technologies is accounted for in their banking systems, the committee believes that consumers should have the option of disabling contactless payment features," the committee wrote.

It therefore recommended that providers issuing debit and credit cards require customers to consent to contactless payment technology on their cards before it is activated.

Law enforcement agencies had argued to the committee that such technology had expanded the scope of credit card fraud, where criminals conducted multiple low-value purchases from different cards to escape detection.

Contactless payment technology allows customers to pay for products or services worth under $100 by waving or tapping their card to a terminal.

But in its submission to the inquiry, Victoria Police said the technology had contributed to the rise of 100 extra credit card deceptions weekly in the state, and criticised financial institutions for not engaging with police prior to rolling out such features.

Banking representatives denied contactless payment technology posed a significant fraud threat.

Audit ASIC's tech skills

The committee also raised concerns about the Australian Securities and Investment Commission's technological ability to detect and deter financial-related crime.

It highlighted a submission by the National Credit Providers Association which criticised ASIC's reaction to a scam that misused a member's AFS license information.

The NCPA said ASIC did not act until 101 days after the association notified it of the scam, and even then only issued a media release. Similarly, the NCPA said it later found out ASIC had known about the scam for four months before the NCPA's notification.

"I had a fairly frank conversation with one of the investigators, who said that basically ASIC does not have the technology to try and track down these scams,  does not have the resources to do this and  the processes of ... deciding whether this even falls within ASIC's gamut to investigate .. appear to be basedŠon paper, fax and letter-type dealing with the process rather than the fact that we are in a global economy and these scams are over and done with very rapidly," National Financial Service Federation CEO Philip Johns said.

When questioned on the delay by the committee, ASIC said it had determined that the most appropriate regulatory response was to issue a media release to "educate members of the public" and to "disrupt the scam".

The committee labelled ASIC's response "extremely tardy" and said it appeared to be indicative of ASIC's usual response timeframe - meaning its typical reaction for similar types of financial-related crimes was between 65-110 days.

It also said issuing a media release did not send a "sufficiently robust deterrance message to future internet scammers".

"As many witnesses have observed, the use of modern technologies makes the transacting of internet scams incredibly rapid. If ASIC is to deal with internet-based financial related crimes in an effective manner into the future, it must improve its response times to preventing and disrupting such criminal activities," the committee said.

ASIC needs to have the technology capacity to effectively and appropriately respond to such issues, the committee said, recommending that the National Audit Office (ANAO) undertake a performance audit of ASIC's technological abilities.

The ANAO report would outline ASIC's IT requirements and capabilities as well as any deficiencies that would prevent the agency from performing its regulatory role.

ASIC famously blocked 250,000 websites accidentally in 2013 in an attempt to shut down just 1200.

The committee also recommended that ASIC make its response to internet-based financial crimes "far more expeditious".

...

-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list