01 November 2007 Features

 

Learning to live with fraud

Heather McKenzie

Fraudsters keep changing their targets, so banks have to keep changing their security processes; but that can run the risk of alienating users.

Despite advances in technology, the banking industry continues to battle fraudsters, particularly when it comes to card payments. Figures released in October by UK payments body, the Association for Payments and Clearing Services, revealed that total plastic card fraud losses in the first six months of 2007 were up 26%, compared with the first half of 2006.

Ironically, the fraud has been driven by technology – the chip and PIN format that was introduced to reduce the incidences of card fraud. What has happened is that while card fraud in the UK has fallen, fraudsters have looked to transact overseas at retailers and banks that are not chip and PIN compliant. The increase was driven by a 126% rise in fraud on UK-issued cards being used overseas. In contrast, domestic card fraud fell 11%.

The fraudsters have also targeted “cardholder not present” transactions such as those made online, by phone or mail order. Losses here were up by 44% to a total of £137 million. Counterfeiting incidents were up 37% to £72.3 million in losses and card identification theft was up 24% to £18.7 million.

Mark Bowerman, a spokesperson for Apacs, said the banking industry knew at the time it opted for chip and PIN that certain areas of card fraud would increase. “Chip and PIN has been a good thing for the UK and that is borne out by the fact that losses here are decreasing,” he says. “There are certain areas where chip and PIN technology is not used and we are waiting for other countries to catch up with the system.”

While France has used chip and PIN since the early 1990s, the system was only a domestic one and the UK was the first country to adopt the global chip and PIN system, which is based on the EMV technology. Visa, MasterCard and Europay defined the international payment standard, EMV, to allow payments to be processed via chip technology. By using EMV technology as a global standard, card payments can be accepted all over the world. For example, in October last year I was able to use a UK-issued debit card at a retailer in New Zealand, entering my PIN to authorise the transaction.

With Christmas looming, online fraud prevention company Retail Decisions says fraudsters have already started their Christmas shopping. According to the company’s figures from online retailer clients, online sales transactions are rising, and so too are the cases of fraud.

During one week in October, says Retail Decisions, online card fraud in the retail sector rose 131%. When criminals shop online they tend to make more extravagant purchases – the average fraudulent transaction is around £525, compared with less than £200 for genuine online shoppers.

“Paradoxically, the successful roll-out of chip and PIN in 2005 closed down many opportunities for criminals to carry out illegal transactions on the UK high street, forcing them instead to try their luck at card not present channels, notably the internet, mail order and telephone order,” says Retail Decisions. “At the same time, highly organised gangs share stolen card records and use technology to allow them to generate false consumer details in an automated fashion and then automate the generation of these transactions at web stores. Another development in criminals’ favour is the increased availability of goods on the internet with short delivery times. This enables fraudsters to acquire a wide range of goods in as quick a time as possible before the e-tailer has the time to check the validity of the transaction.”

Retail Decisions has technology that is able to identify each month which are the most fraudulent originating countries outside of the UK and share these with its retail clients. In September, for example, the top such country was the US, followed by Ireland, Germany, Spain and France.

It is likely that the US will continue to be a target for fraudsters, given that it has not adopted EMV technology. In an October 2005 article in the magazine of US professional banking association the Bank Administration Institute, the introduction of EMV in the US was estimated to be as far as a decade away, despite the fact that both Canada and Mexico are rolling out EMV cards. Americans’ greater reliance on cheques and cash is the reason often cited for the delayed migration to EMV, said the BAI.

Apacs’ Bowerman says it is likely the US will become “the number one spot for fraudsters” as EMV is rolled out to more countries worldwide.

Back in Europe, Michelle Weatherhead, manager of risk solutions, EMEA at ACI wonders whether fraudsters are more committed to perpetrating frauds than banks are in fighting it. “Fraudsters

seem to be always one step ahead,” she says. “Generally they are tech savvy people and are well organised.” Weatherhead says blogs alert fraudsters to countries or banks that are either vulnerable or have too rigorous security procedures.

EMV is not the only measure the banking industry is taking in fighting card fraud. Artificial intelligence systems, usually neural networks, are deployed by banks to identify fraudulent activities. But a problem is that not all banks fully use the capabilities of existing technology.

For banks, the problem is a generic one, but for customers it is highly personal – we all have our own experience of being inconvenienced, or worse.

In my own case, transactions on my debit card were blocked after I successfully withdrew some cash from an ATM during a holiday in Rome during August. It transpired that my bank Abbey National, had blocked further transactions as a “security measure”.

Which is all well and good, but I had been in Rome in January and had no problems withdrawing cash or making purchases on the same card. I had also been in Paris and Monte Carlo in the months leading up to August and had again used the card without any problems.

I am not alone in being inconvenienced like this: a friend was recently in New York, a city he had already visited this year, and transactions on his debit card were blocked, though he had used it only the week before in Boston. Another friend, based in Ireland, complains that each time he moves out of the county in which he lives, transactions on his UK-issued card are blocked.

When I complained to Abbey National the response was that when travelling in future I will be required to contact the bank to inform them of my plans. [Abbey National did not respond to a request for an interview for this article.]

Many, if not most, of the other banks also now require this of their customers. This is an clearly inconvenience and given existing technology, should not be necessary.

The banks argue that security is paramount. Apacs’ Bowerman says banks must tread a fine line between delivering good customer service and ensuring card transactions are authentic. Weatherhead says: “A bank will have targets to meet in terms of reducing fraud, but it also has customer satisfaction targets. Customers will be happy if you can prove to them that a judgement on a card transaction was based on past activity.”

Neural network technology enables banks to build a profile of their customers, so those that travel frequently shouldn’t have their cards stopped while overseas. But it appears this simply isn’t happening for most bank customers.

“One of the key elements in combating fraud is to build a good customer profile and to store that for as long as possible,” says Weatherhead. “The profile can be custom built and be flexible enough so that the rules that triggers alerts on transactions can be changed if necessary. This needs to be sophisticated because the methods of fraud are always changing.”