Addressing Mobile Payments Risks
Biometrics Could Play a Key Role
As most international markets complete their migrations to card technology that complies with the Europay, MasterCard, Visa standard, criminals have turned their attention toward lingering non-EMV markets, such as the U.S., says U.K.-based card fraud expert Neira Jones.
"If we look at skimming, that's very prominent in the United States," says Jones, who formerly oversaw payment card security and fraud at Barclaycard, during an interview with Information Security Media Group [transcript below].
That's because the U.S., along with a handful of other countries, continues to rely on magnetic-stripe card technology. And skimming fraud is just too easy to pull off, she says.
"While the chip card cannot be cloned, the magnetic stripe can be," Jones says. "You see a migration of fraud going to countries that have not deployed chip and PIN," which complies with the EMV standard.
EMV does not eliminate all fraud, such as card-not-present fraud, but it has nearly eliminated face-to-face and skimming fraud, she says.
"EMV constantly evolves in terms of the technology that's actually on the chip," Jones says, "as well as in terms of how the information is encoded on the chip."
Only 6 percent of card fraud losses recorded in 2012 in the U.K. were linked to counterfeit cards, she says. The majority of card fraud in the U.K. is now tied to card-not-present transactions, which EMV does not prevent.
During this interview, Jones discusses:
- Emerging mobile payments platforms;
- How card fraud is migrating to non-EMV markets, such as the U.S.;
- The impact retail breaches are having on card fraud throughout the world.
Jones has more than 20 years of experience in financial services. As a partner at financial services consultancy Accourt Ltd., Jones provides strategic advice on risk management and security. Previously, she was director of payment security and fraud at Barclaycard, where she was responsible for the security compliance and risk management of 100,000 merchants and third parties. Jones also is chairwoman of the Cybercrime Advisory Board for the Centre for Strategic Cyberspace and Security Science.
Card Fraud Trends
TRACY KITTEN: You've reviewed some of the results from our recent Faces of Fraud Survey, and you've noted that some of the credit and debit fraud losses that were reported by U.S. card issuers are not surprising. What can you tell us about the card fraud trends that you're seeing in the U.S.?
NEIRA JONES: It's a difficult question to answer. It's very easy for me to answer that question for Europe, and certainly the U.K., because we have global bodies that monitor fraud, such as the U.K. Cards Association and so forth. We have these very, very real figures coming from financial services themselves, and that's very closely monitored. As far as I can tell, in the United States, we actually rely on analysts and researchers to produce surveys and give us some figures which sometimes can be quite surprising. It's a very difficult question to answer.
European Fraud Trends
KITTEN: What types of trends are you seeing in markets where EMV is widely adopted?
JONES: EMV, since its adoption in the European countries, and the U.K. in particular, has more or less eradicated face-to-face fraud when it comes to card payments. ... To give you an idea, if we take banking fraud across the U.K., it amounted to about £475 million in 2012. If you look at plastic card fraud more specifically, and if we're to relay that to phenomena that we observe in the U.S., account takeover, for example, was 6.2 percent of the total of plastic card fraud, which was £388 million. Counterfeit cards are only 10.8 percent. That's an interesting point because plastic card fraud within the whole of retail banking fraud represents more than 81 percent of total fraud; and therefore, what we observe is that CNP fraud - cardholder not present fraud - is actually 63.4 percent of the total. The conclusion we can reach is that since EMV adoption, fraud has shifted to the card-not-present space; it's very, very obvious.
Skimming, Retail Breaches
KITTEN: Going back to the U.S., would you say that skimming attacks or retail breaches are most often to blame for some of the card fraud losses?
JONES: Correlating many research papers including, for example, the Verizon Data Breach Investigations Report, the Trustwave Global Security Report and also some other reports, the retail sector is subject to fraud quite a lot due to the volume. If we look at skimming, that's very prominent in the United States, from what I can tell, because it's actually very easy to skim magnetic-stripe cards, whereas that type of fraud, essentially, doesn't happen in the U.K. Issuers even in Europe have to issue dual-purpose cards. They have to have a chip, obviously, but they also have to have a magnetic stripe. While the chip card cannot be cloned, the magnetic stripe can be; but it can only be used abroad. You see a migration of fraud by going to countries that have not deployed chip and PIN.
KITTEN: How would EMV better protect card numbers compromised during breaches of retailers and payments processors - things that go beyond just skimming?
JONES: With EMV, the card is secure. I know there have been lots of detractors and some security professionals saying that chip cards can be hacked. But let's face it, anything can be hacked at any point in time. There's no such thing as being 100 percent secure. But it depends on the type of attack, and is it worth doing; is it worth the effort of doing it for a very little payload and a lot of effort, which is why we're still seeing card-present fraud decreasing in EMV markets.
KITTEN: Are these retailer and processor breaches a global problem or just a U.S.-centric problem, when it comes to card fraud?
JONES: It's not just a U.S. problem. But with Canada now being on EMV, you're probably seeing right now the migration of fraud across the border, hence the migration of fraud to countries that don't accept EMV, because it can't be reused. EMV constantly evolves, in terms of the technology that's actually on the chip, as well as in terms of how the information is actually encoded on the chip.
U.S. Adoption of EMV
KITTEN: Do you have thoughts about how much progress has been made in the U.S. toward EMV adoption?
JONES: We haven't got a very good handle on how much progress has been made in the U.S., but what's very obvious is that there are a lot of retailers that are absolutely pro-EMV. I know, for example, Walmart has been in the news for quite a few years in Canada wanting to deploy EMV and being an absolute advocate of the technology. Over the past couple of years, you started seeing issuing banks in the United States deploying EMV cards for their travelers abroad. It's starting to happen. When you look at some reports, especially U.S. citizens themselves traveling abroad, they're actually finding it increasingly difficult to use their cards in European countries, especially at unattended terminals.
KITTEN: In which markets has adoption of mobile payments been the greatest?
JONES: It depends on what you mean by adoption of mobile payments. ... In Europe, adoption is actually quite high, and I think in the U.K., it's one of the countries where the adoption is ramping up. You have other modes of payment, such as M-Pesa in Africa, where the adoption was due to the lack of a banking infrastructure and they found an alternative way to enable people to use mobile devices for day-to-day payments. So [it's] quite a large adoption, I would say. Certainly in the U.K. it's starting. But looking at the U.S. as well, Square has been very, very successful, even though it seems to be quite a contained environment.
KITTEN: Are there threats that we're not paying attention to?
JONES: I think everyone is paying attention to threats, but while adoption of mobile is ramping up, it's not yet a significant proportion of payments. While people are still busy trying to understand the benefits of the technology, both for businesses and consumers alike, we're starting to see now threats in relation to information security. I'm sure you've seen the reports yourself, in terms of malware on Android, and the potential cybersecurity risk associated with mobile. What I think will happen is there will be a drastic increase in identity and authentication technologies, and that will be driven by mobile adoption, because, as always in the digital space, the debate comes down to trust and security and we're starting to see technology and ideas in the identity and authentication space. That has been realized everywhere worldwide. Recently, I've heard that in the U.S. a group of 22 member banks has actually created a working party to find out how they can create credentialing across the board, so that's very interesting to see.
Closer to home, here in the U.K., the U.K. government has also initiated a working party to do work with identity assurance. This group has started with a number of organizations, including the U.K. Post Office, but also companies such as Verizon and PayPal, on the identity space. Identity and authentication is going to be quite big over the next decade. We're probably going to see a bit more adoption of biometrics in that space. I'm sure you've seen the potential announcement or rumor that the iPhone 5S is going to have fingerprint recognition with it.
Mobile Authentication Solutions
KITTEN: Do you see banking institutions investing in the right types of mobile authentication solutions? Could biometrics be the next step that they take in authentication for mobile?
JONES: In the mobile space, there's still very little understanding about what organizations - and that's not just financial services institutions - need to do. We're starting to see point solutions in that space, but a lot of banks, if not all, have deployed two-factor authentication using a one-time password, which is the most common method of dual-factor authentication at the moment. But when it comes to integrating and actually understanding the types of threats that the whole new mobile ecosystem brings with it, I think there's still very little understanding. There's still a relatively low adoption of device fingerprinting and other technologies that could help. I think integration will come, once it's more understood. I don't think we understand it right now.
KITTEN: Are there any areas where you would say U.S. banking institutions could learn something from European counterparts as far as mobile security is concerned?
JONES: Mobile adoption, in the grander scheme of things, is still not a very large percentage of payments. I think we're learning as much here as the United States is learning right now. I think we have to actually look at this in a holistic fashion, encompassing identity, authentication and mobile security within the whole of digital commerce.
We mentioned biometrics earlier on, which is one area I think is probably going to grow due to the growth in mobile adoption. The whole identity and authentication space is going to be very big. That's what I'd like to leave with you.