
So what's in a name - The world of identity fraud


Johannesburg, 26 Oct 2006

Trusted transactions involve the transfer of electronic information of value between one or more authenticated parties. The confidentiality and integrity of the information being transferred must be assured, and the transacting parties cannot repudiate having sent or having been sent the information.

This is Prism's area of expertise. Having played an integral role in the development and operation of southern Africa's earliest electronic banking and electronic payment transaction network, Prism has over a decade of experience in secure end-to-end trusted transactions, retail payment systems and solutions.

However, while security and cryptography focus on authentication, integrity, confidentiality and non-repudiation, fraud is still the one determined factor trying to undermine all of the above.

What is fraud?

The criminal definition for fraud is the unlawful and intentional making of a misrepresentation with intent to deceive and to defraud by causing actual or potential prejudice.

Fraud takes place either in the physical world or online. Focusing here on online fraud, we highlight several types, including card, identity and Internet banking payment fraud, and suggest ways in which chip and PIN technologies, with their promise of improved security, go a long way towards fraud reduction.

Stolen identity

Stolen identity is the first component of Internet payment fraud and occurs when fraudsters wrongfully and intentionally misuse the personal information of another individual.

The two most common forms of Internet payment fraud are bogus Web sites and keyboard recording. Fraudsters host fictitious Web sites offering goods and services; when payment details are captured, these are simply recorded and later used for fraudulent transactions. This generally results in the consumer never receiving the goods purchased, in charges to credit cards or accounts for purchases not made and, more often than not, in a judgement against the innocent consumer.

Internet authentication

There is a growing need for the authentication of Internet payments, and one such scheme is Visa 3-D Secure. The 3-D Secure protocol underlies this Visa payment service, which is designed to secure, enhance and validate payments made through the Internet.

MasterCard offers this standard under the "MasterCard SecureCode" label.

It is an authentication technology that allows merchants, issuers, acquirers and cardholders to identify and authenticate themselves on the Internet for online card-not-present payments. It uses Secure Sockets Layer (SSL) encryption and a Merchant Server Plug-in to pass information and query participants to authenticate the cardholder during an online purchase and to protect payment card information as it is transferred via the Internet.

Keyboard recording

In the case of keyboard key capturing, each and every keystroke made when entering payment or banking details is recorded by the application and then replayed for the fraudsters, who can effect any transaction on your account. These tracking programmes are either software or hardware related.

Authentication tokens

The best way to reduce and combat Internet banking payment fraud at present is through the use of authentication tokens and challenge/response scenarios.

Secure authentication is the process by which your bank or financial institution verifies who you are.

Dynamic data authentication involves the use of a secure authentication password. This allows Internet banking clients, in unison with back-end banking systems, to dynamically generate a new password each time an online banking session is initiated. An authentication token, a small handheld device with or without a keypad and smart card reader, allows for this to happen. Some generate random numbers only and others work on a challenge/response basis.
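As an added example (not from the original article or from Prism), the Python sketch below shows the challenge/response idea and why a response captured by keyboard recording is useless in a later session. HMAC-SHA256, the 8-digit code format and the names `token_response` and `BankVerifier` are assumptions made for illustration; the article does not say which algorithm any particular token uses.

```python
import hashlib
import hmac
import secrets


def token_response(token_key: bytes, challenge: str, digits: int = 8) -> str:
    """What the handheld token computes: a short code bound to one challenge."""
    mac = hmac.new(token_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class BankVerifier:
    """Back-end side: issues single-use challenges and checks responses."""

    def __init__(self, keys: dict[str, bytes]):
        self._keys = keys                      # per-customer token keys
        self._pending: dict[str, str] = {}     # customer -> outstanding challenge

    def new_challenge(self, customer: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[customer] = challenge
        return challenge

    def verify(self, customer: str, response: str) -> bool:
        # pop() makes each challenge single-use, even after a failed attempt.
        challenge = self._pending.pop(customer, None)
        if challenge is None or customer not in self._keys:
            return False
        expected = token_response(self._keys[customer], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)              # constructed sample key
    bank = BankVerifier({"alice": key})

    c1 = bank.new_challenge("alice")
    r1 = token_response(key, c1)               # typed in; a keylogger sees this
    first = bank.verify("alice", r1)

    replay_same = bank.verify("alice", r1)     # challenge already consumed
    bank.new_challenge("alice")                # new session, new challenge
    replay_later = bank.verify("alice", r1)    # old response, wrong challenge
    return {"first": first, "replay_same": replay_same,
            "replay_later": replay_later}
```

The recorded keystrokes contain only `r1`, which is tied to a challenge the bank has already discarded; the token key itself never passes through the keyboard.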

Payment card fraud

Fraud is usually committed in such a way that the fraudster can get hold of the victim's card to make fraudulent transactions. A major area of focus for fraudsters is the bank ATM, with various techniques used in order to distract or put the public off guard when using ATMs.

* Card swapping - a consumer's ATM card is swapped for another card without their knowledge while undertaking an ATM transaction.
* Card jamming - the ATM machine card reader is deliberately tampered with so that a consumer's card will be held in the card reader and cannot be removed from the machine by the consumer - the fraudster then removes the card once the customer has departed.
* Vandalism - an ATM machine is deliberately damaged and/or the card reader is jammed preventing the customer's card from being inserted.
* A physical attack - an ATM machine is physically attacked with the intention of removing the cash content.
* Mugging - a client is physically attacked while in the process of conducting a transaction at an ATM machine.

There are also examples of payment card fraud which involve illegitimate means of obtaining cards:

* Application fraud - legitimate cards obtained fraudulently and used
* Non-receipt fraud - where cards are intercepted in the mail
* Card-not-present fraud - the misuse of card details in purchasing goods via telephone, mail or Internet
* Lost or stolen card fraud
* Counterfeit fraud
* Account take-over fraud

Counterfeit fraud is a particular area of focus in which cards are illegally altered to mimic genuine cards. This is done by re-embossing genuine cards or re-encoding genuine account details into the magstripe on a different card; simple plastic cards can also be made to mimic a genuine card or to take on the appearance and behaviour of genuine cards.

Once criminals have obtained your card details, they will impersonate you and are then able to gain access to your accounts, payment networks and gateways. Skimmers are easily able to swipe your card through a small handheld device that reads track data that can later be replicated or downloaded to another device.

EMV

EMV is a standard for interoperation of chip cards and chip card capable POS terminals, for authenticating credit and debit card payments. Chip card systems based on EMV are being phased in across the world, under names such as IC Credit and Chip and PIN. The EMV standard defines the interaction at the physical, electrical, data and application levels between chip cards and chip card processing devices for financial transactions. EMV promises improved security with the associated fraud reduction and the possibility for finer control of offline credit card transaction approvals. It is more secure as a result of the use of cryptographic algorithms such as DES, Triple-DES, RSA and SHA to provide authentication of the card to the processing terminal and the transaction-processing centre. The increased protection from fraud has allowed banks and credit card issuers to push the 'liability shift' through so that merchants are now liable for any fraud that results from non-EMV transactions on their systems.

The majority of EMV implementations require the entry of a PIN to confirm the identity of the cardholder rather than signing a paper receipt. In future, systems may be upgraded to use other authentication systems, such as biometrics.

Prism has worked in partnership with and has many years' experience in providing end-to-end EMV solutions.

Prism is a member of the EMV master and implementation forums, a long-standing member of the South African Smart Card Society, and a member of SARPA (the SA Revenue Protection Association).


Net1 - Prism

Net1 UEPS Technologies Inc acquired Prism Holdings Limited on 4 July 2006.

Net1 is a US-domiciled company, with its operations and management headquartered in South Africa and a market capitalisation of $1.4 billion. Net1 is an established NASDAQ-listed company, a market that provides a deep appreciation for intellectual capital and allows for the development and commercialisation of technology on an international basis.

Net1 provides chip card technologies and systems such as its Universal Electronic Payment System (UEPS) to establish a secure and affordable transacting channel between formal businesses and the un-banked and under-banked populations of developing economies.

Prism has historically focused on the provision of end-to-end EMV solutions, m-commerce technologies, GSM SIM mask technologies, and encryption products typically applied to high-end transaction processing for national retailers, banks and international network operators.

The combination of Prism and Net1 technology and service offerings creates an entity providing electronic payment solutions across all sectors of the economy including leveraging Net1's pension payment infrastructure into the formal retail sector in South Africa, Africa and other global markets.

It is the convergence of core technologies and people coupled with Prism's global reach, experience and knowledge of working within the Asian market as well as clear synergies between the two companies that has the potential to enhance the company's geographical penetration, amplify the company's technological advantage and increase the total number of transactions being processed.

The two companies will be fully integrated within the following six to 12 months.

Net1 (www.net1ueps.com)

Net1 provides its Universal Electronic Payment System (UEPS) as an alternative payment system for the unbanked and under-banked populations of developing economies. Net1 believes that it is the first company worldwide to implement a system that can enable the estimated four billion people who generally have limited or no access to bank accounts to enter affordably into electronic transactions with each other, government agencies, employers, merchants and other financial service providers.

UEPS accomplishes this by utilizing secure smart cards that operate in real-time but offline. This is unlike traditional payment systems offered by major banking institutions, which require immediate access through a communications network to a centralised computer. This offline capability means that users of Net1's system can enter into transactions at any time with other cardholders in even the most remote areas so long as a portable offline smart card reader is available. In addition to payments and purchases, Net1's system can be used for banking, health care management, international money transfers, voting and identification.

Prism Holdings (www.prism.co.za)

Prism Holdings Limited is a trusted transactions company with expertise in the area of secure electronic transaction technologies and services. The company has a strong presence in South Africa, an established and expanding footprint across Africa and South-East Asia and local representation in the United Kingdom and Germany. Prism's head office is located in Johannesburg, South Africa; there are regional South African offices in Durban, Cape Town and Springs, as well as an Asia-based office situated in Kuala Lumpur, Malaysia.

Prism has a proven track record in the delivery of its own IP technologies, solutions and services. Its core competencies around secure online transaction processing, cryptography and integrated chip card technologies are principally applied to electronic commerce transactions in the telecommunications, banking, retail, petroleum and utilities market sectors.

Prism has developed and implemented innovative payment-centric products that bridge the following technologies:

* Chip and wireless products including telecoms and financial software, 2G and 3G GSM SIM cards and secure access modules.
* Incognito transaction security modules, security products ensuring transaction authentication, confidentiality and integrity; third party products.
* OEM transaction modules including secure payment modules, encrypting PIN pads and outdoor payment terminals.
* Payment Solutions incorporating secure integrated POS payment systems, VeriFone products, EMV solutions/upgrades, payment software and the FlexiLANE/POS/GATE multi-lane chip payment system.
* EasyPay Services which controls the largest bank-independent financial switch in southern Africa.

Editorial contacts

Jenny Nijenhuis
Prism Holdings Limited
(082) 332 3294