Trusted transactions involve the transfer of electronic information of value between one or more authenticated parties. The confidentiality and integrity of the information being transferred must be assured, and the transacting parties cannot repudiate having sent or having been sent the information.
This is Prism's area of expertise. Having played an integral role in the development and operation of southern Africa's earliest electronic banking and electronic payment transaction network, Prism has over a decade of experience in secure end-to-end trusted transactions, retail payment systems and solutions.
However, while security and cryptography focus on authentication, integrity, confidentiality and non-repudiation, fraud remains the one persistent force working to undermine all four.
What is fraud?
The criminal definition for fraud is the unlawful and intentional making of a misrepresentation with intent to deceive and to defraud by causing actual or potential prejudice.
Fraud occurs either in the physical world or online/electronically. Focusing here on online fraud, we highlight various types, including card, identity and Internet banking payment fraud, and suggest ways in which chip and PIN technologies, with their promise of improved security, go a long way towards fraud reduction.
Stolen identity
Stolen identity is the first component of Internet payment fraud and occurs when fraudsters wrongfully and intentionally misuse the personal information of another individual.
The two most common forms of Internet payment fraud are bogus Web sites and keyboard recording. Fraudsters host fictitious Web sites offering goods and services; when payment details are captured, these are simply recorded and later used for fraudulent transactions. The result is generally that the consumer never receives the goods purchased, that credit cards or accounts are charged for purchases not made and, more often than not, that a judgement is entered against the innocent consumer.
Internet authentication
There is a growing need for the authentication of Internet payments, and one such scheme is Visa 3-D Secure. The 3-D Secure protocol underlies this Visa payment service, which is designed to secure, enhance and validate payments made through the Internet.
MasterCard offers this standard under the "MasterCard SecureCode" label.
It is an authentication technology that allows merchants, issuers, acquirers and cardholders to identify and authenticate themselves in the Internet world for online card-not-present payments. It uses Secure Sockets Layer (SSL) encryption and a Merchant Server Plug-in to pass information and query participants in order to authenticate the cardholder during an online purchase and to protect payment card information as it is transferred via the Internet.
Keyboard recording
In the case of keyboard key capturing, each and every keystroke made while entering payment or banking details is simply recorded by the capturing application and later replayed to the fraudsters, who can then effect any transaction on your account. These capture programmes may be either software or hardware based.
Authentication tokens
The best way to reduce and combat Internet banking payment fraud at present is through the use of authentication tokens and challenge/response scenarios.
Secure authentication is the process by which your bank or financial institution verifies who you are.
Dynamic data authentication involves the use of a secure authentication password. This allows Internet banking clients, in unison with back-end banking systems, to dynamically generate a new password each time an online banking session is initiated. An authentication token, a small handheld device with or without a keypad and smart card reader, allows this to happen. Some tokens generate random numbers only, while others work on a challenge/response basis.
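As an added illustration, not Prism's code or any bank's actual scheme, the following Python models the challenge/response variant described above: the token side derives a one-time response from the bank's challenge, and the back-end issues a fresh challenge per session and accepts the response only once, so a response captured by a keyboard recorder cannot be replayed. The seed value, the HMAC-SHA256 construction and the eight-digit truncation are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Shared seed personalised into the handheld token and held by the bank's
# back-end. Constructed sample value for this example, not a real key.
TOKEN_SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def token_response(seed: bytes, challenge: str, digits: int = 8) -> str:
    """Token side: turn the bank's challenge into a one-time response.

    HMAC-SHA256 over the challenge, then HOTP-style dynamic truncation to
    a fixed number of decimal digits the customer can type back.
    """
    mac = hmac.new(seed, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BankAuthServer:
    """Back-end side: issues a fresh random challenge for each session and
    accepts the matching response exactly once, so a response recorded by a
    keylogger is useless for any later session."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._pending: dict[str, str] = {}  # session id -> outstanding challenge

    def issue_challenge(self, session_id: str) -> str:
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self._pending[session_id] = challenge
        return challenge

    def verify(self, session_id: str, response: str) -> bool:
        # Consume the challenge first: a second attempt with the same
        # response (a replay) finds nothing outstanding and fails.
        challenge = self._pending.pop(session_id, None)
        if challenge is None:
            return False
        expected = token_response(self._seed, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    bank = BankAuthServer(TOKEN_SEED)
    challenge = bank.issue_challenge("session-1")
    response = token_response(TOKEN_SEED, challenge)  # read off the token display
    print("first use accepted:", bank.verify("session-1", response))
    print("replay accepted:   ", bank.verify("session-1", response))
```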
Payment card fraud
Card fraud usually requires the fraudster to get hold of the victim's card in order to make fraudulent transactions. A major area of focus for fraudsters is the bank ATM, with various techniques used to distract the public or put them off guard when using ATMs.
* Card swapping - a consumer's ATM card is swapped for another card without their knowledge while undertaking an ATM transaction.
* Card jamming - the ATM card reader is deliberately tampered with so that a consumer's card is held in the card reader and cannot be removed by the consumer; the fraudster then removes the card once the customer has departed.
* Vandalism - an ATM is deliberately damaged and/or the card reader is jammed, preventing the customer's card from being inserted.
* A physical attack - an ATM is physically attacked with the intention of removing the cash contents.
* Mugging - a client is physically attacked while in the process of conducting a transaction at an ATM.
There are also examples of payment card fraud which involve illegitimate means of obtaining cards:
* Application fraud - legitimate cards obtained fraudulently and used
* Non-receipt fraud - where cards are intercepted in the mail
* Card-not-present fraud - the misuse of card details in purchasing goods via telephone, mail or Internet
* Lost or stolen card fraud
* Counterfeit fraud
* Account take-over fraud
Counterfeit fraud is a particular area of focus in which cards are illegally altered to mimic genuine cards. This is done by re-embossing genuine cards or by re-encoding genuine account details onto the magstripe of a different card; simple plastic cards can also be made to mimic a genuine card or to take on the appearance and behaviour of genuine cards.
Once criminals have obtained your card details, they will impersonate you and are then able to gain access to your accounts, payment networks and gateways. Skimmers are easily able to swipe your card through a small handheld device that reads track data that can later be replicated or downloaded to another device.
EMV
EMV is a standard for interoperation between chip cards and chip-card-capable POS terminals, for authenticating credit and debit card payments. Chip card systems based on EMV are being phased in across the world under names such as IC Credit and Chip and PIN. The EMV standard defines the interaction at the physical, electrical, data and application levels between chip cards and chip card processing devices for financial transactions. EMV promises improved security, with the associated fraud reduction, and the possibility of finer control over offline credit card transaction approvals. It is more secure as a result of the use of cryptographic algorithms such as DES, Triple-DES, RSA and SHA to provide authentication of the card to the processing terminal and the transaction-processing centre. The increased protection from fraud has allowed banks and credit card issuers to push the 'liability shift' through, so that merchants are now liable for any fraud that results from non-EMV transactions on their systems.
The majority of EMV implementations require the entry of a PIN to confirm the identity of the cardholder rather than signing a paper receipt. In future, systems may be upgraded to use other authentication systems, such as biometrics.
Prism has worked in partnership on, and has many years' experience in providing, end-to-end EMV solutions.
Prism is a member of the EMV master and implementation forums, a long-standing member of the South African Smart Card Society, and a member of SARPA (the SA Revenue Protection Association).