Where The Money Is - The Race to Defeat the Credit Card Fraudsters

By Nick Funnell
Friday 11th May 2007

‘Slick Willie’ Sutton was one of the most notorious bank robbers of the 1930s, stealing hundreds of thousands of dollars at gunpoint from various Philadelphia banks. When asked why he did it, his reply became famous: ‘That’s where the money is’.

In today’s consumer society, your credit or debit card is where the real money is- and also where the weakest links in the security chain are. The modern gangster constantly threatens, not with a gun, but with an ever-changing bag of tricks, mixing technology with old-fashioned confidence scams.

Card fraud costs the industry big money- £428m in 2006, down from an all-time high of £504m in 2004. Tackling it is a constant race between what the fraudsters are doing, what the techies can come up with to combat them and, of course, how much money the banks want to throw at the problem.

Signing Off On ‘Old School’ Fraud

Remember the good old days, when buying stuff with plastic entailed a hastily scribbled signature on a slip of paper? Ever see that signature being checked by the sales assistant? On the vast majority of occasions, probably not. Any warm glow of ‘security’ you felt from doing this was as much a con as anything the fraudsters pulled, as the ever-rising cost of fraud to 2004 proved. If your card was ever lost, stolen or ‘cloned’ and not cancelled immediately, you could always look forward to a host of unchallenged fraudulent purchases appearing on the next statement.

The fallacy of signature-based security was recently illustrated by US prankster John Hargrave (as documented at zug.com). Trying his best to have purchases refused, he put a whole range of stores to the test, signing off his credit card slips with increasingly bizarre monikers. From the simple ‘Mariah Cary’ through ‘Shamu the Whale’ (on entering an aquarium) and ‘Service Sucked’ (at a restaurant where they mixed up his order), not once was the signature queried. Even ‘Found this in the trash- whoo-hoo!’ didn’t warrant a second glance.

The PIN is Mightier than the Fraud?

Now of course we have Chip and PIN, officially introduced in the UK in February 2006 and much vaunted by the industry as the new, ultra secure face of retail card transactions. The figures do seem to bear this out, with retail fraud nearly halving from £135.9m in 2005 to £72.1m in 2006. The necessity for fraudsters to obtain your card (or a copy of it) plus your PIN number certainly makes their job harder.

But there’s never any room for complacency. The bad guys can always find ways to get their dirty hands on your account:

  • Shoulder surfing: that guy getting a bit too close behind you in the queue may be a bit creepy, but that may not be all. His proximity may be a ruse to look where your fingers are heading on the keypad.
  • Hidden cameras: near impossible for the customer to differentiate from normal security cameras. Petrol stations are a particular danger area here.
  • ‘Chip and Spin’: as demonstrated in a recent edition of BBC’s ‘Watchdog’. The customer is lured to enter their PIN into a fake terminal; their details can then be simultaneously used for fraudulent purchases elsewhere. Rather over-elaborate perhaps, but technically possible.
  • Going abroad: the chain is only as strong as the weakest link. There are plenty of countries around the globe that haven’t upgraded to Chip and PIN, and may not for a good few years to come. A simple cloned card will do nicely in any of these places; overseas fraud rose by 43% to £118m last year.

Best advice is to always keep your card in sight and use your body and free hand to carefully shield your PIN number entry from prying eyes (human or otherwise). And watch out for dodgy-looking terminals and/or shop staff!

Going Online- the New Frontier in Fraud

Of course, store-based security improvements such as Chip and PIN are rendered less relevant in the fight against fraud by the booming internet retail market. Card-not-present (CNP) fraud (which involves fraudulent purchases over the internet, by phone or via mail order) leapt 16 per cent from £183.2m in 2005 to £212.6m in 2006, now representing almost half of all fraudulent plastic losses.

While online transactions always require some form of ‘secure’ password to proceed, criminals can use an array of tricks to break this security. The most notorious is ‘phishing’, in which a spurious email asks the card user to send their account details and passwords to a bogus web address. This is usually done under the guise of the bank wishing to check details, or a prize needing to be claimed. One can be smug about the gullibility of people who fall for such tricks, but the fact is that the static password (i.e. remaining the same for at least a few weeks at a time) will always be vulnerable if your computer security is compromised in any way. Nasty trojans and ‘keyloggers’ can always slip onto your hard drive unnoticed through the broadband connection.

Designing a truly secure online card-usage system is a challenge the banks have been mulling over for a few years now. If they’ve not hit upon the solution yet, it’s certainly not for want of advice from technicians. Browsing IT community websites such as The Register (‘Biting the hand that feeds IT’) is to enter the world of the angry techie- always an unsettling place to be. “In the online banking case” writes ‘Surreptitious Evil’, “the challenge…needs to be a human parsable subset of the transaction details, containing enough information to validate both value and the 2nd party, as well as enough random data to prevent protocol level attacks. This is actually quite hard to do in a consumer-usable manner, especially given the restrictions around disability discrimination issues.” I think that last bit must refer to people like me who couldn’t understand the first part.

The Man in the Middle- Your Future Worst Enemy

Wading through the technical detail, the main solution seems to lie in ‘two-factor authentication’. This entails the card user possessing a device to generate a time-sensitive password or PIN- e.g. one that changes every 60 seconds. Only by entering this, in addition to the normal static password, will the transaction proceed. Barclays recently introduced this idea (‘PINsentry’) for their online banking, and others may follow, though the pace is slow. One blogger describes how his Estonian bank introduced this system several years ago, casting doubt on the UK banks’ willingness to invest the money required.

Two-factor authentication leaves the criminals with only one course of action- becoming the ‘man in the middle’. Somehow they must set up systems to intercept transactions in real-time in order to hack into your account- an online version of the ‘Chip and Spin’ tactic described above. Your criminal enemy of the future will be less a dodgy confidence trickster, more one of a coterie of highly skilled technicians running ever-changing hacking codes. Rumours abound of this nightmare scenario already being detected in some areas.
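
To make the last two points concrete, here is an added sketch (not from this article, and not any bank's actual scheme) comparing a code that depends only on the time window with a response tied to the payee, the amount and a random value from the bank, as the Register commenter quoted earlier describes. The HMAC construction, key, payee names and nonce are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the "changes every 60 seconds" device described above
# Constructed sample values (assumptions, not real account data)
KEY = b"constructed-demo-key"
NONCE = bytes.fromhex("a1b2c3d4e5f60718")  # random data chosen by the bank
NOW = 1_178_870_400  # constructed timestamp on a 60-second boundary

def _truncate(mac: bytes, digits: int = 6) -> str:
    # Dynamic truncation in the style of RFC 4226: 31 bits at a MAC-chosen offset
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def time_code(key: bytes, now: int) -> str:
    """Code that depends only on the shared key and the current time window."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest())

def txn_code(key: bytes, payee: str, pence: int, nonce: bytes) -> str:
    """Code bound to the payee, the amount and the bank's random nonce."""
    fields = [payee.encode(), str(pence).encode(), nonce]
    msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)  # length-prefixed
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())

def bank_accepts_time_code(key, code, now):
    return hmac.compare_digest(code, time_code(key, now))

def bank_accepts_txn_code(key, code, payee, pence, nonce):
    return hmac.compare_digest(code, txn_code(key, payee, pence, nonce))

def demo():
    # The customer means to pay one party; the request reaching the bank differs.
    intended = ("ACME-UTILITIES", 4_500)
    altered = ("UNKNOWN-PAYEE", 450_000)
    t = time_code(KEY, NOW)
    s = txn_code(KEY, *intended, NONCE)
    return {
        "time_code_rotates": t != time_code(KEY, NOW + STEP),
        "time_code_ok_whatever_the_request": bank_accepts_time_code(KEY, t, NOW + 20),
        "txn_code_ok_for_intended": bank_accepts_txn_code(KEY, s, *intended, NONCE),
        "txn_code_ok_for_altered": bank_accepts_txn_code(KEY, s, *altered, NONCE),
    }

if __name__ == "__main__":
    print(demo())
```

The time-based code carries no information about the payment, so the bank accepts it for whatever request arrives inside the same 60-second window; the transaction-bound code only verifies for the payee and amount the customer actually saw.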

Banks and Fraudsters- a Win-Win Situation?

So, it seems 100% security is an ideal that can never be fully achieved. But would the banks ever really want to achieve it if they could? After all, a quick perusal of most credit card application leaflets shows card protection insurance being heavily marketed. These policies are not being offered out of goodwill. In a tough market, revenues from the inflated premiums are an essential part of card issuers’ business plans going forward. Unsettling headlines about the growth in card fraud (often with the added spice of ‘terrorist links’) are, for them, simply free advertising.

Well, you may feel I’m overdoing it on the conspiracy theory here. But then again, what do you think became of our famous bank robber Willie Sutton? Immediately following his release from prison in 1969, he appeared in a television commercial to promote a Connecticut bank’s new photo-security credit card programme. For the banks it’s the same old story- theft is always just part of doing business.
