Monday, October 5, 2009

Card Not Present Fraud Strong Week



Last week was "Online Banking is Weak Week" and the PIN Payments News Blog enjoyed it's biggest week ever. 



This week is "Card Not Present Fraud is Strong/Week" and I'll start it off with a quick primer on exactly what  Card Not Present Fraud is, why it exists and what can be done to eliminate it. 



First off...Card-Not-Present fraud is responsible for the dramatic rise in card fraud.  Even though CNP transactions constitute less than 10% of all transactions, CNP fraud DOUBLED in 2008 and now is responsible for over 50% of ALL card fraud.  Transactions done via the Web are "typed" into boxes on merchant websites and therefore many report that the "web" is responsible for this tremendous surge.   I say it's not the web, it's the typing.  



Most people believe that despite the great efforts made to stem credit card fraud
the fraudsters will always find a way, with the latest figures showing a relentless increase in the crime – especially over the web.



But I say, there is a solution, but first we must change the way we pay online by morphing a "card not present" environment into a "card present" one.
  Actually it's a combination of two solutions.  1. Don't Type...Swipe and 2. Don't EVER allow unencrypted data to enter the browser space.  Do those two things and voilla!  Problem Solved!  HomeATM has a patented and PCI 2.x certified technology that provides both of those solutions.



Statistics from UK payments organisation APACS show the huge increase in ‘card-not-present’ fraud – use of your card on the internet, phone or mail order. This figure has more than doubled from £150.8m in 2004 to £328.4m in 2008. CNP Fraud represents half the total of card fraud losses of £609.9m in 2008



Today, most CNP fraud takes place on the Internet



In its simplest form Card Not Present (“CNP”) fraud involves the unauthorized use of a stolen credit or debit card number, by "typing"  vs. Swiping the card through a magnetic stripe reader.  By "typing" the Primary Account Number (PAN)  expiration Data and (if required by the merchant) the 3 Digit CVV Code, to purchase product or services...that information is captured by the bad guys instead of by a PCI 2.x certified magnetic stripe reader/PIN Entry Device. 







In most cases, the victims maintain possession of their card and are unaware of the unauthorized activity until notified by a merchant or they review their monthly statements. 



Once a criminal possesses the credit card number and potentially the cardholder name and address they have the necessary information to attempt CNP fraud.  Criminals use a variety of methods to gain access to credit card data,  validate that the cards are active and circulate the cards to perpetrate CNP fraud.





Some of the more common methods are summarized below.



Skimming - Skimming is the theft of credit card information by a dishonest employee of a legitimate merchant, by manually copying down numbers, or using a magnetic stripe reader device. Skimming often takes place in restaurants or bars where the skimmer has possession of the victim's credit card out of their immediate view.



Phishing -
Phishing is a criminal activity whereby fraudsters attempt to acquire sensitive information, such as credit card numbers, addresses, social security numbers, drivers’ license numbers, usernames and passwords by appearing as a trustworthy organization in an electronic communication. Phishing is typically carried out by email or instant messaging, and often directs users to provide the sensitive information at a website  monitored by the criminals, although phone contact has been used as well.



Carding -
Carding is a term used by criminals for a process they use to validate stolen credit card numbers. The criminals submit the credit card number and the cardholders’ personal data on a website that has real-time transaction processing. Typically, small monetary purchases are made in order to not attract the attention of a merchant and to preserve the credit limit on the card. Once validated, the card number and related details will be sold to or exchanged with other criminals who will use the information to make larger purchases.  All of those methods work, but pale in comparison to the biggest threat.  Ready for the BIG one....?





Malware A new PandaLabs Report says worldwide computer malware infections grew 15% in ONE MONTH and now stands at 60%. WOW! 



As if that is not bad enough, they report that U.S. computers are infected
with the most dangerous malware strain... Banking Trojans.  Those are the ones that steal online banking credentials...including log-in details, credit and debit card numbers and one-time passwords. 



Until last Thursday, arguments abounded about which online banking Trojan was the most dangerous...was it Clampi, Zeus...or maybe Conficker although everyone is in agreement that all three are present a clear and unprecedented danger.  Then, last Thursday, a new "next generation" malware was discovered.  It's called URLZone and it steals your cash and covers it up by rewriting the bank statements.  Nice eh? 



Fortunately, the engineers at HomeATM saw that the
browser was nothing more than an information highway for the bad guys to..."browse" for financial transactions information and designed a device that keeps that information OFF the browser by encrypting it "inside the box."  (our device allows the user to "swipe" their card, and capture the information stored on the magnetic stripe thus constituting a what Visa and MasterCard define as a "card present" transaction.  By creating a "card present" environment we are eliminating the Card NOT Present environment.)

Today, the bad guys have figured out that malware is the best way to go.   it does all the work for them...silently waiting until a financial institution is visited and capturing...Primary Account Numbers, Expiration Dates, 3 Digit CVV codes, online banking credentials, such as username and passwords...even "one time passwords."

Why are they "browsing" for that information?  Well besides the simple answer...(They Can) it's because once they procure them they make a whole lotta cash. 



How do we stop them?  There's only one way.  Hint: It's not anti-virus programs which are fooled up to 77% of the time).

The obvious way is to transform the Internet from a "card not present" environment into a "card present" one.  By capturing the data on the magnetic stripe or the information located on the integrated chip on a smart card) and instantaneously encrypting it, we can prevent the data from entering the dangerous space known as web browsers. 

If there is no data traveling through the browser, then what good does mining it do?

Take a look at the Malware growth graphic (above left ...click to enlarge)  In 2003, 04, 05 and 06, there was less than 800,000 malware programs.  Now there are over 30,0000.  Again, 60% of all PC's worldwide are infected.  So, there is only one way to beat back the bad guys and that is to morph the net into a card present environment by "swiping vs.  typing."



By capturing and encrypting the Track 1 and Track 2 data, and keeping it it's encrypted form until it reaches it's destination (an HSM) we keep the cardholder data (and banking log-in credentials) safe from the bad guys...










Reblog this post [with Zemanta]

Disqus for ePayment News