Archive for the ‘Chip Cards’ Category
Credit cards are still very vulnerable online
This post amazed me, and when I followed some of the suggestions, I was successful.
It is essential that Banks and credit card companies follow through with enhancements such as “Verified by Visa”.
But more so, this article points to the need for online vigilance for card numbers that are available online. This will result in the usual, ‘is it Visa’s job or [the Bank's] job’, but the need is so clear, surely that can be sorted out.
It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format “3xxx xxxxxx xxxxx”, and Googling for the first 10 digits as “3xxx xxxxxx” didn’t yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up “treasure troves” of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren’t listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL, and a slight variation on the same URL (such as varying an order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found.
Simple, but time-consuming with so many different 8-digit prefixes — but every minute of effort expended on tracking down and canceling leaked credit card numbers, would save time and grief later by preventing the numbers from being used by criminals. If it would save them time in the long run and help prevent fraud, then why don’t they do this?
The Retail Bulletin – Chip & Pin reduces fraud, but fraud continues elsewhere
The opening sentence in this quote sums up the weakest link approach that criminals follow. Nonetheless, it appears that chip and pin is reducing card fraud in the UK so far.
But rather than reducing fraud in total, identity fraudsters have simply shifted their activity to areas that Chip and PIN does not protect.
The first signs came in the cheque fraud figures which showed a rise of 50% in the first six months of 2004, compared with the same period in the previous year. But the cost of cheque fraud is dwarfed by continuing card fraud. “It would be nice if they could pack up their bags and go home, but they are unlikely to and, unfortunately, they will go to another area that is vulnerable,” said Sandra Quinn, an Apacs spokesman. She correctly forecast that card fraud would reach £500m in 2004 (actual figure £504.8M). “We are hoping for containment,” said Ms Quinn. And in 2005, overall card fraud fell back to just under £440M, an early success for the Chip and PIN rollout.
Source: The Retail Bulletin – The complete retail news resource
Barclays launches ‘carbon neutral’ card – AllPayNews
Nice touch from Barclays with a ‘green’, environmentally friendly debit card.
Barclays customers are set to go green with the launch of the UK’s first carbon neutral debit card. This new card, which is entirely blue including the edge, is being rolled out to the bank’s 11 million debit card users as their current ones expire.
Barclays has worked closely with Axalto, its card manufacturer on this innovative card. Axalto, advised by The Carbon Neutral Company, has undertaken to finance projects that work to reduce carbon emissions in the developing world, effectively balancing out the harmful emissions of the card’s manufacturing process by preventing the release of the same amount of greenhouse gases somewhere else.
Aneace’s Blog: Visa’s No Signature Required program is working … how will contactless compete?
For all the push to contactless cards, this release from Visa, noted by Aneace, confirms the viability of small payments with no signature is not dependent on contactless.
Last week, Visa reported that its volume on purchases less than $25 in small ticket segments totaled $27.3 billion in the first six months of the year, an increase of 17 percent over the same period in 2005. Those transactions were performed almost entirely using traditional magnetic stripe cards, not contactless cards.
Source: Aneace’s Blog: Visa’s No Signature Required program is working … how will contactless compete?
This service is apparently particularly relevant for 18-25 year olds, or GenY (not sure where Gen P as noted comes from).
Visa’s survey results also revealed that Generation “P” or Plastic, referring to consumers ages 18-25, is leading the trend of increased use of payment cards for everyday purchases. Sixty percent of Generation “P” prefers payment cards for purchases less than $25, particularly in new and emerging segments such as digital content, vending machines, public transportation, parking and newspapers.
As Banks move to chip, adding on contactless makes more sense in that it's faster than chip, and easier for the consumer. However, in the US, where there is no chip strategy, the relevance of contactless is certainly lessened considering the costs involved.
"Digital Identity – chip cards as a line of business"
Dave makes a good case here for Banks to lever their investment in chip to support new revenue.
“So if the bank sends me a simple USB smart card reader so that I can log on with my chip and PIN card, that’s convenient.
But the bank could then store either more key pairs, or more certificates, on the smart card and charge other organisations (e.g., the government, retailers) for using them. This makes solving the phishing and fraud problem a line of business rather than a cost and, surely, that’s a way to get something done.
… the bank might be able to sell several certificates to the same person and it might also be able to sell chip and PIN cards to people for them to use purely for log on and not for payment at all.
Now that’s what I call a disruptive technology!”
Source: “Digital Identity: That whole trust thing”
The challenge would be in the software management, which isn’t Banks’ core competence. If that aspect could be outsourced, there might just be a model here.
Cool payment technology that makes contactless much more attractive for merchants
Aneace is dead on with his argument that the payment experience needs to be enhanced with customer focussed benefits tied to the transaction, to make the purchase experience more compelling.
Aneace’s Blog: Cool payment technology that makes contactless much more attractive for merchants
I have no idea why a merchant would want to accept basic, “old way to pay” contactless cards that are not of much benefit, unless someone pays him to upgrade his POS terminals (which is what has been happening for the most part) and if interchange fees are dramatically cut. Giving merchants a simple way to target their existing promotions using behaviour data stored in the chip suddenly changes the game. Merchants immediately get much more value out of payment cards, with no additional investment or effort. The contactless value proposition for merchants suddenly becomes real, and no longer has to rely essentially on free terminal upgrades and slashed interchange fees.
However the problem lies in bank reality. I wish “old way to pay contactless” was the problem. The hard reality is that many banks are implementing old style dip chips, and those will be quickly obsolete.
The pains of travelling and paying in a world moving to EMV
Aneace correctly points out a consequential trend in card fraud that is going to impact travellers' plans. Chip card implementation is complex, and the fact that cards will be combo, chip and mag stripe, merely increases the complexity.
Aneace’s Blog: The pains of travelling and paying in a world moving to EMV
The explosion in ATM/debit card fraud shows how fraud can move to the US from other parts of the world, like the UK, where card issuers are adopting the more secure EMV chip card standard. Some US banks have responded by putting a temporary hold on all ATM transactions in the UK, leaving some customers stranded. Cardholders are advised to alert their bank when they plan to travel, and to carry multiple cards for multiple accounts and extra travellers’ cheques, just in case. Wow. Blast to the past. Back to the good old days of travellers’ cheques and envelopes filled with cash.
Already we are seeing consumer trends such as:
- carry four separate cards with $5K limit, versus 1 card of $20K
- keep one card with less than 1K limit for internet purchases
- request bank maintain cards separately from other accounts
- hold credit card with another bank, that keeps the card separate from main accounts
Future trends:
- chip card with no mag stripe
- maintain low limit mag stripe card for travel, or non home bank, domestic use
Relevance to Bankwatch:
Card use is not simple, nor are behaviours understood. Chip will reduce some fraud generally, but introduce a high level of complexity in consumers' minds that drives aberrant card behaviour.
Relevance to Bankwatch – five strategic questions
I went over my posts for the last 6 months, where I had included a "relevance to bankwatch" and these five strategic questions leapt right out of the page. So I think I will start to look at those going forward.
Relevance to Bankwatch
- How are payments evolving, and what is the risk to banks competitive position ?
- What is social computing impact on Banks ?
- How will online banking look in 2020 ?
- How will the branch look in 2020 ?
- Is chip and PIN viable security ?
More to come on the sub-questions behind these, later.
A case for multiple fraud protection systems
This simple story and the rebuttals from the UK Banks serve to validate the need to implement a suite of fraud systems, from software-based pattern recognition through to chip cards. This story is a clear example of why Banks need to implement PassMark/Digital Envoy type solutions to provide customer recognition in support of chip, and not rely solely on chip for online authentication.
Update: Dave Birch provided an update in the comment, that I support, regarding online authentication:
"This is incorrect. If you use even an SDA card for online authentication (eg, using token authentication) then the authenticating host will spot the clone."
Bank chiefs defend Chip and Pin security | 24dash.com – Bill Payments
The experts, who spoke to the Daily Mail newspaper, claimed the problem could have been avoided if banks had opted for the more expensive Dynamic Data Authentication (DDA) system in cards, which is used abroad, rather than the cheaper Static Data Authentication (SDA) which is widely used in the UK. A card terminal can tell if a cloned DDA card is being used even if it is offline, but it can only tell if an SDA one is being used if it is online.
But payment body Apacs, which represents the banking industry, said that while it was true that most banks used SDA technology, they were not reliant on the technology in the chip to spot a fraudulent card.
Apacs spokeswoman Jemma Jones said: "The system is set up to spot cloned cards.
"80% of transactions in this country are online, so there is a high chance it would get caught out."
She said that even if someone had managed to clone a chip and pin card, they would still need to have the cardholder's pin to use it.
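The offline difference between SDA and DDA described in the quoted article, modelled as an added example (not code from this blog or from the article). Textbook RSA over small fixed primes stands in for the real EMV certificate chain; the key sizes, record layout and all names are assumptions made for illustration.

```python
import hashlib
import secrets

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy sizes, illustration only)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# Assumed setup: Mersenne primes keep the toy keys reproducible.
ISSUER_PUB, ISSUER_PRIV = make_key(2**89 - 1, 2**107 - 1)
CARD_PUB, CARD_PRIV = make_key(2**61 - 1, 2**127 - 1)
STATIC = b"PAN=0000000000000000;EXP=0000"        # constructed card data
SDA_SIG = sign(ISSUER_PRIV, STATIC)               # static, readable record
CARD_CERT = sign(ISSUER_PRIV, STATIC + repr(CARD_PUB).encode())

class Card:
    """priv=None models a clone: readable records copied, card key missing."""
    def __init__(self, priv=None):
        # A clone can only answer with some key of its own, not the card's.
        self.priv = priv or make_key(2**31 - 1, 2**19 - 1)[1]

    def answer(self, challenge):
        return sign(self.priv, challenge)

def sda_offline(static, sig):
    # Only static bytes are checked, so a byte-for-byte copy also verifies.
    return verify(ISSUER_PUB, static, sig)

def dda_offline(card, static=STATIC, card_pub=CARD_PUB, cert=CARD_CERT):
    # 1) The issuer vouches for the card's public key and static data.
    if not verify(ISSUER_PUB, static + repr(card_pub).encode(), cert):
        return False
    # 2) The card must sign a fresh number, which needs the private key.
    challenge = secrets.token_bytes(8)
    return verify(card_pub, challenge, card.answer(challenge))
```

In the SDA check the terminal sees the same bytes from a genuine card and from a copy, so offline it has nothing to tell them apart; the DDA check fails for the copy because the challenge changes on every transaction.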
Intel teams with Microsoft, BitWallet to promote FeliCa contactless technology on PC’s
The concept of providing portable card readers feels temporary to me. This move by three industry players in Japan spells the future for the rest of us.
Finextra: Intel teams with Microsoft, BitWallet to promote FeliCa contactless technology
Intel is teaming with both Microsoft and Bitwallet – which provides the EDY contactless payment system – to triple the number of personal computers equipped with FeliCa-reading functions and double the number of Internet services compatible with the technology.
This will put not just a card reader on your home PC, but a contactless one. This truly makes ecommerce and online banking more secure and remain convenient. It bypasses the old style chip cards too.

