Tuesday, 2 September 2008

The UK’s credit card crisis

Posted by Nick Kochan

In the week that the Royal Bank of Scotland and NatWest have accepted that a computer sold on eBay has exposed the data of one million customers to possible abuse, a spokesman for the Government’s new National Strategic Fraud Authority, set to be launched on 1 October, says credit card and banking fraud will be a prime target.

Spokesman Adam Morris says the Agency is in discussions with representatives of UK banks and payment companies about the UK’s deteriorating position as a haven for credit card fraud. Morris says, ‘There are many agencies targeting fraud, but the Fraud Review found they were not always working together. We are targeting the symptoms of fraud and aim to bring banks and other stakeholders together.’

UK credit card fraud is at record levels due to abuse of the internet, says the banking industry body, APACS. Annual plastic card losses in 2007 amounted to £535.2m. This compares with £428m in 2006.

The majority of this -- £290.5m -- was incurred by those buying goods on the internet. ‘Card-not-present’ fraud increased by almost £80m on the previous year. As money has been poured into chip-and-pin to deal with lost and stolen cards -- down from £68.5m in 2006 to £56.2m in 2007 -- counterfeit theft and internet abuse of cards have risen sharply.

Metropolitan and City Police forces, fighting card fraud through the Dedicated Cheque and Plastic Crime Unit (a joint public/public sector agency), face an uphill struggle, say industry observers.

Thieves keep several steps ahead of the industry and the police, says Amir Orad, executive vice president of Actimize, the banking consultancy. "Credit card fraud is growing and changing its form to respond to the growing efforts of those who seek to curb it. The crooks are a long way ahead of the institutions cracking down on it."

Leaky credit card systems in retailers presented thieves with their latest juicy target. A group of 11 worked together to break into the systems of US retailer TJX Companies. TJX owns the popular cut-price UK retailer TJ Maxx and the company has admitted that some of the 41 million credit card numbers hacked from retailers belonged to UK and Irish customers.

The 11 were allegedly engaged in ‘war-driving’, the concept of data-theft via wireless networks. The thieves had apparently gone cruising through different areas with a laptop looking for accessible wireless signals. They then installed ‘sniffer’ programs that captured credit and debit card numbers as they moved through the retailers’ processing networks. The information was stored on the thieves’ processors in Latvia and Ukraine.

The US Attorney General, Michael Mukasey, said, "They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves."

Organised gangs perpetrate credit card fraud, says Paul Ravenscroft, a spokesman for Visa. "Law enforcement tells us that some of the perpetrators of large scale payment card fraud are gangs that utilise the skills of technically sophisticated individuals. As we introduce new fraud countermeasures, such criminals will migrate their attacks to other parts of the system."

The godfather in a credit card gang is the guy who understands the technology, says Kevin O’Leary, the chief executive officer at Norkom, a Dublin-based consultancy. "At the top is a group of technicians who provide the intellectual property of how to get at the data that you are going to need to perpetrate a fraud. They must understand how the point of sale server computer architecture works.

"People who commit the technical aspect of the crime need to be several degrees removed from the people who perpetrate the crime at the end of the chain. They do not think of themselves as criminals in the true sense." Smart con men occupy the gang’s second tier. O’Leary says that they go into the grocery store to install the rogue equipment and need to be brazen. "They risk criminal prosecution, if they are found and apprehended."

Street level functionaries "exchange data with other gangs and recruit hundreds of people to use fake cards to walk up to cash machines and make withdrawals. These are people at the bottom of the food chain." O’Leary warns companies to beware of insiders who obtain techniques from their employers to defraud them.

Banks do not sufficiently understand this threat, says David Porter, head of security and risk at Detica, the security consultancy. "Insider fraud has been under-addressed by the bank security community.

"Not all credit card fraud is perpetrated by external bogeymen. There are some highly effective technologies for spotting the unusual outlier in a community of employees who may be embezzling money or confidential data. Organisations need to tackle this problem area rather than sweep it under the carpet."

Banks and retailers need to completely review anti-fraud policies in the light of burgeoning credit card fraud, says David Hobson, the managing director of Global Secure Systems. "Methods to counter data leakage are slowly coming together. Many banks still do this piecemeal. They are considering a single part of the issue rather than the whole issue."

O’Leary says banks have been slow to act. "Fixed-point solutions like credit card scoring and credit card detection technology on credit card transactions only work up to a point. They give you a fairly limited intelligence to understand what’s going on. Banks need to join all these things up and look at them in a unified fashion."

Fraudsters leave tracks across an organisation, says Orad. "Patterns of banking activity, like cheques, ATM machines and online banking are used to catch credit card fraud in particular and enterprise fraud in general."

Credit card payment companies like Visa and MasterCard have brought in new technology to attack credit card fraud. Customers tap in extra pieces of secure data, in addition to the PIN, when making a credit card purchase at a retailer.

APACS spokesman Mark Bowerman attacks retailers for failing to install the system to allow the customer to make the check. "Take-up has been slow but is now increasing. The vast majority of people need to use it and the vast majority of merchants need to use it. It is a competitive issue. It is up to them whether they decide to implement it in their business."

Merchants are the weak point in the credit card chain, says Hobson. "Credit card details are lost at merchants where there is not the same understanding of risk. They are actually custodians of the customer’s data. If a merchant processing millions or billions of pounds says it doesn’t want to bring in the new secure systems, will any credit card company really refuse their business? Unlikely, as they take a business decision to take a risk!"

Anti-fraud technology based on Chip and PIN is lagging criminal techniques, says Porter. "There's been a lot of focus on Chip-and-PIN, but this is only half the solution since it's a preventative measure. We also need advances in the way we detect criminals who inevitably overcome these preventative measures.

"Banks and credit card processors have invested in automated detection systems based on behavioural modeling: learn how a fraudster does his tricks and then go looking for similar patterns. Fraudsters are getting wise to this method of detection. These legacy detection systems are unable to identify fragmented schemes where each entity or activity alone is too small to appear 'on the radar'."

Fraudsters are pouring resources into attacking credit card data. They have set their sights on opening up and benefiting from leaky systems and security glitches. Banks are in the firing line, but customers need to demand tighter controls at every link in the credit card chain if fraud, and the costs to credit card users on the high street, are to be reduced.
