Tuesday, 14 October 2008

Chip and PIN is failing banking customers

Posted by Anita Hawser

With banks around the world distracted by the global credit crunch, plunging share prices and government bail-outs, this can be a time when fraudsters up the ante hoping that banks will be too distracted to notice the rising incidence of fraud.

According to risk management software provider, Actimize,
the number of mass data breaches, particularly those involving ATM and debit fraud, has accelerated, and a at time when banks' balance sheets look compromised, the reputational and direct costs of replacing lost or compromised cards, is an unwelcome additional cost for any bank to have to deal with.

Just as banks need to restore confidence in one another so interbank lending can resume, so too do they need to restore customer's confidence in debit and credit cards. But in a heightened threat landscape where the threat level is becoming increasingly sophisticated and insidious, banks appear to be on the back foot.

Fighting card fraud is not just about compromised ATMs or phishing emails anymore, as recent incidents have borne out. For example, according to Actimize, in Ireland recently fraudsters posing as bank workers, replaced credit card readers in a number of retail stores with fake readers that captured the data on 10,000 credit and debit cards.

In Calgary, Canada, local businesses were
defrauded of approximately CAN $2 million by fraudsters that broke into company databases and inflated the value of pre-paid debit cards. They then withdrew money at ATMs with "cloned" cards.

Authentication specialists,
GrIDsure, highlight a recent incident where MasterCard users were the victims of sophisticated Chip and PIN fraud involving up to 40 stores across Britain including Asda, Tesco and Sainsbury’s. It has called for affirmative action to avoid "further embarrassment" for the UK banking industry.

"While Chip and PIN scams are becoming more and more frequent, it seems that nobody is willing to address the issue head on," says Jonathan Craymer, chairman of GrIDsure. "It is blatantly obvious that Chip and PIN’s reliance on a fixed PIN number is leaving the system vulnerable to attack through sophisticated scams such as this recent one involving MasterCard customers. I wonder how many more people will fall victim to scams like this before the industry stands up and takes action."
Recent incidents highlight the vulnerabilities of Chip and PIN, which were introduced to try and prevent fraud, but Craymer seems to be saying that the industry needs to improve the security of the Chip and PIN system with the introduction of one-time PINs.

UK banks have sent smart card readers that generate one-time PINs to online banking customers, however, Craymer says it is time to find a solution that effectively addresses transaction authentication, not just on the UK high street, but also online and abroad. “Chip and PIN was introduced to put a stop to high street fraud, but as fraudsters begin to find their way around the system we have seen total card fraud losses increase by 14% in the first half of this year alone.”

No comments: