PCarroll

A post relating to this item from Finextra:

10 October, 2011 Over 100 indicted in huge New York ID theft ring takedown New York authorities have indicted 111 people - including bank tellers - accused of participating in an identity theft scam that saw counterfeit credit cards used to steal more than $13 million.

Group: Innovation in Financial Services

What's really mind-boggling about the NY card-skimming fraud

10 Oct, 2011 13:27

News that 111 people were arrested last week in New York in a US$13 million card fraud scam was a useful reminder of just how easy it still is to skim credit card details in the US. NYPD Commissioner Raymond Kelly was quoted as saying: “Thieves have an amazing knowledge of how to use technology . . . The schemes and the imagination that is developing these days are days are really mind-boggling.'

In fact there was nothing sophisticated about this crime, just “traditional” skimming of customers’ credit card details which could be used either to manufacture false credit cards or for online purchases. This is a lot easier in the US where credit card companies don’t use the microchips common in European cards, but those chips don’t prevent, for example, the use of stolen credit card details for online purchases.

As I have argued before, the financial industry’s main focus should be on preventing fraudsters from using stolen data. Technology can already show that an individual (in fact his/her mobile phone) is not in the US when his/her credit card is being used at a POS in New York. Technology can do so in total respect of privacy laws, through anonymous correlation, and in a way that is totally invisible to the customer before such withdrawals and purchases are authorised. Technology can also support additional strong transaction authentication and verification methods, namely through an automated call to that phone can immediately confirm that fact, and – if the card holder rejects the transaction – alert the issuing bank to block the card.

And if the fraudsters have gone to the lengths of swapping the sim card or automatically forwarding calls to the customer’s mobile number on to a number of their own, that can also be detected. The level of authentication can be tailored to the transaction type and size, and can even include voice biometrics for added security if the card issuer wants to use it.

The key lies in real-time detection, prevention and immediate resolution enabled by the empowered customer. The security technology industry has a job to do in encouraging customers to question just how it is possible in 2011 for a skimming scam like the one uncovered in New York to be so profitable on such a scale. That really is a mind-boggling thought.

Comments

Added: 11 October, 2011 - 08:08 | Christopher Mc Carthy - SunGard - Zurich

"Technology can already show that an individual (in fact his/her mobile phone) is not in the US when his/her credit card is being used at a POS in New York."

Erm, Not sure I want a card processor (or anyone really) having real-time access to my movements via mobile phone location records.

0 thumb ups! (Log in to thumb up)

Added: 11 October, 2011 - 10:07 | Pat Carroll - ValidSoft - London

As I explained in an earlier blog on EU Data Privacy, using mobile telephony to improve security for multiple aspects of banking can offer consumers around the world huge gains in terms of improved security and customer service. But those consumers – as well as banks, retailers, mobile telephony companies, regulators and governments – need to feel absolutely confident about the protection of individuals’ privacy, if these exciting opportunities are going to be realised.

And that is why security companies should go through the complex process of applying for a Privacy Seal from EuroPriSe.

European data privacy laws are arguably the most stringent in the world. That should be great news for companies that meet them when those companies come to offer their services around the world.

0 thumb ups! (Log in to thumb up)

Added: 11 October, 2011 - 11:17 | Nick Collin - Collin Consulting Ltd - London

The lesson to be learned is quite clear - the US must migrate to EMV chip.

0 thumb ups! (Log in to thumb up)

Added: 11 October, 2011 - 13:16 | Christopher Mc Carthy - SunGard - Zurich

"European data privacy laws are arguably the most stringent in the world."

Perhaps, but they're not worth much if the politicians then decide to share it in places where the data is less well protected:

http://en.wikipedia.org/wiki/Passenger_Name_Record#Regulation_of_PNR_transfers_between_the_USA_and_the_European_Union

0 thumb ups! (Log in to thumb up)

Added: 11 October, 2011 - 14:30 | Pat Carroll - ValidSoft - London

The bank, or card processer always knows where you are (at an ATM or POS) – our technology simply confirms this, or in the event that we refute it we never say where the person is, so the bank only works with the information it already has.

0 thumb ups! (Log in to thumb up)

Added: 11 October, 2011 - 14:47 | Christopher Mc Carthy - SunGard - Zurich

So your company tells a card processor if the transaction is more likely to be good or bad?

I imagine the criteria you base your decision on are secret, but one thing that would help you immensely would be to know if the card holder's mobile phone agrees with the card on current location?

Again, I want as few people as possible to have access to information on my movements. Not sure how many other peopel are like me (probably more in the UK now following the phone hacking scandal!).

I could however see a system being build, with some safeguards, doing as you suggest. But as you wrote, that is a new trust relationship and would also require a change in the law (I'm thinking in terms of the UK).

Already some cards have other safegaurds - such as requiring a user to contact the issuer or go online and tell the issuer that they are going abroad (good idea, as long as the client knows about this beforehand - a friend of mine didn't, went to HK and found himsefl in trouble - luckily he had just enough cash to call the issue to get the card unblocked). And issuers have been known to call card owners mid shiopping to query 'unusual' purchases (but then we get ot the question of how does the card issue and the holder mutually authenticate each other?).

0 thumb ups! (Log in to thumb up)

Added: 12 October, 2011 - 13:04 | Pat Carroll - ValidSoft - London

Don’t want to breach the rules of engagement of the blog site by going into commercial detail. Briefly we sit as an additional layer of security alongside existing risk engines – the technology already is in place. We check the proximity of the origination of the transaction to the cardholder through the global mobile network. If in proximity then we simply “confirm” what the bank already knows. If we “refute” we never declare where the phone is. Bank has much better quality information to base its decision on whether to accept or decline the transaction. On the privacy front we are fully compliant with UK Data Protection & Data Privacy laws, as we are from an EU Data Privacy regulation perspective also.

0 thumb ups! (Log in to thumb up)

Comment on this blog Report abuse Recommend this blog post

Facebook

LinkedIn Digg Send story

Next blog from Pat Carroll Katie Price's plight highlights fraud dangers

Next from the Innovation in Financial Services group is from Bo Harald What we would do differently today