I’m in agreement with RBS’s Kevin Brown when he argues that while cybercrime is sharply on the rise, security measures are failing to keep up - the recent news of the $45 million stolen from prepaid cards is testament to this. Payment innovation continues to develop at a rapid pace, particularly in all forms of mobile payments, and the use of smart-phones for banking and payments is growing at a rate of nearly 53% per year (World Payments Report 2012 - http://www.capgemini.com/worldpaymentsreport).
This underlines once more the need for efficient, real-time detection, prevention and resolution, which protects both the customer and banking organisation from fraudulent transactions. As banking moves further into the mobile channel the need for a secure - and yet seamless - means of verifying and authenticating transactions becomes paramount, for fraud will certainly draw on the vulnerabilities of this new, converged channel. If analyst predictions on the growth of mobile payments are to be realized, banks and mobile payment providers need to take a holistic approach to security and think about including it ‘by design’, rather than as a point solution. Telecommunications-based solutions – and specifically a custom-built mobile-based solution – are key to combating this growing threat.
29 May 2013 11:54
It’s worrying to see the latest news from APWG that there are now around 30,000 samples of mobile malware known to be in existence. Particularly more so when you consider that nearly 1 in 2 consumers fail to protect their mobile phones with even the lowest level of security – a password*. When you consider these statistics with the high level of personal data we store on our Smartphones one can start to understand the high level of personal risk.
Cybercrime is sharply on the rise and security measures aren’t necessarily keeping up, leading us to ask, ‘whose responsibility is it to secure transactions on Smartphones – the bank, the payment provider, the app provider, the telco or the individual?’ The fact is that collaboration is needed between all interested and affected parties. They need to work together to consider how security can be implemented in a holistic and seamless manner. It’s something which will take time, but consumer power can help here as a powerful catalyst for change.
*Stats taken from GSO May 2013
24 May 2013 13:23
Great to see the likes of Microsoft acting as enablers for the next steps in mobile wallets.
From my point of view, 2012 has been the year of the mobile wallet and 2013 will see some actual merchant adoption of the many wallets that have already been announced, no doubt with many more to come before the inevitable consolidation will occur. Picking the winners and losers, though, is far harder in what is fast becoming a saturated market. Merchant adoption is of course key. 2013 will also be the year of mobile payments. I personally believe that 2013 will herald a faster transition to mobile payments than analysts are currently predicting. Traditional transaction methods remain woefully inadequate to meet the needs of both the world’s large under-banked population and those who are demanding even greater convenience from their banks. Mobile opens up a host of possibilities to address both needs.
However, throughout 2012 the mobile payments industry has been preoccupied with the race for market share and no single technical standard has emerged. As long as there remains opportunity to be had and competition remains high, I think we’ll see this trend continue. I wouldn’t be surprised if along the way some of the fundamentals fail to be addressed (we have already seen one high-profile case in the UK in 2012) and we see a significant fraud attack that puts users at risk, causing significant reputational damage for this new channel.
That’s why, as we move into 2013, we’re fully in support of activities that will help shape the future of mobile wallets.
18 Mar 2013 15:39
EMV is based on reading the chip in the card. King is right to point out the limitations of EMV for a CNP environment. A card can indeed be fitted with an OTP generator (they already exist) and would then satisfy the 2FA requirements, clearly a step forward albeit with an associated cost. It is worth remembering that this is still only authentication and as such cannot guarantee the integrity of the transaction. Recently the European Central Bank issued a set of recommendations around securing electronic payments, especially the online channel. Like King, the ECB points to the fact that CNP is an environment that is complex and is the target of fraudsters from many channels. In 2013 we should not only expect such attacks to escalate in terms of frequency and significance, but for traditional defence technologies to provide little resistance. In my view, the winning solution will need to be suitable for use with tablets and smart-phones as they become increasingly popular forms of transacting online.
25 Feb 2013 11:09
It is interesting to see the card fraud statistics released by Europol this week, but even more interesting, and alarming, to read their recommendations. By their own calculations, card fraud on EU issued cards is running at around 1.5 billion euros a year. Of this, 600 million euro is attributed to card-present (CP) fraud, the vast majority of which is perpetrated outside of the EU in non EMV-compliant countries.
None of this will come as a shock to anyone involved in card issuing or card-fraud prevention. What should come as a shock, however, is Europol’s recommended solution, namely that all EU issuing banks should geo-block EU issued EMV cards, meaning they will not work in non EMV countries without the mag stripe being explicitly reactivated.
As blunt instruments go, they don’t come much blunter. What is not being taken into account within this report is the fact that EU issuing banks already lose large amounts of interchange fee revenue, incur substantial processing overheads and routinely upset their travelling customers through aggressive cross-border decline policies. Those using practices such as “travel flags” still incur administrative costs, still annoy their customers (I have personally spent over 40 minutes in a phone queue), are no guarantee that the card will not be blocked and can also be exploited by the fraudsters themselves. There is a cost to banks and their customers today from excessive cross-border declines which does not feature in the aforementioned 600m euro.
The solution is surely fewer cross-border declines, not more. This does not mean, however, ignoring the fraud problem. The technology exists today to tackle this problem from both perspectives: fraud prevention and false-positive (decline) reduction. Importantly, the technology does not require the EU banking industry to break the fundamental tenet of universal acceptance or to incur ever more overheads which will, eventually, be passed on to the consumer.
Rather than banks spending more at the back end on investigations and card re-activations, we should be looking to reduce both cross-border fraud and excessive declines at source.
10 Jan 2013 13:07
The recent news that the UK government body, the Technology Strategy Board, has set aside some £1.5m for m-commerce and fraud prevention projects is a significant and positive step in the right direction for the industry.
So far, we have seen a variety of companies racing to gain market share in the mobile market in many different forms, but some unfortunately at the expense of customer security. This new initiative helps to bring the focus of mobile security to the heart of the m-commerce debate. Lack of trust has always been the Achilles Heel in the take-up of e-commerce: m-commerce will be no different.
Security measures needn’t be onerous or complicated for the customer to use, and yet can be very strong. A real-time, multi-layer approach, incorporating visible and invisible security layers can be achieved today – allowing total risk discrimination at the transaction level and with “low-or-no” customer friction.
23 Nov 2012 14:48
“When Anuj Nayar of PayPal says that mobile wallets don’t solve any customer pain points by themselves and that ‘your mobile phone just won’t cut it’, I think he’s missing the point completely.
“Around two thirds of the world’s population don’t have a credit card or bank account and the potential for mobile to fill that gap is huge. According to the recent World Payments Report (here), the number of m-payments users worldwide surpassed 141 million in 2011. That’s a 38.2% increase from 2010. But, again according to the report, still only 2.1% of all mobile users are making payments via mobile, so the potential for additional growth is huge.
“The future is also rosy for mobile wallets because of the high percentage of low value payments that are still made by cash, rather than card. Apps and wallets are here to stay and there’s huge potential for those low value transactions to be moved to mobile. That’s exactly what’s happening in emerging economies; you just need to look at the success that mobile payment infrastructure providers such as Utiba are having.
“Plus, mobile telecommunications is already cloud based, so it’s easy to enhance the shopping experience by feeding on geo-location and transactional data. After all, paying over mobile is all about consumer experience. The big question for me is how to balance customer convenience and trust, as security is the one thing that engenders trust and is increasingly expected by consumers. It quickly becomes a differentiating factor if it’s thought to be lacking.”
17 Oct 2012 12:25
@ Alexander. I agree with you. The decision by NatWest to suspend its Get Cash app, whilst being a wise one, has cast an unwarranted bad light on mobile-based transacting. Since this first came to light there has been speculation as to the cause of the fraud losses, ranging from mobile operating systems, mobile hacking and zero-day exploits. The truth, I suspect, is rather more mundane. The fraudsters were able to download the app and register it with the victim’s debit card details because there was no strong authentication at the point of registration, simply knowledge-based information which we all know can be gleaned by fraudsters in a number of ways, such as phishing.
Ironically, the customers who had actually downloaded and registered the app were safe from the fraud; it was those that hadn’t who were at risk. This episode therefore had nothing to do with the medium being a smart-phone but everything to do with the process employed in deploying and activating the app. There is no real difference between this and Internet banking losses through the reliance on PINs and Passwords alone.
In this and other instances that will surely follow, we need to look at the end-to-end process rather than casting a shadow over mobile banking.
Note: my comment is also posted under the NatWest report at https://www.finextra.com/news/fullstory.aspx?newsitemid=24147
10 Oct 2012 11:52
The decision by NatWest to suspend its Get Cash app, whilst being a wise one, has cast an unwarranted bad light on mobile-based transacting. Since this first came to light there has been speculation as to the cause of the fraud losses, ranging from mobile operating systems, mobile hacking and zero-day exploits. The truth, I suspect, is rather more mundane. The fraudsters were able to download the app and register it with the victim’s debit card details because there was no strong authentication at the point of registration, simply knowledge-based information which we all know can be gleaned by fraudsters in a number of ways, such as phishing.
10 Oct 2012 10:59
@John: Thank you for sharing your views John. Voice biometrics is these days a proven security technology to provide strong authentication with very sophisticated capabilities. A very strong authentication can be achieved where voice biometrics is implemented as part of a layered security approach. There are different approaches that can incorporate Voice Biometrics such as: text dependent; text independent and conversational. You could, for example, be asked to repeat a random “one-off” PIN. This would accomplish three individual checks:
Yet all as simple and intuitive as a voice call.
20 Jun 2012 17:16