This week saw the release of fraud figures for 2008, with online banking fraud rising by an astonishing 132 per cent.
There was a total of £609.9 million collected by fraudsters during 2008, with a total of £52.5 million from online banking. The National Fraud Strategy now estimates that card fraud costs every person in the country £10 per year, and online banking fraud 87 pence per year.
APACS, the UK trade association for payments and for those institutions that deliver payment services to customers, released the figures. It claimed that the two main areas of fraud were on transactions not protected by chip and PIN: specifically internet, phone and mail order fraud; and fraud abroad - committed by criminals using stolen UK card details in countries yet to upgrade to chip and PIN - which has nearly doubled in two years.
Surely chip and PIN is the most secure method, hence its inception? Not according to Nick Drew, executive director e-money operations at ClickandBuy, who claimed: “The latest APACS findings are exactly what the industry predicted prior to the launch of chip and PIN. The added security offered by chip and PIN would inevitably have the fraudsters turning to other, potentially less secure methods of credit card payments – namely online.
“The reduced level of card fraud in the UK is certainly down to chip and PIN but also due to the gradual roll out of 3D secure which provides an additional layer of security for online credit and debit transactions but until this technology is embraced globally, card abuse abroad is unlikely to decline.”
It seems unfair to accuse the payment industry of failing to make efforts to counter these problems: APACS claims that ‘tackling this fraud is a priority’, and the creation of the police e-crime unit shows that there is a level of activity.
Also, APACS claims that the industry is continuing to encourage cardholder and retailer take-up of the MasterCard SecureCode and Verified by Visa format of two-factor authentication for online payments.
However, Michael Robertson, managing director at Commerce Media, claimed that financial organisations are not implementing enough two-factor authentication.
Robertson said: “These can be relatively cheap to implement, especially given the potential revenue lost to fraud, and don't necessarily require user education. For example, using a combination of a static user name/password and a real-time password, which is only valid for a limited period, via an independent medium such as a mobile phone, enables both parties to be confident that the communication is not corrupted.
“Simple and convenient to use, instant deployment and cost effective – so why are such solutions not being implemented? Hopefully these figures will encourage more e-businesses to investigate the options fully and understand that anti-fraud solutions don't need to be complicated or expensive.”
As recently as yesterday, the Visa chief enterprise risk officer Ellen Richey claimed that payment card data fraud rates remain low and called for investment, collaboration and innovation to keep the electronic payment system secure in the future.
However, Visa's own survey revealed that 59 per cent of US adults had decided not to make an online purchase at a particular website because they did not trust that site. So do companies need to ensure that their websites not only practise PCI DSS compliance, but also convince users by appearance that they are secure?
David Dix, electronic payments expert at Cryptomathic, said: “With so much time and resources invested in online and card-not-present fraud over recent years, financial organisations will need to start focusing much more attention on identity theft, from educating customers to updating the ways in which bank accounts can be opened.
“This will no doubt come at a cost of increased customer inconvenience. But the responsibility is not just with the banks. The increasing rise in identity theft clearly indicates that the importance of shredding personal documents and disposing of this information securely has yet to be taken seriously. Our reluctance to adopt such measures will need to be overcome if we are to halt this worrying trend.”
APACS claims that despite such a huge rise in online banking fraud, and as phishing incidents continue to increase, it is continuing ‘to remind customers to ensure that they have their computer's firewall switched on and anti-virus software installed and kept up-to-date’.
But even if anti-virus protection were not only up to date but active too, could we guarantee a fall in the levels of online payment crime? The answer is probably no, and if there is a solution it lies with the public being more responsible when paying online, and with the industry promoting PCI DSS standards and ensuring these are enforced.
If this can be achieved, then it will be a point won for the general public. However, as the scammers remain one step ahead, there is always a new lesson to be learned for the rest of us.