Out-Law / Your Daily Need-To-Know

OPINION: Card fraudsters have had it rough lately. Their UK revenues are down 13%, according to APACS, the payment association. In particular, in-store takings with counterfeit and stolen cards have taken a battering from chip and PIN. Analysts may point to R&D letdowns, including a failure to keep pace with the migration from magnetic strips. Faked signatures still work with the "can't remember my PIN" claim, but only until Valentine's Day. Then things turn ugly. From 14th February, shops will refuse requests to sign – and fraudsters know that stealing a PIN is harder than faking an autograph.

Fraudsters should not lose hope. Fraud in card-not-present (CNP) transactions – where neither card nor cardholder is present at the point of sale – enjoyed a 29% rise, and Valentine's Day will surely accelerate that trend. Internet merchants contribute most to the CNP fraud sector; but phone and mail-order fraud are starting to look much more attractive.

APACS confirmed that CNP fraud jumped from £70 million in the first six months of 2004 to almost £91 million in the same period of 2005. The internet part of CNP fraud rose 5% – from £55 million to £58 million. But non-internet CNP fraud soared, from £15 million to almost £33 million, a rise of 116%.

The trend can be explained: predators prey on the weak. Defend them and the target will change.

Online fraud is popular but getting harder. Until now, the fraudster's only concern has been his long-term impact on merchant confidence. The fraud trade depends upon the survival of merchants. Suppose you steal a credit card's details and buy a £500 camera. The cardholder complains and pays nothing (he's well protected by law). If the fraud took place in a shop using chip and PIN, the merchant is protected. If the sale was online, the bank hits the merchant with a chargeback of £500 – and remember that he's already dispatched a camera that cost him, say, £400. But online merchant confidence is being addressed, with systems called Verified by Visa and MasterCard SecureCode, collectively known as 3-D Secure.

Buy that camera at a 3-D Secure site and fraud liability shifts from merchant to bank. The problem for thieves is that 3-D Secure puts an extra step in the e-commerce process, requesting a password as well as the card details. Fraudsters need that password and won't find it written on the card.

Launched in 2001, the roll-out of 3-D Secure has been very slow – thanks in part to the distraction of implementing chip and PIN. But sources suggest that by October 2006 all major credit card issuers in the UK will be on board. Merchants should sign up now: liability shifts right away, whether or not their customers have 3-D Secure cards. Few cardholders are signed up now, which means that most stolen cards still work even at 3-D Secure sites – of which there are relatively few.

Insiders say that more merchants will sign up soon, and a 3-D Secure upgrade will make them even tougher targets. APACS is set to unveil a standard for devices that people will use at home. Insert a chip and PIN card in the reader when prompted while making a purchase and the device will generate a unique 12-digit number. Enter that at a website and there is a high-security substitute for static, customer-chosen passwords. Fraudster R&D has a massive challenge.

So what does that leave? Well, debit card fraud is currently exposed. But that is also migrating to 3-D Secure. Perhaps off-line CNP fraud is the future, as APACS figures suggest (although APACS itself warns that the meteoric rise could be an anomaly). Nobody is certain how telephone payments will be secured. The portable card reader is a suggestion but not yet a plan. For postal payments, the fraud opportunity is greater: the card reader solution appeals to APACS for its real time verification of a unique code – not a code generated a day or more previously. So while the fraudster's routes to market are diminishing, indecision about non-internet CNP security will keep opportunities alive. Let's just hope these merchants don't go out of business.

This opinion piece has been reproduced from Rob McCallough's Rough Diamond column in Issue 13 of OUT-LAW Magazine. Register with OUT-LAW or amend your profile to get a free subscription.