BANK INITIATIVES to address CNP fraud
Banking initiatives such as Chip and PIN are shutting the door on fraud in the high street and driving a significant migration to CNP fraud. Attempts by the banks to address CNP fraud, such as 3D-Secure, are welcome, but retailers must be sure of the benefits to them: 3D-Secure does not always provide a guarantee of payment. The banks are doing as much as they can, but in fact the retailer is in the best position to determine whether a transaction is genuine or fraudulent.
AVS - Address Verification Service
This was designed to provide an automated address check at the time of authorisation. Visa figures from 2003 suggested that 75% of authorisations resulted in a positive match; of the remaining 25%, 10% were fraudulent. Therefore 22.5% of all transactions would fail AVS yet be genuine!
Conclusion: AVS works reasonably well, but is easy to compromise. Useful as a part of an overall fraud prevention strategy, but no use as a decision tool in its own right.
CV2 - Card Verification 2 (Card Security Code)
Three numbers printed on the back of the card, designed to verify that the person who knows these numbers is the cardholder. This provides a useful indicator of whether or not the customer has had sight of the card. If CV2 fails, it is reasonable to reject the transaction; however, if CV2 passes, payment is still not guaranteed.
The banking community has rather over-played the benefit of CV2 to merchants. It is a useful check (probably as good as anything) but unless complemented with other checks, it too can be easily compromised.
How CV2 will be compromised:
Example 1: Cards compromised in the post are a common occurrence. Cardholders are asked to confirm that they have received a new card before it is used. Fraudsters therefore only need to see the card, record the relevant details (card number, expiry date and CV2) and re-seal the envelope. The details will be used a couple of weeks later, after the genuine cardholder has confirmed receipt.
Example 2: Skimming devices are regularly used to capture the electronic data from the magnetic stripe of cards. CV2 can be skimmed too, simply by using a business card reader (available for less than £50 in any high street). Accomplices in petrol stations, shops and restaurants all over the world use these devices.
Conclusion: CV2 is an excellent check. Its positive effect is now beginning to diminish as it is adopted more widely by retailers, and fraudsters are now beginning to seek to compromise CV2 too. Very useful as a part of an overall fraud prevention strategy, but of limited benefit as a decision tool in its own right.
3D SECURE - Verified By VISA, SecureCode by Mastercard
A password exchanged between the cardholder and their card-issuing bank at the time of the transaction. The retailer may then authorise the transaction, with the potential for liability to shift to the bank.
3D-Secure relies upon the integrity of the password being maintained, and a threat to this is the number of times that users need to use passwords when trading on the Internet:
- Username and password to log onto computer
- Username and password to log onto ISP for Internet access
- Username and password for internet banking
- Username and password to log onto many e-commerce sites (without one you cannot trade)
- Card number and 3D-Secure password to do business at the bank's risk. This will make the banks nervous, despite the technology working well at face value.
- Many users have one or two passwords which are used for everything, increasing the chance of compromise.
Conclusions: VbV will work well, particularly when combined with CV2 and AVS. The liability shift has caught the headlines, as it has the effect of giving retailers everything they want, at face value. In effect it brings about new challenges, and the issue is likely to move from being a financial one to a marketing one. Will it be harder for customers to do business online?
3D-Secure requires a high level of adoption by cardholders to be successful. The trouble is that those customers who do not register, for whatever reason, may be treated as potential fraudsters. That may be acceptable from a bank's perspective, but it certainly is not from a retailer's. Use 3D-Secure, but be prepared to authorise the transaction using the merchant-risk ECI (Electronic Commerce Indicator) value.
Any retailer trading in CNP channels must take responsibility and implement systems designed to help them manage their risk by understanding exactly who they are dealing with. A first step is to stop considering it a payment issue and start regarding it as: Shoplifting with home delivery!
Last year UK retailers spent an estimated £100 million delivering stolen goods to fraudsters!
DYNAMIC PASSCODE Authentication
Similar to 3D-Secure, but requiring a 'gismo' (it looks like a small calculator) which uses a Chip and PIN card to generate a one-time-use passcode.
This will work provided that all online shoppers have a gismo, with no exceptions. The trouble is that some people will not have a gismo with them, some overseas customers will not know what it is, and some customers may find yet another security device difficult or off-putting. What is certain is that fraudsters will not use them, unless of course they have obtained a stolen card with a compromised PIN. This is really good technically, but in practice it cannot work. What about proof of delivery? It does not help if the goods are never received.
Dynamic passcode authentication needs fraud screening to detect the frauds that it cannot. Screening, used alongside either 3D-Secure or dynamic passcode authentication, is the correct approach.
Retailers are in the best possible position to implement a suite of processes, most of which need not be visible to any customer, which will provide a very high level of protection against attempted CNP fraud.
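The conclusions above (AVS and CV2 as inputs rather than decision tools, non-enrolled 3D-Secure cardholders processed at merchant risk rather than rejected, and screening layered on top of the bank checks) can be expressed as a single despatch decision. The following is an added illustration written for this page, not code from the brief or from any card scheme: the AVS, CV2 and 3D-Secure result labels, the scoring weights, the thresholds and the merchant-side signals are all constructed assumptions, and the scheme-specific ECI codes are deliberately not reproduced.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ACCEPT = "accept"
    REVIEW = "review"   # hold for a manual check before despatch
    REJECT = "reject"


@dataclass
class Order:
    # Bank-side check results, as constructed labels rather than scheme codes (assumption).
    avs: str   # "full" | "partial" | "none" | "unavailable"
    cv2: str   # "match" | "no_match" | "not_provided"
    tds: str   # "authenticated" | "attempted" | "not_enrolled" | "failed"
    # Merchant-side facts that the customer never sees.
    amount_gbp: float
    ship_to_matches_billing: bool
    account_age_days: int
    prior_successful_orders: int


@dataclass
class Outcome:
    decision: Decision
    liability: str          # "issuer" if 3D-Secure shifted it, otherwise "merchant"
    score: int              # 0 (clean) .. 100 (certainly fraud)
    reasons: list[str] = field(default_factory=list)


# Illustrative thresholds; a retailer would tune them against its own chargeback history.
REVIEW_AT = 40
REJECT_AT = 70


def screen(order: Order) -> Outcome:
    """Combine the bank checks with merchant-side signals into one despatch decision."""
    reasons: list[str] = []

    # The one bank check the brief treats as a reasonable stop on its own.
    if order.cv2 == "no_match":
        return Outcome(Decision.REJECT, "merchant", 100, ["CV2 mismatch"])
    # The cardholder was challenged by the issuer and did not pass.
    if order.tds == "failed":
        return Outcome(Decision.REJECT, "merchant", 100, ["3D-Secure authentication failed"])

    score = 0

    # AVS adds weight but never decides alone: most AVS failures are genuine customers.
    if order.avs == "none":
        score += 25
        reasons.append("AVS: no match")
    elif order.avs == "partial":
        score += 10
        reasons.append("AVS: partial match")
    elif order.avs == "unavailable":
        score += 5
        reasons.append("AVS: not available for this card")

    # A passing CV2 is not a guarantee, so it earns no credit; an absent one costs a little.
    if order.cv2 == "not_provided":
        score += 20
        reasons.append("CV2 not supplied")

    # 3D-Secure: authenticated or attempted shifts liability to the issuer. A cardholder who is
    # simply not enrolled is processed at merchant risk rather than treated as a fraudster.
    liability = "merchant"
    if order.tds == "authenticated":
        liability = "issuer"
        score -= 30
    elif order.tds == "attempted":
        liability = "issuer"
        score -= 15
    elif order.tds == "not_enrolled":
        score += 10
        reasons.append("3D-Secure: not enrolled, proceeding at merchant risk")

    # "Shoplifting with home delivery": a liability shift does not recover the goods, so these
    # signals still count even when the issuer would carry the chargeback.
    if not order.ship_to_matches_billing:
        score += 25
        reasons.append("delivery address differs from billing address")
    if order.account_age_days < 1:
        score += 15
        reasons.append("account created today")
    if order.prior_successful_orders == 0:
        score += 10
        reasons.append("first order on this account")
    if order.amount_gbp > 500:
        score += 15
        reasons.append("high-value basket")

    score = max(0, min(100, score))
    if score >= REJECT_AT:
        decision = Decision.REJECT
    elif score >= REVIEW_AT:
        decision = Decision.REVIEW
    else:
        decision = Decision.ACCEPT
    return Outcome(decision, liability, score, reasons)


if __name__ == "__main__":
    # Constructed sample: AVS fails on a non-enrolled card, everything else is ordinary.
    sample = Order(avs="none", cv2="match", tds="not_enrolled", amount_gbp=80.0,
                   ship_to_matches_billing=True, account_age_days=400, prior_successful_orders=5)
    print(screen(sample))
```

The sample order in the main block is accepted despite the AVS failure, which is the point of the 22.5% figure: an address mismatch on an otherwise ordinary repeat customer is not grounds to turn away a sale. Conversely, a fully authenticated 3D-Secure order to a new account at a different address still goes to review, because the liability shift only moves the chargeback; it does not bring the goods back.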