The Problem with Fraud

There is a misconception about the challenges we are facing in payments. Whilst it is well recognised that there is a significant global fraud problem across the payments landscape, payment fraud is not equally distributed. Payment card fraud has migrated to the internet.

Not long after squashing the millennium bug, the UK sailed away into the uncharted waters of Chip and PIN. Whilst it was certainly an exciting time in the evolution of payments – for some of us at least – the adoption of EMV went a long way towards solving the growing problem of face-to-face plastic card fraud. As a result of chips and PINs, plastic card fraud in the UK plummeted and this effect was subsequently replicated abroad. Payments on the internet at that time, compared to current transaction volumes, were few and far between. The cost of internet fraud was very low and therefore not considered worthy of any particular attention.

The problem was, and is, that the 16-digit PAN and the 3-digit CVC (when it is used) are not fit for the transaction processing world of the 21st Century.

Underlying payment fraud problems relate primarily to the weakness of the e-commerce payments transaction structure, and whilst many of the so-called clever, alternative solutions may indeed look clever and alternative at the front-end, they generally rely on the same old “card on file” processes at the back-end. Ultimately, this is all smoke and mirrors … tweaking the front-end does not make the underlying problem go away!

Card payments and card technologies are not going anywhere, anytime soon, so the problem needs to be addressed. The solution to rising card fraud needs to focus on the card fraud problem directly, and not simply obscure it by introducing alternative payment options to the consumer and the merchant.

In the late 20th Century, the growing card fraud challenges in the bricks and mortar world were limited by the introduction of EMV, and it works everywhere – nearly! In the 21st Century the same growing fraud challenges in the digital world could be resolved using that same tried and tested approach.

It’s time to introduce the power of EMV into the world of e-commerce. The technology exists to support this and history has shown that it works.

I have a plan!

Banking Bells and Whistles

Do consumers of banking services want bells and whistles? Do the Millennials and Generation Z want feature-rich banking services, or do they just want to move money from one place to another, quickly and conveniently? The propositions adopted by the early challenger banks fit the bill perfectly: they provide a convenient means of receiving and storing salaries and other payments, and then a set of easy options for passing it on in the form of card payments, faster payments, direct debit payments and Paym.

This isn’t to say that as people get older, their interaction with the financial world doesn’t become more complex, but loans and mortgages and investments and insurance and so on, all exist outside of the basic necessity of the money in – money out requirement.

The bolt-on bells and whistles do not add any value to our basic need to send and receive value. People of all ages operate current accounts, and they do so to allow them to fulfil that basic need. In a society with essentially free banking, where all banks offer the same fundamental service, there is no real incentive to move from one organisation to another.

People don’t go shopping to enjoy the payment experience, but there are loads of payment “professionals” out there who think they do.  Oh dear!

People don’t open bank accounts to enjoy the magic of faster payments.

The challenger banks responded to an opportunity: niche mobile-only services that were not restricted by vast legacy systems that could offer basic banking services at low cost.  The services were simple, and their take-up has so far been promising, but now we are adding the bells and whistles.  Why?

Bells and whistles give bankers the opportunity to excite other bankers and show them how clever they are, thereby justifying their existence.  Most consumers never asked for bells and whistles and the vast majority of consumers won’t use them. 

Consumers don’t necessarily want bells and whistles, but they do want services that don’t go wrong and that are available all the time.  Perhaps we should pay more attention to that.

The end of the LINK TSG

Just heard that the LINK TSG is no more.  

I was never sure why the Competition and Markets Authority (CMA) allowed the UK’s shared ATM network to be sold to Mastercard.  To me, it looked very much like Mastercard was being allowed to gain significant advantage over its rival card schemes.  How can the CMA look at the relative situations of Visa and Mastercard in the transaction processing world and not conclude that there was a significant difference?  

It’s not like it was just the LINK ATM network.  They were given control over the account to account transfer services in the UK too: key financial infrastructure services that, in my opinion, should be managed centrally for the benefit of all.  

If it is correct that the LINK TSG is being wound up, then it is clear that the management and control of the shared network is being transferred from the members to the “owner”.  The implication is that the service provided to the members will then be that which the “owner” wants to deliver, rather than that requested by the members.  

If we follow the bunny of conspiracy down the rabbit hole of destiny, as our eyes become accustomed to the darkness, will we see a future where the LINK ATM network has been mothballed, and all LINK ATM transactions are processed through the Mastercard network?  

How can LINK commit to delivering ATM services in areas where ATM profitability is low, if LINK is not going to exist? 

Is the loss of the LINK TSG the first step in losing LINK ATMs?  

Bank Fraud is Taxing

Banking lobby UK Finance is proposing a universal tax on bank transfers to build a fund that could be used by banks to compensate victims of account transfer fraud.

One wonders what is driving such an approach.

If the victims were defrauded out of cash in their wallets – by scams of a similar nature – it would certainly not fall to the banks to provide a refund.  Handing over current account login details may not be the same as handing over a wallet-full of cash, but the interactions between fraudster and victim that lead up to the deed are.  It is the social engineering processes that precede the fraudulent activity that we should be focussing on, not the act of transfer itself.

Is this really a problem for the banks?

If this is not a direct banking problem, the problem lies in the gullibility and therefore the vulnerability of bank customers.  However, the problem is exacerbated by the speed at which bank balances can be expropriated and transferred.

The development of real-time banking services has fueled the development of fraud vectors focussed on social engineering mechanisms.  

A victims' fund financed by a payment tax is not the answer. The answer must lie in modifications to the ecosystem to reduce the opportunities for fraud, but this has a cost.

There are solutions but fraud prevention has never been a headline grabber.

Card fraud lowest for 13 years

And the good news is that card fraud losses at terminals in the EU are at their lowest level since 2005.  It looks like much of it is down to EMV, which limits the effectiveness of card skimming strategies, although the excitable clever people are telling us that it’s down to geo-blocking, fraud monitoring and fraud detection.  I am not sure how true this is as I would think that these techniques are more suited to preventing fraud on non-EMV transactions.  

Since the ability to clone and create a usable EMV card is non-existent, the opportunities for fraud using EMV cards are seriously limited.  It is well established that there can be no duplicate EMV cards.  If this is the case, then an EMV card must either be in the hands of its rightful owner, or it must be lost or stolen.  If it is in the hands of its rightful owner, then there is no fraud, and if it is lost or stolen, there is essentially a four hour window of opportunity for any would-be criminal.  Adding geo-blocking, fraud monitoring and fraud detection is not going to identify lost and stolen EMV chip cards.      

Geo-blocking, fraud monitoring and fraud detection are more suited to payment ecosystems that rely more on mag stripe, and can be effective in the e-commerce world.  The reduction in fraud that we have seen over the years is due primarily to the introduction of EMV – in the UK – back in the early part of this century.  It is now spreading out and we are reaping the benefits.  If you want to see how much benefit we are reaping, look at the card fraud levels in the US.  

The impact of reducing the opportunity for fraud in one sector is to increase its presence in others. We are inevitably going to be seeing a growing number of social engineering attacks, as the vulnerability of people is now greater than the vulnerability of the card payment systems. We need to be looking at finding ways of preventing the growing financial losses associated with current accounts.

Introducing the Payment Monkey

The Payment Monkey is now online, more or less, and the first blog post has been added. At this point, I should say that much of the content has been generated by an infinite number of monkeys banging away on quite a lot of typewriters. Spare monkeys not assigned to the less than infinite supply of typewriters are employed to proofread and sanity check, and because of this, most of the random noise has been eliminated.

Hi. I’m the Payment Monkey

Updates will be published as and when the Payment Monkey is inspired by activity in the transaction processing and card payment world.

The site is open for comments, hopefully for some lively debate; the Payment Monkey will respond.