Latest news concerning the debit and credit card and banking industry.
OCTOBER 2006 - DEBIT CARD SPENDING EXCEEDS SPENDING BY CASH
APACS reports that debit card spending in retail outlets has, for the first time, exceeded spending by cash. Debit card spending is reported to be at 37 per cent (£89 billion) of the total £240 billion spent, against cash at 34 per cent (£81 billion). The total amount spent on all cards (i.e. credit and debit cards) first overtook cash spending in December 2004.
SEPTEMBER 2006 - PAYMENT CARD INDUSTRY - DATA SECURITY STANDARDS
The payment card industry has released version 1.1 of the PCI-DSS standard. For web-facing developments, new best practices have been introduced which recommend either an application-level firewall in front of the application or a code inspection by an organisation specialising in application security. For more information please refer to the following page - Payment Card Industry (PCI) Data Security Standard.
MARCH 2006 - 2005 FRAUD FIGURES
Total card fraud losses reduced by 13% in 2005 (£439.4 Million) compared to 2004 (£504.8 Million), according to figures released by APACS, the UK payments association.
The fall is attributed to the introduction of chip and pin, which has resulted in a reduction of almost £60 Million in combined counterfeit and lost and stolen card fraud losses and in mail non-receipt fraud. The only area of card fraud to have risen is cardholder not present fraud, consisting of internet, phone and mail order transactions. However, the rate of increase in fraud for this area has fallen for the first time since 2003. This is attributed in part to the increased use by retailers of Address Verification Systems and Card Security Code checking. Identity theft fraud, where fraudsters obtain cards by fraudulent applications or take over an existing account, also fell to £30 Million. Identity theft in relation to credit and debit card fraud remains a very small proportion of overall fraud in the UK at just under 7%.
Highlights from the APACS fraud figures for 2005 are as follows:
- Total card fraud decreased by 13% to £439 Million
- Fraud from cloned / skimmed cards decreased by 25% to £96 Million
- Mail non-receipt fraud decreased by 45% to £40 Million
- Fraud at cash machines decreased by 12% to £65 Million
- Card identity fraud fell 17%
NOVEMBER 2005 - ONLINE BANK FRAUD INCREASES
This month APACS reported that online banking fraud stood at £14.5 million in the first half of this year, a rise of 260 per cent. The increase is being attributed in the main to criminals using phishing techniques to trick customers into revealing bank account information.
You are warned that this type of attack is expected to increase in the run-up to Christmas, with online shopping becoming more of a target. Be wary of any email receipts from organisations you have not bought from that offer a web link from which to cancel your transaction. If you have to enter your card details in order to cancel, it is likely to be a phishing attack trying to trick you into revealing your card details, which can then be used fraudulently. Likewise, be on guard for any 'fake' shopping sites with too-good-to-be-true offers that again are just after your card details.
OCTOBER 2005 - CARD FRAUD FALLS
Card fraud related to lost, stolen and counterfeit cards fell in the first 6 months of 2005 compared to the same period in 2004. Card fraud in these areas has reduced by nearly a third from £126.6 million to £89.9 million, a reduction of £36 million. The reduction is attributed to the introduction of chip and pin technologies to the UK over the past 18 months.
SEPTEMBER 2005 - RISK MANAGEMENT PROFILING FOR CARD ISSUERS
The forthcoming Common Payment Application (CPA) Specification from EMVCo offers a Common Core Definitions (CCD) compliant application acceptable to JCB, MasterCard International and Visa International for branding and acceptance. A major feature of CPA is the offering of enhanced card risk management controls, allowing issuers to apply different risk management profiles according to the attributes of transactions. International transactions, low value payment transactions and transactions involving high risk merchants can be treated differently by the issuer and the card, based on new profile capabilities. The CPA Specification ultimately offers long term benefits to issuers by simplifying issuer host processing for all branded cards and has the potential to lead to a reduction in card costs for issuers. Beyond publication of the CPA Specification, EMVCo will retain responsibility for maintaining the specification. In support of this, the Card Approval Working Group and Security Evaluation Working Group will begin developing and operating an infrastructure for CPA functional and application security testing in 2006.
AUGUST 2005 - CREDIT CARD VOUCHERS FOR ONLINE PURCHASES
A new credit card voucher from Permanent TSB aims to address security concerns about using credit cards online and, additionally, to help people who do not possess a credit card by enabling them to book or purchase goods or services online. Similar to a mobile phone top-up voucher, the voucher has a unique credit card number and a set credit limit. The vouchers can only be used for customer not present transactions and can be disposed of once they've been used, reducing the security risk to the customer.
The new credit card voucher was tested in Dublin in recent months and is expected to be launched in the UK and Europe in the next year. Further information on this at electricnews.net.
AUGUST 2005 - LOST PASSWORD SECURITY FLAW ON SOME ONLINE ECOMMERCE MERCHANTS
A password security issue at dabs.com, arising from the way it and many other online ecommerce retailers deal with forgotten passwords, has been unwittingly uncovered. An individual started receiving emails concerning an order with Dabs that he had never placed. He accessed dabs.com and entered his email address; he did not have a password, but there was a 'Forgotten Password' box. He selected this and entered his email address (the registered email address), and a few moments later he received the password for his account by email. Remember to always double check your email address when entering it on any online shopping or bank related website that contains sensitive personal and financial information. If you get it wrong, communications could go to someone else and they may be able to gain access to your account and data, as happened in this scenario. If you are an eCommerce merchant you should be wary of this and put email verification procedures in place, as well as further validation before sending out passwords - for example, a prompt for additional information that only the account holder would know. Further information on this at The Register.
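The merchant-side email verification suggested above can be sketched as follows. This is an added example, not code from dabs.com or any retailer named here; the `Shop` class, its method names, the 15-minute token lifetime and the in-memory `outbox` standing in for outgoing mail are all assumptions made for illustration. An address is only trusted after its owner confirms it, and a forgotten-password request mails a short-lived single-use token rather than the password itself.

```python
import hashlib
import secrets

TOKEN_TTL = 900  # seconds a mailed token stays valid (assumed value)

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Shop:  # hypothetical merchant back end
    def __init__(self):
        self.accounts, self.tokens, self.outbox = {}, {}, []

    def _mail_token(self, email, purpose, now):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # keep only a digest
        self.tokens[digest] = (email, purpose, now + TOKEN_TTL)
        self.outbox.append((email, purpose, token))  # stand-in for sending mail

    def _redeem(self, token, purpose, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        email, kind, expires = self.tokens.pop(digest, (None, None, 0))  # single use
        return email if kind == purpose and now <= expires else None

    def register(self, email, password, now):
        if email in self.accounts:
            return False
        salt = secrets.token_bytes(16)  # only a salted hash is stored, never the password
        self.accounts[email] = {"salt": salt, "pw": hash_pw(password, salt), "verified": False}
        self._mail_token(email, "verify", now)
        return True

    def verify_email(self, token, now):
        email = self._redeem(token, "verify", now)
        if email:
            self.accounts[email]["verified"] = True
        return email is not None

    def request_reset(self, email, now):
        acct = self.accounts.get(email)
        if acct and acct["verified"]:  # a mistyped, unconfirmed address gets nothing
            self._mail_token(email, "reset", now)
        return "If that address is registered, a reset link has been sent."

    def reset_password(self, token, new_password, now):
        email = self._redeem(token, "reset", now)
        if email:
            salt = secrets.token_bytes(16)
            self.accounts[email].update(salt=salt, pw=hash_pw(new_password, salt))
        return email is not None
```

The additional prompt for information only the account holder would know, also suggested above, would sit in `reset_password` before the new password is accepted.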
MARCH 2005 - 2004 FRAUD FIGURES
With the introduction of chip and pin happening in late 2004, the criminal community appears to have seized on their chance to make big earnings in the last year before chip and pin is due to reverse the rising trend of cardholder present fraud.
One of the most concerning aspects is the rise in "mail non-receipt fraud", whereby new cards are intercepted by criminals before their intended recipient receives them. This fraud figure, according to APACS, rose 62% in 2004 to £73 Million. Rich pickings indeed and fairly straightforward to augment, as in 2004 it is estimated that up to 100,000 new chip and pin cards were sent out each day. Even more disconcerting is that some of this could have been avoided by the banks demanding some security checks before the cards were activated. Cards for existing customers with at least Barclays, Royal Bank of Scotland and HSBC were sent out pre-activated, meaning the cards were able to be used immediately by the recipient. LloydsTSB did insist on activation of cards, requiring the card user to ring a call centre and answer some security questions before the card could be used. Obviously this does cost money to implement.
Highlights from the APACS fraud figures for 2004 are as follows:
- Total card fraud increased by 20% to £504 Million
- Fraud from cloned / skimmed cards increased by 17% to £130 Million
- Fraud at cash machines increased by 81% to £75 Million
- Card identity fraud up 22%
DECEMBER 2004 - WOMEN ARE LESS SECURITY CONSCIOUS THAN MEN WHEN CHOOSING THEIR PIN
A poll of over 500 men and women, undertaken by internet security testing specialist NTA Monitor, shows that when choosing PIN numbers, 20% more women than men are concerned with how easily they can remember their PIN numbers, rather than how secure they are. Further information on this from NTA Monitor...