No Easy Fixes For United Kingdom's Growing Card-Not-Present Fraud


For the first time last year, card-not-present fraud in the United Kingdom outstripped all other types of card fraud combined, according to UK payments association APACS.

Prime targets of that fraud are travel agencies and tour operators, both of which do a large share of their business on the Web.

But relatively few such organizations have installed MasterCard SecureCode or Verified by Visa, both of which are designed to cut fraud losses from online booking and other e-commerce transactions paid for with cards, says Mike Monk, head of finance for the Association of British Travel Agents and a member of APACS's card-not-present fraud committee.

"It is disappointing," Monk tells Cards&Payments. "Members are focused on sales and running their business. The issue of fraud potential is low down on their list."

Despite spending more than £1 billion (US$1.8 billion) on rolling out chip-and-PIN cards and terminals to secure the physical point of sale, UK banks are finding fraud is back with a vengeance, soaring to a record £535.2 million last year, thanks largely to card-not-present losses.

And despite the beefed up Internet security from the international card companies and a raft of security products from vendors, card-not-present fraud climbed 37% last year, its highest increase in seven years.

British banks are not the only ones getting hit.

In France, for example, card-not-present fraud topped 85 million euros (US$125.3 million) last year, most of it committed on the Internet. Card-not-present Internet fraud reached at least 53.8 million euros in 2007, up 60% from 33.7 million euros the previous year, according to France's central bank (see chart).

But that was dwarfed by Internet, telephone and mail-order fraud in the UK, which topped £290 million (US$532.2 million) (see chart). Card fraud on the Web accounted for about three-quarters of the losses. All told, the card-not-present scams made up more than half of all card fraud in the UK. But the fraud estimates include only losses from Internet and other remote transactions on UK-issued card accounts on domestic and international sites, not British Web merchants hit by fraudulent foreign cards.

The UK is Europe's undisputed card-not-present fraud capital for a number of reasons, not the least of which is the enthusiasm of the British for shopping online.

A report updated last year by U.S.-based Forrester Research Inc. estimates the United Kingdom's online retail sales in 2006 hit 42.1 billion euros (US$55.5 million), nearly twice that of the next-highest country, Germany, where online retail sales were expected to total just under 23 billion euros.

Though sales in physical stores in the UK fell by nearly 4% in June because of the credit crunch–its steepest monthly drop in more than 20 years, according to the Office for National Statistics–Web shopping was at record levels during the first six months of 2008. UK-based Internet merchant group IMRG estimates British Web merchants rang up £26.5 billion in sales during the first half of this year, up 30% to 40% from the same period a year earlier. Growth slowed somewhat in July but still topped £4.8 billion, its highest monthly total, according to IMRG.

Nation Of Web Shoppers
Indeed, comparison-shopping site uSwitch.com predicted recently that UK online-shopping sales would overtake sales at physical stores in Britain by 2026.

And over the long term, growth rates of online sales have far surpassed those of card-not-present fraud. E-retailers rang up sales of £34 billion in 2007, almost 10 times more than the £3.5 billion in sales in 2000, according to APACS. That compares with a four-fold increase in card-not-present fraud, including telephone and mail-order transactions, during the period.

The disparity may be why the bank and merchant response has been tepid compared with the measures the payments industry has taken to tackle domestic card fraud in physical stores and at ATMs.

Experts credit the £1-billion-plus rollout of banking smart cards and terminals complying with the EMV standard–called chip-and-PIN in the UK–with decreasing fraud from counterfeit and lost and stolen cards to new lows. The cost included expensive consumer-education programs.

But observers are blaming chip-and-PIN for making card-not-present fraud worse because it has caused fraudsters to target the weaker defenses of card security on the Internet.

Banks began rolling out chip-and-PIN in the UK in October 2003, and counterfeit fraud on domestic point-of-sale transactions, the kind chip-and-PIN is designed to reduce, plunged by more than two-thirds, to £31.1 million last year from £105.9 million in 2004. During the same period, card-not-present fraud nearly doubled. Britain's banks continue to place magnetic stripes on cards for use outside of the UK, and fraud on ATM and face-to-face retail transactions in countries unequipped to read the chips on the cards also has increased sharply.

The soaring e-commerce sales and fears of turning shoppers off on the checkout page help explain why merchants and banks, while concerned about rising card-not-present fraud, do not seem to consider it a crisis.

Interest Lacking
Web merchants are not exactly flocking to sign up for the 3D Secure systems originally developed by Visa and adopted by MasterCard and other card schemes. 3D Secure requires merchants to install server software that sends transactions to issuers for authorization. A window pops up from the issuer requiring the cardholder to type in a password or–in more-secure implementations–a one-time passcode. If the cardholder has not registered for the service, he might be asked to do so for the purchase, a multistep process.

3D Secure systems are "having a limited effect so far," says Tom Harkins, the former No. 2 executive at MasterCard for risk management and security. "Take-up is sparse."

Web merchants are worried that adding even one step to the checkout process–the already-registered cardholder entering his password–could cause their customers to abandon transactions.

"A merchant never wants to lose a sale," says Harkins, who left MasterCard in 2005 and is chief strategy officer at U.S.-based antifraud vendor Secure Identity Systems. "I've had hundreds of merchants tell me that over the years."

Merchants have been cool to 3D Secure despite the card networks' liability shift that enables merchants to avoid charge-backs on Web transactions gone bad if they adopt the system, although they have to keep other standard fraud controls in place.

But with consumers abandoning roughly 50% of Web sales before completing them at checkout, Web merchants do not want to do anything that could foul up the purchase, says Andrew McClelland, director of projects and marketing for Web-merchant group IMRG.

"The retailers spend a lot of time making sure the shopping basket (experience) is as quick and smooth as possible," he says.

A Few Digits
3D Secure aside, perhaps the main tools the card schemes have given banks and Web merchants to combat card-not-present fraud are three- or four-digit card-security codes or values that seek to demonstrate purchasers are in possession of the actual card for the account they are using to pay. The codes are printed on cards and are not stored on the card's mag stripe, so fraudsters cannot electronically capture them with skimming devices that steal mag-stripe data.

Though the codes used for card-not-present transactions–called Card Validation Code 2 by MasterCard, Card Verification Value 2 by Visa and Card Identification Digits for American Express–have cut losses, the problem is fraudsters could secure them at the same time they steal card numbers, such as when a card leaves the possession of the cardholder at a restaurant, says Harkins. Cardholders also have been known to unwittingly give them up to phishers. And fraudsters could sign up for a new account after stealing someone's identity to receive a new physical card with the code printed on it.

Other common countermeasures are address-verification systems, which merchants in such countries as the United States and the United Kingdom use. However, those systems sometimes are ineffective. They use the home street number and postal code from the mailing address on card accounts, which shoppers type into Web sites. But fraudsters often have these addresses, along with account information. And the systems cannot verify the addresses on some foreign cards, say critics.
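
An added illustration of the address check described above, not code from the article or from any card scheme: it compares only the street number and postal code typed at checkout with the account's mailing address. The result labels, the supported-country list, the merchant policy and the sample addresses are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumption: countries whose address format this checker can parse.
SUPPORTED_COUNTRIES = {"GB", "US"}

@dataclass(frozen=True)
class BillingRecord:
    """Address held on the card account (constructed sample shape)."""
    street_line: str
    postal_code: str
    country: str

def street_number(line: str) -> str:
    """Return the leading house number of a street line, or '' if absent."""
    m = re.match(r"\s*(\d+)", line)
    return m.group(1) if m else ""

def normalize_postcode(code: str) -> str:
    """Upper-case and drop spaces/punctuation so 'sw1a 1aa' == 'SW1A1AA'."""
    return re.sub(r"[^A-Z0-9]", "", code.upper())

def avs_check(on_file: BillingRecord, typed_street: str, typed_postcode: str) -> str:
    """Compare what the shopper typed with the account's mailing address."""
    if on_file.country not in SUPPORTED_COUNTRIES:
        return "UNAVAILABLE"          # foreign card: nothing to compare against
    number = street_number(on_file.street_line)
    postcode = normalize_postcode(on_file.postal_code)
    number_ok = bool(number) and number == street_number(typed_street)
    postcode_ok = bool(postcode) and postcode == normalize_postcode(typed_postcode)
    if number_ok and postcode_ok:
        return "FULL_MATCH"
    return "PARTIAL_MATCH" if (number_ok or postcode_ok) else "NO_MATCH"

def merchant_action(avs_result: str) -> str:
    """Hypothetical merchant policy: AVS alone never approves an order."""
    return {
        "FULL_MATCH": "continue_other_checks",   # address knowledge != card possession
        "PARTIAL_MATCH": "manual_review",
        "NO_MATCH": "decline",
        "UNAVAILABLE": "require_other_control",  # do not treat 'unchecked' as a pass
    }[avs_result]

# Constructed sample accounts.
UK_ACCOUNT = BillingRecord("12 High Street", "SW1A 1AA", "GB")
FOREIGN_ACCOUNT = BillingRecord("5 rue de l'Exemple", "75001", "FR")
```

Anyone who holds the account's mailing address gets the same FULL_MATCH as the real cardholder, which is why the sample policy treats a match as one signal among several and an unavailable check as a reason to apply another control.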

Deployment Low
3D Secure is meant to bolster card and address-verification systems, and its backers say it is making progress.

SecureCode, which MasterCard launched in 2002, is making its biggest inroads in Europe. Of the 270,000 merchants enrolled as of the end of last year, 209,000, or 77%, were European Web merchants, says Brian Morris, a business development manager for MasterCard Europe. Some 17.2 million MasterCard and Maestro cardholders were registered for SecureCode in Europe, two-thirds of the SecureCode worldwide total.

And use of the system is growing, Morris says. Some 32% of e-commerce transactions in Europe go through merchants equipped to handle SecureCode. In June, 45% of cardholders involved in transactions with these merchants used a SecureCode password compared with 25% who did so a year earlier, says Morris. So roughly 15% of e-commerce transactions using Maestro- or MasterCard-branded cards are full SecureCode transactions.

"What we're pleased about is growth and jump from last year," he says. "We don't feel that merchant reluctance is as strong as it was a year or two ago."

Still, it means consumers did not secure roughly 85% of e-commerce on MasterCard or Maestro accounts as of June, despite the fact MasterCard has required all Web merchants accepting Maestro cards to implement SecureCode.

Some 75,000 merchants in Europe signed up for Verified by Visa as of early August, as did 30 million cardholders who registered across the continent, a spokesperson for Visa Europe says. But it was unclear how many Verified by Visa transactions cardholders and merchants are conducting.

Neither MasterCard nor Visa would release a breakdown of figures for their 3D-Secure schemes in the UK. But Morris says more and more merchants are onboard, including such major UK-based airlines as British Airways, EasyJet and BMI.

About 25 million British cardholders are signed up for either Verified by Visa or SecureCode, compared with 10 million a year ago, says an APACS spokesperson. But that compares with the more than 100 million cards British banks have on issue.

And the APACS spokesperson could not say how many British merchants support 3D Secure or just how much these schemes–or the card and address-verification systems–were making a dent in diminishing card-not-present fraud.

"It's difficult to quantify," he says. "It's how big would these losses be if we didn't have anything in place? It's a bit of a tricky one to answer."

Risk Management
With card-not-present fraud last year recording its largest yearly rise since 2000, there are plenty more security gaps to fill. More merchants and banks are turning to vendors' proprietary risk-management systems. The systems detect potentially fraudulent transactions so merchants can do additional identity checks.
And some experts suggest a second factor of authentication is needed for the 3D-Secure schemes.

Cardholders would insert their chip-and-PIN cards into handheld readers to generate one-time passcodes they would then enter into the pop-up screens from their issuing banks before completing Web purchases. This could be in addition to a static password.

The second factor of authentication could block identity thieves who have stolen cardholder details from registering for the 3D Secure service themselves in the name of the legitimate cardholder.

Some issuers in the UK and other European countries already require customers to use the handheld readers with smart cards for home banking. Major banks in the Netherlands have extended that to buying online with Dutch Web merchants through the iDEAL scheme, which directs consumers to their Internet-banking sites to make purchases.

Visa and MasterCard designed the 3D Secure systems to support these handheld readers as an option. Merchants that already support 3D Secure easily can add the second factor of authentication, say the card networks. They need to install little or no extra software to their back-end systems.

MasterCard's Morris says some banks in Germany, Croatia and Slovenia already have begun moving from securing Internet banking with the handheld readers to enabling consumers to purchase online with the same readers, although these projects remain small.

Malcolm French, senior fraud consultant for UK-based bank and mortgage lender Nationwide Building Society, says he believes the handheld readers combined with 3D Secure and chip-and-PIN may help plug the hole in e-commerce security.

Nationwide deploys about 1 million readers for e-banking. He does not believe the extra steps of customers inserting their cards into readers, punching their PINs into the devices and then typing the resulting passcode into the Web-shopping sites will hurt sales.

"Customers already have the devices, and they're already using Verified by Visa," he says. "They're familiar with both technologies. They've accepted both of them."

But while APACS and the British banks have seriously considered securing card-not-present transactions with the handheld readers, they have yet to conduct the trial they originally planned to hold last year.

Though Barclays Bank has distributed nearly 1.5 million of the handheld devices to its home-banking customers over the past year, it has "no concrete plans" to extend that to Web shopping, a bank spokesperson says.

"It's a lot of technology that needs to be introduced," she says. "If you're talking about doing it with a retailer, you've got another body in the mix there."

For such a device to work, all major banks would have to roll out the readers, and only a few others (including Nationwide and the Royal Bank of Scotland) have done so, she adds.

The readers, though not very expensive, could run five times the cost of cards, says David Worthington, head of consulting for UK-based Aconite, which counsels banks on the move to EMV. He doubts all banks are ready to spend the money yet. The readers cost roughly $10 apiece, say observers.

"The fraud wasn't quite that bad yet to pay for every one of their cardholders to have these readers, when all the merchants haven't upgraded their sites," Worthington says. "It's like the original EMV rollout. Eventually [fraud] will be so bad, people will do it."

But getting merchants to buy in may be even more difficult than getting them to support a simpler implementation of 3D Secure. "The last thing you want is for customers not to be able to find their widget (reader) to put in their code at the last minute," says IMRG's McClelland.

Visa Europe in June announced pilots of a card with a built-in PIN pad and tiny screen in a standard-size debit or credit card. Cardholders would enter their regular PIN for the cards into the pad when they want to transact business online, and the card would create a code the cardholders would enter. As with the handheld readers, an encryption key on the card creates the code.

Visa's PIN Card, produced by Australia-based Emue Technologies Pty. Ltd., avoids the need for readers, although the card itself probably would cost just about as much as the handheld devices, say observers. Visa declined to speculate on the cards' cost if a bank rolls it out.

Hired Guns
Of course, a number of vendors are seeking to capitalize on the growing fraud and are offering sophisticated screening or detection systems.

For example, UK-based The 3rd Man Ltd., which claims the true card-not-present fraud losses are twice as bad as the APACS figures indicate, is promoting a product that enables banks and retailers to share anonymously data provided by suspected fraudsters on rejected or charged back card-not-present transactions.

Another vendor, 192.com Business Services, also of the UK, offers a product that uses information from public and commercial databases and shared data among payments players to do instant identity checks on cardholders planning to make Web purchases. The system would alert Web merchants to the possibility of fraud and gives them the option of kicking out the transaction for review.

David Pope, 192.com Business Services marketing director, contends that for every fraud reported, another eight attempted frauds get through, either unreported or ignored by police.

That may be overstating things, and Pope, naturally, is keen to sell his service. But the fraud statistics do not lie. And those figures suggest banks and Web merchants will be on the hook for more and more losses for many years to come. CP

