Chip and PIN success drives criminals online
Firms must be wary of attempts to mine customer card data from back-end systems, say experts
Chip and PIN celebrated its first anniversary today but fraud experts have warned that the success of the high street initiative could be driving more criminals to commit online fraud and mine retailers' back-end systems for personal data.
According to payments association Apacs, chip and PIN has successfully reduced fraud on the high street – total card losses fell in 2005 by £65 million, the first decrease in 10 years, and the organisation predicts it will fall again when figures are released next month.
But although total card fraud was down by five percent in the first six months of 2006, card-not-present fraud, including online, increased by the same amount, and online banking fraud rose by 55 percent year-on-year.
To combat the threat of online fraud, Apacs is looking to coordinate the roll-out of two-factor authenticators later this year, likely to be distributed initially by financial institutions to their customers. These will combine chip and PIN with Verified by Visa and MasterCard SecureCode technology to secure the payment process.
"The difference is that after accepting your PIN, the card reader generates a one-time passcode that will be useless for future transactions if a criminal intercepts it," said an Apacs spokesman.
He added that it could potentially encourage the take-up of the V by V initiative, which has so far seen poor take-up by retailers, despite absolving them from financial responsibility in the case of online fraud. "The banks will be the ones to send the devices out but whether it's something the retailers join in on in terms of distribution [remains to be seen]," he said.
But Ian White of data security specialist Cybertrust argued that although retailers should support mechanisms like Verified by Visa, the cost of rolling out two-factor devices could be prohibitive, and such a scheme would be unlikely to get buy-in from all retailers.
"I'm not sure how much mileage there is in putting a two-factor authentication system in the home; you can't have a one-size-fits-all [approach] if you're dealing with e-commerce," he explained.
CA's Steven Cox warned that firms cannot take their eyes off the ball, despite these increasing security measures and international PCI data security standards, which mandate that any firm handling payment card data must ensure it is secured.
"Fraudsters still want to make their money somehow and CNP fraud may be slowing but it's still going up," he added. "The merchants are getting a grip on the PCI standard now but few companies own all their IT systems; there are always third parties involved who are not always educated as to their responsibilities."