Layers are key to curbing online credit card theft



The saying ‘crime doesn’t pay’ is unfortunately entirely inaccurate. The criminal underworld is big business, and credit card theft is a very profitable branch. Now that the cards themselves have become more secure in response to the threat, criminal elements have found new ways of stealing card information. Online credit card theft is booming, driven in part by risky consumer behaviour and in part by vulnerabilities in payment gateways. Banks are the ones feeling the heat, however, and they are ultimately responsible for stopping it. A multi-layered approach that includes information and data security, consumer and merchant education, and intelligent analytics is the key.

The ever-evolving threat

The most common form of credit card fraud used to involve skimming the details from the physical card and then either using these details or selling them to the highest bidder on the dark web. The chip-and-PIN card evolved to prevent this from happening. While the outcome of stolen card information remains the same, criminals have had to find new ways to get hold of the information, and a lot of that theft now happens online.

Online and mobile gaming has become a playground for criminals, as consumers are less than cautious when it comes to making in-game purchases. This includes playing (and sharing payment information) over unsecured networks, which opens them up to theft. There is a plethora of fake apps available on the open internet, which seem to be legitimate but have been designed with the sole purpose of obtaining payment card information.

Social engineering has also evolved thanks to people’s willingness to share personal information on social media channels. This makes it far easier for criminals to impersonate someone and potentially obtain their card details.

Securing cards in a virtual world

The one factor that all of these methods have in common is that they all rely on a virtual world. In the ‘real’ world all payments are validated by a physical touchpoint that has built-in security measures, but this isn’t possible when cards are being used for online payments. Multi-factor authentication and access management (for example through mobile devices, which provide access through face recognition and biometrics) thus become critical in processing these types of payments. Card issuers have developed authentication channels like MasterCard’s 3D Secure and Verified by Visa, which link into banks’ back-end systems to help validate transactions. Banking apps are also now linked to specific mobile devices and interact with these authentication channels to add further layers such as biometrics.

These methods add in the missing layer of physical touch to online transactions. The trouble is, no matter how secure a system is, human error can always find a way of creating vulnerability. Many small online retailers do not have effective e-commerce applications in place. Credit card issuers are beginning to insist on mandatory compliance with Payment Card Industry (PCI) Data Security Standards (DSS) to counter this. Banks need to enforce this and prevent online retailers from processing card payments if their site is not secure or compliant. 

The other challenge is that people often use free, public, unsecured Wi-Fi connections to bank and transact, which leaves their details open for theft. They also share personal information through non-secure channels, including social media and even email, and respond to phishing emails that are engineered to steal card information. Banks need to become more involved in helping to educate consumers as to safe practices when transacting online in order to prevent this type of behaviour.

Intelligence is key

The more layers of security in place the better, and intelligent analytics is one of the best layers of defence around. This can be used to flag abnormalities that could indicate fraudulent transactions before they are even submitted, for example, if the incorrect information is input multiple times. If the location of the transaction does not match the country of the card holder, then this can also be flagged and paused for further verification. If a plane ticket is purchased on a card and the ticket holder does not match the card holder, this can also be flagged. The key is to have validation mechanisms in place using intelligence and analytics to prevent fraudulent transactions from even being processed.
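The three checks described above, sketched as a screen that runs before a payment is submitted. This is an added example, not code from the article or from any bank's system; the threshold, look-back window, field names, reason strings and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

MAX_FAILED_ENTRIES = 3   # assumed threshold for "input multiple times"
WINDOW_SECONDS = 600     # assumed look-back window for counting bad entries

@dataclass
class Attempt:
    ts: int              # seconds since an arbitrary start
    card_id: str         # opaque token, never the card number itself
    details_ok: bool     # did the entered card details validate?
    tx_country: str      # country the transaction originates from
    card_country: str    # card holder's country on file
    cardholder: str
    passenger: str = ""  # set only for plane-ticket purchases

def name_key(name):  # compare names ignoring case, punctuation and word order
    cleaned = "".join(c if c.isalnum() else " " for c in name.lower())
    return tuple(sorted(cleaned.split()))

def check(a, failures):  # failures: card_id -> deque of bad-entry timestamps
    reasons = []
    recent = failures[a.card_id]
    while recent and a.ts - recent[0] > WINDOW_SECONDS:
        recent.popleft()                      # forget entries outside the window
    if not a.details_ok:
        recent.append(a.ts)
    if len(recent) >= MAX_FAILED_ENTRIES:
        reasons.append("repeated_incorrect_entry")
    if a.tx_country != a.card_country:
        reasons.append("country_mismatch")
    if a.passenger and name_key(a.passenger) != name_key(a.cardholder):
        reasons.append("passenger_not_cardholder")
    return reasons                            # empty list: nothing to flag

# Constructed sample events (not real data).
SAMPLE = [
    Attempt(0,   "tok_A", False, "ZA", "ZA", "Thandi Nkosi"),
    Attempt(60,  "tok_A", False, "ZA", "ZA", "Thandi Nkosi"),
    Attempt(120, "tok_A", False, "ZA", "ZA", "Thandi Nkosi"),
    Attempt(130, "tok_B", True,  "BR", "ZA", "J. Smith"),
    Attempt(140, "tok_C", True,  "ZA", "ZA", "Nkosi, Thandi", "thandi nkosi"),
    Attempt(150, "tok_C", True,  "ZA", "ZA", "Thandi Nkosi", "Peter Jones"),
    Attempt(900, "tok_A", True,  "ZA", "ZA", "Thandi Nkosi"),
]

def run_sample():
    failures = defaultdict(deque)
    return [check(a, failures) for a in SAMPLE]
```

Any non-empty result would be paused for further verification rather than declined outright; the last event shows the failed-entry count expiring once the window has passed.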

Card security is everyone’s responsibility

Customers need to be responsible with their card information and merchants need to have all possible security measures in place. The reality though is that the buck stops with the bank, and they are the ones who take the financial hit from fraudulent transactions. Multi-factor authentication and access management is essential for protecting all parties involved, and analytics lies at the heart of anti-fraud technologies. Intelligence is essential to preventing rampant online card fraud.