TMCnet Feature
December 12, 2011

Secure Online Banking and Credit Card Security in the U.S.: A Wake-Up Call

By TMCnet Special Guest
T. Kendall Hunt, Chairman & CEO, VASCO Data Security International, Inc.

Introduction:

Secure online banking and credit card security are critical factors for rebuilding America’s economy. Unfortunately, the U.S. is lagging behind in both fields. This article gives an overview of the measures taken by the U.S. government, the current situation regarding credit/debit card fraud, the inadequate state of online banking security, and best practices.



FFIEC Guidance October, 2005: Secure Internet Banking

October 2005: In an attempt to raise the bar on e-banking security, the Federal Financial Institutions Examination Council (FFIEC) published an open advisory letter to the U.S. banking sector. The agency told banks that simple password/PIN identification schemes were no longer good enough to protect either their customers or their assets. Instead, the FFIEC recommended that they adopt strong or multi-factor authentication for online transactions. The agency advised that banks were expected to achieve compliance with the guidance no later than year-end 2006.

The solution, according to the FFIEC, was as simple as multi-factor authentication. But there are various strengths of such authentication techniques. The advisory made no endorsements or recommendations about which kind of authentication practices to select. It recommended that each bank perform its own security assessment to determine what level of security and specific security solutions were appropriate for each of their applications. Accordingly, the final decision for security remains entirely up to the individual bank. (1)

 

Strong authentication

A strong authentication system would consider three different factors:

  • Something you know, such as a password or PIN
  • Something you have, such as a smart card, a token, or authentication software on your smartphone
  • Something you are, such as a fingerprint or iris scan

Any authentication system combining at least two of the above mentioned factors is considered to be two-factor or “strong” authentication.

How banks reacted

VASCO noticed quickly that a number of banks were indeed implementing the necessary security requirements, whereas others chose more “symbolic” solutions.

“While many banks are making the right decision by opting for the proven strong authentication solutions of longstanding security companies such as VASCO, others are deciding on a “meets minimum” approach.” (2)

FFIEC’s supplementary recommendations for a more secure Internet banking environment

The FFIEC’s much anticipated (3) update of its 2005 guidance was published in July 2011. (4) While the new guidelines are a step in the right direction, they are not nearly good enough.

Payment fraud in the U.S.

Mag-stripe credit cards: “Old Technology”

In many countries, mag-stripe credit cards have been superseded by the roll-out of EMV-CAP (Europay-MasterCard-Visa, Chip Authentication Protocol) smart cards which began in 2005. This new standard requires the purchaser to enter a PIN at the point of purchase, dramatically reducing fraud for debit and credit card transactions. EMV-CAP has been particularly successful in Europe with hundreds of millions of cards distributed to date. Canadian banks have also recently joined the EMV-CAP scheme and are actively distributing them to their customers. Meanwhile, the U.S. still relies on mag-stripe credit cards.

Lack of reliable statistics

There are no reliable statistics for U.S. payment fraud. The figures used by the industry are mostly based on surveys, extrapolations and estimates. This doesn’t make it easy to properly assess the problem.

According to an Aite Group report (5), U.S. payment card fraud in 2008 was over $4.3 billion. Of this amount, 33 percent originated from lost or stolen credit cards, 32 percent from card-not-present (online) fraud and 31 percent from counterfeit card fraud. The remaining four percent was categorized as “other” card fraud. U.S. payment card fraud accounts for about 64 percent of the world total.

The Smart Card Alliance (6) estimates total U.S. card fraud losses in 2007 at $1.7 billion.

Mercator Advisory Group (7) reports that fraud losses in the U.S. are probably a lot higher, and may be as high as $16 billion.

The true cost of fraud, however, exceeds the actual dollar amount of losses. Financial services companies incur damage to their reputations, higher overall operating costs for increased vigilance, reduced productivity, and higher staff expenditures. They also bear the cost of reissuing cards after a fraud incident. (8)

How can this situation be changed?

The first possible measure is simple but effective: stop using mag-stripe credit cards and replace them with smart cards. This will do away with the bulk of the counterfeit fraud, such as skimming and copying of credit cards. In addition, card-not-present fraud will be significantly more difficult too. The chip on the smart card can act as a platform for strong authentication technology, allowing end-users to use one-time passwords and, in some cases, electronic signatures to protect their online purchases and assets.

Another very easy and cost-effective measure could be that we learn from our peers.

In parts of Asia and Europe, smart card enabled credit cards have been the standard for over half a decade. Also, banks have been early adopters of user authentication and electronic signatures, bringing the online banking fraud to an absolute minimum.

Banking and credit card security: Singapore leads the way 

The role of the MAS

The driving force behind Singapore’s internet security policy is the Monetary Authority of Singapore, or MAS.

“Singapore is the only country in the world which presents its banking industry statistics for payment fraud, ATM and internet banking fraud at a seminar conducted by the financial regulator each year,” states Mr. Tony Chew, Director Technology Risk Supervision at the MAS.

According to Chew, the cooperation between government agencies and the industry is a key factor in the battle against online fraud. “As a regulator, MAS collects statistics and shares them with the industry in the interest of combating fraud and making our financial system safer and stronger by advancing best practices in technology risk management, data security, system integrity, resiliency, recoverability and methods.”

MAS Guidance of November 2005: two-factor authentication in banks

Supported by reliable facts and figures, it was obvious for the Singaporean regulator that action had to be taken in the field of banking and credit card security. On November 25, 2005, the MAS sent a directive to all banks regarding secure Internet banking (9).

In the Circular, the MAS states the following: “Given the surge in security incidents involving the capture or misappropriation of customer PINs by cyber hackers, criminals and terrorists, there are serious doubts about the security of single-factor PINs. To further enhance internet banking security, MAS expects banks to implement two-factor authentication at login for all types of internet banking systems by December 2006. Banks should also consider requiring the repeated use of the second authentication factor by the customer for high risk transactions or for changes to sensitive customer data during a login session.”

The results

The effect of the November 2005 initiative by the MAS was astonishing. All banks quickly began deploying two-factor authentication solutions. In 2010, 2.6 million hardware tokens and 1.4 million SMS phone tokens were used regularly by internet banking customers and payment card holders for online transactions. That year, internet banking fraud losses were zero.

According to Tony Chew, there is more to come in striving for even greater security in online banking and payments. “We are aware of the numerous means of attacks on single-password and weak two-factor authentication systems. It is important that our two-factor authentication infrastructure in Singapore is robust enough to foil such attacks.”

Chew continues: “We have also advised the financial institutions in Singapore to start replacing basic OTP (one-time password) tokens with * transaction signing, two-factor authentication tokens in order to counter **Man-in-the-Browser/Man-in-the-Middle attacks more effectively.”

Conclusion:

In many aspects, the U.S. has been a leading example for other countries in the field of payments and e-commerce. However, we have the opportunity to learn much from other countries. For example, it is clear that Singapore is a beacon in the fight against online banking and payment card fraud. The exemplary cooperation between the business sector and government authorities in Singapore has led to its attainment of one of the lowest online banking and payment card fraud rates in the world. The payment card fraud rate in Singapore is consistently between one and three basis points.

Strong and unambiguous guidelines from the government can help the banking industry guard against fraudsters.

Last, knowledge is power. The U.S. financial industry needs reliable facts and figures to assess the security state of its payments and e-banking industry. Guesstimates and survey projections are not good enough. The U.S. government should be a resource for such reliable statistics.

Acknowledgements:

We would like to thank Mr. Chew for his valuable insights.

References:

(1) Hunt, T. Kendall (December 2005), Bid Farewell to Your Mother’s Maiden Name, VASCO, pp. 1-2

(2) Hunt, T. Kendall, Valcke, Jan and Bown, Clifford (February 20, 2007), Earnings Conference Call Script, VASCO, pp. 3-4

(3) Kitten, Tracy (February 22, 2011), First Look: New Authentication Guidance, bankinfosecurity.com

(4) VASCO Data Security (July 12, 2011), Press release: VASCO questions FFIEC’s supplementary recommendations for a more secure Internet banking environment

(5) Aite Group (2010), report on card fraud

(6 & 8) Smart Card Alliance (October 2009), Fraud in the U.S. Payments Industry: Fraud Mitigation and Prevention Measures in Use and Chip Card Technology Impact on Fraud, p. 6

(7) Paterson, Ken, Mercator Advisory Group (October 2008), Credit Card Issuer Fraud Management: From Technology Inside to People Inside

(9) Monetary Authority of Singapore (25 November 2005), Two-Factor Authentication for Internet Banking, Circular No. SRD TR 02/2005

Definitions:

*Transaction signing is the process of calculating a keyed hash value over the details of an online transaction to generate a unique string which can be used to verify both the authenticity and the integrity of that transaction.

**Man-in-the-Middle attack: a form of active “eavesdropping” in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

**Man-in-the-Browser attack: a form of Internet threat related to Man-in-the-Middle (MitM). It is a Trojan that infects a web browser and has the ability to modify pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and the host application.
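To make concrete why Chew’s quote above favours transaction-signing tokens over basic OTP tokens, here is an added example (not from the article, VASCO, or the MAS): a simplified keyed-hash transaction-signing scheme next to a plain challenge/response OTP, showing that a Man-in-the-Browser alteration of payee and amount is rejected by the signature but passes the OTP check. The token key, the field layout and the 8-digit truncation are assumptions of the example, not a description of any real token.

```python
import hmac
import hashlib

# Constructed demo secret: stands in for the per-token key a bank provisions.
TOKEN_KEY = b"constructed-demo-token-key"


def _code(key: bytes, data: bytes) -> str:
    """Keyed hash truncated to 8 decimal digits so it fits a token display (assumed format)."""
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)


def canonical(tx: dict) -> bytes:
    """Fixed-order encoding of the fields the signature must bind (assumed layout)."""
    return "|".join([tx["challenge"], tx["payee"], tx["amount"], tx["currency"]]).encode()


def sign_transaction(key: bytes, tx: dict) -> str:
    """Token side: the customer confirms payee and amount on the token, which signs them."""
    return _code(key, canonical(tx))


def verify_transaction(key: bytes, tx: dict, code: str) -> bool:
    """Bank side: recompute over the transaction actually received and compare."""
    return hmac.compare_digest(sign_transaction(key, tx), code)


def plain_otp(key: bytes, challenge: str) -> str:
    """Basic challenge/response OTP: binds only the bank's challenge, not the transaction."""
    return _code(key, challenge.encode())


def verify_plain_otp(key: bytes, challenge: str, code: str) -> bool:
    return hmac.compare_digest(plain_otp(key, challenge), code)


def mitb_alter(tx: dict) -> dict:
    """Stand-in for a Man-in-the-Browser Trojan rewriting the form after the user approves it."""
    altered = dict(tx)
    altered["payee"] = "CONSTRUCTED-MULE-ACCT"  # constructed label, not a real account
    altered["amount"] = "9500.00"
    return altered


def demo() -> tuple:
    """Returns (otp_accepted, signature_accepted) for a transaction tampered in the browser."""
    challenge = "482913"  # per-session bank challenge; constructed value
    intended = {"challenge": challenge, "payee": "ACME-ELECTRIC",
                "amount": "120.00", "currency": "USD"}
    received = mitb_alter(intended)                      # what the bank actually gets
    otp_code = plain_otp(TOKEN_KEY, challenge)           # token output, independent of content
    sig_code = sign_transaction(TOKEN_KEY, intended)     # token signed what the user saw
    otp_accepted = verify_plain_otp(TOKEN_KEY, challenge, otp_code)   # True: tampering undetected
    sig_accepted = verify_transaction(TOKEN_KEY, received, sig_code)  # False: mismatch detected
    return otp_accepted, sig_accepted
```

The bank-issued challenge gives both schemes replay protection; only the signature additionally binds the payee and amount, which is what defeats content modification by a MitB Trojan.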


Edited by Rich Steeves