
June 11, 2008

Stopping Card Not Present Fraud

Interesting article on "The Register" about a new way around an existing security measure in place to prevent online shopping fraud (http://www.theregister.co.uk/2008/06/11/plastic_fraud/).

To summarise, when you shop online (or place a mail or telephone order), this is known as a Card Not Present transaction. In other words, the card is not physically present at the merchant when the transaction takes place.

This means that the clever stuff in your card which authenticates it to the electronic Point of Sale machine can't actually work, so if a fraudster gets all the numbers on your credit card, they can commit fraud.

A number of years ago, the financial industry (led by Visa and MasterCard) introduced a couple of measures to stop fraudsters just stealing the credit card details of others. One is CVV2 (the three digit Security Code on the back of the card). The other, AVS or Address Verification Service, looks at the numbers in the address the card is registered to and compares them to the mailing address for the goods. If they are different, it is more likely to be a fraudulent transaction (i.e. a fraudster using stolen credit card details to order and send goods to another address).

The fraudsters worked out that AVS only checks the numbers in an address, and so have got around it by looking for addresses they can send the fraudulent goods to which have the same numbers in them as the real address (i.e. a house number of 12 and a post code of W4 2QR would be the same as a house number of 12 and a post code of E4 2RT).

Obviously this is not a perfect "workaround" for the fraudster, but the article mentions a number of occasions where this has worked.
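The numeric-only comparison described above, as an added example that is not part of the original post or any card scheme's code. It is a simplified model: the function names, the `(house_number, post_code)` tuple layout and the stricter full-post-code check are assumptions made for illustration, and the sample orders are constructed from the addresses in the post.

```python
import re

def avs_digits(text):
    """Return only the digits of an address field, in order (letters and spaces dropped)."""
    return "".join(re.findall(r"\d", text))

def numeric_avs_match(registered, supplied):
    """Simplified model of the numeric-only check described in the post.

    Each address is a (house_number, post_code) tuple; only digits are compared.
    """
    return (avs_digits(registered[0]) == avs_digits(supplied[0])
            and avs_digits(registered[1]) == avs_digits(supplied[1]))

def normalise_post_code(post_code):
    """Strip whitespace and upper-case so 'w4 2qr' and 'W42QR' compare equal."""
    return re.sub(r"\s+", "", post_code).upper()

def strict_match(registered, supplied):
    """Hypothetical stricter check: house number digits plus the full post code."""
    return (avs_digits(registered[0]) == avs_digits(supplied[0])
            and normalise_post_code(registered[1]) == normalise_post_code(supplied[1]))

def review_order(registered, supplied):
    """Classify an order as 'match', 'numeric-only match' (worth a review) or 'mismatch'."""
    if strict_match(registered, supplied):
        return "match"
    if numeric_avs_match(registered, supplied):
        return "numeric-only match"
    return "mismatch"

# Constructed sample data: the registered address and three orders against it.
REGISTERED = ("12", "W4 2QR")
ORDERS = [
    ("12", "w4 2qr"),   # same address, different formatting
    ("12", "E4 2RT"),   # different address, same digits (the case from the post)
    ("14", "W4 2QR"),   # different house number
]

if __name__ == "__main__":
    for order in ORDERS:
        print(order, "->", review_order(REGISTERED, order))
```

Orders that land in the "numeric-only match" bucket pass the digits-only comparison while the letters of the post code differ, which is the case worth routing to manual review.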

Solving the Card Not Present fraud problem is a major priority for banks and vendors alike, and I hope to post something soon about how VeriSign plans to stop this type of fraud... sorry to be cryptic, we have a solution we are very sure will stop this and most other types of CNP fraud, but until we have done our due diligence I am unable to say more...

June 6, 2008

Market Segmentation of your consumers needs to include security

As a marketer and a security professional, I think I am well placed to make a comment on an area I think this blog will repeatedly come back to.

Segmentation.

Now, in marketing terms, segmentation refers to finding similarities between members of your existing or targeted market and tailoring the offering to them, to ensure you attract and retain the highest number of profitable customers possible.

It seems that the fraudsters have been doing the same:

http://www.theregister.co.uk/2008/05/28/id_fraud_trends/

Now, no-one will be surprised to see this of course, especially if you are a security professional.

In fact, you probably do "segmentation" in a way when you assess the risk of fraud for particular systems or customer groups, tailoring the security to where the need is.

So if you are a security professional reading this, I would suggest thinking about two things.

1) Who within my customer base NEEDS the most security when they are accessing their account?

2) Who within my customer base WANTS more security when they are accessing their account?

A recent survey from Abbey (part of the Santander banking group) in the UK said that 67% of their customers don't want added security, but what about the other 33% that do WANT it? They will be more loyal customers if you are giving them additional benefit.

What percentage of those 100% are high net worth individuals who NEED additional security?