Fraud Intel

see also Andre's Finextra blog


    About Ethoca's Fraud Intel Blog

    This blog provides perspectives on card-not-present fraud and related topics.

    Also see: Ethoca News.


    3D Secure: Does it Make e-Commerce Any Safer?


    In this 3-part series, I examine what 3D Secure is and why it was developed, discuss its successes and failures from the perspectives of merchants, consumers, banks and security experts and how it's been adopted in different geographies, and finally conclude with an evaluation of how well it addresses the problem it set out to solve and whether better approaches might exist. I invite your questions and comments regarding your personal 3D Secure experiences.

    Introduction: Part 1 of 3

    Our European readers are likely very familiar with 3D Secure in some form, but here on the other side of the Atlantic, not so much. So, first some background.

    3D Secure (Three-Domain Secure, after the issuer, acquirer and interoperability domains the protocol spans) is the generic name for a protocol originally designed by Visa and promoted as adding a layer of security, in the form of cardholder authentication, to prevent payment card fraud. Visa offered the scheme to the other card associations, which implemented it under their own branding. The three branded versions are Verified by Visa (VbV), MasterCard SecureCode, and JCB International's (Japan Credit Bureau) J/Secure.

    The protocol has been poorly implemented and poorly marketed (there is a lot of market confusion about what it is, even in Europe, where it has high penetration and most online shoppers have encountered it at least a few times), so you may hear any of these four terms bandied about. Know that they are all basically the same thing. If you want to dig into more detail, this Wikipedia article covers the basics.

    Why Use 3D Secure?

    MasterCard offers this business case on their website:

    • 70% of online shoppers are very concerned about security and fraud issues
    • 26% would purchase more frequently online if there were more security protection from a card
    • 44% of those likely to use SecureCode would be likely to buy more online
    • 66% of online consumers who do not make purchases online cite security concerns as the main reason

    As this series of articles will discuss, if security, consumer protection, and increased sales are the real issues, we'd all be better off not using 3D Secure technology, because it isn't secure, doesn't offer any additional protection to the consumer beyond the "zero liability" for fraud that is already guaranteed, and often causes sales to drop because consumers don't understand it, don't trust it and don't like the inconvenience.

    The Sales Pitch Versus the Reality

    Most merchants who choose to adopt 3D Secure do so because it shifts liability for card-not-present fraud to the card issuer on transactions that were authenticated through 3D Secure. Without this economic incentive, it is unlikely 3D Secure would have gained significant market traction.

    In some industries with high risk profiles and large dollar sales (e.g. airlines), and where there are limited choices and demand is relatively inelastic (if I want to travel from Toronto to Atlanta, for example, I have only 2 practical choices, unless I'm prepared to take the time to drive), this liability shift and reduced fraud cost outweighs lost sales and what consumers think about the inconvenience.

    As a result, buying airline tickets is one of the places consumers are most likely to encounter 3D Secure in the US. In most other business categories there is simply too much competition for retailers to risk offending, inconveniencing or confusing customers.

    It's Different in Europe

    Adoption in Europe has been much broader than in North America. We speculate that part of the reason for this is that the US e-commerce market was much more established when 3D Secure was introduced, with many more merchants and much more competition within categories. Thus merchants are less willing to do anything that might introduce a perceived inconvenience or a reason for consumers to go elsewhere.

    In the UK, MasterCard's Maestro brand, one of the most widely used cards there, effectively issued an ultimatum: if merchants wanted to accept its cards online, they would need to use 3D Secure. This single spur to adopt has dramatically changed the game there, making the ability to accept online payments the critical factor in adoption, although it hasn't completely mitigated concerns about security, lost sales or consumer fear of fraud.

    As a result of this enforced implementation, adoption in the UK market has risen from below 20% to around 80% of UK merchants in just 3-4 years, although there are some notable holdouts. Amazon, by far the world's largest online retailer, refuses to use 3D Secure, citing consumer inconvenience. Amazon also has very sophisticated fraud systems in place already, so it stands to lose more in sales and customer goodwill than it would gain in fraud savings.

    Summary

    In summary, 3D Secure has had a spotty record since Visa introduced it nearly 10 years ago, in 2001. In the last few years it has become much more successful in Europe than in North America, where it is still an oddity. It has helped lower fraud a little, particularly in the UK market (but not the Total Cost of Fraud, a concept we'll touch on in future articles that helps explain the lack of market traction), but at the expense of consumer angst and lower sales for many merchants.

    In the next article, I'll detail the complaints about 3D Secure and why merchants and consumers generally don't like it, and the cost burden it imposes on card issuers.

    Unequal Rewards & Penalties: Do Issuing Banks Really Have Nothing to Lose to CNP Fraud?


    KISS (Keep it Small, Stupid) Proves an Effective Fraud Strategy

    The NY Times reported this weekend on an unusual case of credit card fraud filed by the FTC in a Chicago federal court involving more than 1 million cardholder accounts and over 100 fake merchant accounts over a period of at least 4 years. It’s a sign of how much the internet and automation have changed the fraud game, enabling massive scams by employing the KISS (Keep It Small, Stupid) Principle.

    The suit claims that more than $10 million was stolen by placing just a single fraudulent charge of less than $10 on each of more than 1 million different credit and debit cards. Card-not-present transactions (i.e. online sales) were recorded by 16 shell companies operating under more than 100 different merchant IDs. The fake companies, set up with bogus websites and phone numbers to look real when they applied for merchant accounts, were created using stolen identities, and the money was quickly moved out of the US to bank accounts in several different east European countries.

    The interesting vulnerability exposed is how easy it is to fly under the radar if you make everything plausible and seemingly random, and don’t do anything to stand out. Criminals carefully set up fake companies with familiar sounding names so that nothing would stand out on the cardholder statements. By only attacking each card once, and for a small amount, it’s a safe bet that the majority of consumers didn’t even notice. The one dumb error was posting a number of transactions for as little as 20 cents. According to the FTC, there were more complaints about the 20-cent charges than the 9 dollar ones because they appeared odd – again, it’s about plausibility.

    There were remarkably few complaints of any sort: it took nearly a million transactions before the FTC had registered enough complaints to start an investigation. The lesson: KISS.
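    What a merchant-side screen for this pattern can look like, as an added example that is not code from this blog or from Ethoca: it aggregates card-not-present charges per merchant account and flags accounts that bill many distinct cards exactly once each, in a tight band of small amounts. The record layout, the thresholds and the sample transactions are constructed assumptions for illustration.

```python
"""Heuristic screen for the "one small charge per card" pattern.

Added example, not Ethoca code. Aggregates card-not-present charges per
merchant account and flags accounts whose charge profile looks like a
micro-charge shell merchant: many distinct cards, almost every card billed
exactly once, nearly all amounts under a small ceiling, and a narrow amount
band. Field names, thresholds and sample data are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    merchant_id: str
    merchant_name: str
    card_token: str      # tokenized PAN; never the raw card number
    amount_usd: float


def merchant_profile(txns):
    """Per-merchant features that separate one-shot micro-charging from trade."""
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant_id].append(t)
    profiles = {}
    for mid, rows in by_merchant.items():
        per_card = Counter(t.card_token for t in rows)
        amounts = [t.amount_usd for t in rows]
        avg = mean(amounts)
        profiles[mid] = {
            "name": rows[0].merchant_name,
            "n_txns": len(rows),
            "n_cards": len(per_card),
            # share of cards that were charged exactly once
            "single_use_ratio": sum(1 for c in per_card.values() if c == 1) / len(per_card),
            # share of charges below the small-ticket ceiling
            "small_ratio": sum(1 for a in amounts if a < 10.0) / len(amounts),
            # coefficient of variation: how tightly the amounts cluster
            "amount_cv": (pstdev(amounts) / avg) if avg else 0.0,
        }
    return profiles


def flag_microcharge_merchants(txns, min_cards=25, single_use=0.95, small=0.95, max_cv=0.20):
    """Return merchant ids whose profile matches the micro-charge pattern."""
    flagged = []
    for mid, p in merchant_profile(txns).items():
        if (p["n_cards"] >= min_cards
                and p["single_use_ratio"] >= single_use
                and p["small_ratio"] >= small
                and p["amount_cv"] <= max_cv):
            flagged.append(mid)
    return sorted(flagged)


def constructed_sample():
    """Constructed data for the demo; no real merchants or cards."""
    txns = []
    # Shell merchant: 60 cards, each billed once, amounts $7.50 to $9.75
    for i in range(60):
        txns.append(Txn("M-SHELL-001", "Adele Services", f"card-{i:04d}", 7.50 + (i % 10) * 0.25))
    # Ordinary bookshop: 20 repeat customers, 3 orders each, $4 to $120
    for i in range(60):
        txns.append(Txn("M-BOOKS-007", "Main St Books", f"card-{9000 + i % 20:04d}", 4.0 + (i * 37) % 117))
    return txns


if __name__ == "__main__":
    for mid, p in merchant_profile(constructed_sample()).items():
        print(mid, p)
    print("flagged:", flag_microcharge_merchants(constructed_sample()))
```

    The flag is a reason to review the merchant account, not proof of fraud: a legitimate one-off micro-transaction business can look similar, which is why the check combines four signals rather than one and why the acquirer's onboarding data (identity verification, a real website, a reachable phone number) should be joined in before acting.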

    You can read the full stories here:

    My main point for this article is to focus on a throwaway comment from Gartner analyst Avivah Litan. She is quoted:

    “If a credit card is physically swiped in the transaction, the bank that issued the card is on the hook for fraudulent charges. If it is a phone or Internet purchase — called a card-not-present transaction — the bank that hosted the merchant account that received the ill-gotten charges must make restitution.”

    And the writer of the article draws the conclusion that because the acquiring bank is on the hook for the fraudulent charges, that the issuer has “little motivation to be greatly concerned about online fraud”.

    Really? The acquirer is indeed stuck with many charges of between 20 cents and 9 dollars, since none of the merchant accounts were legitimate, but is there really no cost to issuers in this case?

    On the contrary, our analysis shows that it costs the card-issuing bank an average of $15 per transaction in labor and paper-trail costs (getting consumers to file affidavits, issuing chargebacks, etc.), plus the fees assessed by the card scheme for each chargeback. More, in fact, than the maximum $10 charge the acquirer had to eat.

    Across more than 1 million fraudulent transactions in this single case, that’s over $15 million – not exactly chicken feed, and certainly not “little motivation” to seek a solution.

    The takeaway is this: CNP fraud is a pernicious problem, and it affects, inconveniences and costs everyone involved. Merchants for sure, but also issuers and cardholders.

    The $15 in overhead costs may not compare to a $500 loss taken by a merchant of electronics goods, for example, but the issuers are getting hurt on each and every fraud. Consider that if a bank the size of JPMorgan Chase could eliminate these costs, that would represent by our guesstimates a savings of $1.5 – 2.5 million annually – a savings that is pure profit to the bottom line. I’d argue that that’s plenty of motivation for any issuer, and it is an achievable target with more industry collaboration.

    And, that would be good for everybody.

    The SmartAss Carders We Love to Hate


    The French police have apprehended a Russian carder, reputed to be among the largest sources of stolen credit card dumps, for extradition to face charges in the US. We applaud this transnational cooperation to nail those who trade in your card data to defraud merchants everywhere, especially online. This is a key link in the chain that creates CNP fraud.

    We know that biting off the head of the serpent will ultimately create a number of smaller snakes who go elsewhere to perpetrate their crimes, but today we can celebrate that one has been caught, and is likely to do some big time.

    If you have any doubts about how reprehensible these guys are, have a look at this advertising video that Vladislav Anatolievich Horohin, aka BadB, posted online to promote his services.

    Thanks to Wired magazine for uncovering this gem.


    When Fraud Detection Technology Does the Wrong Thing . . .


    Last week, the BBC reported that bank anti-fraud systems are blocking donations to Haitian relief following the earthquake that has brought the small, impoverished country literally to its knees.

    Although it is a well-known technique of fraudsters to use stolen cards at charitable sites to make "micro-donations" to test whether a card is still active and usable, using an indiscriminate block to refuse legitimate donations in a time of extreme need is surely an immoral and insensitive use of technology, and a severe unintended consequence of a security measure taken to protect the banks' own interests. I'm sure they did not mean to stop money from getting to the relief effort, but the reality is, we can do a lot better.

    Anti-fraud solutions for card-not-present fraud are far more sophisticated than this today. It's relatively easy to identify risk both statistically and behaviorally (preferably in combination), and in extreme situations override rules can be programmed quickly. It might be an extra expense for the bank to contact the card customer and do a live fraud check, but especially in this case, where the world is trying to reach out with an empathetic hand, that's exactly what they need to do, because automatic transaction blocks to the Red Cross are going to leave banks with yet another big raspberry on their collective faces.
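    One way to express the difference between a sledgehammer rule and a behavioral one, as an added example that is not code from this blog or from any bank's fraud system: the weak policy declines every small charity charge, while the behavioral policy declines only when a single card is sprayed across several charity merchants within minutes, and routes hits on a declared relief appeal to manual review instead of an automatic decline. MCC 8398 is the real category code for charitable organizations; the merchant ids, card tokens, thresholds and authorization records are constructed assumptions.

```python
"""Card-testing rule with a scoped override.

Added example, not code from the page or from any bank. Contrasts a static
"block small charity charges" rule with a behavioral rule that declines only
when one card is sprayed across several charity merchants in minutes, plus an
override that sends donations to declared relief appeals to manual review
instead of an automatic decline. MCC 8398 is the real code for charitable
organizations; every other identifier, threshold and record is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CHARITY_MCC = "8398"


@dataclass(frozen=True)
class Auth:
    card_token: str
    merchant_id: str
    mcc: str
    amount_usd: float
    at: datetime


def sledgehammer_policy(auth, history=()):
    """Weak setting: any small charity charge is declined, legitimate or not."""
    if auth.mcc == CHARITY_MCC and auth.amount_usd < 25.0:
        return "decline"
    return "approve"


def behavioral_policy(auth, history, relief_merchants=frozenset(),
                      window=timedelta(minutes=15), micro_ceiling=2.0, min_merchants=3):
    """Decline only on the card-testing pattern; override for declared appeals."""
    # Distinct charity merchants this card hit with a sub-ceiling charge in the window
    recent_micro = {
        h.merchant_id for h in history
        if h.card_token == auth.card_token
        and h.mcc == CHARITY_MCC and h.amount_usd < micro_ceiling
        and auth.at - window <= h.at <= auth.at
    }
    if auth.mcc == CHARITY_MCC and auth.amount_usd < micro_ceiling:
        recent_micro.add(auth.merchant_id)
    if len(recent_micro) < min_merchants:
        return "approve"        # no spray pattern: an ordinary donation
    if auth.merchant_id in relief_merchants:
        return "review"         # override: hold for a cardholder check, don't auto-block
    return "decline"


def constructed_demo():
    """Constructed authorizations; returns decisions under both policies."""
    t0 = datetime(2010, 1, 20, 12, 0)
    relief = frozenset({"M-RELIEF-01"})
    # A tester sprays $1 at three charity sites in three minutes...
    spray = [Auth("card-T", f"M-CHARITY-0{i}", CHARITY_MCC, 1.00, t0 + timedelta(minutes=i))
             for i in range(3)]
    # ...then tries a fourth site, once an ordinary charity, once the relief appeal
    fourth_plain = Auth("card-T", "M-CHARITY-09", CHARITY_MCC, 1.00, t0 + timedelta(minutes=4))
    fourth_relief = Auth("card-T", "M-RELIEF-01", CHARITY_MCC, 1.00, t0 + timedelta(minutes=4))
    # A donor gives $20 to the relief appeal with no other charity activity on the card
    donor = Auth("card-D", "M-RELIEF-01", CHARITY_MCC, 20.00, t0 + timedelta(minutes=5))
    history = spray
    return {
        "donor_sledgehammer": sledgehammer_policy(donor, history),
        "donor_behavioral": behavioral_policy(donor, history, relief),
        "tester_plain": behavioral_policy(fourth_plain, history, relief),
        "tester_relief": behavioral_policy(fourth_relief, history, relief),
    }


if __name__ == "__main__":
    for case, decision in constructed_demo().items():
        print(f"{case}: {decision}")
```

    The "review" outcome is the override the post asks for: the card still shows the testing pattern, so the transaction is not silently approved, but the decision moves to a person who can call the cardholder instead of an automatic block that also refuses every genuine gift.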


    So, let's call for some common sense. It's bad enough when a sledgehammer rule costs you a bit of profit by falsely rejecting a legitimate customer; it's devastating when it could cost lives and prevent help from getting to where it's needed.

    Please, if you haven't contributed yet, consider making a donation to Haitian relief. This link connects you directly to the Red Cross, and lists several legitimate charities that are participating in the direct immediate support that is desperately needed.

    http://www.redcross.ca/article.asp?id=000043&tid=016

    Vacation Hacking: Data Theft and Financial Fraud Occurs Wherever You Are


    Vacation is supposed to be a time when you finally relax and break away from the demanding pressures of work-a-day life. But with the economy down, and many worried about doing enough to keep their jobs, the increase in computing mobility means that larger than ever numbers of people are taking work with them when they head for the beach. Be honest -- you took your laptop or Blackberry with you, and if nothing else, checked for email while you were away this summer, didn't you?

    So maybe you weren't working as you sipped pina coladas on the beach and surfed not the water but the web. Maybe you were "just shopping", or watching the latest viral videos on YouTube.

    So guess what? Ever on top of new trends, fraudsters have spotted a big new vulnerability to capitalize on. Adding another coined phrase to our fraud glossary, Fox News reports, “vacation hacking” is a new avenue for criminals to steal from those who rely on free wifi or unsecured networks while away from the office to get their internet fix.


    Ok, so you aren't one of those clueless tourists walking around with a sign on your back saying "Hack Me". You're a businessperson who's been around the block a few times, you've got AV software and a firewall -- not so easily taken. Really? Have you ever logged on at the airport, trying to squeeze in just a couple more emails before departure?

    So-called "white-hat" hackers recently surveyed a number of large airports and found what they described as an alarming number of rogue, hacker-operated wireless access points. Hackers are treating airport wifi as their new hotspots, enticing busy road warriors, unaware that they are at risk, to sign on to the hacker's portal, where they not only willingly hand over their credit card details but also leave their laptop exposed and their data unprotected.

    Data breaches, phishing, botnets, spam, fake portals, unsecured networks -- all can be used to steal personal information for fraudulent gain. But what can you do to stop it?

    Is there any escape? Is any protection good enough?

    Everyone will always tell you ways to make your environment more secure, and build a better barrier to keep the bad from getting in. But that doesn't help much when the bad gets in, nor does it deal with the root of the problem. Just ask Heartland Payment Systems, who thought they had a totally secured PCI DSS compliant environment.

    Only part of the problem is lack of security. Another critical part of the problem is the value of what gets stolen. We must redouble efforts to make the stolen data worth less, if not worthless. Make it harder to use. Fully thwart attempts to convert data to cash. Increase the penalties and prosecution efforts such that the perpetrator of the biggest data breach in history faces more than a couple of slaps on the wrist and a cushy job as an informant for the Secret Service.

    Become more aware of what makes us vulnerable, and stop depending on technical solutions that no one understands and which often increase complacency and therefore the probability of loss.

    Simple solution: address the problem at its source

    The solution as I see it is two-fold:

    1. Educate users about risk, and what to look out for -- what makes something suspicious and why you shouldn't hand over a social security number when someone calls asking for it, for example
    2. Stop financial fraud at source, by getting banks, card issuers, card processors, anti-fraud vendors and the targeted merchants all working together to provide a backstop when security fails

    Simple right?

    Take the poll

    Let us know what you think. More security? Better fraud detection? Stiffer penalties? Simplicity? Less technology? Collaboration? Smarter users? What is going to help us gain control of things?


    Aren't you glad that summer vacation is almost over and you're back to work?

    Data Breach Master Hacker Indicted; Foreshadows Increase In Online Credit Card Fraud


    Quiet congratulations to the authorities for finally catching up with their man, Albert Gonzalez, and getting indictments handed down by the grand jury in two of the largest deliberate data breaches in history, at Heartland Payment Systems and Hannaford Bros.

    Gonzalez, going by the alias Segvec, was also indicted in breaches at 7-Eleven and two other unnamed national retailers, as investigations continue into whether he might have been the linchpin in a number of other system intrusions. In a path of financial havoc rivalling the damages of Hurricane Katrina and Bernie Madoff combined, we wonder how many more shoes there are to drop, as Gonzalez is already being held on charges stemming from the 2007 TJX breach, the largest on record before Heartland came to light.

    Low Key Celebrations

    Perhaps a sigh of relief is in order, but not too much more in the way of celebration. Loud hurrahs and back-slapping would be inappropriate, lest we be lulled into complacency, and thinking this means the internet is safe again.

    In fact, if you didn't already feel a little uneasy about the inequality of armaments between the criminals and those defending against them, remember that Gonzalez pulled off his elaborate heist literally while the authorities were watching. His crew deployed the malware that siphoned data from Heartland and others while he was acting as an informant, after he had already been caught administering a prominent carding site called Shadowcrew.

    End of the Beginning?

    So, unlike many, we do not believe this heralds the beginning of the end for big time cybercrime -- rather just the opposite: it signals the end of the beginning. It will only get worse from here.  How do we know?

    Gonzalez is not the world's only smart hacker, and although authorities say there are few in his skill range, we believe there are many who are even smarter and who will learn from his mistakes. There are plenty of his kind working in crime hotspots all over the world. Not only are they well-trained, they are among the world's best mathematicians and scientists, often living in a climate where criminal behavior is tolerated, even respected -- where it is regarded as a legitimate tax-paying business, and even directly supported in some cases by the state.

    Birth of a Hacker Hero

    Gonzalez has shown the next generation of hackers how to win, and how to win big. Nevermind the arrogance and hubris which pushed him to take dumb chances that allowed him to be caught. He wrote the blueprint for others to follow.

    His brazen finger-in-the-eye crime makes him a hacker hero, energizing the whole hacker community to go him one better. His primary misstep was getting too cocky, repeatedly going back to the same well as he perpetrated the biggest credit card scams in history under the noses of the Secret Service.  If he had not already been known to law enforcement, and acting as an informer, is it possible he may have escaped detection entirely? Had he been a little less greedy, or a little less in-your-face with his tactics and scale of assault, might we still be looking for him for years to come?

    Copycats Will Multiply

    The hacker community is well connected and well organized. Despite his getting caught, Gonzalez's work is still impressive, and many will emulate his tactics. They will learn from both his success and his failure. The next big-time hacker will be a little less full of bravado and a little more cautious. They will evolve their M.O. a little more often, and run just below the radar.

    So, while some see the catching of Gonzalez as a major blow to the fraudsters, I view it differently. Segvec is a harbinger of the increasing sophistication of attack on the horizon, and portends accelerating and increasingly deceptive attempts to commit CNP fraud against retailers to convert stolen data to cash.

    Are you ready for what's coming?

    Data breaches demand earlier detection, better remediation


    A new article on Finextra highlights the rampant growth in financial fraud, with research from Gartner Group stating that 7.5% of Americans were hit in 2008.

    Much of this growth is due to the explosion in data breaches, in scope, scale and number. See my blog entry there exploring how data breaches show up weeks or months later as increases in online credit card fraud, and what we should do about it.

    Credit Card Fraud is Personal to Gilbert Fiorentino, CEO TigerDirect

    CEO of TigerDirect Advocates for Social Approach to Solve Vexing Card-Not-Present Fraud Problem

    Gilbert Fiorentino is a co-founder of TigerDirect, a top 10 consumer electronics and computer equipment etailer (#6 on the Hitwise list), but despite the size they’ve grown to, credit card fraud still irks Gilbert in a very personal way, as though the cybercriminals TigerDirect confronts every day were stealing the cash right from his wallet. You get the feeling listening to him that he’d gladly confront them in a dark alley.

    He says the reason retailers are losing the battle against cyberfraud is that the criminals are working together, selling stolen card numbers and sharing their code scripts and “best practices” for committing fraud, while the merchants work alone. Gilbert contends that if every single merchant joined together to share what they know, online fraud could be completely eliminated, and even enthusiastically encourages (even wishes for) his competitors to join the Global Fraud Fighting Community.

    He tells his story in the attached video.

     

    Dear Mr. Seth Godin – You’re right. A lot can happen when ‘we’ organize.


    The problem is that the 'we' is often the bad guys.

    For example - criminals around the world are benefiting from being better organized and using the Internet to work together. In the UK, banking losses due to fraud soared to £301.7m in the first half of 2008 compared to £263.6m in the same period last year, according to the latest figures from UK banking association APACS. Card-not-present fraud (a category that includes e-commerce fraud as well as phone and mail order scams) rose 18% to reach £161.9m in that same period.

    So with the good guys losing the battle of the organized to the bad guys, you and I as consumers and businessmen pay a price…literally as the APACS numbers show.

    But that advantage is coming to an end. Banks and businesses have had enough. The power shift, in favor of the good guys, has begun: in the same way the criminals have leveraged the power of organizing and the Internet, businesses and banks around the world are now working together to fight fraud head-on.

    Watch the following video clip of Gilbert Fiorentino, CEO of TigerDirect, to see just how mad online retailers are getting, and what they're prepared to do about it.

     


    Watch what happens when hundreds organize…boom…new rules indeed.

    Click here to read Seth Godin’s post on this.
