September 14, 2015
This is the next – I have a terrible feeling it's not the last though – of seeing the cards world through the eyes of a consumer. The story so far is contained in three previous posts, with the last reporting that my card details were skimmed (we assume) in the US. This post however looks at the experience at home.

As a consumer, we often get warnings from our banks about phishing attacks – we will never do this, our emails will look like this, etc. Then consider what a daily average inbox looks like – full of identical emails from fraudsters, often better written, and better laid out. Furthermore, banks only focus on emails and outbound calls. I'm possibly wrong, but I'm fairly sure I've never had the same warnings about text messages, tweets etc. Consider then these channels and how many spam messages you get on a daily basis. (It's probably ok though, as all the PPI claims I'm told I have should more than compensate me for all the recent accidents I'm alleged to have been in!)

Saturday afternoon I received this text: Note that it comes from a mobile number, and texts from my card provider have their details in the text. I deleted it, assuming it was spam, and that if I replied I'd be signed up to some premium rate text service…again. Something made me pause, so I rang my card company, using the number that I already had. And I was right to do so, as it was from them. That's why I've blurred the full number – this is an active line that they are using, but don't advertise. They seemed surprised that I was querying the method, yet when I asked how many people responded to texts, they seemed less certain (to be fair, it was a call centre operator!).

As a consumer, I appreciate the attempt to make it as seamless and easy as possible. Yet it contradicts the advice we're given. It would be very simple to text people randomly and ask them for personal details to confirm who they are, or to log into a man-in-the-middle website. It feels a little chicken and egg.
Consumers need educating. Explaining that the layers of security are providing them protection. At the same time, banks need to think about how consumers will – or should – view their messaging. Given the nature of the message, and the reputational issues, I wonder whether it’s time for the banks collectively to find a solution. Detecting fraud and managing it could be a competitive differentiator – or it could prove far more powerful to do collectively. Across providers, across channels, across products. Best practice across the industry surely has got to benefit everyone long term?
September 7, 2015
…but something far more valuable. So for this post to make sense, you ought to read my last 2 posts, about my experience of using my credit card in the US. The first talked about the customer experience, and how varied it was. Some of the quirks were allegedly to improve security, yet offered no perceivable additional security. When asked, the retailers I spoke to saw EMV as offering no better security and a worse customer experience. The second was noting that many of the threads around card fraud led to the US – either cards being skimmed there, or card details from around the world ending up in the US, where just the mag stripe is required.

Saturday morning I got a call on my mobile. I'll write another post later about this and how banks tell you to be careful about highly professional looking phishing scams… and then contact you in ways that look like amateur phishing scams! The point of the call was… to say my card details had been skimmed, as they assumed I hadn't spent a lot of money in person at an art shop in India. Actually, given I had been using my PIN in a terminal 5 miles from my house, in a shop I go in most Saturdays, about 20 mins before that transaction, I was rather shocked by the fact that they'd authorised it anyway even though it was highly unlikely it was me.

And guess what? "Have you had to swipe your card recently? That's probably where they got the details." Yes, reader – almost certainly stolen whilst I was in the US. If only they had full EMV, then this almost certainly wouldn't have happened.
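The authorisation described above is exactly what a velocity or "impossible travel" rule is meant to catch: a chip-and-PIN transaction near home, then a card-present magstripe transaction on another continent twenty minutes later. The Python below is an added example and is not the card issuer's logic or anything from the original post. The transactions, coordinates and the 900 km/h speed ceiling are all constructed assumptions; a real issuer would feed this from its authorisation stream and tune the threshold per region.

```python
"""Impossible-travel check over card-present authorisations.

Added illustration; not the issuer's actual fraud rules. The sample
transactions, their coordinates and the speed ceiling are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Assumption: a physical card cannot move faster than a commercial jet,
# so two card-present uses implying more than this are not one traveller.
MAX_CARD_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Txn:
    card: str            # tokenised PAN or other card reference
    when: datetime       # authorisation time, UTC (naive for simplicity)
    place: str           # merchant description, used only for reporting
    lat: float
    lon: float
    card_present: bool   # chip/PIN or swipe, as opposed to e-commerce
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(
    txns: List[Txn], max_kmh: float = MAX_CARD_SPEED_KMH
) -> List[Tuple[Txn, Txn, float]]:
    """Flag consecutive card-present uses of one card that would require the
    cardholder to move faster than max_kmh.

    Card-not-present transactions are skipped: the card need not be anywhere
    in particular for those, so distance says nothing. Each hit is returned
    as (previous, current, implied_speed_kmh).
    """
    last_present: Dict[str, Txn] = {}
    hits: List[Tuple[Txn, Txn, float]] = []
    for t in sorted(txns, key=lambda x: x.when):
        if not t.card_present:
            continue
        prev = last_present.get(t.card)
        if prev is not None:
            hours = (t.when - prev.when).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
            # Same instant, different place is still impossible; avoid /0.
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_kmh:
                hits.append((prev, t, speed))
        last_present[t.card] = t
    return hits


# Constructed sample: PIN purchase near home, an online order five minutes
# later, a magstripe "card present" purchase in Mumbai twenty minutes after
# the PIN transaction, and a plausible trip to New York two days on.
SAMPLE_TXNS = [
    Txn("tok-1", datetime(2015, 9, 5, 10, 0), "Supermarket, London", 51.5074, -0.1278, True, 42.10),
    Txn("tok-1", datetime(2015, 9, 5, 10, 5), "Online bookshop", 0.0, 0.0, False, 15.99),
    Txn("tok-1", datetime(2015, 9, 5, 10, 20), "Art shop, Mumbai", 19.0760, 72.8777, True, 850.00),
    Txn("tok-1", datetime(2015, 9, 7, 10, 20), "Coffee, New York", 40.7128, -74.0060, True, 4.50),
]


def report(txns: List[Txn] = SAMPLE_TXNS) -> List[str]:
    """One human-readable line per impossible-travel hit."""
    lines = []
    for prev, cur, speed in impossible_travel(txns):
        mins = (cur.when - prev.when).total_seconds() / 60
        lines.append(
            f"{cur.card}: {prev.place} -> {cur.place} in {mins:.0f} min "
            f"implies {speed:,.0f} km/h (limit {MAX_CARD_SPEED_KMH:.0f}); decline or step up"
        )
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On the sample data only the London-to-Mumbai pair is flagged: roughly 7,200 km in 20 minutes implies over 20,000 km/h, while the later New York purchase is well inside the ceiling and the online order is ignored because the card did not have to be present. The rule is deliberately conservative so it can be used as a hard decline on card-present authorisations; a softer version would route hits to step-up (an SMS or call from a known number) rather than declining outright.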
August 27, 2015
In my last post, I talked about the experience of using my credit card in the US, and how inconsistent it feels. Some of it was undoubtedly tied to security – using photo ID or entering zip codes – though I'm far from convinced that they provided any security at all. In some conversations we've had, there has been a feeling that US fraud is actually manageable at an industry level – a belief that they are in line with or better than many other countries. Yet the recent figures from Nilson seem to paint a very different picture. Whilst accounting for 21.4% or $6.187 trillion of total volume last year, the US accounted for 48.2% or $7.86 billion of gross losses worldwide on plastic cards. Zil has – and will! – discuss the implementation of EMV at length with anyone, so I won't discuss that here. What struck me was how ineffective the checks currently are. As a consumer (rather than a payments geek) it struck me:
- Asking for zip code as authorisation seems pointless – if I’ve stolen a purse or wallet with cards in, I’m likely to have either the zip code already or have enough info to find it within seconds on the internet
- Asking for a signature, yet not even checking it seems odd. Perhaps I have an honest face or perhaps the risk didn’t warrant the effort
- Photo ID, at least for non-US, seems pointless. How many people can spot fake ID, or know what a, say, Latvian national ID card looks like?
November 26, 2014
Usually, during the Autumn season, I make a few trips to the United States for conferences and client visits. This year was no exception and I have recently come back from two trips to Las Vegas and San Antonio. EMV migration in the US was high on the agenda during both visits and I came back with two takeaways: 1) the US market is finally serious about EMV and preparations are going full steam ahead and 2) I am glad it is happening. All the data breaches at retailers, from Target to K-Mart Sears, have spooked the market and stirred it into action. Some of the major challenges, such as reconciling EMV with Durbin/Reg II, have been resolved – on November 4, Vantiv announced it became the first US acquirer to successfully complete a debit EMV chip transaction compliant with Durbin. Most of the issuers are in the planning stages and beyond, even with debit. On September 30, Bank of America became the first major US bank to announce that all new debit cards will be EMV, while existing cards would be replaced at expiry. I am planning to soon publish a report on the US EMV migration, which will discuss what is happening in the market now and will address a number of questions we frequently get from clients, including some of the more advanced EMV topics, such as scripting, PIN management and multi-functional cards.

In this blog I just wanted to share a personal story. Until the cards and terminals migrate, the fear of fraud at the US retailers is palpable, to the point where it is starting to impact consumer experience. During my brief shopping break I wanted to pay with my UK-issued chip card. As the amount was over $75, I was asked for a customer ID. I offered my UK driver's license, which the cashier started diligently copying by hand onto the printed receipt. As it was a foreign license, he wasn't sure which was what, so had to call his supervisor to check what exactly he should be copying.
When he was done, I thought that would be the end of it, but unfortunately, I was mistaken. The cashier then took my card, placed the receipt on top of it and started rubbing it with a pen to get the imprint of the embossed details on the card! Apparently, he had to do it because the amount was actually over $150… I could scarcely believe this was taking place in the 21st century…

On a separate note, I must admit, 10 years of EMV in the UK made me deeply suspicious whenever at a restaurant I have to hand in my card and the waiter just runs away with it. In Europe, the waiter brings a handheld terminal to the table, I enter my PIN and the card never leaves my sight. I am not saying that this is an everyday experience for all US consumers these days. Perhaps I happened to go to a retailer with particularly strict anti-fraud policies, or they recognised a foreign card and wanted to take extra precautions, or I was simply unlucky. But I did not enjoy the experience. This is also not a smug boast about how "we have it better here in Europe." I actually think that the US is a hotbed of innovation, and creative solutions emerging from the US, such as Apple Pay, are pointing to the future of what lies ahead for many of us. However, EMV will help with the "here and now." Of course, there will be a learning curve for the US consumers as they get used to new chip cards, and there will be teething challenges during the migration, but it will be worth it for the market as a whole. And as a regular visitor, I just can't wait for the US to migrate to EMV.
March 26, 2014
Yesterday I came home to a strange voicemail from ING Direct Canada. I decided to phone back right away because I noted the following 3 things about the message:
- The toll free number provided was nowhere to be found on the bank’s web site
- The message left was with regards to “my profile and information”
- The reference number left on the voicemail was my online banking user ID
- You can have great data, but it’s useless if you don’t master things like privacy and security
- Customers should always be directed to call back a primary telephone number that can be easily validated. Banks are so cautious about email communication with clients – they should be just as cautious with telephone communication
- Under no circumstances should a user ID ever be divulged. It’s a key piece of an authenticated login. It of course takes a couple of other pieces to login but that’s not the point – why give away any pieces of the puzzle? Furthermore, if a bank or customer were to suffer a breach, a fraudster could attempt to gain access to other account credentials by leaving a convincing voicemail containing a user ID (that obviously did not happen here).
January 24, 2012
I’ve always had mixed feelings regarding handing over my ID to a merchant when paying by credit card. On one hand it’s great that the merchant is attempting to protect its business and you from fraud. On the other hand you are handing over your personal information to a complete stranger. I was shopping last week with my wife at a Coach store in Florida. We made a small purchase and the sales agent asked for my ID for the credit card transaction. I handed over my credit card and ID and started chatting with my wife. I then noticed that the salesperson was studying my ID and appeared to be typing my information into her computer. I promptly asked what she was doing and she answered that she was typing my address and info into her computer so that I could be added to the Coach mailing list. She never asked for my consent and needless to say I was not happy. The salesperson thought she could simply take the liberty of capturing my personal information. I found this especially curious since this happened on the same day as the Zappos data breach that exposed the personal information of 24 million customers. I subsequently spoke to a manager about the salesperson’s actions and was told that their policy is to check IDs but ask for consent regarding the capture of your personal information. I told the manager what happened and she replied, “Oh, she probably did this on a habit.” Talk about bad habits, and ones that can certainly get you into trouble! In some instances, asking for personal information may violate store policy, credit card merchant agreements and even state law. This past February, a ruling in the state of California determined that merchants cannot even legally ask for your zip code when making a purchase by credit card. Merchants must start to weigh the pros and cons of capturing personal information at the point of sale. 
Sure, it can help gather data and help with marketing, but on the other hand it can open the merchant and the consumer up to all sorts of vulnerabilities. In the online world things are obviously different. Shoppers must provide (and are therefore consenting to provide) a billing address, and that can be captured. And the vulnerabilities are being exploited. Just yesterday, Coach’s website was hacked by a group called UGNazi. This group hacks organizations that support SOPA. To my knowledge no information was leaked, only the website was defaced. I’m still thinking about how to deal with Coach’s mishandling of my transaction. I am definitely going to file a complaint with Coach senior management. Other options include complaints to the Federal Trade Commission, and to the Florida Attorney General. I’m curious to hear your thoughts, please discuss!
July 5, 2011
Last week the FFIEC issued the long awaited Supplement to Authentication in an Internet Banking Environment. I read through the 12-page report (it's actually 8 pages with a 4-page appendix), and kept reminding myself that I should try to look at this in a cup-half-full manner. Yes, I can be a cup-half-empty kind of guy, however I must say that this document doesn't say much that most banks don't already know. The wording is vague, open to interpretation, and unclear. It's a great read for someone who is new to the space that wants to get a high level overview of some of the challenges banks are facing. I know that banks are going to be placing a lot of energy into analyzing this document, and making sure they can follow the so-called guidance.

The first problem is the title – Supplement to AUTHENTICATION. Authentication was definitely a big deal back in 2005 when the first iteration of this document was released. At this stage of the game, it really doesn't mean much. Sure, all banks should have it, and yes they should pay attention to new solutions that can enhance authentication. Today, with current threats and attacks, authentication is about as useful as a security guard that is placed in front of a bank building. The guard can scare people off, and provide the appearance of security. If criminals or terrorists want in, we all know that the guard is nothing more than a useless sentry. So sure, let's keep on forcing customers to use the familiar image/phrase/challenge question routine for online banking. But let's accept the fact that multifactor authentication, even using hard tokens, is pretty useless. The document keeps referring to layered security – that's a good thing. But how long have we been hearing that for? Great that it's down on paper given that it's so critical. It's the most important step a financial institution can take but a lot more detail and guidance is required here.
There was quite a buzz regarding the fact that the document doesn’t discuss mobile banking security. That ties back to the vagueness of the document. Personally, that doesn’t bother me as much. The info in this doc has to be consumed with the understanding that consumers and businesses are using a range of electronic devices – PCs, mobile phones, tablets, etc. Yes, there are going to be security issues that are device category specific. It would have been nice to see things laid out a little more clearly, or at least recognition of this trend. On page 3, the document goes over high risk transactions. The overly structured section misses a key point – as features migrate out of the branch for cheaper self service alternatives (think consumer wire transfers online) the risks increase. Financial institutions need to plan for these changes now and understand that the online channel is already handling higher risk consumer transactions. In my opinion, the most important section of this document should have been customer awareness and education. It takes up approximately half a page. Banks do a very poor job of educating customers, and there are tons of examples to prove it. Since the consumer is the weakest link in the equation, this clearly requires a lot more attention. Can I be a curmudgeon? Absolutely. Is it warranted in this case (objectively speaking of course)? Without a doubt.
July 13, 2010
Last week I attended “The Future of Cards and Payments” conference in London. Over two days, various speakers shared their perspectives on how they see the cards and payments market developing, particularly in the UK. Here is a selection of facts, which I picked up during the presentations and found especially interesting:
- The crisis hasn’t changed the UK consumers’ behaviour that much. According to a study by Visa Europe, 56% of respondents in 2010 agreed with the statement “I save money so I have some protection in the future”, compared to 57% in 2008 and 24% are “open to borrowing to buy what I want today” (vs 23% in 2008). Having said that, more people are aware of their finances with 63% vs 45% two years ago “watching every penny they spend to avoid getting into debt”.
- Cash is not going away. In the same Visa survey, 35% of people surveyed in 2010 stated that they “prefer to pay in cash for everything I buy”, which is down from 54% in 2002, but up from 18% in 2008.
- Only ~50% of business accounts in the UK have a card
- Identity fraud was up by 32% in 2009
- Cheques are due to be phased out in the UK by 2018. However, it will only be done if by 2016 there are real alternatives in place, they are available to the users, well known and are being used. Heavy cheque users include charities (get 70% of their income via cheques) and elderly (may need another paper-based alternative, e.g. giro credit) among others.
- UK market has ~4m prepaid cards.
- Also, the UK is on track to have 12m contactless cards in use by December 2011. Focus needs to shift now to acceptance.
- Adoption of SEPA Direct Debit is partly an issue of interchange. 70% of euro-based DD transactions in the EU don’t have interchange, but the others do. The European Commission is firmly against having interchange for DD, but accept that a transition period may be required and there might be a case for it when dealing with rejected transactions.
- To limit fraud, some online merchants and their PSPs are beginning to tailor availability of payment methods based on the consumer’s postcode, e.g. credit cards would be OK if you live in a premium address in Chelsea or Kensington, but only a prepaid electronic voucher (e.g. ukash) would be offered if you happen to shop from a council estate in Peckham.
- And if you live with 20 other strangers in a room with no doors or windows in Asia or Africa and have no bank account, storing money is as important to you as being able to make payments.
March 17, 2010
I just returned from the Digital Insight National Client Conference in San Antonio. I was invited to speak on social media for banking, and I also took some time to attend several of the sessions. One of the sessions I attended was a panel discussion with a group of four commercial businesses. These middle market firms discussed various cash management and online banking issues and described how they run their businesses. Eventually the discussion turned to security and the moderator asked the firms about their security best practices. Each firm described their setup and one of the businesses described a fraudulent incident where a keystroke logger was installed on a computer used for online banking. Three out of the four panelists were unaware of the rash of business online banking fraud that has hit the market (see my blog entries on this here and here). I asked the panel if their financial institution had contacted them recently to make them aware of some of the risks, or if their financial institution had implemented new policies or solutions that they would be required to adopt. The answer of all four businesses – a flat out no. Their banks had not contacted them recently about anything related to security. Needless to say I was not entirely surprised, but I was frustrated by the situation. Business banking is very much about relationships. Banks should be investing in these relationships and at the very least should be providing educational tools and support to their customers. Given what is going on in the market, security education isn’t an option but a strict requirement. Even with the various warnings and advisories that have come out it appears that banks aren’t doing enough to proactively educate their customers. There is a lot at stake and just this week several agencies have issued an ACH and wire fraud advisory. I agree with most of the points of the advisory. 
However, there is nothing mentioned regarding security education in the section called "Actions for Financial Institutions." Additionally, the recommended best practice for businesses is to use a dedicated computer for online banking. This is completely unrealistic and counterproductive. Before you know it we will all need to have separate computers to log in to Facebook, another to send email – you get the picture. This scare tactic also has the potential to reduce business online banking adoption. Proactive and ongoing security education, smart practices (e.g. setting dual approval, limits) coupled with multiple layers of security solutions can solve a good chunk of this problem.