The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12-month period. For a decade now, Lockstep has been monitoring these figures, plotting the trend data and analysing what the industry is doing - and not doing - about Card Not Present fraud. Here is our summary of the financial year 2015 stats.
Card Not Present (CNP) fraud has grown over 25 percent year-on-year from FY2014, and now represents 84 percent of all fraud on Australian cards.
APCA evidently has an uneasy relationship with any of the industry's technological responses to CNP fraud, like the controversial 3D Secure, and tokenization. Neither gets a mention in the latest payment fraud media release (PDF). Instead APCA puts the stress on shopper behaviour, describing the continuing worsening in fraud as "a timely reminder to Australians to remain vigilant when shopping online". Sadly, this ignores the fact that card data used for organised criminal CNP fraud comes from mass breaches of databases, not from websites. There is nothing that shoppers can do when using their cards online to stop their card data being stolen, because it is far more likely to be taken from backend systems over which the shoppers have no control.
You can be as careful as you like online - you can even avoid Internet shopping entirely - and still have your card data stolen from a regular store and used in CNP attacks online.
APCA says in its media release: "Financial institutions and law enforcement have been working together to target skimming at ATMs and in taxis and this, together with the industry’s progressive roll-out of chip-reading at ATMs, is starting to reflect in the fraud data". That's true. Fraud by skimming and carding was halved by the smartcard rollout, and has remained low and steady in absolute terms for three years. But APCA errs when it goes on with "Cardholders can help these efforts by always protecting their PINs and treating their cards like cash". Safeguarding your physical card and PIN does nothing to prevent the mass breaches of card data held in backend databases.
A proper fix to replay attacks is easily within reach: it would re-use the same cryptography that solves skimming and carding, and would restore a seamless payment experience for cardholders. Apple for one has grasped the nettle, and is using its Secure Element-based Apple Pay method (established now for card present NFC payments) for Card Not Present transactions, in the app.
See also my 2012 paper "Calling for a Uniform Approach to Card Fraud Offline and On" (PDF).
Abstract
The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. The universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere, underpin seamless convenience. So with this determination to facilitate trustworthy and supremely convenient spending in every corner of the earth, it is astonishing that the industry has still not standardised Internet payments. We settled on the EMV standard for in-store transactions, but online we use a wide range of confusing and largely ineffective security measures. As a result, Card Not Present (CNP) fraud is growing unchecked.
This article argues that all card payments should be properly secured using standardised hardware. In particular, CNP transactions should use the very same EMV chip and cryptography as do card present payments.
With all the innovation in payments leveraging cryptographic Secure Elements in mobile phones, perhaps at last we will see CNP payments modernise for web and mobile shopping.
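To make the replay argument of this post and the abstract concrete, here is an added illustration (not Lockstep's code, and not the real EMV ARQC algorithm) of why static card data is replayable while a Secure Element cryptogram is not. It assumes a constructed card key shared by the card and issuer, and a simplified MAC over the transaction counter and details standing in for the EMV cryptogram.

```python
import hmac
import hashlib

# Constructed sample values: a card key shared between the card's Secure
# Element and the issuer, and the static card data a database breach exposes.
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CARD_RECORD = {"pan": "4000000000000002", "expiry": "1227", "cvv": "123"}

def authorise_static(issuer_record, request):
    # Today's CNP model: only static fields are checked, so data copied from
    # a breached database is accepted exactly like the genuine card, every time.
    return all(request.get(k) == v for k, v in issuer_record.items())

def make_cryptogram(key, atc, amount_cents, merchant_id):
    # Simplified EMV-style cryptogram (an assumption, not the real ARQC
    # algorithm): a MAC over the application transaction counter (ATC) and
    # the transaction details, computed inside the Secure Element.
    msg = f"{atc}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    # Issuer-side check: verify the MAC and require the ATC to move forward,
    # so a captured message cannot be replayed or re-priced.
    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorise_dynamic(self, req):
        expected = make_cryptogram(self.key, req["atc"], req["amount_cents"], req["merchant_id"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "declined: cryptogram mismatch"
        if req["atc"] <= self.last_atc:
            return "declined: counter reuse (replay)"
        self.last_atc = req["atc"]
        return "approved"

def demo():
    # Static data: the genuine purchase and a replay from a breach both pass.
    static = (authorise_static(CARD_RECORD, CARD_RECORD),
              authorise_static(CARD_RECORD, dict(CARD_RECORD)))
    # Dynamic cryptogram: the genuine purchase passes once; replaying the same
    # captured message, or altering its amount, is declined.
    issuer = Issuer(CARD_KEY)
    purchase = {"atc": 42, "amount_cents": 4999, "merchant_id": "SHOP-1"}
    purchase["cryptogram"] = make_cryptogram(CARD_KEY, 42, 4999, "SHOP-1")
    dynamic = (issuer.authorise_dynamic(purchase),
               issuer.authorise_dynamic(dict(purchase)),
               issuer.authorise_dynamic(dict(purchase, amount_cents=99999)))
    return static, dynamic
```

The static check cannot tell a breach copy from the real card, whereas the issuer-side counter and MAC decline both the replayed and the re-priced message without any vigilance on the shopper's part.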