Nice try

In the UK, where we have had chip and PIN for a few years now, we see card fraud falling. No, wait, I mean rising…

The number of frauds against plastic card accounts (e.g. credit or store cards) rose by 19% in first half of 2013 compared with the last six months of 2012. Frauds targeting loan products (personal unsecured loans and payday loans) also increased markedly over the same period.

[From Plastic card account fraud (e.g. credit or store cards) rose by 19% in first half of 2013]

It's not as if card fraud is the only kind of identity-based fraud that is on the increase either. Criminals are becoming steadily more sophisticated in their attempts to get control of accounts of all kinds. Here's the anatomy of this kind of scam.

The woman was targeted by a phishing email purporting to be from her bank. The email directed her to a web page, a replica of her bank's website. The fraudsters were sent her banking details after she entered them on the fake website. Her stolen details were then sold for £3,200 to another criminal network, who used a third fraudster to call the bank posing as the victim and have contact details associated with the account changed. Her [£1m] savings were stolen via online transfers to numerous accounts, including several controlled by other individuals.

[From Police arrest phishing gang]

A million quid payoff for a £3,200 investment in someone's bank log in details. No wonder "spear phishing" to get the credentials of wealthy customers is on the up. The costs of all of this fraud are not only the direct losses but all of the money that is wasted elsewhere in the economy dealing with it. Just as a proper assessment of the cost of card fraud should include the cost of PCI compliance, so the cost of identity fraud should include the wasted time, money and resources it triggers. This is probably best illustrated by a sequence of events in my own household recently. I'd logged in to my online banking portal to do something or other, and this message from my bank came up:

An increasing number of people have been falling for a persuasive phone scam known as 'vishing'. Be on alert so you can protect yourself against it. Fraudsters have been calling people and posing as someone from a bank's fraud investigation team, the police, a telephone or internet service provider, a utility company, etc. The scammers then try to get credit or debit card details, internet banking security codes, bank account details or other personal information.

A useful reminder about the dangers of this fast-growing category of crime. And it came just a day or two after I got letter from my bank talking about new and improved security for my account. Unfortunately, in order to take advantage of this new and improved security I have to call the telephone banking service, and since I never use the telephone banking services I have no idea what the passcode is. I don't know why they can't authenticate me using the same dongle that I use for Internet banking but whatever. So I can't say what the amazing new security is, only that there is some.

Anyway, while I was logged in, my mobile phone rang. I wasn't going to answer it, because it was an 0800 number, and I assume that 0800 numbers are double-glazing salesmen ("this isn't a sales call, we're conducting a survey of homeowners in your area"). Generally speaking, I don't answer my mobile unless the number shows as recognised. I figure if it's anything important, the caller will either leave a message or text me. But because I had been reading something about savings account interest rates on my portal, my brain was temporarily scrambled and I picked up the call. Here's how it went…

Me: Hello.

Suspected fraudster: Hello, this is [card issuer]. Can you answer a couple of security questions please?

Me: Who are you?

Suspected fraudster: This is [card issuer]. We need to talk to you about your account.

Me: Wait a moment.

I opened up another browser window and logged in to the issuer, pulling up the last few transactions.

Me: OK, I'm looking at my account right now. If you tell me the value of any one of my last ten transactions, I will answer your security questions.

Suspected fraudster: I can't do that.

Me: Why not?

Suspected fraudster: Data protection.

Me: OK, give me a number to call you back then.

Suspected fraudster: I can't do that, this is a call centre. But I will give you another number to call. Please call 0800 XXX XXXX.

Me: What is that number for?

Suspected fraudster: I can't tell you because it will divulge the nature of the call.

Me: Nice try. Bye.

At this point I hung up. Then, out of natural curiosity I googled 0800 XXX XXXX to see if it showed up on one of those fraud reporting web sites. It turned out to be the number for the fraud department of my card issuer. So I called it and was informed that there had been a transaction using a clone of my card at a supermarket in Michigan while I was in Copenhagen. As result, they were cancelling my card and a new one is on its way. I was going to call back and ask me if they could send me one with no stripe on it and automatically decline all further stripe or non-3DS transactions on that card, but had run out of energy at that point.

Now, on the one hand, you might say well done for spotting the suspicious transaction and calling me up. Since it is a card I use in the USA, they can't yet block all stripe transactions since, although I suppose they could block stripe transactions that occur in the US less than six hours after a PIN transaction in Europe. But my issuer has an excellent iPhone app that I use, so here are two suggestions for a better system.

1. Let me use my iPhone app to turn the card on and off, and
2. When you spot a suspicious transaction, message me via the app. Someone who steals the phone won't know the app PIN so they wouldn't be able to read the message.

If we had a real identity infrastructure, then the phone would have a key pair in tamper-resistant memory (either on the SIM, or in a Secure Element or within a Trusted Execution Environment) and the card issuer would send a message encoded using the public key, safe in the knowledge that it could only be decoded in the handset with the corresponding private key. Now that Apple has the Secure Enclave in the iPhone 5S, I'm sure it will only be a matter of time before I will be phone up my bank and mutual authenticate through that (using their public key, my private key and my fingerprint). Why doesn't mobile wallet infrastructure focus on obvious and important critical shared services such as these? This is the sort of question I will be asking at the GSMA Mobile Money Conference in New York on 14th-17th October 2013. Look forward to seeing you there.

But in case you aren't planning to make it to New York, we also have another splendid Consult Hyperion blog competition, also involving mobile wallets, for a free place at an event a bit closer to [our] home, Pay360 in London on October 2nd.

We are currently carrying out consumer research in the US about consumer attitudes to mobile wallets. We will select the winner from the commenters who correctly predict the type of organisation US consumers most trust to issue mobile wallets. The choices are banks, Google, telcos, retailers and 'no-one, I'd never use such an abomination'. Usual terms and conditions apply (no Chyp employees or contractors, prize awarded at our discretion, look left and right before you cross the road etc etc).

However, even if you don't win, my colleague Raymond Lee and I will be facilitating workshops at Pay360, which promises to be highly interactive and a bit more fun than the average conference so we do recommend that you attend.