PIN Debit Payments Blog
Aite Group asks the following questions:
1. Fraud is one of the main concerns of financial institutions today, but how should they go about preventing it? (Editor's Note: I say "eliminate" what causes fraud)
2. What technology or training should they put in place? (Editor's Note: HomeATM's PCI 2.x Certified 3DES DUKPT encryption enabled Internet Point of Sale Device. Don't need training. People already know how to "swipe" their card and "enter" their PIN. They've been doing it for years!)
3. What are some of the fraud schemes they need to guard against? (Editor's Note: Phishing, Keylogging, Counterfeit Cards, Cloned Bank Websites, DNS Hijacking, even Malware to an extent)
I ask one. Why in the heck are we "typing" our credit/debit card numbers into a box on a website?
It's obvious that "typing" is what has "empowered" the fraudsters. Fraudsters focus on "what is typed" (usernames/passwords and PANs) and "THAT" is what they are "swiping!" There is only "ONE" way to prevent them from swiping what we are typing.
STOP (Eliminate) "TYPING!"...& empower consumers to do their own "swiping."
Does this not make 100% complete sense to everybody reading this?
(if not, please leave a comment)
Again, I say stop trying to "prevent" it. It makes more sense to "eliminate" it. The most common fraud schemes used by the bad guys can be immediately eliminated by "eliminating" typing and replacing it with "swiping." So what threats would swiping eliminate?
Phishing: Phishing is the act of luring consumers into "typing" their username/password or credit/debit card number into a box on a website which looks genuine. There is no way to prevent that if you don't eliminate the act of "typing" to begin with. If financial institution customers were mandated to access their online banking accounts the same way they access their money at ATM's (swipe and enter PIN) phishing would be eliminated.
Keylogging: If consumers stopped "typing" (key stroking) then what good is "keylogging"? Hint: It isn't.
Counterfeit Cards: If consumers had to "swipe their card" and "enter their PIN" (two-factor authentication), then the counterfeit cards being used by fraudsters (who don't have the PIN) would be useless. Most counterfeit cards can be used online because all the user needs to do is "type" in the Primary Account Number (PAN). If they had to "swipe" the card and "enter the PIN" to conduct an online transaction, financial institutions would virtually eliminate the threat of counterfeit cards.
Cloned Bank Websites: A cloned bank website only works if the user is fooled into "typing" their username/password into the boxes provided by the bank for log-in. If users were instructed to "swipe their card" and "enter their PIN" then the encrypted data would mean nothing to the fraudsters. On the other hand, once they get a hold of your username and password, your bank account would be emptied faster than you can say..."What happened?"
DNS Hijacking: What good would it do to hijack the DNS of a financial institution if consumers no longer "typed" their PAN or Username/Password into boxes? If consumers "swiped" and "entered their PIN" for log-in, and the encrypted packet was never in the clear, they wouldn't be able to see the information. No see...no phish!
Malware: Even the effects of malware would be vastly reduced. The purpose of malware is to infect the user's PC so that when they visit financial institution websites, the malware can record pertinent information. Again, if users stopped "typing" in that "pertinent" information, it would become...well...impertinent. Right?
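To make the "encrypted packet never in the clear" argument concrete, here is an added illustration (my own example, not HomeATM's code or anything from the video) of what a phisher, keylogger or cloned site actually sees when the PIN is entered into a PED instead of a browser box. It builds a real ISO 9564-1 format 0 PIN block, but the DUKPT per-transaction key derivation and the 3DES cipher are replaced by HMAC-based stand-ins so it runs on the Python standard library alone; the device-id/counter layout of the KSN, the key and card values, and the class and function names are all constructed for the example.

```python
import hashlib
import hmac


def pin_field(pin: str) -> bytes:
    """ISO 9564-1 format 0 PIN field: 0, PIN length, PIN digits, padded with F."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field(pan: str) -> bytes:
    """Format 0 PAN field: 0000 + rightmost 12 PAN digits, check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block (8 bytes): PIN field XOR PAN field."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))


def transaction_key(base_key: bytes, ksn: bytes) -> bytes:
    """Stand-in for DUKPT key derivation: a fresh key per KSN, never reused."""
    return hmac.new(base_key, ksn, hashlib.sha256).digest()[:16]


def xor_keystream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for TDES: XOR with an HMAC-derived keystream (encrypt == decrypt)."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class PinEntryDevice:
    """Models a PED: the base key is injected at manufacture and never exported."""

    def __init__(self, device_id: bytes, base_key: bytes):
        self._device_id = device_id   # assumed 6-byte device id (constructed layout)
        self._base_key = base_key
        self._counter = 0             # transaction counter, the tail of the KSN

    def capture(self, pan: str, pin: str) -> dict:
        """Swipe and PIN entry happen inside the device; only ciphertext leaves it."""
        self._counter += 1
        ksn = self._device_id + self._counter.to_bytes(3, "big")
        key = transaction_key(self._base_key, ksn)
        return {
            "ksn": ksn.hex(),
            "epan": xor_keystream(key, b"pan", pan.encode()).hex(),
            "epb": xor_keystream(key, b"pin", pin_block(pin, pan)).hex(),
        }


class IssuerHost:
    """Verifies the encrypted PIN block and rejects a replay of a captured message."""

    def __init__(self, base_keys: dict, pins: dict):
        self._base_keys = base_keys   # device id -> base key shared at key injection
        self._pins = pins             # PAN -> reference PIN (an HSM-held PVV in reality)
        self._last_counter = {}

    def verify(self, msg: dict) -> bool:
        ksn = bytes.fromhex(msg["ksn"])
        device_id, counter = ksn[:-3], int.from_bytes(ksn[-3:], "big")
        base_key = self._base_keys.get(device_id)
        if base_key is None:
            return False
        # A phisher re-sending what it captured presents a counter already consumed.
        if counter <= self._last_counter.get(device_id, 0):
            return False
        self._last_counter[device_id] = counter
        key = transaction_key(base_key, ksn)
        pan = xor_keystream(key, b"pan", bytes.fromhex(msg["epan"])).decode(errors="replace")
        block = xor_keystream(key, b"pin", bytes.fromhex(msg["epb"]))
        if pan not in self._pins:
            return False
        return hmac.compare_digest(block, pin_block(self._pins[pan], pan))


def demo() -> dict:
    """Constructed sample: one device, one cardholder, one captured message replayed."""
    base_key = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed
    device_id = bytes.fromhex("ffff98765432")                       # constructed
    device = PinEntryDevice(device_id, base_key)
    host = IssuerHost({device_id: base_key}, {"4111111111111111": "1234"})
    first = device.capture("4111111111111111", "1234")
    second = device.capture("4111111111111111", "1234")
    return {
        "first_accepted": host.verify(first),
        "replay_rejected": not host.verify(first),        # cloned site re-sends it
        "ciphertext_differs": first["epb"] != second["epb"],
        "second_accepted": host.verify(second),
    }
```

Two things the block shows that the prose only asserts: the same card and PIN produce a different `epb` every swipe, so a message captured by a cloned site or by malware on the PC carries nothing that decrypts without the device's base key, and re-submitting it fails the KSN counter check at the host. In a deployed system the format 0 block would be TDES-encrypted under a real DUKPT key inside a PCI-certified PED, and the host side would run inside an HSM rather than comparing against a stored PIN.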
I did not view the video below but I did provide my take on what financial institutions can do to eliminate or vastly reduce fraud. I have a difficult time believing there are human beings on the face of this earth who actually think it is "safer to type" than to swipe. But I know they are out there.
I guess the more pertinent question is:
How did it come to be that they all chose to work in the ePayments Industry?
Want to hear what Aite has to say? Click below:
About the speaker:
Nick Holland is a senior analyst at Aite Group. To view the video, click the link below:
Related Posts on the PIN Payments Blog:
- It's the Typing Stupid!
- Nothing Phishy About PCI 2.0 Certified "Card Present 2FA" (pindebit.blogspot.com)
- Online Banking's Innate Security Flaws (information-security-resources.com)
- 3DES, DUKPT & E2EE Explained (information-security-resources.com)
- 70% of The Writing is On the Wall (pindebit.blogspot.com)
- New Standard for Encrypting Card Data in the Works - HomeATM Already Done (pindebit.blogspot.com)
- BofA Targeted by Malicious Code Phishing Attack (pindebit.blogspot.com)