Thursday, August 20, 2009

Attempted Card Not Present Fraud in China up 60%


Change Is Afoot for China’s Payment Market

London / Beijing, August 19, 2009. Retail Decisions (ReD), a card issuer and a world leader in fraud prevention and payment processing, today announced, in conjunction with Chinabank Payment (CBP), a leading payment service provider and a prepaid card issuer, that attempted card-not-present (CNP) fraud for China’s airline sector increased from 5% to 8%, representing a 60% increase over the last six months.

According to a recent Analysys International report, China’s online payment market will reach 538 billion Yuan (US$78.7 billion) in 2009, an increase of 128% compared with 2008. Analysys International predicts that China’s online payment market will reach 1.67 trillion Yuan (US$244 billion) in 2012. With increasing volumes, Chinese merchants can expect card-not-present (CNP) fraud to increase dramatically in the coming years.

Editor's Note: I hate sounding like a broken record, but if you want to reduce CNP fraud, eliminate the CNP environment.

Provide consumers with a way to "swipe" their card for online shopping. Problem solved. When they "swipe" their card, it has to be present. When they type card numbers into a box, we don't know where the heck these jokers got the numbers from.

There are two choices. Either provide an environment which enables customers to swipe their card information, or continue letting the fraudsters do it.

“The growth in China’s payment market is incredible, however there are significant changes occurring with the government initiatives to shut down online gambling and adult content sites prior to National Day as well as the impending issuance of the Electronic Payments License,” said Mr. Zhao Guodong, Founder of Chinabank Payment. “The market is becoming tightly regulated and that is why, now more than ever, CBP’s strategic objective of becoming China’s most safe and secure payment service provider is vital. ReD is helping us achieve that objective and together we will continue to have a remarkable effect on payment security in China.”

ReD has been working with CBP for more than a year leading up to today’s announcement. CBP deploys one of ReD’s signature products, ReD Shield, the CNP fraud prevention service, which provides a real-time risk assessment to online retailers. Currently CBP has 30 Chinese merchants using this leading edge technology, helping clients to manage international fraud exposure.

“In the Chinese market alone, ReD saves its merchants up to 1 million Yuan (US$146,000) each per month with ReD Shield.” said Carl Clump, Retail Decisions CEO. “CBP has taken the threat of fraud very seriously, implemented ReD Shield and is now reaping the benefits through protecting its merchant base.”

ReD Shield is a fully outsourced, real-time CNP fraud prevention service that significantly reduces fraud while increasing merchants’ revenue. The service combines neural technology with customized, merchant-specific velocity and compound rules coupled with ReD’s expertise, providing a real-time risk assessment recommendation which allows merchants to find the precise balance between preventing fraudulent transactions and maximizing good transactions. Some of ReD’s outstanding Chinese merchants include Air China, CTrip, eLong and China UnionPay Data amongst others.
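The paragraph above names velocity rules and compound rules as the building blocks of real-time CNP risk assessment. The following is an added illustration of what such rules look like in code; it is not ReD Shield's code or rule set, and the thresholds, weights, tokenised card references and sample transactions are all constructed for the example.

```python
"""Velocity and compound rules for card-not-present risk scoring.

Added illustration, not ReD Shield's code or rule set: a minimal engine that
scores each transaction against the ones seen before it in a sliding window.
Thresholds, weights and the sample transactions are all constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Txn:
    ts: int            # seconds since epoch (constructed sample values)
    card: str          # tokenised card reference, never the raw PAN
    ip: str            # client IP seen by the merchant
    amount: float      # order value
    bin_country: str   # issuing country from the card's BIN
    ship_country: str  # shipping destination


class RuleEngine:
    """Keeps per-card and per-IP history so velocity rules can look back."""

    def __init__(self, window_s=3600):
        self.window_s = window_s
        self.history = defaultdict(deque)

    def _recent(self, key, now):
        q = self.history[key]
        while q and now - q[0].ts > self.window_s:   # drop entries outside the window
            q.popleft()
        return list(q)

    def score(self, t):
        score, reasons = 0, []
        by_card = self._recent(("card", t.card), t.ts)
        by_ip = self._recent(("ip", t.ip), t.ts)

        # Velocity rule: the same card attempted 4+ times in the window.
        if len(by_card) >= 3:
            score += 40
            reasons.append("card_velocity")
        # Velocity rule: one IP cycling through 4+ distinct cards (card testing).
        if len({x.card for x in by_ip}) >= 3:
            score += 50
            reasons.append("ip_card_spread")
        # Compound rule: cross-border shipping AND a high order value together.
        if t.bin_country != t.ship_country and t.amount > 500:
            score += 30
            reasons.append("xborder_high_value")

        self.history[("card", t.card)].append(t)
        self.history[("ip", t.ip)].append(t)
        decision = "decline" if score >= 70 else "review" if score >= 30 else "accept"
        return decision, score, reasons


def run_sample():
    """Replays constructed traffic; returns (decision, score, reasons) per transaction."""
    engine = RuleEngine()
    sample = [
        Txn(0,   "tok-A", "198.51.100.7", 50,  "CN", "CN"),
        Txn(60,  "tok-B", "198.51.100.7", 60,  "CN", "CN"),
        Txn(120, "tok-C", "198.51.100.7", 70,  "CN", "CN"),
        Txn(180, "tok-D", "198.51.100.7", 80,  "CN", "CN"),   # 4th distinct card from one IP
        Txn(200, "tok-D", "203.0.113.9",  900, "CN", "US"),   # cross-border, high value
        Txn(300, "tok-D", "203.0.113.9",  10,  "CN", "CN"),
        Txn(400, "tok-D", "203.0.113.9",  10,  "CN", "CN"),   # 4th use of tok-D
        Txn(600, "tok-D", "203.0.113.9",  900, "CN", "US"),   # velocity + compound rule
    ]
    return [engine.score(t) for t in sample]


if __name__ == "__main__":
    for decision, score, reasons in run_sample():
        print(decision, score, reasons)
```

The point of the compound rule is that neither a cross-border order nor a high amount is suspicious on its own; only their combination, or their combination with a velocity hit, crosses the decline threshold. A production system would key history on a card token from the processor rather than anything derived from the PAN itself.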

CBP currently works with 20 banks in China, including Bank of China, Industrial and Commercial Bank of China, China Merchants Bank and Agricultural Bank of China. For the past two years, Bank of China has named the company Partner of the Year. CBP operates as a 3rd Party Payment Provider and is a Prepaid Card issuer. It was one of the first companies to offer online payment services and is consistently viewed as a reliable and secure system. On the prepaid card side, it works with retailers in a range of industries including retail, travel – including airlines and hotels – international trade and online gaming.

For the complete analysis of fraud trends in China contact Retail Decisions.


About Retail Decisions

Retail Decisions (ReD) is a payment card issuer and world leader in card fraud prevention and payment processing. A specialist supplier to the payments industry worldwide, ReD has over 20 years' experience in the fraud prevention market. Its blue-chip international clients come from the global telecommunications, retail, travel, petroleum, banking and the broader e-commerce sectors. They include Wal-Mart, Macy's, Bloomingdale's, Sears, Texaco, Shell, Asda, Boots, John Lewis, The Carphone Warehouse, Comet, Travelocity, T-Mobile and Virgin Mobile.

The company has offices in the United States, UK, Mainland Europe, Australia, China and South Africa with representation in India, Japan, and South America. For more information about ReD, please visit:

About Chinabank Payment

Chinabank Payment (CBP) [Ebank Online (Beijing) Technology Co., LTD.] is a leading payment service provider based in Beijing. Founded in 2003, Chinabank Payment has provided secure solutions for online payments for ecommerce enterprises and individuals. Clients include Microsoft China, China Unicom, Nokia, Hewlett-Packard, Kingsoft, Digitalchina, Scitechgroup, Phoenix TV, Xiamen Airlines, CYTS, Holiland Cake, China-pub, Ticketone, Shanghai Teacher University, Beijing Normal University and CERNET Corp. It works with a range of industries including retail, service and high-tech.

CONTACTS:

Carl Clump, Chief Executive Officer, Retail Decisions Ltd, Tel: +44 (0) 1483 728700
Gwyneth Pritchard, Head of Group Marketing, Retail Decisions Ltd, Tel: +44 (0) 1483 794932

April Yang, Chinabank Payment, Tel: +86 134 6655 4170
Tammy Tian, Public Relations, Ogilvy, Tel: +86 10 8520 6114


Did You See the HomeATM Finovate Startup '09 Live Demo?


HomeATM's Weapon of "Phish Destruction"...

There are a lot of banking promotions cropping up designed to "lure" customers over.

Want to lure them over? Use phishing. Did I just say "use phishing" to lure them over? I did.

$100 isn't going to do it. When it comes to innovative marketing ideas, bribing a customer has never been near the top of the list. But...instead of customers being lured away from your bank by becoming a victim of phishing, "lure" them to your bank by using "phishing" as bait. It'll work hook, line and sinker.

Here's what I'm thinking. How about running an innovative promotion in which a bank guarantees their customer is 100% protected from phishing? If you lure them by protecting them from the bad guys (which would also protect the thousands of dollars, not $100, in their bank account), you would attract more customers than $100 would attract AND, at the same time, enhance your bank's image. It's all about security. Here's proof:

HALF (49%) Would Consider Changing Banks Following Card Fraud...22% "Would" Change Banks!

Editor's Note: Wow, if I was a financial institution offering "online banking," that headline would haunt me 24 hours a day until I figured out a way to either change it or use it to create an opportunity for my online bank to flourish.

My first thought would be: "If 50% would consider changing banks AFTER they get hit by card fraud/online banking/phishing fraud, how many would consider changing banks to AVOID getting hit?"

And to which competitor would they go?

I'd conclude that if they "left because of insecurity" they would probably "come on board BECAUSE of security."

So if I wanted to open a portal for dissatisfied online banking customers, I would use a uniquely positioned product to ensure my customers' security. I'm thinking Swipe vs. Type here. Then I would think...how many potential customers could my bank procure by "guaranteeing" online security? Research would determine if it was millions or only "hundreds of thousands." I think I made my point. If not, I challenge you to continue reading...

Banks have a "serious issue" with phishing and I am suggesting that there is a low-cost solution to completely eliminating this on-going threat.
Eliminate typing and you'll eliminate phishing. First a quick backgrounder...

The nature of this beast known as "phishing" is to lure these online banking folks with a sophisticated and genuine-looking trap which includes genuine-looking emails which provide links to genuine-looking sites. (a new "type" of bait and switch)

Once there, users are simply instructed to do what they've been programmed to do since day one with online banking. And therein lies the problem...
They are told to "type" in their username and password to log-in.

Problem is, once they "type" in their "username | password" they provide full access to their accounts to the phisheries.

If you haven't figured it out already (something phishy goin' on here), allow me to point out the major flaw in this process...

If online banking customers had not originally been programmed to "type" anything into a box in the first place, then this type of phishing would not have cropped up in the second place. A simple case of "cause and effect."

Case in point: Imagine, if you will, that when ATMs first came out, users were instructed to "make up" a username and password which would have provided full access to ATMs. How smart would that have been?

Fortunately the banks were smarter than that and they required that their ATM customers insert their card into a built-in card reader AND enter their PIN. Two factor authentication 101: what you "have" (card) and what you "know" (PIN).

Why should it be any different for online banking log-in?

What has happened since then to make them believe "typing" is safer than "swiping?" Why are they suddenly dissin' the card?

Window of Opportunity

Instead of dissin' the card, I say "DISCARD" the antiquated username and password log-in process and instruct customers to "USE THEIR CARD" (what they have) and their PIN (what they know), thereby replicating the exact same process these customers use to gain access to an ATM.

True 2FA. The only difference would be that authentication would be done in the safety (no skimmers/no cameras) of the online banking customer's own home...with a PCI 2.x certified (not compliant..."certified") personal PIN Entry Device. (providing 2FA 3DES E2EE DUKPT Security)

If the online banking community introduced their customers to a simple (not) new log-in process, one whereby they require that their online banking customers log in the "same way" they do at ATMs, "swiping" with "THEIR CARD" and securely entering "THEIR PIN," they would greatly enhance the security of their online banking sites.

This two factor secure log-in would eliminate the issues they are having with these phishing attacks altogether. A secure 2FA 3DES E2EE DUKPT log-in would also eliminate threats created by cloned bank websites, cloned cards, DNS Hijacking, etc. The data is never in the clear, so when it comes to becoming a victim of fraud, your customer is in the clear.

In effect, banks would be arming their online banking customers with a weapon of phish destruction, one that fights cybercrime and "empowers" them as mini-profit centers. Does anyone disagree with the statement that "Bill Payments, Money Transfers, and secure online transactions" ALL make money for banks? (again, see previous post)

That said, I humbly suggest it's high time to "study three key issues" more closely.

Let's look at "these issues" one at a time:

    • Bank "ISSUES" the Card,
    • Bank "ISSUES" the PIN,
    • Bank "ISSUES" a $12 PCI 2.x Certified 2FA 3DES E2EE DUKPT Secure Card/PIN Reader

$12! Yes (in quantity)...banks could save $88 per customer (compared to Citi's offer above) and PROTECT their customer. Protect them from what? Did you know that the average phishing attack costs the bank and the bank customer $350? Want proof?

Okay, here it is from Gartner Research:

According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks.

(A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.)

The average loss was $352 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (sounds like the $100 bribe above is lost in the first phishing attack to me)

"The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner.

(Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)

Want to read more on this subject? Scroll down to the next post. I'll make it here.


Card Fraud Expected to Increase in US...Yet We're Still Typing and Hackers are Still Swiping!

Aug 19, 2009 (Datamonitor via COMTEX) - excerpts in blue

Card fraud is expected to increase in the US with the country still no nearer to introducing the chip and PIN technology which has proved successful in Europe.

With fiscal pressures particularly evident in the current economic climate, technology vendors are rushing to pilot alternative solutions to the costly chip and PIN option.

Editor's Note: This might sound a little too simple, but an obviously less costly solution than Chip and PIN technology would be the elimination of signature debit. PIN Debit for every debit transaction. Simple, easy and not at all costly. Signature Debit fraud is more than 10 times higher than PIN Debit fraud. Besides, it's the preferred form of payment by both consumers and merchants alike.

Chip and PIN increases CNP (Card Not Present) fraud. Fraud is like water in that it finds the path of least resistance. If it finds resistance it moves to where there is none.

Chip and PIN resists fraud at brick and mortar locations, but increases the opportunity for fraud to occur where Chip and PIN is not required...which is in the CNP world. (i.e. Online Shopping)

Therefore, let's turn our attention to how we can increase resistance. The first question I have is why on earth "signature" debit is used for E-Commerce. What signature are they talking about? Where do I sign? Typing your card number into a box does not constitute a signature in my book.

Signature Debit is "offline debit" and was not designed for "online shopping." On the other hand, PIN Debit is "online debit," and "Online Debit for Online Shopping" sounds like a perfect fit to me.

It makes more sense to use PIN Debit's encrypted and built-in two factor authentication anyway.

So I say simply eliminate the use of "offline debit" for "online shopping."

Doing so would provide for the elimination of typing credit and/or debit card numbers into a box in a web browser. Typing is the cause. Hacking is the effect. But let's take it a step further. It's not just about two-factor authentication. It's about eliminating the CNP environment altogether.

With HomeATM, when the cardholder swipes their card (Card Present), the cardholder data is "instantaneously" encrypted "inside our device", and thus provides complete "Zone 1 through Zone 5" true "end to end" encryption. We now have an environment that is "exponentially" more secure than typing.

By eliminating "typing" and mandating "swiping" we have eliminated the CNP (path of least resistance) environment, and the threats posed by phishing, cloned bank websites, malware and DNS Hijacking are eliminated as well.

It's really not that difficult a concept to comprehend. I suppose I can make it sound more technical...the formula to secure transactions is: 2FA E2EE 3DES DUKPT

(Two-Factor Authentication, End-to-End Encryption, Triple Data Encryption Algorithm, Derived Unique Key Per Transaction...see, simple!)

Not? Here's a primer: 3DES, DUKPT & E2EE Explained
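The "2FA E2EE 3DES DUKPT" formula above bundles several ideas: the card (what you have) and PIN (what you know) are captured inside a device, encrypted there under a key that is used for exactly one transaction, and only the host holding the base key can reproduce that key. The following is an added example written to show those properties end to end; it is not HomeATM's firmware and not the ANSI X9.24 DUKPT algorithm. Because the Python standard library has no block cipher, an HMAC-SHA256 key derivation stands in for the 3DES-based DUKPT key ladder and HMAC in counter mode stands in for 3DES encryption; the base key, device serial and test PAN are constructed values.

```python
"""Per-transaction keys plus end-to-end encryption, in miniature.

Added illustration, not HomeATM's firmware and not ANSI X9.24 DUKPT: an
HMAC-SHA256 KDF stands in for the 3DES key ladder and HMAC-in-counter-mode
for 3DES, since the standard library has no block cipher. The properties
shown are the ones that matter: the host re-derives the same key from
(device serial, transaction counter), every key is used once, a replayed
counter is rejected, and one transaction key opens no other transaction.
"""
import hashlib
import hmac
import os

BASE_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210" * 2)  # constructed; injected at manufacture
DEVICE_ID = b"SLIM-DEMO-0001"                                       # constructed device serial


def derive_txn_key(base_key, device_id, counter):
    """KSN-like input (serial + counter) -> a one-shot 32-byte transaction key."""
    ksn = device_id + counter.to_bytes(4, "big")
    return hmac.new(base_key, b"txn-key|" + ksn, hashlib.sha256).digest()


def keystream(key, nonce, length):
    """PRF in counter mode: HMAC(key, nonce || block) concatenated to `length`."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key, plaintext):
    """nonce || ciphertext || 16-byte MAC, so tampering is detected before decryption."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class Device:
    """The PIN entry device: card data and PIN never leave it unencrypted."""

    def __init__(self, base_key, device_id):
        self._base, self.device_id, self.counter = base_key, device_id, 0

    def swipe(self, track_data, pin):
        self.counter += 1
        key = derive_txn_key(self._base, self.device_id, self.counter)
        payload = encrypt(key, track_data + b"|" + pin)
        del key                      # the transaction key is discarded after one use
        return self.device_id, self.counter, payload


class Host:
    """The issuer/processor side: re-derives the key and refuses replays."""

    def __init__(self, base_key):
        self._base, self.seen = base_key, set()

    def receive(self, device_id, counter, payload):
        if (device_id, counter) in self.seen:
            raise ValueError("replayed transaction counter")
        self.seen.add((device_id, counter))
        key = derive_txn_key(self._base, device_id, counter)
        return decrypt(key, payload)


def demo():
    """Returns (host decrypts both swipes, key 1 opens swipe 2, replay accepted, payloads differ)."""
    dev, host = Device(BASE_KEY, DEVICE_ID), Host(BASE_KEY)
    track, pin = b"4111111111111111=2512", b"1234"     # constructed test PAN and PIN
    msg1, msg2 = dev.swipe(track, pin), dev.swipe(track, pin)
    ok = host.receive(*msg1) == host.receive(*msg2) == track + b"|" + pin
    try:
        decrypt(derive_txn_key(BASE_KEY, DEVICE_ID, 1), msg2[2]); cross = True
    except ValueError:
        cross = False
    try:
        host.receive(*msg1); replay = True
    except ValueError:
        replay = False
    return ok, cross, replay, msg1[2] != msg2[2]


if __name__ == "__main__":
    print(demo())
```

Two of the four results are the ones a reviewer should look for: the key derived for transaction 1 fails the integrity check on transaction 2, and the same (serial, counter) pair presented twice is refused. Real DUKPT adds a non-reversible key ladder so that a compromised device cannot reveal its own past keys either; this sketch only shows the host-side consequences.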

The article continues:

With the recent adoption of chip and PIN technology in Canada and Mexico, following its successful adoption in Europe, fraudsters are expected to increasingly target the US market. (especially the CNP market)

A recent survey by Actimize found that around 66% of bankers, card issuers or payment processors anticipate US card fraud levels to increase. As the number of cases of attempted fraud threatens to rise in the US, local banks, card issuers and payment processors will come under increasing pressure to find a solution that reduces their liability. (how about 2FA E2EE 3DES DUKPT?)

Knowing which technology solution to choose is not a simple decision, (au contraire...there's a very simple solution when it comes to CNP fraud. Eliminate the CNP environment by providing consumers with a device that allows them to prove "card presence" with the swipe of a card.) with many factors such as the current infrastructure and IT budget likely to drive the final determination.

Fraud prevention and detection solutions are expensive, and it is hard to say that they guarantee business development. However, a lack of detection/prevention of fraud attempts may lead to even more significant costs within banks.

Fraud losses comprise not only the actual amount that is stolen, but also labor costs related to investigation and managing fraud cases. These costs can be up to five times higher than the stolen amount, and are rarely published by banks. As such, identifying a suitable alternative to the costly chip and PIN solution is a sound strategic move.

Editor's Note 2: Stop with this "fraud prevention and detection" jargon. It's the wrong mindset. We should be talking "elimination." Eliminate typing, eliminate the CNP environment, and you're done. Simply admit to the fact that the web is not safe and have consumers utilize the same process used to access "cash" at an ATM. Swipe their card, enter their PIN.

There is only one PCI 2.x certified device in the world specifically designed for E-Commerce, and our Slim version (depicted in all the pictures) can be had for as little as $12 each in quantity.

Banks could give it away at a fraction of the cost they are spending to give away Smokey Joe Grills, or other useless (when it comes to securing transactions) promotions. And it would attract online banking customers like typing attracts hackers!

Our device would enhance a financial institution's reputation, create a branding strategy and secure more business and more customers for their financial institution. How? Here's how...

Slim is perfect for online banking log-in, for a financial institution's internal P2P money transfer application, and is more secure than any current payment mechanism available for online shopping. Want proof? Here ya go:

Aug 14, 2009

Commissioned by CashEdge in June 2009, the survey polled more than 850 consumers nationwide aged 18 years and older who use online banking capabilities. These respondents described themselves as bank customers (76 percent), credit union ...

Jul 29, 2009

So if I wanted to open a portal for dissatisfied online banking customers, I would use a uniquely positioned product to ensure my customers security. I'm thinking Swipe vs. Type here. Then I would many potential customers ...

Aug 05, 2009

But HomeATM has gotten the price down to the point that banks could literally give them away...thus empowering their online banking customers to not only log-in securely but pay bills in real-time, send or receive money in real-time and ...

Aug 17, 2009

The first step to prevent online banking fraud is to secure the log-in process. It's not a difficult concept to comprehend. Instead of giving away Smokey Joe's, Toasters, Fans, Tupperware, etc. banks need to start giving away something ...



What Causes Financial Fraud? (It's the Stupid Typing!)

Aite Group asks the following questions:

1. Fraud is one of the main concerns of financial institutions today, but how should they go about preventing it? (Editor's Note: I say "eliminate" what causes fraud)

2. What technology or training should they put in place? (Editor's Note: HomeATM's PCI 2.x Certified 3DES DUKPT encryption enabled Internet Point of Sale Device. Don't need training. People already know how to "swipe" their card and "enter" their PIN. They've been doing it for years!)

3. What are some of the fraud schemes they need to guard against? (Editor's Note: Phishing, Keylogging, Counterfeit Cards, Cloned Bank Websites, DNS Hijacking, even Malware to an extent)

I ask one. Why in the heck are we "typing" our credit/debit card numbers into a box on a website?

It's obvious that "typing" is what has "empowered" the fraudsters. Fraudsters focus on "what is typed" (usernames/passwords and PANs) and "THAT" is what they are "swiping!" There is only "ONE" way to prevent them from swiping what we are typing.

STOP (Eliminate) "TYPING!"...& empower consumers to do their own "swiping."

Does this not make 100% complete sense to everybody reading this?

(if not, please leave a comment)

Again, I say stop trying to "prevent" it. It makes more sense to "eliminate" it. The most common fraud schemes used by the bad guys can be immediately eliminated by "eliminating" typing and replacing it with "swiping." So what threats would swiping eliminate?

Phishing: Phishing is the act of luring consumers into "typing" their username/password or credit/debit card number into a box on a website which looks genuine. There is no way to prevent that if you don't eliminate the act of "typing" to begin with. If financial institution customers were mandated to access their online banking accounts the same way they access their money at ATMs (swipe and enter PIN), phishing would be eliminated.

Keylogging: If consumers stopped "typing" (key stroking) then what good is "keylogging"? Hint: It isn't.

Counterfeit Cards: If consumers had to "swipe their card" and "enter their PIN" (two factor authentication) then the counterfeit cards being used by fraudsters would be useless (where the fraudster doesn't have the PIN). Most counterfeit cards are enabled to be used online because all the user needs to do is "type" in the Primary Account Number (PAN). If they had to "swipe" the card and "enter the PIN" to conduct an online transaction, financial institutions would virtually eliminate the threat of counterfeit cards.

Cloned Bank Websites: A cloned bank website only works if the user is fooled into "typing" their username/password into the boxes provided by the bank for log-in. If users were instructed to "swipe their card" and "enter their PIN" then the encrypted data would mean nothing to the fraudsters. On the other hand, once they get a hold of your username and password, your bank account would be emptied faster than you can say..."What happened?"

DNS Hijacking: What good would it do to hijack the DNS of a financial institution if consumers no longer "typed" their PAN or Username/Password into boxes? If consumers "swiped" and "entered their PIN" for log-in, and the encrypted packet was never in the clear, they wouldn't be able to see the information. No phish!

Malware: Even the effects of malware would be vastly reduced. The purpose of malware is to infect the user's PC so that when they visit financial institution websites, the malware can record pertinent information. Again, if users stopped "typing" in that "pertinent" information, it would become...well...impertinent. Right?

I did not view the video below but I did provide my take on what financial institutions can do to eliminate or vastly reduce fraud. I have a difficult time believing there are human beings on the face of this earth who actually think it is "safer to type" than to swipe. But I know they are out there.

I guess the more pertinent question is:

How did it come to be that they all chose to work in the ePayments Industry?

Want to hear what Aite has to say? Click below:

About the speaker:

Nick Holland is a senior analyst at Aite Group. To view the video, click the link below:


Twitter Being Used by Hackers to Control Botnets

Popular social networking site Twitter is being used to control botnets, according to Jose Nazario, a Senior Security Researcher at Arbor Networks. Botnets are computers infected with malware that allows them to be commandeered by hackers. Nazario says that he stumbled upon one such Twitter account, though it has since been reported and taken down.

The key challenge of building botnets, for hackers, has always been how to control them. Years ago, this used to be done via IRC channels, which infected computers would visit in order to receive their commands. These have proven to be relatively easy to track down, though.

By switching to Twitter, hackers are leveraging not only the server infrastructure of the social networking site but also the publicly known APIs used for posting and viewing tweets. And compared to earlier methods that saw hackers putting down money to purchase domains for their bots, creating a user account on Twitter costs them nothing.

Finally, using Twitter also makes it difficult for anti-malware applications to differentiate between a legitimate visit and the behavior of an infected workstation. Talking about the use of Twitter to host a botnet, Nazario said to The Inquirer, "I wouldn't call it rocket science, but it's effective."

For more on this story, check out this article at The Inquirer.
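The article's last point is the defender's problem: a bot fetching a public Twitter timeline looks, connection by connection, like a user reading Twitter. What differs is the rhythm. The following is an added example, not from the article or from Arbor Networks, of a small beaconing detector run over constructed proxy log lines: it groups requests by (client, URL), measures how regular the intervals between them are (coefficient of variation of the gaps), and flags low-jitter pollers; the account name, hosts and User-Agent strings in the log are all constructed.

```python
"""Spotting command-and-control polling hidden in traffic to a popular site.

Added example, not the article's or Arbor Networks' code. The constructed log
has one host fetching the same timeline feed about once a minute with a script
User-Agent, and one real user whose visits to twitter.com are irregular. The
detector flags (client, url) pairs whose request intervals barely vary.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso-timestamp> <client> <method> <url> \"<user-agent>\""
LOG = """\
2009-08-20T10:00:03 10.0.0.5 GET http://twitter.com/statuses/user_timeline/constructed_account.rss "python-urllib/2.6"
2009-08-20T10:00:10 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
2009-08-20T10:00:25 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
2009-08-20T10:01:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/constructed_account.rss "python-urllib/2.6"
2009-08-20T10:02:04 10.0.0.5 GET http://twitter.com/statuses/user_timeline/constructed_account.rss "python-urllib/2.6"
2009-08-20T10:03:03 10.0.0.5 GET http://twitter.com/statuses/user_timeline/constructed_account.rss "python-urllib/2.6"
2009-08-20T10:04:01 10.0.0.5 GET http://twitter.com/statuses/user_timeline/constructed_account.rss "python-urllib/2.6"
2009-08-20T10:05:04 10.0.0.5 GET http://twitter.com/statuses/user_timeline/constructed_account.rss "python-urllib/2.6"
2009-08-20T10:06:02 10.0.0.5 GET http://twitter.com/statuses/user_timeline/constructed_account.rss "python-urllib/2.6"
2009-08-20T10:07:03 10.0.0.5 GET http://twitter.com/statuses/user_timeline/constructed_account.rss "python-urllib/2.6"
2009-08-20T10:07:40 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
2009-08-20T10:12:01 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
2009-08-20T10:12:09 10.0.0.9 GET http://twitter.com/home "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse(log):
    """Yields (timestamp, client, url, user_agent); malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, _method, url, ua = m.groups()
        yield datetime.fromisoformat(ts), client, url, ua


def find_beacons(log, min_hits=5, max_cv=0.15):
    """Flags (client, url) pairs polled at a near-constant interval."""
    groups = defaultdict(list)
    for ts, client, url, ua in parse(log):
        groups[(client, url)].append((ts, ua))

    findings = []
    for (client, url), hits in groups.items():
        if len(hits) < min_hits:          # too few samples to judge regularity
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0   # jitter relative to the period
        if cv <= max_cv:
            findings.append({
                "client": client,
                "url": url,
                "hits": len(hits),
                "mean_gap_s": round(avg, 1),
                "cv": round(cv, 3),
                "browser_ua": any("Mozilla" in ua for _, ua in hits),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(LOG):
        print(f)
```

The human user also reaches the five-hit minimum on one URL, so hit counts alone would not separate the two; it is the interval regularity that does. Real bots add jitter, so in practice the threshold is tuned against a baseline, and the User-Agent field is a corroborating signal rather than a rule on its own.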


PayPal Named Top 10 "Breakaway Brand"

From the PayPal Blog:

PayPal Recognized as Top Breakaway Brand

Hi everyone, Anuj from the communications team here with a question: What do Special K, Hallmark and PayPal all have in common? Well…according to a study released last week by AOL DailyFinance and Landor Associates, we are three of the top 10 Breakaway Brands in 2009.

PayPal was selected along with other brands like Google and Apple as well as National Geographic, Trader Joe’s, Payless, Superbowl and my personal favorite (apart from PayPal of course), Häagen-Dazs. The top 10 were chosen from 2,500 global brands. The brands were ranked based on both relevance – how appropriate the brand is for consumers and whether they want it in their lives; and differentiation – how strongly a brand stands out and offers something special.

Here’s what they had to say about PayPal:

“Once a staple of the digiterati and eBay users, PayPal entered the vernacular over the last three years as more and more people have come to see it simply as an easy way to pay for things and send or receive money online. A merchant’s darling because of its lower-than-credit-card service fees, PayPal is also a favorite with customers without cards or those who are especially concerned about security (the PayPal “P” is a symbol synonymous with safe online transactions). PayPal bolstered its brand by introducing mobile payment options and merchant services such as online invoicing, express checkout, and recurrent billing.”

We’re honored that PayPal is viewed as a brand that helps create trends, while remaining true to its core brand promise.

To check out the full list of top Breakaway Brands of 2009, please go here.
