By Nancy Zayed and Sam Shawki
It is counterintuitive, but eCommerce fraud is about to go through the roof, especially now that we have new secure technologies like Apple Pay, NFC, tokenization and, more importantly, the EMV chip in credit and debit cards.
Like a great twist in a Chris Nolan movie, the move to chip cards by 2015 creates what experts call a fraud shift: fraud will move from areas with improved security to areas where the system is most vulnerable.
Adding a chip to your card makes it extremely hard to clone, so fraud at the point-of-sale becomes much harder to achieve. This puts a huge dent in the substantial income of fraudsters and cybercriminals, leaving them no choice but to focus most of their efforts on remote payments fraud. They need to make up for all their losses by defrauding mobile payments, eCommerce, and all transactions that Visa and MasterCard label “Card Not Present” (CNP).
How do we know this? It has happened before. When Europe adopted chip cards several years back, eCommerce fraud increased substantially.
This chart from First Data compares U.K. card fraud losses by type between 2000 and 2010. The data clearly shows that lost/stolen or counterfeit cards declined while remote payment or CNP fraud became the source of almost two-thirds of all fraud losses.
Don’t worry, this is still a positive story
Also counterintuitively, being several years behind Europe on chip cards may not be a bad thing at all. In fact, it may be the best thing that happened to eCommerce in the U.S. since 1995, when I was at Netscape helping build the first commercially successful browser. One of the reasons that eCommerce volume in Europe remains tiny compared to the U.S. is the fraud shift that the U.S. has managed to avoid so far.
Now that we have smart devices and we know how to secure them, this is the right time to start the upgrading process.
What are endpoints?
While many in-network fraud detection systems like FICO’s Falcon (pictured at the top) are great, they are much more effective at dealing with transactions at the store, where there is a point-of-sale system that is tamper-proof and certified secure and, more importantly, where the cardholder is in the store looking the store clerk in the eye, ready to show her ID – and there is no one between the payer and the payee to compromise the integrity of the transaction. In this scenario the point-of-sale terminal is a system endpoint and the cardholder is also a secure endpoint (the consumer is present in the store, has an ID to show, and a card to visually verify).
By contrast, in eCommerce an iPhone, a laptop, a Galaxy tablet, and soon a connected car or a fridge replace those two secure endpoints with only one new endpoint that is naturally less verifiable and more vulnerable, producing a fresh sweet spot for attackers and creating the weakest link of the payments chain.
Securing the endpoints is not easy
So how do we combat this fraud shift to remote payments? We need to accelerate the development and adoption of secure frameworks that can safely transport sensitive data and transactions across systems, clouds, mobile, and other devices. These frameworks need to be independent of hardware, operating systems or device manufacturers, which means they need to be abstracted in software that can run on all kinds of systems and devices. We need to be able to connect the payer and the payee in bulletproof ways that are near identical to being physically in the store. Additionally, these frameworks need to ensure that the data is not tampered with, and that the cardholder’s true identity is verified and attested remotely.
It is crucial for commerce and for the global economy to secure the system where it is most vulnerable. Unfortunately, this is not currently the case. Most of the current efforts seem to be focused in-network, leaving the endpoints – whether they are smartphones, tablets, laptops, or other connected devices – up for grabs to fraudsters and cybercriminals.
Sam Shawki, CEO, and Nancy Zayed, CTO, are founders of MagicCube, a digital commerce security start-up based in Sunnyvale, CA. Nancy is an expert in mobile devices, having spent the last decade working on the OS group at Apple. Sam has led several payment companies throughout his career, and most recently he led the Global Remote Payments Business Unit at Visa Inc. You can find both on Twitter @sshawki and @zayena.