The Goodwill Group
At the front in the fight against CNP fraud

"45 per cent of attempted transactions are fraudulent"


STOP PRESS....................
Barclaycards 'hit by fraudsters'
A bill for £10,000 on a credit card would be a concern for most people - but imagine if that spending was not by the cardholder, but by fraudsters in a single day.

New credit card scam hits auctions
AUCTIONEERS are being warned about a gang of fraudsters targeting sales by using illegally obtained credit card information

Trainee accountant was 'inside man' in £470k
bank scam

A TRAINEE accountant used his position as a credit card controller to become the inside man for a £470,000 fraud at HBOS, a court heard.


Contact Us

Call now and talk to one of our CNP Fraud experts.
TEL: 01243 842395

Email: enquiries thegoodwillgroup.com

FAQs

There has always been confusion as to the security aspects of credit and debit cards. Uncertainty of what all the different codes mean for example. So here we have listed the most common questions that we are asked .

What is AVS?
What is CV2
How CV2 can be compromised
3D SECURE - Verified By VISA, SecureCode by Mastercard, what are they?
DYNAMIC PASSCODE Authentication, What is it

AVS - Address Verification Service

Was designed to provide an automated address check at the time of authorisation. Visa figures in 2003 suggested that 75% of authorisations resulted in a positive match of the remainder, 10% were fraudulent. Therefore 22.5% of transactions would fail AVS yet would be genuine!

AVS works reasonably well, but is easy to compromise. Useful as a part of an overall fraud prevention strategy, but no use as a decision tool in its own right.
CV2 - Card Verification 2 (Card Security Code)

The 3 numbers printed on the back of a credit or Debit card, are designed to verify that the person that knows these numbers is the cardholder. This provides a useful indicator to whether or not the customer has had sight of the card. If CV2 fails then it is reasonable to reject a transaction, however if CV2 passes, payment is not guaranteed.

The banking community has rather over-played the benefit of CV2 to merchants. It is a useful check, but unless complemented with other checks, it too can be easily compromised.

How CV2 can be compromised:

Example 1: Cards compromised by post are a common occurrence.

Fraudsters only need to see the card, record the relevant details and re-seal the envelope in order to compromise valuable details (card number, expiry date and CV2). The numbers then will be used a short time later, after giving the genuine cardholder time to confirm receipt of the new card to the issuer.

Example 2: Skimming devices are used regularly to compromise electronic detail from the magnetic strip of cards. CV2 can be skimmed too simply by using a card reader (available for less than £50) Accomplices in petrol stations, shops and restaurants all over the world have been found using these devices.

CV2 is an excellent check. Its positive effect is now beginning to diminish as it is adopted more widely by retailers. Fraudsters are now beginning to seek to compromise CV2 too. CV2 is very useful as a part of an overall fraud prevention strategy, but of limited benefit as a decision tool in its own right.
3D SECURE - Verified By VISA, SecureCode by Mastercard

A password that is exchanged, by the cardholder with their card-issuing bank, at the time of the transaction. The transactions may then be authorised by the retailer with the potential for the liability to shift to the bank.

3D-secure relies upon the integrity of the password being maintained, and a threat to this is the number of times that users need to use passwords when trading on the Internet:

  • Username and password to log onto computer

  • Username and password to log onto ISP for Internet access

  • Username and password for internet banking

  • Username and password to log onto many e-commerce sites (without one you cannot trade)

  • Card number and 3D-Secure password to do business at the bank's risk this will make the banks nervous, despite the technology working well at face value.

  • Many users have one or two passwords which are used for everything hence increasing the chance of compromise

Conclusions: VbV works well particularly when combined with CV2 and AVS. The liability shift has caught the headlines and rightly so, except the rules are complicated.

3D-Secure requires a high level of adoption by cardholders to be successful. The trouble being that those customers that do not register for whatever reason may be treated as potential fraudsters. That may be acceptable from a bank's perspective but it certainly is not from a retailer's. Use 3D-Secure but be prepared to authorise the transaction using merchant risk ECI indicator.

Any retailer trading in CNP channels must take responsibility and implement systems designed to help them manage their risk by understanding exactly who they are dealing with. A first step is to stop considering it a payment issue and start regarding it as: Shoplifting with home delivery!

Last year UK retailers spent an estimated £100 million pounds delivering stolen goods to fraudsters!
DYNAMIC PASSCODE Authentication

Similar to 3D Secure but requiring a gismo (looks like a small calculator) which can use a chip and PIN card to generate a one-time- use passcode.

This works, provided that all online shoppers have a gismo no exceptions. The trouble is that some people will not have a gismo with them. Some overseas customers will not know what this is, and some customers may find yet another security device rather difficult or offputting. What is certain is that fraudsters will not use them, unless of course they have obtained a stolen card with compromised PIN. This is really good technically, but practically it cannot work. What about proof of delivery? It doesn't work well if goods are not received.

Dynamic passcode authentication needs fraud screening to detect the frauds that it cannot. Screening used with either 3D Secure or dynamic passcode authentication is the correct approach to use.

Retailers are in the best possible position to implement a suite of processes, most of which need not be visible to any customer, which will provide a very high level of protection against attempted cutomer / card not present CNP fraud.
The Goodwill Group is a trading name for Andrew Goodwill Ltd. A CNP Fraud Consultancy Service.