Skip to 0 minutes and 13 seconds In this section, I’d like to talk about the evolving arms race of payment security, how fraud evolves to take advantage of new technologies, and the loopholes which those new technologies provide. As an example, I’m going to use a credit card. So we all know about credit cards. And in 1951, the first paper credit cards appear. So the card was actually printed on cardboard, and it was just printed on the front, card holder details with the card holder signatures. This is reasonably easy to forge. Cardboard is easy to get hold of, and you essentially could just print yourself up a decent looking forgery of a paper credit card.
Skip to 0 minutes and 53 seconds These were reasonably easy to spot though, because there were so few credit cards in circulation, that a forgery was easy to spot. As we go forward to 1959, we get the first plastic cards appearing. So that becomes the familiar plastic card with the card holder’s card number printed on the front. These cards were much harder to forge, because you had to create a plastic copy that looked believable, with the raised printing on it. So much harder technology than just copying cardboard and printing on it. In 1969, we get the first electronic security measure, which is the magnetic stripe printed on the back. A modern card still has it.
Skip to 1 minute and 36 seconds These were quite hard to forge, because the magnetic stripe was actually really difficult to bond to the back of the card, and it actually was quite difficult to produce these copies. The magnetic stripe was added to the card to allow the card to be used in ATMs. And with ATMs came the first incidence of a totally new crime that was created by the technology of the credit card. So with an ATM, you basically put your card in, you put your pin number in.
Skip to 2 minutes and 7 seconds And the new crime was the crime of bump and run, where somebody would shoulder surf your pin number by watching you put it into the ATM, and then distract you by either bumping into you or talking to you. At that point, their accomplice would grab your card from the ATM machine, run off and use the pin number that they just shoulder surfed from you, to go and make an immediate cash withdrawal just around the corner. So essentially, what they’ve done is the introduction of ATMs has created this whole new form of crime. So later on with ATM technology, we see the introduction of the CCTV camera being introduced to the ATM.
Skip to 2 minutes and 50 seconds So that will capture the faces of the people doing this bump and run attack. Unfortunately, with putting the CCTV camera into the ATM, that stopped the bump and run attack, but that then meant that they would still shoulder surf your card, but they’d have to steal the card much further away. And by the time they were stealing the card, you’d put your card back into your wallet and put it into your pocket. At which point you’ve gone from a low violence crime, which was the bump and run where they’d steal the card from the front of the ATM, to them having to mug you, which is a much higher violence crime.
Skip to 3 minutes and 27 seconds So the incidence of crime went down, but the violent crime went up, in reaction to having the CCTV cameras put into the ATMs. In the 1990s, we see magnetic stripe cloning becoming popular. This is because a magnetic stripe clone, magnetic striped readers became freely available and cheap to buy. And what would happen is you’d build a magnetic stripe reader into a false front that would be stuck to the front of an ATM, and also the cards, the plastic cards with a blank magnetic stripe, became freely available. So it was much easier to get your hands on blank card stock to create cloned copies of these magnetic stripes.
Skip to 4 minutes and 11 seconds So the incidence of magnetic stripe cloning rises very steeply in the 1990s and we can see that this is the blue line on the graph. And from the early 90s to the early 2000s, we see that type of crime becoming more and more popular. And to combat that in 2004, the banks introduced chip and pin cards. And chip and pin cards are much, much harder to clone than the magnetic stripe. So this brings down the incidence of card cloning in the UK dramatically. So we can see the blue line dropping away. And this is all due to the new cards being much harder to clone than the magnetic striped cards.
Skip to 4 minutes and 53 seconds Unfortunately, what then happens is we can see 2007, 2008 we get an increase back up on the magnetic stripe cloning. And this green line shows us that essentially, what’s happening is the magnetic stripes are being cloned in the UK and then used in the US to make cash withdrawals or purchases in the US. So this was a loophole that the fraudsters discovered, that they could now still use these magnetic striped clones that they had been using in the UK. They could use them overseas. Between 2004 and 2015, fraud actually hasn’t gone away. Fraud has moved. So we’ve got rid of magnetic stripe cloning. We’ve got rid of chip and pin cards being cloned and used in the UK.
Skip to 5 minutes and 40 seconds So actually, where did that fraud move? And now we’ll show you the red line. And the red line is actually fraud committed online and fraud committed over the telephone. So this is where the card isn’t actually physically present, and they call it card not present fraud. And we can see the red line here shows how card not present fraud has increased from 3% back in 1995 to over 70% now. So this is fraud committed where the card holder and the card are not present. So they’re not scanned, you’re not putting your card into an ATM or into a chip and pin machine. You’re using the card details to make an online purchase or a telephone purchase.
Skip to 6 minutes and 21 seconds And this is where fraud has moved to, because the other avenues have been blocked by technology. So this is now the easiest way for the fraudsters to commit fraud. In this section, we’ve seen that payment security is an arms race. Every time a new technology has come out, the fraud has adapted to take advantage of that technology. Every time a new type of fraud has popped up, then the technology has been adapted and changed to eradicate that type of fraud. So essentially, the fraud adapts to meet the technology, and the technology adapts to meet the fraud. It has become an arms race.
The evolving arms race of payment security
Payment security is an evolving arms race between the criminals who want to take our money and designers of the payment systems who wish to protect it.
In this video Martin explains how fraud adapts to new payment technologies and changes in payment security. He uses the UK credit card fraud statistics over the past 20 years as one example to illustrate how fraud has adapted each time a new payment technology or security feature has been introduced.
Martin refers several times in the video to this graph:
Annual card losses on UK issued cards
Source: Financial Fraud Action UK
You may prefer to have a larger version of the graph to hand as you watch Martin in the video.
New technologies eradicate existing ways of committing fraud, but also introduce other vulnerabilities fraudsters adapt to take advantage of. Chip and PIN made it difficult to use a stolen card, and therefore theft of cards declined. However, criminals identified that online payment became a weak spot, since it cannot use Chip and PIN. Online fraud is now the most prevalent form of payment fraud in the UK.
© Newcastle University