Usability vs security: who pays for fraud?
The payment systems we use are designed to be a balance between usability and security, allowing payments to be made quickly and conveniently whilst protecting both the buyer and the seller from fraud.
This is true of all payment systems, from coins and bank notes to online payments: the security features built into the system should help prevent fraud but should not make the system unusable.
We may have to accept that some money will be lost to fraud. As long as the amount of money lost remains at an ‘acceptable’ level we are happy to enjoy the benefits of a payment system which is convenient and easy to use. If the cost of fraud becomes too high, new security features are introduced to redress the balance.
Let us look at some examples:
Example 1. Bank notes
Bank notes have evolved from white notes with black printing to today’s notes with see-through panels, holograms, watermarks, microprinting and textured printing. The security features on the note have evolved as printing technology became cheaper and more freely available to criminals wanting to create forged notes.
The security features on the bank note must also be usable by everyone, i.e. non-experts should be able to tell a good note from a bad one without specialised equipment such as microscopes or black lights.
This presents a significant challenge; bank notes have become more sophisticated and more expensive to produce. Whilst accepting that the best-equipped forgers will still be able to produce small numbers of “passable” counterfeit notes, the Bank of England estimates that approximately 1% of notes in circulation in the UK are counterfeit. (Source: Bank of England - What to do if you get a counterfeit note)
So who pays for counterfeit banknotes?
In the UK, it is the person who holds the note when it is discovered to be a forgery. You may have accepted the note in good faith as payment or as change, but once it is discovered to be a forgery it is worthless and it is a crime to try and pass it on.
Example 2. Credit and debit cards
In the UK, credit and debit cards contain a number of security features, the most significant being the Chip & PIN technology embedded into the card. Chip & PIN prevents the card from being copied (cloned). It also prevents the use of lost/stolen cards at ATMs and Point of Sale terminals.
Cloning of cards is prevented as the issuing bank encodes a unique cryptographic private key into each Chip & PIN card at the time of manufacture. The card uses this cryptographic key to generate a Message Authentication Code (MAC) of the payment data (amount, date, currency) for each payment made using that card. The bank can then validate the authenticity and integrity of the payment data using the MAC and the bank’s copy of the private key. Cloned cards do not have the correct private key and therefore cannot generate a MAC which will pass the bank’s cryptographic test.
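The MAC check described above can be modelled in a few lines. This is an added example, not code from the course or from any card scheme: it assumes HMAC-SHA-256 as a stand-in for the card's real MAC algorithm, and the card number, key store and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

BANK_KEYS = {}  # hypothetical store: the bank's copy of each card's key


def payment_message(amount_pence, date, currency):
    """Unambiguous encoding of the payment data named in the text."""
    return f"{amount_pence}|{date}|{currency}".encode()


class Card:
    """Models the chip: the key lives inside it and is never exported."""

    def __init__(self, card_number, key):
        self.card_number = card_number
        self._key = key

    def mac_payment(self, amount_pence, date, currency):
        msg = payment_message(amount_pence, date, currency)
        return hmac.new(self._key, msg, hashlib.sha256).digest()


def issue_card(card_number):
    """Issuing bank writes a unique key into the chip and keeps a copy."""
    key = secrets.token_bytes(32)
    BANK_KEYS[card_number] = key
    return Card(card_number, key)


def bank_verifies(card_number, amount_pence, date, currency, mac):
    """Bank recomputes the MAC with its copy of the key and compares."""
    msg = payment_message(amount_pence, date, currency)
    expected = hmac.new(BANK_KEYS[card_number], msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def demo():
    pan = "4000000000000002"  # constructed card number
    genuine = issue_card(pan)
    # A clone carries the same visible card number but not the chip's key.
    clone = Card(pan, secrets.token_bytes(32))
    pay = (1999, "2017-06-01", "GBP")  # constructed payment: 19.99 GBP
    return {
        "genuine": bank_verifies(pan, *pay, genuine.mac_payment(*pay)),
        "clone": bank_verifies(pan, *pay, clone.mac_payment(*pay)),
        # Integrity: a MAC made for 19.99 does not validate a changed amount.
        "altered_amount": bank_verifies(pan, 199, "2017-06-01", "GBP",
                                        genuine.mac_payment(*pay)),
    }


if __name__ == "__main__":
    print(demo())
```

The same check covers both properties the text names: the clone fails on authenticity, and the altered amount fails on integrity.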
Lost and stolen cards are protected by the PIN which is an authorisation code known only to the cardholder. This means that without the PIN any lost or stolen card is effectively useless.
However, these security features do not protect the cards completely, as illustrated by the £567.5 million lost to card fraud in the UK in 2015. The majority of UK fraud losses can be attributed to online payment fraud and magnetic stripe cloning, both of which bypass the security features included in Chip & PIN. (Source: Financial Fraud Action UK - Fraud the Facts 2017)
So who pays for credit/debit card fraud?
In the UK, this depends on the circumstances:
Chip & PIN payments and ATM withdrawals. If the PIN was entered into the Point of Sale terminal or ATM then the customer may be held liable for the fraud in cases where the bank believes that the customer has been careless with the security of their PIN.
If the PIN was not entered then the merchant is deemed liable for accepting a payment without the PIN being entered.
Where the payment was a Chip & Signature payment the merchant is held liable if the recorded signature does not match the customer’s signature.
Online payment fraud. The online merchant is at first responsible and must show that their online payment system complies with the regulations. If they are able to show this, then the merchant’s online payment provider and/or bank may be held liable.
Online merchants who repeatedly accept fraudulent payments may also be fined / sanctioned by Visa / MasterCard. Unfortunately for online retailers, they are caught in the trap of usability vs security. 3D Secure payments (e.g. Verified by Visa or MasterCard SecureCode) are the most secure method of accepting online payment, giving the online merchant much more protection against online fraud and even the benefit of lower transaction fees. However, up to 43% of customers in the USA and China are found to drop out of the purchase when asked to enter their 3D Secure password. So despite 3D Secure being both cheaper and giving much greater protection against online fraud, only 12% of the top 400 retailers are currently implementing 3D Secure.
For further reading on Chip & PIN liability see UK Cards Association Website and Reliability of Chip & PIN Evidence in Banking Disputes by Steven Murdoch.
© Newcastle University