- Email: [email protected]
Fraud on foreign soil drives up card fraud losses in UK
TECHNOLOGY TECHNOLOG Y
www.smartcards-today.com
ISSN 0965-2590 October 2007
emv
Contents
Fraud on foreign soil drives up card fraud losses in UK
F
igures released by APACS, the UK payments association, show that total card fraud losses increased by 26% to £263.6 million in the six months to June 2007 compared with the first half of 2006. This increase has been driven by a 126% rise in fraud on UK-issued cards being used overseas. In contrast, domestic card fraud continues to fall thanks to chip and PIN, with losses at UK retailers down 11% to £37.5 million and losses at UK cash machines down 57% to £17.1 million (see Figure 1 overleaf). Overall card fraud losses in the UK high street have declined dramatically since peaking at £218.8 million in 2004. This is directly attributable to the implementation of chip and PIN in the UK. Losses in 2006 were £72.1 million – a decrease of 67% from 2004. It is clear that the introduction of chip and PIN has made it more difficult for fraudsters to commit card fraud in the UK. However, to combat this, criminals are now committing card fraud overseas on UK-issued cards. In order to do this, they copy the magnetic stripe data on consumer’s cards to create fake cards that they use in countries that have yet to upgrade to chip and PIN. According to APACS, as more countries rollout the technology the opportunities for criminals to use fake magnetic stripe cards overseas will decrease. To help achieve this, the European banking industry has set itself the target of completing its chip card rollout by 2010. Losses from online, phone and mail order shopping fraud also continued to increase yearon-year. APACS noted that this increase has to be seen in the context of increasing numbers of people shopping online and ever-growing numbers of online transactions. According to APACS figures, the number of adults shopping
TODAY
card
online has increased by 157% in the last five years, from 11 million in 2001 to over 28 million last year. By comparison, online, phone and mail order fraud has grown by 122% during the same time period. The fraud to turnover ratio on online card transactions has also decreased – down from 0.7% in 2004 to 0.5% in 2006. Online banking fraud losses fell by 67% from £22.4 million in the first six months of 2006 to just £7.5 million in the same period this year (see Figure 2). This decrease occurred because online banks have successfully implemented a range of measures to detect and prevent fraud, coupled with the fact that there was an unusually high level of online banking fraud in the first few months of 2006. Sandra Quinn, director of communications at APACS, commented: “These figures show how the fraudsters have changed tack. A couple of years ago they were mainly stealing cards and card details for use in UK shops and cash machines, but today, because of chip and PIN, they have been driven overseas – using fake magnetic stripe cards specifically in countries which have yet to upgrade to chip and PIN. During the interim we will continue to use fraud intelligence systems to tackle overseas losses and encourage those countries that are lagging behind on chip and PIN to follow our lead.” Quinn continued: “Consumers should also play their part – for example, cardholders should be aware that the majority of online fraud involves a criminal obtaining card details in the real world that are then used to shop fraudulently online. So we continue to urge people to register with the secure online payment systems – MasterCard SecureCode and Verified by Visa – which help prevent cards being used fraudulently over the internet.” Figures 1 and 2 are on Page 3...
NEWS Fraud on foreign soil drives up card fraud losses in UK 1 Gemalto and FarEasTone partner in Asian 'Pay-Buy mobile' trials
3
First workers apply for TWIC credential
4
Interac makes first Canadian chip debit card transaction
4
LogicaCMG pilots mobile payment system in Dutch supermarket
5
OnePulse from Barclaycard launched in London
5
Gemalto profit decline better than expected
6
Oberthur Card Systems reports momentum
6
Qatar citizens enrol for eID cards
7
Parkeon acquires Wayfarer Group
16
Gemalto suffers strikes
16
BIOMETRIC BYTES Breaking news from the biometrics industry
8
CHIP TALK Taking card manufacturing to a new level 9 FEATURES Anti-fraud technologies: a business essential in the card industry
10
Easy handling and security make NFC a success
12
SURVEY Top of the Form: Contactless and NFC technology
14
REGULARS News Extra
2
News In Brief
3–7
Events Calendar Viewpoint
7 16
ISSN 0965-2590/07 © 2007 Elsevier Ltd. All rights reserved This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.
NEWS ...Continued from Page 1 January to June 2005
January to June 2006
January to June 2007
+/-% (06/07)
Online, phone and mail order (CNP) fraud
£90.6m
£95.3m
£137.0m
+44%
Counterfeit
£45.6m
£52.8m
£72.3m
+37%
Lost/stolen
£44.3m
£36.1m
£30.7m
-15%
Mail non-receipt
£22.8m
£9.8m
£4.9m
-50%
Card ID theft
£16.1m
£15.0m
£18.7m
+24%
UK Retailer (face-to-face)
£73.2m
£42.1m
£37.5m
-11%
UK Cash machine fraud
£28.8m
£39.5m
£17.1m
-57%
UK fraud
£177.6m
£160.8m
£154.8m
-4%
Fraud abroad
£41.8m
£48.1m
£108.8m
+126%
January to June 2005
January to June 2006
January to June 2007
+/-% 06/07)
£14.5m
£22.4m
£7.5m
-67%
312
5,087
7,224
+42%
Type of fraud
Contained within this total:
Figure 1. UK Plastic Card Fraud Losses.
Type of fraud Online banking fraud Phishing incidents
Figure 2. Online Banking Fraud Losses (incl. Phishing incidents).
nfc/mobile payment
Gemalto and Far EasTone partner in Asian ‘Pay–Buy Mobile’ trial
L
eading French smart card manufacturer Gemalto has announced a partnership with Taiwan’s Far EasTone Telecommunications Ltd. to start what it claims is Asia’s first mobile contactless SIM-based NFC (Near Field Communications) trial. The trial, starting in November and rolled out in phases, is part of the GSM Association’s ‘Pay−Buy Mobile’ initiative which seeks to define a common global approach to using NFC technology to link mobile devices with payment and contactless systems. Taiwan’s fast-paced adoption of contactless payment services and appetite for new technologies makes it the perfect place to start the trial, the companies said. Far EasTone subscribers participating in the trial will be able to make mobile contactless purchases at any Far EasTone trial partner merchant
October 2007
with the same ease and convenience as if using an ordinary contactless payment card. Additionally, the trial will also include ‘smart posters’. Taiwan’s hypermarket chain, Far Eastern Geant, for instance, will hang posters embedded with NFC tags at their stores. Shoppers walk by, wave their NFC mobile across the poster and walk away with a coupon downloaded to the SIM for use at the checkout or for later purchases. Subscribers can also view and interact with services provisioned using the mobile’s own web browser. In this way, subscribers see the services on the SIM presented as a web page. “This trial marks a milestone in mobile contactless history and is also a key advancement in services for Taiwan”, said Tan Teck Lee, president of Gemalto Asia. “We are proud to be part of this exciting development with Far EasTone as it sets the stage for the growing popularity of mobile contactless and service provisioning applications.” Jan Nilsson, president of Far EasTone commented: “This launch will mark an advancement of Taiwan’s mobile market where we combine convenience with security. For us, the mobile has become a hub for advanced subscriber services and is the platform of choice to provide subscribers with a new lifestyle. Taiwan is the perfect place to start”. Continued on Page 4...
IN BRIEF • Kaba and CoreStreet have announced a partnership to build advanced, standalone electronic locks. Using CoreStreet’s technology, Kaba will offer one physical access control system (PACS) to comply with Federal Information Processing Standard-201 (FIPS201) and will be introducing another that works with CoreStreet’s patented CardConnected technology. In developing the Kaba E-Plex 5900 electronic locks, users can centrally manage access points anywhere. The locking systems are managed and monitored in physical access control systems and require no wiring or wireless communication networks. The locks communicate with commercially-available physical access control systems by reading and writing digitally signed data (privileges and logs) to and from smart cards. The systems are currently in field testing and are expected to be available early next year. • Gemalto has announced that its implementation of Java Card technology has been Common Criteria certified EAL4 using formal assurances from the EAL7 level, the highest level of certification possible. This is the world’s first Common Criteria certificate of a smart card involving formal assurances from the EAL7 level the company claims, which provides high confidence in open multi-application cards as it ensures that each embedded application is completely and securely isolated from the others and that this security process has been mathematically proven. The certification was performed by the French DCSSI (Central Administration for Information Systems Security – Direction Centrale de la Sécurité des Systèmes d’Information). • Infineon Technologies is to be the sole chip supplier for the patient healthcare card in the US. Siemens, Mount Sinai Medical Center and Elmhurst Hospital Center have formed a health smart card alliance to deploy up to 1.2 million patient health smart cards to link 45 affiliated and related medical facilities in the New York metro area. The patient health smart cards are issued by the medical facilities with the patient’s printed photo. To use the card, the patient inserts the card into a card reader and enters a PIN to unlock the data on the smart card security crypto-controller. The crypto-controller securely stores the demographic data for the patient, including name, gender, contact information, allergies, current medical history and lab results. The smart card initiative uses a Siemens smart card operating system (OS) which is embedded onto the contact-based Infineon smart card controller SLE 66CX680PE.
Card Technology Today
3
www.smartcards-today.com
ISSN 0965-2590 October 2007
emv
Contents
Fraud on foreign soil drives up card fraud losses in UK
F
igures released by APACS, the UK payments association, show that total card fraud losses increased by 26% to £263.6 million in the six months to June 2007 compared with the first half of 2006. This increase has been driven by a 126% rise in fraud on UK-issued cards being used overseas. In contrast, domestic card fraud continues to fall thanks to chip and PIN, with losses at UK retailers down 11% to £37.5 million and losses at UK cash machines down 57% to £17.1 million (see Figure 1 overleaf). Overall card fraud losses in the UK high street have declined dramatically since peaking at £218.8 million in 2004. This is directly attributable to the implementation of chip and PIN in the UK. Losses in 2006 were £72.1 million – a decrease of 67% from 2004. It is clear that the introduction of chip and PIN has made it more difficult for fraudsters to commit card fraud in the UK. However, to combat this, criminals are now committing card fraud overseas on UK-issued cards. In order to do this, they copy the magnetic stripe data on consumer’s cards to create fake cards that they use in countries that have yet to upgrade to chip and PIN. According to APACS, as more countries rollout the technology the opportunities for criminals to use fake magnetic stripe cards overseas will decrease. To help achieve this, the European banking industry has set itself the target of completing its chip card rollout by 2010. Losses from online, phone and mail order shopping fraud also continued to increase yearon-year. APACS noted that this increase has to be seen in the context of increasing numbers of people shopping online and ever-growing numbers of online transactions. According to APACS figures, the number of adults shopping
TODAY
card
online has increased by 157% in the last five years, from 11 million in 2001 to over 28 million last year. By comparison, online, phone and mail order fraud has grown by 122% during the same time period. The fraud to turnover ratio on online card transactions has also decreased – down from 0.7% in 2004 to 0.5% in 2006. Online banking fraud losses fell by 67% from £22.4 million in the first six months of 2006 to just £7.5 million in the same period this year (see Figure 2). This decrease occurred because online banks have successfully implemented a range of measures to detect and prevent fraud, coupled with the fact that there was an unusually high level of online banking fraud in the first few months of 2006. Sandra Quinn, director of communications at APACS, commented: “These figures show how the fraudsters have changed tack. A couple of years ago they were mainly stealing cards and card details for use in UK shops and cash machines, but today, because of chip and PIN, they have been driven overseas – using fake magnetic stripe cards specifically in countries which have yet to upgrade to chip and PIN. During the interim we will continue to use fraud intelligence systems to tackle overseas losses and encourage those countries that are lagging behind on chip and PIN to follow our lead.” Quinn continued: “Consumers should also play their part – for example, cardholders should be aware that the majority of online fraud involves a criminal obtaining card details in the real world that are then used to shop fraudulently online. So we continue to urge people to register with the secure online payment systems – MasterCard SecureCode and Verified by Visa – which help prevent cards being used fraudulently over the internet.” Figures 1 and 2 are on Page 3...
NEWS Fraud on foreign soil drives up card fraud losses in UK 1 Gemalto and FarEasTone partner in Asian 'Pay-Buy mobile' trials
3
First workers apply for TWIC credential
4
Interac makes first Canadian chip debit card transaction
4
LogicaCMG pilots mobile payment system in Dutch supermarket
5
OnePulse from Barclaycard launched in London
5
Gemalto profit decline better than expected
6
Oberthur Card Systems reports momentum
6
Qatar citizens enrol for eID cards
7
Parkeon acquires Wayfarer Group
16
Gemalto suffers strikes
16
BIOMETRIC BYTES Breaking news from the biometrics industry
8
CHIP TALK Taking card manufacturing to a new level 9 FEATURES Anti-fraud technologies: a business essential in the card industry
10
Easy handling and security make NFC a success
12
SURVEY Top of the Form: Contactless and NFC technology
14
REGULARS News Extra
2
News In Brief
3–7
Events Calendar Viewpoint
7 16
ISSN 0965-2590/07 © 2007 Elsevier Ltd. All rights reserved This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use: Photocopying Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.
NEWS ...Continued from Page 1 January to June 2005
January to June 2006
January to June 2007
+/-% (06/07)
Online, phone and mail order (CNP) fraud
£90.6m
£95.3m
£137.0m
+44%
Counterfeit
£45.6m
£52.8m
£72.3m
+37%
Lost/stolen
£44.3m
£36.1m
£30.7m
-15%
Mail non-receipt
£22.8m
£9.8m
£4.9m
-50%
Card ID theft
£16.1m
£15.0m
£18.7m
+24%
UK Retailer (face-to-face)
£73.2m
£42.1m
£37.5m
-11%
UK Cash machine fraud
£28.8m
£39.5m
£17.1m
-57%
UK fraud
£177.6m
£160.8m
£154.8m
-4%
Fraud abroad
£41.8m
£48.1m
£108.8m
+126%
January to June 2005
January to June 2006
January to June 2007
+/-% 06/07)
£14.5m
£22.4m
£7.5m
-67%
312
5,087
7,224
+42%
Type of fraud
Contained within this total:
Figure 1. UK Plastic Card Fraud Losses.
Type of fraud Online banking fraud Phishing incidents
Figure 2. Online Banking Fraud Losses (incl. Phishing incidents).
nfc/mobile payment
Gemalto and Far EasTone partner in Asian ‘Pay–Buy Mobile’ trial
L
eading French smart card manufacturer Gemalto has announced a partnership with Taiwan’s Far EasTone Telecommunications Ltd. to start what it claims is Asia’s first mobile contactless SIM-based NFC (Near Field Communications) trial. The trial, starting in November and rolled out in phases, is part of the GSM Association’s ‘Pay−Buy Mobile’ initiative which seeks to define a common global approach to using NFC technology to link mobile devices with payment and contactless systems. Taiwan’s fast-paced adoption of contactless payment services and appetite for new technologies makes it the perfect place to start the trial, the companies said. Far EasTone subscribers participating in the trial will be able to make mobile contactless purchases at any Far EasTone trial partner merchant
October 2007
with the same ease and convenience as if using an ordinary contactless payment card. Additionally, the trial will also include ‘smart posters’. Taiwan’s hypermarket chain, Far Eastern Geant, for instance, will hang posters embedded with NFC tags at their stores. Shoppers walk by, wave their NFC mobile across the poster and walk away with a coupon downloaded to the SIM for use at the checkout or for later purchases. Subscribers can also view and interact with services provisioned using the mobile’s own web browser. In this way, subscribers see the services on the SIM presented as a web page. “This trial marks a milestone in mobile contactless history and is also a key advancement in services for Taiwan”, said Tan Teck Lee, president of Gemalto Asia. “We are proud to be part of this exciting development with Far EasTone as it sets the stage for the growing popularity of mobile contactless and service provisioning applications.” Jan Nilsson, president of Far EasTone commented: “This launch will mark an advancement of Taiwan’s mobile market where we combine convenience with security. For us, the mobile has become a hub for advanced subscriber services and is the platform of choice to provide subscribers with a new lifestyle. Taiwan is the perfect place to start”. Continued on Page 4...
IN BRIEF • Kaba and CoreStreet have announced a partnership to build advanced, standalone electronic locks. Using CoreStreet’s technology, Kaba will offer one physical access control system (PACS) to comply with Federal Information Processing Standard-201 (FIPS201) and will be introducing another that works with CoreStreet’s patented CardConnected technology. In developing the Kaba E-Plex 5900 electronic locks, users can centrally manage access points anywhere. The locking systems are managed and monitored in physical access control systems and require no wiring or wireless communication networks. The locks communicate with commercially-available physical access control systems by reading and writing digitally signed data (privileges and logs) to and from smart cards. The systems are currently in field testing and are expected to be available early next year. • Gemalto has announced that its implementation of Java Card technology has been Common Criteria certified EAL4 using formal assurances from the EAL7 level, the highest level of certification possible. This is the world’s first Common Criteria certificate of a smart card involving formal assurances from the EAL7 level the company claims, which provides high confidence in open multi-application cards as it ensures that each embedded application is completely and securely isolated from the others and that this security process has been mathematically proven. The certification was performed by the French DCSSI (Central Administration for Information Systems Security – Direction Centrale de la Sécurité des Systèmes d’Information). • Infineon Technologies is to be the sole chip supplier for the patient healthcare card in the US. Siemens, Mount Sinai Medical Center and Elmhurst Hospital Center have formed a health smart card alliance to deploy up to 1.2 million patient health smart cards to link 45 affiliated and related medical facilities in the New York metro area. The patient health smart cards are issued by the medical facilities with the patient’s printed photo. To use the card, the patient inserts the card into a card reader and enters a PIN to unlock the data on the smart card security crypto-controller. The crypto-controller securely stores the demographic data for the patient, including name, gender, contact information, allergies, current medical history and lab results. The smart card initiative uses a Siemens smart card operating system (OS) which is embedded onto the contact-based Infineon smart card controller SLE 66CX680PE.
Card Technology Today
3