According to APCA chief executive Chris Hamilton, the “figures provide no support for the suggestion that 'tap and go' chip cards are at greater risk of fraud. They show that the much bigger challenge is online fraud, as we all spend more time and money in cyberspace”.
To be fair, the submissions and work on this parliamentary report were undertaken nearly a year ago and since then there has been greater communication between the financial services industry and the police.
The Australasian Risk Council, made up of the industry and police, now meets quarterly to discuss new technology, emerging risks and crime prevention strategies.
But the emergence of the inquiry report does perpetuate some illogical or unsubstantiated anecdotal analysis of payment crime.
The inquiry has even called for contactless cards to be made “opt-in” for the technology they offer – which would be counterproductive given the average ticket size for fraud on these cards is lower than with contact fraud.
"The committee recommends that financial institutions which issue debit and credit cards create an 'opt in' function that requires customers to consent to contactless payment technology features being activated on their cards," the report said.
The history of card fraud globally is very consistent: fraud and other crime migrate to the oldest, lowest security jurisdictions and environments. In the 90s, this was magnetic stripe cards in Britain, prompting a rapid move to chip cards and EMV security.
Australia has always been a relatively rapid adopter of new technologies and has been well down the global fraud ranks. As the APCA data show, the biggest risk areas are online – where safer technologies like single use, digital tokens are on the horizon – and data stolen to create magnetic stripe cards via skimming.
The parliamentary report cited “evidence” presented by Victoria Police of a “significant increase” in deception offences in which new technology had enabled offenders to commit multiple low value transactions with stolen credit cards.
However, the richer data available with new chip cards means bank and card scheme systems are able to more quickly pick up dodgy transactions and block cards – again a security improvement.
In its submission, Victoria Police argued “the major banks provide a Zero Liability Policy to customers who are victims of fraudulent transactions. This policy is clearly advertised in conjunction with 'Tap and Go' technology. Widespread promotion of the Zero Liability Policy is expected to motivate offenders who are likely to see that the victim will not be at a personal loss”.
That's strikes me as a deduction worthy of Inspector Clouseau. So the crims will break into a house or car, rifle through a wallet or handbag, extract only the cards on which they can see the wi-fi tap'n'go mark, while leaving cash and other valuable untouched, because they only want to steal from the big, bad banks?
The criminal class now has a social conscience.
But actually, shouldn't the police be happier if the crims steal and use these cards? As opposed to cash or other older technologies?
Every tap'n'go transaction is traceable. The time and location of any transaction could be cross-checked with other data, including CCTV. Surely that means the chances of identifying a perp are far greater than if they simply stole cash?
Again, since this submission and the inquiry hearings, much more consultation has taken place but it is important to emphasise there is still no evidence at all of tap'n'go driving increased crime. Indeed, given the data from APCA, it is contributing to less.
Technology obviously brings new risks as well as benefits but critically those risks need to be properly understood – particularly if imagined risks are lined up against demonstrable benefits. APCA data show two-thirds ($A200.6 million) of card-not-present fraud occurred overseas in 2014 (up from $124.5 million in 2013). So are we going to stop Australians using payment cards to shop with offshore merchants?
Or rather, as APCA's Hamilton says, should technology be part of the solution? Tokenisation is a technique that replaces sensitive information, such as a card number, with a non-sensitive replacement value or token. If captured, the token itself cannot be used for normal card-not-present transactions and as such is of no value to criminals.
Hamilton notes the extra security layer complements existing card-not-present fraud prevention measures including enforcing standards to protect card data, stronger cardholder authentication techniques and enhancing real-time fraud detection tools.
This is what the US industry has recognised as well as it seeks to raise the hurdles for criminals stealing petrol.