Have crims developed a social conscience with tap'n'go?

The mass theft of payment card data aside, the biggest payments scam going in the United States at the moment is petrol theft – even as the cost of fuel falls.

Many US “gas” stations are self-service with credit card payment at the pump. However, most US cards are still magnetic stripe, not chip. And most US payment terminals have not been upgraded to the so-called EMV standard of security that chip cards require.

"Figures provide no support for the suggestion that 'tap and go' chip cards are at greater risk of fraud."
Chris Hamilton, APCA chief executive

The consequence is fake or stolen cards – many manufactured from data ripped off in the large scale data thefts – are used to buy large amounts of fuel which is then sold on the black market.

But if these fuel pumps only took the contactless chip cards – tap'n'go – so popular in Australia and growing in usage elsewhere, this particular fraud would drop dramatically.

Why? Because chip cards are not easy to replicate the way magnetic stripe cards are. So-called “skimming” devices, surreptitiously attached to payment terminal or ATMs, can't capture chip card data.

Tap'n'go adds an extra level of security as the card never leaves the owner's hand. Only cards actually stolen could be used, a far lower number than fake cards created from mass data thefts and skimming.

Yet, according to an Australian Parliamentary Inquiry report just released, citing a submission by Victorian Police, contactless cards are generating more crime.

This will be news to the US where card companies, schemes and petrol stations are frantically working together to replace the old, mag stripe-centric system with a chip-based one. Big merchants will be able to accept chip by October 1 but the more secure protocols won't apply to US petrol stations until 2017.

According to the Wall St Journal, the US crime wave has been driven by a flood of stolen credit-card data easily accessible online, “much of which was swiped in high-profile breaches”.

Yet the concern of the Victorian Police, picked up by the parliamentary inquiry, is contactless tap'n'go cards constitute a major new incentive for crime.

There is, however, no data to support this. The latest data from the Australian Payments Clearing Association (APCA), the payments industry self-regulatory body, shows an increase in fraud in the online environment, reflecting a global trend towards increasing cybercrime risks.

In 2014 fraud on Australian cards and cheques increased from 16.2c to 20.8c cents per $1,000 spent. Fraud on Australian payment cards increased from 46.6c to 58.8c in every $1,000 spent. Card-not-present fraud, occurring mainly online, by phone or by mail, accounted for 94 per cent of the increase in card fraud.

Click image to zoom Tap image to zoom

Source: APCA

But contactless tap'n'go transactions are card present – the card is physically in the hands of the user at the real world merchant.

Click image to zoom Tap image to zoom

Source: APCA

According to APCA chief executive Chris Hamilton, the “figures provide no support for the suggestion that 'tap and go' chip cards are at greater risk of fraud. They show that the much bigger challenge is online fraud, as we all spend more time and money in cyberspace”.

To be fair, the submissions and work on this parliamentary report were undertaken nearly a year ago and since then there has been greater communication between the financial services industry and the police.

The Australasian Risk Council, made up of the industry and police, now meets quarterly to discuss new technology, emerging risks and crime prevention strategies.

But the emergence of the inquiry report does perpetuate some illogical or unsubstantiated anecdotal analysis of payment crime.

The inquiry has even called for contactless cards to be made “opt-in” for the technology they offer – which would be counterproductive given the average ticket size for fraud on these cards is lower than with contact fraud.

"The committee recommends that financial institutions which issue debit and credit cards create an 'opt in' function that requires customers to consent to contactless payment technology features being activated on their cards," the report said.

The history of card fraud globally is very consistent: fraud and other crime migrate to the oldest, lowest security jurisdictions and environments. In the 90s, this was magnetic stripe cards in Britain, prompting a rapid move to chip cards and EMV security.

Australia has always been a relatively rapid adopter of new technologies and has been well down the global fraud ranks. As the APCA data show, the biggest risk areas are online – where safer technologies like single use, digital tokens are on the horizon – and data stolen to create magnetic stripe cards via skimming.

The parliamentary report cited “evidence” presented by Victoria Police of a “significant increase” in deception offences in which new technology had enabled offenders to commit multiple low value transactions with stolen credit cards.

However, the richer data available with new chip cards means bank and card scheme systems are able to more quickly pick up dodgy transactions and block cards – again a security improvement.

In its submission, Victoria Police argued “the major banks provide a Zero Liability Policy to customers who are victims of fraudulent transactions. This policy is clearly advertised in conjunction with 'Tap and Go' technology. Widespread promotion of the Zero Liability Policy is expected to motivate offenders who are likely to see that the victim will not be at a personal loss”.

That's strikes me as a deduction worthy of Inspector Clouseau. So the crims will break into a house or car, rifle through a wallet or handbag, extract only the cards on which they can see the wi-fi tap'n'go mark, while leaving cash and other valuable untouched, because they only want to steal from the big, bad banks?

The criminal class now has a social conscience.

But actually, shouldn't the police be happier if the crims steal and use these cards? As opposed to cash or other older technologies?

Every tap'n'go transaction is traceable. The time and location of any transaction could be cross-checked with other data, including CCTV. Surely that means the chances of identifying a perp are far greater than if they simply stole cash?

Again, since this submission and the inquiry hearings, much more consultation has taken place but it is important to emphasise there is still no evidence at all of tap'n'go driving increased crime. Indeed, given the data from APCA, it is contributing to less.

Technology obviously brings new risks as well as benefits but critically those risks need to be properly understood – particularly if imagined risks are lined up against demonstrable benefits. APCA data show two-thirds ($A200.6 million) of card-not-present fraud occurred overseas in 2014 (up from $124.5 million in 2013). So are we going to stop Australians using payment cards to shop with offshore merchants?

Or rather, as APCA's Hamilton says, should technology be part of the solution? Tokenisation is a technique that replaces sensitive information, such as a card number, with a non-sensitive replacement value or token. If captured, the token itself cannot be used for normal card-not-present transactions and as such is of no value to criminals.

Hamilton notes the extra security layer complements existing card-not-present fraud prevention measures including enforcing standards to protect card data, stronger cardholder authentication techniques and enhancing real-time fraud detection tools.

This is what the US industry has recognised as well as it seeks to raise the hurdles for criminals stealing petrol.

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.

editor's picks

09 Jun 2014

Do crims tap-and-go?

Andrew Cornell | Past Managing Editor, bluenotes

In Melbourne’s Docklands precinct, where the ANZ mothership is berthed, there’s dozens of small cafes and lunch spots. Almost all accept contactless card payments, the so-called “tap and go” system.

14 Jan 2015

Tapping the biggest shift in consumer payments

Lance Blockley | Managing Director Consulting, RFi Group

For many, many years I have presented at payments conferences about how consumer payments are habit forming. People tend to be “locked in” to how they pay for things by the time they are 30 years old. A much stronger – not just slightly stronger - “value proposition” is needed to knock them out of their old payment habit and into something new.

22 May 2015

Forget tech toys, tap'n'go payment is what will replace cash

Alan Shields | Chief Data Officer, RFi Group

Every day there appears to be new payment technology being developed and it is easy to get excited – well, as a payments wonk anyway - at the prospect of a less-cash, more-digital payments scenario.