APACS reports credit card fraud figures for UK
November 7th, 2006 Posted in Credit Card Fraud, Europe, PCI DSSAmbersail is reporting that APACS, the UK payments association, has released their latest credit card fraud statistics. Here’s some of the findings:
- A rise in phishing attacks has lead to a 55% rise in losses from online fraud against banks, reaching £23m (specifically from phishing attacks) in the first half of 2006.
- Overall card fraud losses also fell by 5 per cent in first six months of 2006, from £219.5m to £209.3m
- ATM fraud is also up - £65m was stolen last year.
The reason for this is that many European countries have moved to Chip-PIN based merchant transactions. This coupled with the fact that many European retailers still use X.25 connections between store locations and their home office instead of VPN that is used heavily in the US. This use of legacy connections actually helps reduce the instance of fraud at the retail store because there is no direct connection to the Internet.
The benefit that Chip-PIN adds to the security of European merchants will not be realized in the US due to the high deployment costs of such a system. Canadians may see similar decreases in card present transaction fraud as they begin to implement Chip-PIN.
This is supported by the APACS report noting the increase in online fraud and the decrease in retail fraud within the UK.
CNP [card not present] fraud now accounts for 46% of all losses but grew by just 5% year-on-year, compared to a 29% increase between 2004 and 2005.
Update: SANS also mentions this story was covered by the following news sources:
The SANS editor Pescatore notes:
It is really meaningless to focus on the number of phishing emails or virus email. It’s like counting raindrops in a rainstorm - you really only care about how wet you get, not how many drops fall. We’ve seen fewer phishing incidents succeed, and the overall damage flatten - but the average damage per incident has increased. The attacks are definitely more targeted and going after higher value targets.
It is NOT meaningless to focus on phishing when it relates to credit card fraud. This is because the types of phishing attacks used are called “spear phishing”
These days it’s a network of carders who each have a specific role. Roman Vega of Boa Factory fame was known for having lawyers, botnet owners, hackers, traffickers, and pushers all on staff. These days the professional carder will knock over several merchants and store the information without using it for up to two years. Once they have amassed enough information they join the databases together forming a master datasheet on peoples lives.
Once they join databases with your credit card number and others with your e-mail address they can perform ’spear phishing’ where they send you a targeted e-mail, with your credit card number, asking for your PIN number.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
6 Responses to “APACS reports credit card fraud figures for UK”
By Y.K.Raja on Nov 8, 2006
Fake documents have made signature system unreliable while pin-hole cameras have made PIN number system unreliable. Is it not obvious that unless banks implement ID KEY system which has been invented to make both these systems reliable fraud crimes will continue grow?
ID KEY system will eliminate the need for us to protect our personal details, PIN numbers etc. from fraudsters.
*Signatures personalised with ID stickers will deter fraud because fraudsters have option to misuse victim’s personal details but not their appearance (true identity or visible biometric).
*Invisible Card Key Code needed to activate ATM transaction will make it meaningless for fraudsters to skim cards and pick PIN numbers.
By datasecurity on Nov 8, 2006
I am not familiar with the ID KEY technology you are referring to, but reducing fraud is not a technical problem. Anyone can create a system that can reduce or eliminate credit card fraud (how about cryptographically signed chips you implant in people?)
The problem is that changing the entire payment infrastructure to support this new technology is VERY costly. This is why you see smaller countries such as those in SE Asia and Europe as the first to deploy new technologies, such as Chip-PIN.
By David Whitehouse on Dec 21, 2006
The DSS (Data Security Standards) set by the PCI (Payment Card Industry) provide a standard set of guidelines that can help prevent all types of credit card fraud, with many companies still not complying to these basic guidelines, I don’t see the point of introducing more advanced technologies, such as Chip and PIN. Many companies aren’t even aware that there are different levels of compliance, for those of you that do not know of these, please see http:/pci.evolve-online.com/pci-for-merchants.asp for a rough guideline.
By datasecurity on Dec 22, 2006
David,
It seems to me that you do not understand what Chip-PIN actually is! It can greatly reduce the volume of credit card theft and is a positive move for [most of] Europe.
I would advise against using your web site for the different levels because the levels are defined by card association and by region. The PCI SSC sets the “rules of engagement” via the PCI DSS, but it is the individual card associations and regions (if applicable) that enforce the requirements.
-Datasecurity
By Lewis on Jan 5, 2007
The best way to protect yourself against fraud is to check the monthly credit card statements you receive. By looking at your statements, you’ll easily be able to tell if your account has suffered any type of fraud. If you notice any type of fraudulent charges, you should instantly contact your credit card company and inform them. This way, they look into it and try to retrieve the money that was illegally stolen from you.