
These sorts of article always seem to start with a plethora of worrying statistics that illustrate the prevalence of online consumer fraud.
This one doesn’t.
The problem is growing so fast that it is important to consider what actions should be taken to prevent consumer fraud rather than rehash statistics that are invariably already out of date.
There are a number of initiatives in the UK designed to help reduce consumer online fraud. Get Safe Online is one laudable example whose aim is to educate the consumer about the potential risks of transacting online.
Another example is the push by the banking organisation APACS which is promoting the CAP / DPA standard* to their membership. This is sometimes referred to as Chip and PIN at home. A number of banks that have signed up to this standard have decided to ship card readers to millions of consumers. The customer’s credit or debit card will be able to interact with the card reader and generate a one time password (OTP) which will help them access their online banking more securely.
With one or two caveats, the security associated with this implementation is a positive step forward. This is especially true when complementary technologies such as back office Risk Based Authentication and Extended Validation SSL are used as part of a layered approach to security.
What needs careful consideration is the usability and cost.
The size of the card reader means that consumers are unlikely to carry these around with them. This makes the Chip and PIN solution highly impractical given that most people access online services mainly from work and home, or perhaps when travelling with work or on holiday.
From a cost perspective, there is an argument for a single token or card reader being an appropriate expense, especially when the CAP / DPA token readers are in theory interoperable across many banks' cards. The industry should also consider an alternative solution that embeds the OTP generation functionality directly into the credit card itself or into devices such as the mobile phone that the consumer already carries around with them. This eliminates the need for the consumer to carry the card reader with them as they move about, making them more willing to adopt this higher level of security.
Would it not also be more cost effective and practical if, whatever second authentication factor was adopted, it could be used wherever one had an online relationship, not just in retail banking?
Currently the majority of online fraud is aimed at the retail banking sector, but there are other high profile companies which have been affected, and who have implemented consumer facing measures to combat online fraud.
Trailblazers such as PayPal (online payment provider), eBay (online auction) and Charles Schwab (online brokerage) have all implemented two factor authentication based on an interoperable system where the consumer has only one token that can be used across all of those sites, or at any online service that adopts that technology. That could include the UK banks.
The industry should focus on the mobile phone as the ultimate credential to generate the OTP. Consumers carry their phones religiously, making it the most consumer-friendly option. The technologies exist to do this today at a cost which is far more attractive than issuing separate card readers or tokens.
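To make the one time password mechanism described above concrete, here is an added example (not code from the article, from VeriSign, or from any bank's CAP / DPA implementation). CAP / DPA derives its passcode from an EMV card cryptogram; this example instead uses the OATH HOTP algorithm (RFC 4226), an open event-based OTP standard of the kind an interoperable phone-based token could use, as a stand-in. It shows both halves of the exchange: the token side that generates the code from a shared secret and a counter, and the service side that verifies it within a look-ahead window and refuses to accept the same code twice. The shared secret is the RFC 4226 test-vector key, and the `OtpVerifier` class, its window size and its in-memory state are assumptions made for the example.

```python
import hmac
import hashlib
import struct

# Shared secret provisioned to the token at enrolment. This is the RFC 4226
# test-vector key, used here only so the generated codes can be checked
# against the published vectors; a real token gets a random per-user secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Service-side verifier (assumed design, not a product API).

    Keeps the last counter value it accepted for this user. A presented
    code is valid only if it matches a counter strictly after that value
    and within `window` steps ahead, which tolerates a few codes generated
    but never submitted while rejecting any replay of an accepted code.
    """

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        # Reject malformed input before doing any cryptographic work.
        if len(code) != self.digits or not code.isdigit():
            return False
        start = self.last_counter + 1
        for candidate in range(start, start + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so response timing leaks nothing
            # about how many leading digits were correct.
            if hmac.compare_digest(expected, code):
                # Advance past the accepted counter: this code, and any
                # earlier unused ones, can never be accepted again.
                self.last_counter = candidate
                return True
        return False


def demo() -> dict:
    """Walk through a token/service exchange and return what happened."""
    token_counter = 0
    verifier = OtpVerifier(SECRET)

    first = hotp(SECRET, token_counter)          # token presses the button
    accepted_first = verifier.verify(first)      # service accepts it
    replayed = verifier.verify(first)            # same code again: rejected

    token_counter += 2                            # user generated one code and
    third = hotp(SECRET, token_counter)          # never submitted it
    accepted_third = verifier.verify(third)      # still inside the window

    return {
        "first_code": first,
        "accepted_first": accepted_first,
        "replay_accepted": replayed,
        "accepted_after_skip": accepted_third,
        "server_counter": verifier.last_counter,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the verifier illustrates is that the service, not the token, carries the replay protection: once a counter value is consumed it is never accepted again, and a code that was generated but never used becomes invalid as soon as a later one is accepted. That is what makes a single token safe to share across several services, provided each service keeps its own counter state for the user.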
With the right technologies deployed we can reduce the level of fraud to an acceptable level while minimizing any negative impact to the consumer experience.
Now that is a scenario which would reduce the level of worrying statistics in articles like this.
* Chip Authentication Protocol from MasterCard and Dynamic Passcode Authentication from Visa
About the author
Simon Church, Vice President, EMEA
Simon Church joined VeriSign in June 2006. Promoted to head of the combined EMEA business, he has aligned it closer to the market opportunity, yielding 140 percent year-on-year growth. He joined VeriSign from NetIQ, where he was VP and GM for EMEA. Before NetIQ, he launched the EMEA subsidiary of Mission Critical Software and was part of the management team through successful IPOs. Prior to Mission Critical he led a successful MBO from LBMS. He has more than 19 years' experience in IT and holds a B.Sc. in Computing and Operational Research from Leeds Metropolitan University.