COMMENT
Card Not Present Attacks on the Rise
For years, banks and consumers
have worried about complex attacks – such
as Man-in-the-Browser (MITB) hacks and
magnetic stripe cloning that occurs at the
point of sale (POS). But advanced security
technology is better equipped to address
MITB attacks, and magnetic stripe attacks
are thwarted by chip-based Europay,
Mastercard and Visa (EMV) cards and POS
systems.
As MITB and POS-based attacks are
more carefully scrutinized and addressed,
criminal hackers are now moving their
attacks to more vulnerable online channels
via Card Not Present (CNP) Online Fraud.
In this situation, an attacker uses a copy
of a consumer card number, expiry date
and CVV to make an online purchase of
goods. In 2013, the European Central Bank
identified that this type of attack increased
by 24.7 percent, resulting in fraud that
totaled more than 950 million euros.
The European banking community is
taking this growing threat seriously. On
December 19, 2014, the European Banking
Authority (EBA) published its final Security
of Internet Payments guidelines. To address
the rising number of CNP attacks, the EBA
has called for banks to ensure that a strong
authentication solution is used to protect
customers. All but three of the 28 European
countries that make up the European
Union have agreed to institute laws for
compliance with these guidelines to fight
Card Not Present fraud (the UK, Estonia and
Slovakia opted out).
Consumers in the driver’s seat
Millions of dollars are spent annually on
identifying whether transactions are being
made by cardholders or by impersonators.
And, while defeating fraud is a top concern
and regulatory guidelines – like those
recently adopted by the EBA – help protect
the consumer, there
is a need for a balanced approach which
takes both the user experience and security
into account.
User experience is paramount to customer
satisfaction — and no one is willing to deal
with a clunky security solution. If security
introduces too much friction, it leads to
abandoned shopping carts and incomplete
online transactions as users get frustrated
and go elsewhere to spend their money.
But lax security leads to distrust. As service
providers migrate more services online, they
must balance security with user experience.
It’s a delicate dance, and if an enterprise
gets it wrong, its consumers will look
elsewhere.
INTELLIGENTCIO
www.intelligentcio.com