原始網址:http://www.wsj.com/articles/credit-card-scammers-embrace-online-shopping-1477387802
Credit-Card Scammers Flock to Online ShoppingUse of stolen card data on Internet climbs; ‘no one is standing there to authenticate you’0:00 / 0:00The use of stolen credit cards on the internet is rising, as criminals make more fraudulent purchases online to bypass stricter in-person retail security measures. WSJ’s Lee Hawkins explains.By ROBIN SIDELUpdated Oct. 25, 2016 3:44 p.m. ET82 COMMENTSJust like legitimate shoppers, criminals are buying more goods and services online with credit cards.
The rate of online card fraud is rising sharply as a growing number of purchases take place on the internet while brick-and-mortar merchants race to lock down vulnerabilities in the checkout line. That is prompting new steps to try to curb the threat: The credit-card industry on Tuesday announced a plan to encourage online merchants to provide card issuers with more detailed customer information that could be used to catch fraudulent purchases.
More than 7.5% of online merchants’ revenue is eaten up by the cost of actual fraud and costs associated with fraud-prevention tools, according to a survey released Tuesday by Javelin Strategy & Research, a consulting firm that specializes in the payments industry. “As the volume of e-commerce transactions increases, it becomes harder for merchants to discern between legitimate and fraudulent activity,” according to the study by Javelin, a unit of Greenwich Associates LLC.
Aite Group LLC, another consulting firm, estimated in May that so-called card-not-present fraud will rise to $4 billion this year from $3.2 billion in 2015. It expects that figure to jump to $7.2 billion in 2020.
RELATED
View the Full ReportAs a result, online merchants and the card industry are scrambling to create products and procedures that can quickly identify fraudulent transactions when an unseen customer taps card information into a computer or mobile device. “In card-not-present transactions, there are so many different kinds of merchants and the fraud manifests in so many different ways that there really isn’t a one-size-fits-all solution,” says Julie Conroy, an analyst at Aite.
Among other solutions, the card industry is touting technology called tokenization. This replaces cardholder information such as account numbers and expiration dates with a unique series of numbers that validates the customer’s identity. That way, hackers can’t steal actual card data if a merchant’s payment system is breached.
And Tuesday, the industry introduced new standards for card issuers to put technology in place that will accept additional data from merchants who want to authenticate transactions. The move will allow merchants to send information such as the customer email address, billing and shipping details to the banks as additional tools to verify that the purchase is authentic.
ENLARGEMerchants now send only limited information to card issuers for authentication, such as the purchase amount and the name of the business.
The growing problem of online card fraud comes at a time when criminals are increasingly being stymied at the checkout line. Computer chips that are embedded in credit and debit cards make it far more difficult for thieves to use stolen card data to create counterfeit cards.
In card-not-present transactions, “no one is standing there to authenticate you so it is the path of least resistance,” says Tom Byrnes, chief marketing officer at Vesta Corp., a company that helps online merchants tackle fraud. Vesta sponsored the Javelin study.
Fraud is particularly difficult for online merchants because they are on the hook to pay the cost of bogus transactions, yet they also are under pressure to deliver products to customers quickly. That is especially the case for merchants that sell digital goods such as music or videogame downloads.
The Javelin study found that digital-only merchants are spending more than other online merchants to combat fraud, with 8.6% of their revenue being used to cover fraud losses and fraud management.
‘We have had to build a lot of infrastructure to protect our business.’—Trevor Nies, Microsoft Corp.At Microsoft Corp., a team of data scientists analyzes transactions that are flagged as high risk in an attempt to determine if the card being used actually belongs to the customer. In some cases, the company will track down the customer by phone to verify the identity.
“We have had to build a lot of infrastructure to protect our business,” says Trevor Nies, senior director for risk operations and analytics at Microsoft. Products that are particularly popular, such as Xbox videogames, “give us a big X on our back, for sure,” he says.
Scammers also are targeting online travel agencies, using stolen cards to book hotel rooms and flights and then moving up the reservation date by calling the lodging company and airline directly, says James Houlihan, co-founder of Paladin Group, a fraud-prevention consulting firm. “Fraudsters want to look like normal customers so when they’re hiding between good customers, it is hard for a company to pick them off,” he says.
Industry experts say it is too soon to attribute the rise in card-not-present fraud directly to the shift in more secure payment technology at brick-and-mortar merchants. That is especially the case since millions of physical merchants still haven’t upgraded their equipment to accept the new chip cards.
Still, other countries such as the U.K. and Canada that adopted chip-card technology in physical stores saw fraud migrate to online channels. The U.S. is one of the last developed countries to start using chip-based cards, so that shift still may be down the road, industry specialists say.
Write to Robin Sidel at [email protected]
在資訊安全上,至少需要兩個因素才能有效認證,這是目前業界的共同認知。
每個標準對於因素的選擇,有很多權衡。像指紋、虹膜雖然難以複製,但也無法更換,所以我覺得一組良好的密碼配上可以撤銷的卡片,確實是比較容易的做法。
另外,以手機取代卡片的 FIDO(https://fidoalliance.org/about/overview/)與 Mobile Connect(https://developer.mobileconnect.io/)技術,是業界在回應易用和安全的雙重要求下,提出的認證架構,或許也可參考。
謝謝政委的指教,也能在這裡得到很多的意見交流,謝謝!!