Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Latest Card Fraud Statistics for Australia FY2017

The Australian Payments Network (formerly the Australian Payments Clearing Association, APCA) releases http://auspaynet.com.au/resources/fraud-statistics/"card fraud statistics every six months for the preceding 12m period. For well over a decade now, Lockstep has been monitoring these figures, plotting the trend data and analysing what the industry is doing (and not doing) about Card Not Present fraud. Here is our summary for the most recent financial year 2017 stats.

CNP trends pic to FY 2017 b

Total card fraud went up only 3% from FY16 to FY17; Card Not Present (CNP) fraud was up 10% to $443 million, representing 86% of all fraud perpetrated on Australian payment cards.

CNP fraud is enabled by the difficulty merchants (and merchant servers) have telling the difference between original cardholder details and stolen data. Criminals procure stolen details in enormous volumes and replay them against vulnerable shopping sites.

A proper foundational fix to replay attack is easily within reach, which would re-use the same cryptography that solves skimming and carding, and would restore a seamless payment experience for card holders. Apple for one has grasped the nettle, and is using its Secure Element-based Apple Pay method (established now for card present NFC payments) for Card Not Present transactions, in the app.

See also my 2012 paper Calling for a Uniform Approach to Card Fraud Offline and On" (PDF).

Abstract

The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. The universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere underpin seamless convenience. So with this determination to facilitate trustworthy and supremely convenient spending in every corner of the earth, it’s astonishing that the industry is still yet to standardise Internet payments. We settled on the EMV standard for in-store transactions, but online we use a wide range of confusing and largely ineffective security measures. As a result, Card Not Present (CNP) fraud is growing unchecked.

This article argues that all card payments should be properly secured using standardised hardware. In particular, CNP transactions should use the very same EMV chip and cryptography as do card present payments.

Posted in Payments