Risk Management

  Positive Iden
at the Poi


The Ultimate Fraud Prevention Tool

by George E. Devitt

   Credit card fraud will cost the card payment industry more than $4 billion this year. Fraud affects the entire industry: merchants, acquirers, issuers and consumers. Importantly, fraud is responsible for higher merchant discounts (through interchange fees). Most fraud results from an individual using a card (or card number) that was not legitimately issued to him.
   If merchants could positively confirm that the person using the card is, indeed, the person to whom the card was issued, a large percentage of fraud would be eliminated. In fact, there is a profit potential in cutting fraud at the point-of-sale, as it would result in substantial savings for card issuers, and even acquirers. The technologies needed to cut fraud through the verification of cardholder identity are no longer in the realm of science fiction: they are available today in a cost-effective and practical format.
   Before moving on, let's examine some identification basics. In some markets today, retailers are requesting a driver's license when a bankcard is presented for payment. A driver's license (or passport, birth certificate, social security card, etc.) is simply a claim of identity. It is not a proof of identity. Indeed, there are websites today through which anyone can order a fraudulent driver's license or other form of identification that is virtually indistinguishable from the legitimate document.
   Our methods of validating claims of ID are imprecise: pictures compared to their bearers' appearance, looking at scrawls that may resemble signatures, all of it highly subjective and haphazard. Often the presence of a document that appears reasonable, or a card that looks OK, is accepted as proof of ID. Widely available and sophisticated imaging and copying technologies only compound the problem, as they make the job of forgers easy. Cards can be forged or skimmed. Even PINs can be obtained through "shoulder surfing" or electronic bugs, or simply just given away. It's no wonder that fraud is escalating at such an accelerated pace. This is especially a big problem with credit and signature-based debit cards, which are essentially defenseless against the new skimming technologies available to crooks.
   A magnetic stripe card only proves that the person presenting it has the card with the correct data on it, or in the case of a remote transaction, has the card number. Smart cards, although secure against forgery, don't prove identity either. They are just stronger claims of ID. Because smart cards cannot be easily duplicated, they are capable of eliminating skimming, or about 35% of fraud. But that still leaves a lot of fraud in the market. Smart cards combined with PINs come closer to ID verification, but they still fall short because of identity theft, carelessness in recording PIN numbers, or coercion to reveal the PIN. In many countries, PINs are required when making purchases; however, the current implementation of the EMV standard in the United States does not require the entry of a PIN when a smart card is used at the point-of-sale. Additionally, the card associations are reluctant to mandate PINs because to do so would change how consumers use the cards.
   What the industry needs is a simple and cost-effective means of verifying cardholder identity. The method should be compatible with both existing magnetic stripe cards and future smart cards. Most importantly, the solution has to be cost effective: fraud is around $0.50 per card per year. Any solution attacking it must cost less.
   Biometrics technology has the potential of delivering on this promise of eradicating fraud in a cost-effective and simple manner. While there is general agreement on the benefits of biometrics, there is little consensus on what form of biometrics to deploy. The most commonly known methods are facial recognition, retinal scan, iris scan, palm print, fingerprint, voice recognition and signature dynamics. When considering these different methods, especially from the card industry's point of view, we must keep several criteria in mind. Firstly, the technology must be reliable, mature and suitable for mass production. It must be cost effective. It must not be intrusive or threatening. It must be easy to use and must require minimal disruption to consumers.
   These criteria eliminate many of these methods from consideration for the point-of-sale. Retinal scans require elaborate equipment and the subject must remain still while looking at the scanner. Iris scans use a powerful infrared light to heat up the iris, a process that requires considerable cooperation from the subject and that many may find intrusive. Palm print biometrics requires a large scanner. Voice recognition and signature dynamics are not pure biometrics as they are behavior-related and provide poor repeatability.
   Today, fingerprint-based techniques appear to offer the most practical, cost-effective and generally deployable form of biometrics. The technologies are well established and a fingerprint scanner need not be much bigger than the fingertip, while the data generated is rich enough for reliable identification. Several scanning chips are quickly becoming cost effective. The biggest drawback of fingerprint-based ID is the public's perception of an invasion of privacy.
   Any fingerprint-based biometrics scheme will have to reassure the public that it will not diminish privacy or reduce personal liberty. It must not use, create, transmit or store fingerprint images in the identification process. Rather, the system must use certain characteristics of the fingerprint to establish vectors, which create a number (essentially a 256-digit PIN, or what we call a "FingerPIN") that can be used for ID verification. This process is strictly one-way. In other words, from a fingerprint the scanner can derive the "FingerPIN", but it is not possible to recreate the image of the fingerprint from such derived data. In fact, FingerPINs are not unique, just as PINs are not unique! What is unique is the combination of the card and the FingerPIN. An analogy to today's PINs may be appropriate. A four-digit PIN has only 9,999 possible combinations. That means that every 10,000th person has the same PIN. What is unique, however, is the combination of the PIN and the consumer's online debit card number.
   This type of simple system is eminently suited for point-of-sale environments where cards, and their users, are registered when they first encounter the system. The same simple peripheral scanner device that is used for verification can be used for enrollment, which would be made secure by presenting supporting ID (driver's license, etc.). Such a scanner can be easily and quickly connected to the card payment terminal at a cost of approximately $100 to $150 per device. For enrollment, the consumer swipes a card, places a finger on the sensor, and provides several documents of identity. The FingerPIN thus created is transmitted to a database, where it is stored under the card number it is enrolled with. This database may be maintained by a large retailer, by an acquirer, or by a third-party service provider. The incremental cost of adding the finger-scanning peripheral is only a fraction of the cost of the terminal itself. This cost, on a per-card basis, works out to be $0.30 per year, which is lower than the fraud it would eliminate ($120, 4-year life, 100 cards for every terminal). Additionally, the device can easily be added to most terminals already installed. And the system works with both magnetic stripe cards and smart cards.
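   The enrollment and verification flow described in the two paragraphs above, as an added Python sketch that is not part of the original article or of any product: the FingerPIN is stored under the card it was enrolled with, and a later reading is checked only against that one record. Assumptions not taken from the article: the `FingerPinRegistry` class and its method names are hypothetical, the card number is indexed by a keyed hash, and a repeat reading may differ from the enrolled FingerPIN in up to `MAX_MISMATCHES` digits.

```python
import hashlib
import hmac

FINGERPIN_DIGITS = 256  # FingerPIN length stated in the article
MAX_MISMATCHES = 20     # assumed sensor-noise tolerance, not from the article


def card_key(card_number: str, secret: bytes) -> str:
    """Keyed hash of the card number, so records are not indexed by raw PANs."""
    return hmac.new(secret, card_number.encode(), hashlib.sha256).hexdigest()


class FingerPinRegistry:
    """Hypothetical stand-in for the retailer/acquirer/third-party database."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._records = {}  # card key -> enrolled FingerPIN

    @staticmethod
    def _check(fingerpin: str) -> None:
        ok = len(fingerpin) == FINGERPIN_DIGITS and fingerpin.isascii() and fingerpin.isdigit()
        if not ok:
            raise ValueError("FingerPIN must be 256 decimal digits")

    def enroll(self, card_number: str, fingerpin: str) -> None:
        self._check(fingerpin)
        self._records[card_key(card_number, self._secret)] = fingerpin

    def verify(self, card_number: str, fingerpin: str) -> bool:
        """1:1 check against the single record enrolled for the presented card."""
        self._check(fingerpin)
        enrolled = self._records.get(card_key(card_number, self._secret))
        if enrolled is None:
            return False  # card was never enrolled
        mismatches = sum(a != b for a, b in zip(enrolled, fingerpin))
        return mismatches <= MAX_MISMATCHES


def demo() -> dict:
    """Constructed sample values: card numbers and FingerPINs are made up."""
    reg = FingerPinRegistry(secret=b"constructed-demo-key")
    enrolled = ("1234567890" * 26)[:256]
    noisy = "00000" + enrolled[5:]        # same finger, 5 digits read differently
    other = ("9081726354" * 26)[:256]     # a different person's FingerPIN
    reg.enroll("4000000000000002", enrolled)
    return {
        "cardholder": reg.verify("4000000000000002", noisy),
        "stolen_card": reg.verify("4000000000000002", other),
        "unenrolled_card": reg.verify("4000000000000010", enrolled),
    }
```

   Because a tolerant comparison needs the enrolled value itself, the stored FingerPIN cannot simply be hashed like a password, so the database holding it needs its own access control and encryption at rest.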
   Bringing positive identification to the point-of-sale not only serves our industry by dramatically reducing card-based fraud, but also represents an additional revenue opportunity for Independent Sales Organizations, acquiring processors, value-added resellers and others. It is time we do something about fraud!