Converting online browsers into online shoppers by reducing security concerns


Upload: itdogadjajicom

Post on 16-Jan-2015


DESCRIPTION

The presentation "Converting online browsers into online shoppers by reducing security concerns", given by Žarko Vukadinović at the E-trgovina 2010 conference on 21 April 2010 in Palić.

TRANSCRIPT

Page 1: Converting online browsers into online shoppers by reducing security concerns

E-trgovina, Palić, April 2010

CONVERTING ONLINE BROWSERS INTO ONLINE SHOPPERS BY REDUCING SECURITY CONCERNS

Žarko Vukadinović

Head of E-banking Unit

Payment Cards and Direct Channels Department

Page 2: Converting online browsers into online shoppers by reducing security concerns


Albert Gonzalez (born 1981) is a computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007 – the biggest such fraud in history.

Source: Wikipedia

WASHINGTON, 2009. Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the US, accusing the one-time government informant of swiping 130 million accounts on top of 40 million he stole previously. Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit computer exploits ended when he went to jail on charges stemming from an earlier case. Gonzalez is a former informant for the U.S. Secret Service who helped the agency hunt hackers. The agency later found out that he had also been working with criminals and feeding them information on ongoing investigations, even warning off at least one individual, according to authorities...

FROM “BACKYARD HACKING” TO ORGANIZED CRIME

VERDICT: 20 YEARS

Security threats are continuously increasing and are becoming a global phenomenon

Phishing: delivered via e-mail/links

Man-in-the-Middle: delivered via e-mail/links, as a virus

Man-in-the-Browser: “The Trojan”, extremely powerful, has no observable symptoms, will be prevalent

Combination of existing threats, new threats, a shift of focus from financial services to other institutions, and the use of social engineering techniques.

Page 3: Converting online browsers into online shoppers by reducing security concerns


ONLINE SECURITY FROM MERCHANTS' PERSPECTIVE

Risk management processes conducted by merchants in order to prevent online fraud, and the cost of each:

1. Automated screening: Profit leaks

2. Manual review: Staffing & Scalability; 18% of orders

3. Accept/Reject operations: Lost sales; 4.6% of orders are rejected

4. Fraud/Claim Management: Fraud Loss & Administration

70% of merchants manually review suspicious orders

5% of merchants manually review every order

23% of chargebacks in 2009 were fraud reason-coded

1.6% of orders in 2009 proved to be fraudulent

Merchants expect to lose an average of 1.8% of their overall online revenue in 2010 to payment fraud

One third of merchants see the percentage of online revenue lost to fraud increasing year-on-year

[Chart: Greatest Business Threats; % of merchants; series 2007, 2008, 2009; categories: Internal fraud, Hackers causing malicious damage, Viruses, Systems failure, Theft of customer data, Online fraud]

Fraud as the greatest business threat, as seen by merchants, is increasing

Source: Sixth Annual UK Online Fraud Report, 2010 edition, CyberSource

Page 4: Converting online browsers into online shoppers by reducing security concerns


ONLINE SECURITY FROM CONSUMERS' PERSPECTIVE

In 2009, 50% of consumers still did not shop online, compared to 51% in 2008 and 54% in 2007.

67% of non-shoppers just like to buy on the high street

47% of non-shoppers stated that they are concerned about the security aspects

Consumers: Sources of Information About Online Safety (% of consumers)

Don't know: 4

None of these: 6

Education establishments/adult courses: 17

Independent websites or guides: 31

Internet service provider: 32

Issuing bank: 44

Positive stories in the media about the benefits of online shopping: 46

Friends/family/colleagues: 58

Negative stories in the media highlighting crimes or losses of data: 59

Key motivator for shopping online (% of consumers)

Greater cost savings: 61

Access to a wide range of products and services: 73

Saving time and hassle: 83

Across the total consumer sample, 71% stated that they are concerned about the level of risk when purchasing over the web, an increase of 5% compared to 2008.

59% of consumers stated that they heard more negative stories than positive

Just over a third of consumers have been a victim of online credit card fraud, or know someone that has

Source: Sixth Annual UK Online Fraud Report, 2010 edition, CyberSource

Page 5: Converting online browsers into online shoppers by reducing security concerns


ONLINE SECURITY FROM CONSUMERS' PERSPECTIVE

Over the years, there have been a few minor changes in the measures that consumers take to protect themselves when buying on the Internet

Consumers are becoming aware that the following parties in the Internet shopping process could provide higher security:

Banks with their products and services

Government

Themselves

Source: Sixth Annual UK Online Fraud Report, 2010 edition, CyberSource

[Chart: Consumers: Responsibility for Safer Online Shopping; % of consumers; series 2007, 2009; categories: None of these, Don't know, Police, You, yourself, Government, Card schemes (Visa, MasterCard), Internet service provider, Banks, Retailers]

[Chart: Consumers: Security Measures for Shopping Online; % of consumers; series 2007, 2008, 2009; categories: Use a credit card rather than a debit card, Use MasterCard SecureCode or Verified by Visa schemes, Shop online with reputable name retailers, Look for signs that the page is secure]

Page 6: Converting online browsers into online shoppers by reducing security concerns


PRODUCTS INSPIRED BY MARKET DEMANDS

Several products were developed during the last two decades (first Internet transaction in 1992). Some of them were more or less successful, but only rare ones were able to assure efficient prevention of online fraud.

Address Verification Service: The consumer is asked to present his address, which should match the one registered with his issuing bank

Card Verification Number: CVC/CVV number printed on the back of the card

SMS alert: The consumer is informed by his bank, on the mobile phone number he registered with the bank, that a purchase has occurred, with the details of the transaction (date, amount, place/URL, ...)

Virtual cards: Cards designed only for online shopping. Before shopping, the consumer must assign the necessary amount of money from his account to the card.

MasterCard SecureCode and Verified by VISA: Based on the 3D Secure protocol, created and standardized by VISA and MasterCard in 2002. If one of the parties doesn't participate, “liability shift” is applied.

Static Password: The consumer is redirected to the secure web page of the issuing bank in order to authenticate himself by presenting the password

Dynamic Password: The consumer is redirected to the secure web page of the issuing bank in order to authenticate himself by presenting the password generated by the card’s chip on the card reader, after entering the card’s PIN on the reader

Page 7: Converting online browsers into online shoppers by reducing security concerns

CHIP AUTHENTICATION PROGRAM – CAP

Tool for bringing online shopping security and consumer confidence to a new level

Service designed to prevent misuse of MasterCard and Maestro cards by enabling PIN-based transactions over the Internet

Having a CAP-certified card reader is a prerequisite for using the service

Gemalto, Vasco, Xiring, Todos,...

Can be obtained in Banca Intesa branches from May 15th

Service available for every existing and every new Banca Intesa Maestro or Master card

Debit cards are automatically enrolled

Only SecureCode-enabled Maestro cards can participate on the Internet, over 500,000 issued cards

Credit cards must be enrolled by the card user

User must enroll his card, simple enrollment procedure, enrollment URL https://online.bancaintesabeograd/enrollment/

Converting the Internet transaction from “card not present” to “card present” transaction

1. Look for the logo on the merchant’s web site when shopping online

2. After presenting card data you will be redirected to Banca Intesa’s secure web page

a) Check the SSL certificate and the personal message on the page in order to be sure that you are on the bank’s authentication page

b) Check the transaction data (Merchant name, Amount, Date, Card number)

3. Insert the card in the reader and enter the PIN in the reader

4. After PIN verification you will be asked to enter into the reader the challenge presented on the authentication web page

5. Enter the password generated by the reader on the authentication page and submit the transaction

Page 8: Converting online browsers into online shoppers by reducing security concerns

WHAT DOES IT LOOK LIKE?

Page 9: Converting online browsers into online shoppers by reducing security concerns


AUTHENTICATION IS WHAT MAKES IT SECURE

Two Factor Authentication principle implemented – “what you have and what you know”

I trust my card: the card’s chip acts as a security device (CAP application, Private key, Transaction counter)

I have my card: only the original card can create the correct cryptogram

I know my PIN: the PIN must be presented to the chip through the card reader, must be validated before creation of the cryptogram, and the result of validation is included in the cryptogram

Customer authentication and transaction signing – “what you see is what you sign”: input data (Challenge, Amount, Currency) is included in the cryptogram

CAP advantages compared to the static password authentication model

Preventing multiple transactions

Preventing fraudulent transactions

Authentication dependent on risk parameters

“Back-door” security modules: Risk assessment, Fraud detection, Anomaly detection

Constant education in order to increase security awareness of customers

Could security be measured in money?

PREVENTING THEFT | Phishing | Man-in-the-Middle | Man-in-the-Browser

STATIC PASSWORD | No | No | No

CAP BASED PASSWORD | Yes | Depending on authentication mode | Yes
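A simplified model of the exchange described in the CAP steps and in the "what you see is what you sign" points above, added here as an illustration and not the bank's or the card scheme's code. It assumes HMAC-SHA256 with a key shared by chip and issuer in place of the EMV cryptogram, and passes the counter alongside the password; `Card`, `Issuer`, `cryptogram` and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

# Simplified model (assumption): HMAC-SHA256 stands in for the EMV cryptogram.


def cryptogram(key, counter, challenge, amount, currency):
    """Derive an 8-digit one-time password over everything the user saw."""
    msg = f"{counter}|{challenge}|{amount}|{currency}|PIN_OK".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """The chip: key, PIN and transaction counter never leave it."""

    def __init__(self, key, pin):
        self._key, self._pin, self._counter = key, pin, 0

    def sign(self, pin, challenge, amount, currency):
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("PIN rejected, no cryptogram created")
        self._counter += 1  # every password is bound to a fresh counter
        return self._counter, cryptogram(
            self._key, self._counter, challenge, amount, currency)


class Issuer:
    """Bank side: recomputes the cryptogram from its own transaction data."""

    def __init__(self, key):
        self._key, self._last_counter = key, 0

    def verify(self, counter, password, challenge, amount, currency):
        if counter <= self._last_counter:
            return False  # counter already used: repeated transaction
        expected = cryptogram(self._key, counter, challenge, amount, currency)
        if not hmac.compare_digest(expected, password):
            return False  # data signed by the card differs from the bank's
        self._last_counter = counter
        return True


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    card, bank = Card(key, "4821"), Issuer(key)
    challenge = f"{secrets.randbelow(10**8):08d}"
    ctr, pw = card.sign("4821", challenge, "49.90", "EUR")
    return {
        "altered_amount": bank.verify(ctr, pw, challenge, "4990.00", "EUR"),
        "genuine": bank.verify(ctr, pw, challenge, "49.90", "EUR"),
        "resubmitted": bank.verify(ctr, pw, challenge, "49.90", "EUR"),
    }
```

`demo()` shows the two advantages listed above: a password created for one amount is rejected when the bank's record of the transaction carries a different amount, and the same password is rejected when submitted a second time.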

Page 10: Converting online browsers into online shoppers by reducing security concerns

WHY ARE WE DOING THIS?

because we …

... create customers' needs.

Exclusive representative of American Express for Serbia

... are a leader in applying new technologies.

Card business

First in implementing EMV, MC PayPass and MC CAP

Only bank in Serbia with >1 million issued cards

Internet banking

~100,000 retail and corporate users

>12.5 million Internet transactions with amount of ~15 billion € in 2009

... define the direction of market development.

Only bank in Serbia licensed for VISA and MC Internet acquiring

53 live merchants

~73,000 transactions with amount of ~10 million € for 2009

Page 11: Converting online browsers into online shoppers by reducing security concerns


WILL THIS BE ENOUGH?

Now this is not the end.

It is not even the beginning of the end.

But, it is, perhaps, the end of the beginning.

Sir Winston Churchill

November 1942