Personal identification numbers (PINs) are everywhere. These numeric versions of the password have been at the heart of data security for decades, but time moves on and according to Dave Orme, SVP at IDEX Biometrics, it is becoming evident that the PIN is no longer fit for purpose. It is too insecure and leaving consumers exposed to fraud.

Why bin the PIN?

In a world that is increasingly reliant on technology to complete even the most security-sensitive tasks, PIN usage is ludicrously insecure. People do silly things with their PINs; they write them down, share them and use predictable number combinations that can easily be discovered via social media or other means. And this is entirely understandable: PINs must be both memorable and obscure, unforgettable to the owner but difficult for others to work out. Previous research has shown that when people were asked about their bank card usage, more than half (53%) shared their PIN with another person, 34% of those who used a PIN for more than one application used the same PIN for all of them and more than a third (34%) of respondents used their banking PIN for unrelated purposes, such as voicemail codes and internet passwords, as well. In the same study, not only survey respondents but also leaked and aggregated PIN data from other sources revealed that the use of dates as PINs is astonishingly common1.

But if the PIN has had its day, what are we going to replace it with?

Biometrics

Biometrics may seem to be the obvious response to this problem: fingerprint sensors, iris recognition and voice recognition have already been trialled in various contexts, including financial services. In fact, wherever security is absolutely crucial, you are almost certain to find a biometric sensor — passports, government ID and telephone banking are all applications in which biometric authentication has proven highly successful.

For biometric authentication to work, there has to be a correct (reference) version of the voice, iris or fingerprint stored, and this requires a sensor. The search for a flexible, lightweight, but resilient, fingerprint sensor that is also straightforward for the general public to use, has been the holy grail of payment card security for quite some time.

It is one thing to build a sensor into a smartphone or door lock, but quite another to attach it to a flexible plastic payment card. A major advantage of fingerprint sensors for payment cards is that the security data is much more difficult to hack.

Not only are fingerprints very difficult to forge, once registered they are only recorded on the card and not kept in a central data repository in the way that PINs often are - making them inaccessible to anyone who is not physically present with the card.

Your newly flexible friend

Fortunately, the impossible has now been achieved. The level of technology that has been developed behind the sensor makes it simple for the user to enrol their fingerprint at home, and once that is done they can use the card over existing secure payment infrastructures.

Once it is registered and in use, it can recognise prints from wet or dry fingers and knows the difference between the fingerprint and image ‘noise’ (smears, smudging etc.) that is often found alongside fingerprints. The result is a very flexible, durable sensor that provides fast and accurate authentication.

The PIN is dead, long live the sensor

Trials of payment cards using fingerprint sensor technology are now complete or under way in multiple markets, including the US, Mexico, Cyprus, Japan, the Middle East and South Africa. Financial giants including Visa and Mastercard have already expressed their commitment to biometric cards with fingerprint sensors, and some are set to begin roll-out from the latter half of 2018. Mastercard, in particular, has specified remote enrolment as a ‘must have’ on its biometric cards, not only for user convenience but also as means to ensure that biometrics replace the PIN swiftly, easily and in large volumes2.

With the biometric card revolution now well under way, it’s time to say farewell to the PIN and look forward to an upsurge in biometric payment card adoption in the very near future.

1 Bonneau J, Preibusch S and Anderson R. A birthday present every eleven wallets? The security of customer-chosen banking PINs: https://www.cl.cam.ac.uk/~rja14/Papers/BPA12-FC-banking_pin_security.pdf

2 Mastercard announces remote enrolment on biometric credit cards: https://mobileidworld.com/mastercard-remote-enrollment-biometric-credit-cards-905021/

Banks and card companies prevented £1,458.6 million in unauthorised financial fraud last year, equivalent to £2 in every £3 of attempted unauthorised fraud being stopped, the latest data from UK Finance shows.

In 2017, fraud losses on payment cards fell 8% year-on-year to £566.0 million. At the same time, card spending increased by 7%, meaning card fraud as a proportion of spending equates to 7.0p for every £100 spent – the lowest level since 2012. In 2016 the figure stood at 8.3p.

For the first time, annual data on losses due to authorised push payment scams (also known as APP or authorised bank transfer scams) has also been collated. A total of £236.0 million was lost through such scams in 2017.

The unauthorised fraud data on payment cards, remote banking and cheques for 2017 shows:

• Combined total losses fell by 5% to £731.8 million.
• Losses due to unauthorised transactions on payment cards fell 8% year-on-year to £566.0 million. The industry helped prevent £984.9 million in attempted unauthorised card fraud.
• Losses due to unauthorised remote banking fraud totalled £156.1 million, a 14% rise on 2016. Banks prevented £261.4 million of unauthorised remote banking fraud, 27% more than last year.
• Cheque fraud losses fell 28% in 2017 to £9.8 million. This is the lowest annual total on record. £212.3 million of attempted unauthorised cheque fraud was prevented.
• There were 1,910,490 reported cases of unauthorised financial fraud, a rise of 3% compared to the year before.

The new authorised push payment scams data, collected for the first time in 2017, shows:

• There were 43,875 reported cases of authorised push payment scams with a total value of £236.0 million. 88% of this total were retail consumers, losing an average of £2,784, and the remainder were businesses who lost on average £24,355 per case.
• Financial providers were able to return £60.8 million (26%) of the authorised push payment scam losses in 2017.

Katy Worobec, Managing Director of Economic Crime at UK Finance, said: “Fraud is an issue that affects the whole of society, and one which everyone must come together to tackle. The finance industry is committed to playing its part – investing in advanced security systems to protect customers, introducing new standards on how banks respond to scam victims, and working with the Joint Fraud Taskforce to deter and disrupt criminals and better trace, freeze and return stolen funds.

“We are also supporting the Payment Systems Regulator on its complex work on authorised push payment scams, providing the secretariat for its new steering group. It’s a challenging timetable, but it is important that we get it right to stop financial crime and for the benefit of customers.”

The finance industry is responding to the ongoing threat of all types of fraud and scams by:

• Helping to prevent customers being duped by criminals by raising awareness of how to stay safe through the Take Five to Stop Fraud campaign, in conjunction with the Home Office.
• Working with government and law enforcement to deter and disrupt criminals and better trace, freeze and return stolen funds, while calling for new powers on information sharing to allow banks to share data to detect and prevent financial crime better.
• Implementing new standards to ensure those who have fallen victim to fraud or scams get the help they need, including around-the-clock availability of fraud teams, to make it easier and better for the customer, and, where possible, improve the likelihood of their funds being recovered. UK Finance will also be the secretariat for the PSR’s new steering group on authorised push payment scams².
• Working with government on making possible legislative changes to account opening procedures to help the industry act more proactively on suspicion of fraud and prevent criminals from accessing financial systems.
• -Rolling out the Banking Protocol – a ground-breaking rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place – to every police force area in the UK. In 2017, while it was still being introduced across the country, the Protocol prevented £13.3 million of fraud and led to 129 arrests.
• Sponsoring the Dedicated Card and Payment Crime Unit⁵, a specialist police unit which tackles the organised criminal groups responsible for financial fraud and scams. This has led to a combined value in savings and disruptions in criminal activity of close to £30 million in 2017.
• Exploring new ways to track stolen funds moved between multiple bank accounts.

To help everyone stay safe from fraud and scams, Take Five to Stop Fraud urges customers to follow the campaign advice:

• A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account. Only give out your personal or financial details to use a service that you have given your consent to, that you trust and that you are expecting to be contacted by.
• Don’t be tricked into giving a fraudster access to your personal or financial details. Never automatically click on a link in an unexpected email or text.
• Always question uninvited approaches in case it’s a scam. Instead, contact the company directly using a known email or phone number.

Tony Blake, Senior Fraud Prevention Officer at the Dedicated Card and Payment Crime Unit, said: “With criminals using social engineering to target people and businesses directly, it’s vital that everyone follows the advice of the Take Five campaign. Always stop and think if you are ever asked for your personal or financial details. Remember, no bank or genuine organisation will ever contact you out of the blue and ask you to transfer money to another account.”

Unauthorised fraud

In an unauthorised fraudulent transaction, the account holder does not provide authorisation for the payment to proceed and the transaction is carried out by a third-party.

Authorised fraud

In an authorised push payment (APP) scam, the account holder themselves authorises the payment to be made to another account. If a customer authorises the payment themselves, current legislation means that they have no legal protection to cover them for losses – which is different for an unauthorised transaction.

Banks will always endeavour to help customers recover money stolen through an authorised push payment scam but customers typically only approach their bank after the payment has been processed, once they realise they have been duped. By this time the criminal has often withdrawn the stolen funds and the customer’s money has gone. Alongside the extensive work already underway through the Joint Fraud Taskforce, UK Finance is also currently working with the Payment Systems Regulator on its proposals to tackle these scams.

Behind the data

Fraud intelligence points towards criminals’ use of social engineering tactics as a key driver of both unauthorised and authorised fraud losses. Social engineering is a method through which criminals manipulate people into divulging personal or financial details, or into transferring money directly to them, for example thorough impersonation scams and deception.

In an impersonation scam, a fraudster contacts a customer by phone, text message or email pretending to represent a trusted organisation, such as a bank, the police, a utility company or a government department. Under this guise, the criminal then convinces their victim into following their demands, sometimes making several separate approaches as part of one scam.

Data breaches also continue to be a major contributor to fraud losses. Criminals use stolen data to commit fraud directly, for example card details are used to make unauthorised purchases online or personal details used to apply for credit cards. Stolen personal and financial information is also used by criminals to target individuals in impersonation and deception scams, and can add apparent authenticity to their approach.

(Source: UK Finance)

“If you are not taking care of your customer, your competitor will” – Bob Hooey. And that’s exactly where loyalty programs come in. Why do they work? Rob Meakin, Managing Director at Loyalty Pro, explains.

Those are words for any business leader, retailer or independent store owner to live by. But actually, are you taking care of your customer? Are you putting them first, or your business first?

The difference between the customer of 2008 and 2018 is very different. Ten years ago, online retail was a relative youngster, the high street dominated retail purchasing and waiting 3-5 days for an online purchase to arrive wasn’t considered strange. Nowadays, customer loyalty has shifted from brand to service, Amazon now offers delivery within an hour and consumers do a vast amount of their shopping online.

The decline of the high street store and rise of online shopping have reduced footfall and revenue for many companies looking to compete in an increasingly shrinking space, particularly those in the independent retail space.

In a country with increasing inflation, tightening purse strings and a lack of confidence in its economic future, gaining customers’ loyalty and increasing repeat purchases is more important now than ever before.

Whether you’re an independent coffee shop owner or Managing Director of a local toy store, everyone is looking for a solution to increase footfall and entice the customer back.

Empowering the customer

This solution lies within a loyalty programme that addresses the needs and wants of the customer first and the business second. Yet far too often, loyalty schemes are designed with the latter in mind. Look at Tesco – they attempted to redesign their loyalty offering to make it “simpler” for the customer, but appeared to put their business interests first.

And what happened? The move not only alienated customers, but the social media and general public backlash was so pronounced that it forced the supermarket to delay rolling out their new scheme. What Tesco didn’t do was to think about what the customer wanted. Or if it did, it certainly didn’t do enough market research on it.

It put the supermarket on the back foot and facing a PR nightmare. It took power away from the customer by “simplifying” its vouchers, but what this ultimately meant was reducing some of the vouchers’ values. This was very much egg on the face for the UK’s biggest retailer.

The sweet spot of simplicity

Pulling wool over customers’ eyes in the case of the above example won’t go down too well. But actually, businesses are able to create a loyalty scheme that can find that perfect spot of simplicity and genuine reward.

If you’re a business that relies on repeat custom, you need an easy loyalty solution and one that isn’t going to drive away your customers, and you need to make sure you’re satiating the needs of everyone. In practice, not everyone wants loyalty in the same way; this means that you need to ensure that you’re covering both an app and a loyalty card – and even paper vouchers in some instances.

And there’s no use overcomplicating a points-based system, either. It’s not just about simplicity, but simplicity through choice; after all, it’s what you can do with the points that matters. Offer a discount or promotion at your own store. Allow the customer to donate to a choice of charities in the area. Work with other community stores and business owners to increase loyalty in the region.

Personalising your offering

If you do decide to offer promotions and discounts at your own store, make sure that the rewards you are offering the customer are tailored and personalised to that customer. Using the latest loyalty solutions that can take your data, enhance it and give you a complete customer view are essential for bringing the customer back to the store.

It’s about being clever with the data you have. If a customer is going into your coffee chain Mondays, Wednesday and Fridays generally, why not offer a personalised discount on the Tuesday and the Thursday too, specific to that customer? These days, consumers want the VIP treatment and to be part of the ‘membership economy’ – and you can do that through tailored schemes that cut through.

In this age of wavering customer loyalty, you need to deploy a loyalty scheme that is honest, personalised and simple. But these concepts are not mutually exclusive when we’re talking about loyalty in 2018.

Put your customer first so your competitor won’t have to.

Figures released by UK Finance find the number of debit and credit card transactions grew by 12% in the UK in the year to the end of June, the highest annual rate since 2008. The value of spending also rose, accelerating to 7.2%.

Lenders are currently facing the pending challenge of upping their game after The Bank of England's Prudential Regulation Authority (PRA) highlighted the need to address lending concerns.

Ian Bradbury, Chief Technology Officer, Financial Services Business at Fujitsu UK and Ireland, told Finance Monthly:

“With the use of contactless payment cards soaring by over 140% in the past year alone, the news that UK credit and debit card spending is growing at its fastest rate in nine years comes as no surprise. We expect contactless payments to become an increasingly important feature in the British payments landscape. Making up around a third of all plastic card transactions – up from around 10% just a couple of years ago – the convenience and ease of contactless payment means that such transactions are continuing to gain traction with the public. Not only this, the high-growth adoption of contactless payments underlines the fact that consumers and retailers choose to adopt solutions that are secure, quick and easy to use, as well as ubiquitous.

Contactless payments are not only easier to use than Chip and Pin, they are in many ways more practical than small change and small notes. The significant parallel growth in debit card transactions also suggests that this is not growth just fuelled by debt and easy credit – much of this increase will be a result of contactless payments being made purely due to ease. What’s more, contactless payments have the added value of fuelling other payment solutions such as Apple and Google pay and other wearable technology – which can’t be done as easily with Chip and Pin.

Finally, the success of contactless payments demonstrates that consumers are quick to adopt new payments solutions that focus heavily on improving the consumer experience. However, because consumer experience can cover many aspects including convenience, security, speed and ubiquity, it’s vital that providers put in place ways to improve the experience over current solutions. If future payment solutions do not address all of these areas – which are fast-becoming a customer expectation – then they are unlikely to be successful.”

September marks the 10^th anniversary of the contactless card, and in the last decade we’ve seen its use soar, particularly in recent years. Barclaycard believes its use will push a further 300% in the next four years.

 Finance Monthly has heard from Ian Bradbury, CTO for Financial Services at Fujitsu UK and Ireland, who shares his insights on how contactless has developed over the past ten years, and where he expects the payments landscape to go next.

It is hard to believe that contactless cards have now been around for a decade, as we have only in recent years seen them receive significant uptake with consumers. What was once seen as ‘scary’ and ‘unsafe’ to use, is now – thanks to its ease and education – resonating and growing in popularity with today’s consumers and now responsible for a third of all card transactions.

We expect this adoption of contactless payments to only grow, and become an increasingly important feature in the British payments landscape. Ultimately, both consumers and retailers are choosing to adopt solutions that are secure, quick and easy to use, as well as ubiquitous.

Not only are contactless payments quicker and easier to use than Chip and Pin, they are in a variety of ways more practical than small change and notes. The notable corresponding growth in debit card transactions also implies that this is not just growth fuelled by debt and easy credit – much of this increase will be a result of contactless payments being made purely due to ease. Moreover, contactless payments have the added value of fuelling other payment solutions such as Apple and Android pay and other wearable technology, which isn’t so easily done with Chip and Pin.

The success of contactless payments highlights consumers today are quick to adopt new payments solutions that focus on improving their experience. That said, because consumer experience can cover many aspects including convenience, security, speed and ubiquity, it’s essential that providers put in place ways to improve the experience over current solutions. If future payment solutions do not address all of these areas – which are fast-becoming an everyday expectation from consumers – then they are unlikely to be successful.

Analytic software firm FICO recently released an interactive map of European card fraud, which shows that card fraud losses for 19 European countries hit approximately €1.8 billion, a new high. The UK saw the highest losses at £618 million, a 9% rise over 2015, topping the previous peak in card fraud, set in 2008 after the introduction of chip and PIN.

Card not present (CNP) fraud has gone from 50% of gross fraud losses in 2008 to 70% in 2016. Ten countries saw an increase in fraud losses, while eight saw a decrease. The map is based on data from Euromonitor International, with additional information from the UK Cards Association.

“The growth in online spending and CNP fraud brings new challenges for banks and retailers, as criminals thwarted by chip & PIN have moved to a less risky channel,” said Martin Warwick, senior consultant for fraud at FICO. “Hiding amongst the growth in online purchases is great from a criminal point of view, but finding and stopping fraudulent transactions just gets tougher. Spotting the ‘needle in a haystack’ requires new behavioural analytics and artificial intelligence, combined with enhanced information from outside the traditional data contained within a purchase.”

In 2015 the UK’s card fraud rise was the highest in Europe, but in 2016 two countries saw higher rises — Poland (+10%) and Sweden (+18%). The UK’s rise from 2015 to 2016 was just half of that from 2014 to 2015.

France had the highest basis points at 8.9 (ratio of fraud losses to sales) among the 19 European countries, compared to 7 basis points for the UK. However, French card spending is half that in UK, making UK losses much greater. Together, the UK and France account for 73% of the total loses among the 19 countries in 2016, followed by Germany, Spain, Russia, Italy and Sweden.

Fighting Back with AI

FICO is working with banks to advance the use of machine learning and artificial intelligence to identify fraud faster. The key, Warwick says, is to spot anomalies without putting friction into the transaction.

“It’s no longer just about identifying patterns that are unusual for the customer — we’re also looking at anomalies at the mobile device, IP address and merchant level,” said Scott Zoldi, FICO chief analytics officer. “All of these have ‘behaviors’ just as individuals do, and we’re using our 25 years of experience in artificial intelligence to identify those.”

Mobile analytics is an important area here, said Zoldi, who developed or co-developed half of the company’s 70 patents in artificial intelligence and machine learning. “FICO has developed archetype analytics that taps into the rich source of mobile context such as advanced geolocation, allowing us to use that information in FICO Falcon Fraud manager to make real-time decisions during a transaction,” Zoldi said. “These analytics draw on our patented work with customer behaviour archetypes.”

Banks and card issuers are also beginning to step up their use of real-time customer communication. “Contacting consumers early using automated two-way SMS is a key solution to making sure the transactions are valid,” Warwick said. “If this is fully automated and tied into the fraud solution — as it is with FICO Customer Communication Services and the FICO Falcon Platform — then cases can be closed without human intervention and consumers can be allowed to continue to spend when and where they want.”

(Source: FICO)

The number of purchases using debit and credit cards has more than doubled in the past 10 years, as contactless payments and online retail have driven a change in the way consumers pay, a new report from The UK Cards Association shows.

Debit and credit cards were used to make 16.4 billion purchases in 2016, up 146% from 6.7 billion in 2006. It means that 518 card payments were made every second last year by cardholders both in the UK and travelling overseas.

Over the past decade the growth in the number of card transactions has outstripped the rise in the amount spent, showing consumers’ increasing preference for using cards instead of cash for lower value payments. Last year the average value of a card transaction fell to £43.47, its lowest level in 15 years.

The new report, UK Card Payments 2017, highlights the impact of the growth in online spending and contactless payments. By the end of 2016, four in 10 (39%) card transactions were either online or made using a contactless card, compared to a quarter (24%) the previous year.

Graham Peacop, Chief Executive of The UK Cards Association, said: “Card payments play a central role in our economy, with spending equivalent to a third of the UK’s GDP. As consumers continue to make the switch from cash to contactless and with the rise of the app-economy, we forecast that the number of card payments will grow substantially over the next decade too.”

With card payments providing significant benefits to businesses, the number of retailers accepting cards increased to just over 1 million last year. The number of individual outlets accepting cards has jumped by 63% in the last 10 years to 1.3 million in 2016.

A total of £709 billion was spent by UK debit and credit card holders both domestically and overseas last year. Debit cards represented 75% of this total, amounting to £530 billion. This month is the 30th anniversary of the introduction of the debit card to the UK.

Payment cards were used for three-quarters (77%) of all retail spending in the UK last year. Cardholders spent the most on food and drink (£114 billion), followed by other services (£100 billion), financial services (£80 billion) and entertainment (£57 billion). A third of all card purchases in 2016 were made at supermarkets, while every fifth payment was on entertainment.

In 2016, there have been significant developments in the delivery of digital services to consumers, such as in-app purchasing and a new trend of fusing social media formats with payment capabilities.

In the next decade, the increasing use of contactless and mobile payments, particularly by younger people, will be a major source of growth for debit card payments, the report says.

The volume of debit card purchases is forecast to grow by 57% to 18.2 billion in 2026, four times the number made in 2006. In a decade’s time, half of all debit card transactions (51%) will be contactless. Credit card transactions are expected to increase to 3.7 billion by 2026.

(Source: The UK Cards Association)