July 2006
Consumer security confidence and migration to chip and PIN are high on the agenda of those involved in the Middle East's cards market. Chris Woods from Thales eSecurity spoke to Ruth McKee.

Security fears about online banking are starting to drive customers back to branch banking. As such, security experts believe banks need to view enhanced security measures as more than just the risk versus cost equation, and consider the wider cost implications of not making the appropriate changes.

How serious are security fears of consumers?
During the Internet explosion five years ago everyone was jumping on the Internet shopping and banking bandwagon. Most of the issues surrounding Internet banking are associated with security, but it's such an attractive way to bank. Credit card bills, in those days, involved writing a cheque, writing in the stub of the credit card invoice, posting it, and waiting for five days for it to be sorted. Paying credit card bills over the Internet is instant. But the nagging doubt is still one of security. 'Who is watching what is going on, and who is looking at my password?' Over the last five years in the world of Internet, passwords are the big news.

Customers are picking up on this threat and the banks are reluctant to spend extra money on improving security, unless there is some customer resistance to the services they are providing. It seems that customers are becoming less and less confident about security on the Internet and a lot of reports we are seeing, certainly in Europe, are indicating that customers are going back to the banks. There are more people writing cheques now. There are more people going into the branches to do their banking than there were, and clearly the banks are a bit reluctant for that trend to continue. I think they are now seriously looking at improving the security of the services and systems that they are offering to Internet users.

Is ATM fraud a problem in this region?
Certainly in the UAE there was some activity a year or so ago, where criminals were attaching cameras to ATM machines, and dummy readers in front of the magnetic strip reader. So when a customer came along and put in their card, the data was being 'skimmed' and the magnetic strip was read by this dummy reader.
 
When they typed in their PIN, the camera was watching the number and sending the information to a guy in a van up the road, and of course the customer was not aware that they had just had their card skimmed and the PIN stolen. A credit card or a debit card could then be manufactured quite easily. Until the fraud software in the bank figured out that something was not quite right, they would have taken whatever the limit for cash is on each cash machine in the area. That's still going on.

How can we overcome this?
One solution is chip and PIN. This relies on the chip to hold information securely rather than just using the information on the magnetic stripe, and the chip itself is significantly more secure than the magnetic strip, which is very easy to read. This is why the world is going 'chip and PIN'. If you have the information inside a chip, you can't actually access it because there are security procedures and designs that prevent you reading the information. The problem right now is that there is dual technology on the chip and PIN cards, so whilst the chip is the preferred method of doing a transaction these days, the magnetic strip is still on there holding the information. So when the card is used where there isn't a chip reader, and there are countries that don't have them, the card will default to the magnetic strip.

What else is new in the cards security market?
Visa and MasterCard are pushing to improve the security of online trading using credit and debit cards, where you can, with a very simple and fairly cheap handheld reader, do an ATM transaction online. You can put your card into the reader, it asks you to type in your PIN, which is the same PIN you use to withdraw cash or pay at a POS terminal, and it generates a one-time password that you can then use to log on to the Internet, and you can't use that password ever again. So customers may feel more comfortable about using this type of technology.

This is slow on the uptake because banks have actually got to spend money. It's $10 for each customer that they want to give this capability to, because they have got to give them a reader. I think that because people are starting to spend more time in branches, and are feeling more reluctant to do Internet banking because of the security issues, you can see why banks might want to spend a little bit more money to invest in the security of their Internet services. 

The other possibility is three-factor authentication, which is probably going to be for passports, i.e. biometrics, but that is probably going to be too much for banking. It's all a question of risk and cost. The banks are identifying the risk of not providing two-factor authentication to the market. How much are they going to lose? Are they going to lose money or customers? If they are losing customers then how much will they have to spend to retain the customers, or to attract more? It's like the way issuers for credit and debit cards are thinking about what other applications they can add, like loyalty. Migrating to chip and CAP is a business driver for the banks. With all the banks we are talking to about migrating to chip, we are telling them to look at loyalty, CAP and all the other applications that could be added just to make the business benefit the bank more. Security is something we think they should be looking at.

Tell me about the Middle East's progression in its migration to EMV?
EMV is being driven by the card associations. They have been driving the move from magnetic strip for the last 10 years, when at the time, they envisioned a problem with fraud with the technology.

The UAE has been the leader in the region for migration, probably because of the nature of the tourist situation there. There are a lot of people visiting from Europe with the new chip and PIN cards, and maybe the UAE wanted to be one of the first to capture these transactions. The rest of the region is slowly moving towards EMV, although it's taken longer than we in the industry thought. There was a date by which everyone in the region should be acquiring EMV, and that was January 1 this year. 

The next serious migration to EMV in the region is Saudi Arabia, and all the banks are going to be issuing EMV cards, either late this year or early next, and that has been mandated by the banking authority in Saudi, SAMA. Pakistan has started, and India is thinking about it, but there is quite a big cost involved, and it's really been driven by the customers and the card associations. It should be finished in the Middle East by the end of next year. We are seeing a nice steady take up, but it's a big investment.

© Banker Middle East 2006