Showing posts with label online payment security issues. Show all posts
Showing posts with label online payment security issues. Show all posts

Friday, May 6, 2011

Online Payments Security Part. III

Banks are not the only one to offer new payment solutions. Weneo, an adapted version of the online payment inherited "Moneo" offers a USB key that stores electronic money units, to make secure purchases of small amounts (below 30 €) on the internet without disclosing their bank details.

The market for trusted third party also whets the appetite. The historical actor PayPal (credit institution licensed in Luxembourg, for its European operations) is now challenged by Google Checkout (ELMI registered in the United Kingdom). In France there are also some establishments such as payment or Limonetik Cards-Off, which is also responsible for completing the transaction by credit card instead of the merchant site. The buyer did not then enter their bank details to the merchant site.

Also there are companies like Secuvad offering integrated solutions to secure payments (fraud detection real-time scoring and historical bases), but these solutions if they protect traders, does not protect the buyer himself.

The surprise could come from so many;  Buyst, authorized payment institution recently created by Orange,  SFR, Bouygues Telecom and Atos Origin, surfing the development of Smartphone and offering both secure payments m-commerce and e-commerce via the mobile phone.

It is unclear whether these new entrants will have hard time to major banks in the field of online payments. Still, they are laboratories of innovation than traditional banks must watch closely.

Online Payments Security Part. II

The strong authentication devices: 3D Secure e-Card ...

Thus, in order to identify the owners of cards, but also and especially to strengthen the security of online payments, some banks have introduced single-use maps (such as e-Carte Bleue) from 2002. Electronic clone a credit card, they provide a single use code generated by the user on the site of his bank card from her real. Once payment is made with this code, it is no longer usable for any other purchases. But this type of solution prolongs the act of buying and makes it less suitable for repeated payments of small amounts (news article, listening to the unit ...). It also represents a considerable cost both to the bank and for the user, and has been poorly received by the public.

Therefore, some banks have decided to implement the system in 2008 "3D Secure". Any buyer must take on a secure page on the bank a secret code known only to him, as well as authenticating the cardholder. The debate remains about the nature of this code. Used to launch 3DS, date of birth as the user PIN is gradually put aside in favor of an SMS sent by the bank, the most popular solution among Internet users, or a code transmitted by a "token “.  It remains to weigh the cost of these solutions, which can range from 0.5 to over 10 € per cardholder per year.

Unfortunately, this system proved to be confusing in practice much more than expected to the Internet. Very little communication was made to holders of cards, whether through banks or online shopping sites, most buyers were confused and even frightened at the appearance of a separate page asking them for such as their date of birth, and that at the most critical of the act of purchase: payment. Many of them have therefore preferred to abandon their purchases for fear of attempted fraud or phishing ... Consequently; a large number of sites selling online immediately contacted their banks to exit the 3D Secure system, after finding a reduction in sales volume up to 20%.

The challenge is therefore to secure adequate payments to deter fraudsters, without complicating the process of payment and impacting end of the chain volume of sales.

Online Payments Security Part. I

The credit card is by far the payment method preferred by two third of the people in the world by using the Internet regularly to access their purchases directly on the Internet. But it is also the use of the card that is increasingly threatened by fraud. Indeed, the total amount of fraudulent transactions on the Internet is growing much larger than the amount of fraud carried out by other channels (using a stolen use card number to purchase by mail order over the phone etc.).

This observation, which is not new, had led banks and systems vendors to offer more secure during the 2000s. The generalization of SSL (Secure Socket Layer) has limited the flight card numbers during data transfers between bank buyer, seller, and their respective banks. Adding a cipher text security "arbitrary" helped to stem the proliferation of generating fraudulent card numbers with valid 16 digits (which follow a very specific algorithm). Sellers have also limited the storage of this information in their databases, to prevent intrusion attempts in their massive e-commerce platforms. Finally, the payment terminal are masking a part of the card number on the invoice slips and allows the payer to introduce its own map without intervention by the cashier, which limits data retrieval via the retail channel. But other fraud techniques have over taken it.

The major risk lies in failure to identify the buyer as the rightful holder of the card that is a strong authentication. It leaves the door open to other techniques for recovering the coordinates, such as "phishing" (to believe that a cardholder is for an interlocutor trusted by mail or through a fake website) particularly popular in recent years.

Certainly, if the buyer is not the rightful holder, then the genuine holder may challenge the transaction as the law allows it and then be reimbursed free of transaction amount. But this leads to increasing costs for banks and continues to fuel some psychological barriers among potential users of e-commerce.