Fraud is increasingly shifting to “card-not-present” (CNP) transactions, carried out mainly online, due to the rise of e-commerce around the world. CNP fraud represents 65% of total card fraud. Oberthur Technologies has developed a ready-to-go solution for banks and financial institutions, covering both card issuance and the server, which secures online transactions by shortening the validity of the cryptogram security code: MOTION CODE™.
Oberthur Technologies is currently in discussions with UK banks about rolling out the technology and will have cards “in the hands” of consumers in France by the end of the year.
Dynamic Security Code cards feature a mini-screen on the back, displaying the security code (a 3 or 4-digit code usually printed onto the back of a payment card) used for online purchases, refreshed automatically and randomly every hour, without the cardholders having to press any button or install any special plug-in on their internet browser. Thus, if the card data gets stolen, this card data becomes useless in the next hour.
For issuers, a specific server synchronized with the algorithm and refresh rules defined in the cards is needed, and is supported by the Oberthur Technologies offer.
E-merchants won’t have to modify their website: the cryptogram code generated by the card is used as a standard one, on existing payment pages, without the need for an extra button or pop-up window of any kind.
For the cardholder, this is fully transparent: no plug-in to install on their web browser, no button to press, the code appears at the same location on the card, the key benefit being the code’s dynamic generation and periodical refresh. The refresh timing is defined by the card issuer, for instance each hour.
Cardholders keep shopping online as usual, except that their data is better protected thanks to a more secure card offering an ephemeral security code.
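A sketch of the card/issuer-server synchronisation described above, as an added example that is not Oberthur's code: the page does not disclose the Motion Code algorithm, so this assumes an RFC 6238-style HMAC over the hour counter with a per-card secret. The names `dynamic_code`, `issuer_verify`, `drift_windows` and the sample key and timestamp are hypothetical.

```python
import hashlib
import hmac
import struct

PERIOD = 3600  # seconds; the hourly refresh the text gives as an example


def dynamic_code(card_key: bytes, unix_time: int, digits: int = 3) -> str:
    """Code for the time window containing unix_time (HMAC + RFC 4226 truncation)."""
    counter = max(0, unix_time) // PERIOD
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def issuer_verify(card_key: bytes, submitted: str, server_time: int,
                  drift_windows: int = 1, digits: int = 3) -> bool:
    """Accept the current window plus/minus drift_windows to absorb card clock skew."""
    ok = False
    for step in range(-drift_windows, drift_windows + 1):
        expected = dynamic_code(card_key, server_time + step * PERIOD, digits)
        # Constant-time compare, no early exit: timing does not reveal which window matched.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed sample, not a real card key
    issued_at = 1_700_000_000       # constructed timestamp
    code = dynamic_code(key, issued_at)
    for hours_later in (0, 1, 2, 5):
        now = issued_at + hours_later * PERIOD
        print(hours_later, "h later:", issuer_verify(key, code, now))
```

Each extra window the issuer tolerates for drift lengthens the time a captured code stays valid and raises the odds of a blind guess against a 3-digit code, so the tolerance should stay as small as the card clocks allow.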
Prof Alan Woodward, a cybersecurity expert from Surrey University, said: “In some ways, it’s surprising it has taken so long for this to appear.”
“The technology has existed for some time so now it will be a case of persuading card processors that it is worth doing,” said Prof Woodward. “It may be costly for card operators as some extra infrastructure will be required to ensure our cards stay synchronised with the operator, but it happens already for many banks with the dongles they issue for login.”
A minor drawback of the card is that customers will no longer be able to memorise their security code and will need to check the card every time they want to make an online purchase.
There are several ways that fraudsters get hold of credit card details, from the online theft of data to skimmers attached to cash machines. Skimmers, which are often homemade devices, can steal information from the card’s magnetic strip, and the PIN with the help of a fake ATM PIN pad or web camera.
Banks are working on new authentication solutions, based on biometrics – regarded as a more secure way to identify customers. But a study from security firm Kaspersky Labs suggests that cybercriminals are already planning to exploit these new technologies. It found at least 12 sellers offering skimmers capable of stealing victims’ fingerprints. Other underground sellers are already researching devices that could obtain data from palm, vein and iris recognition systems.
David Emm, principal security researcher at Kaspersky, said the Motion Code card would “reduce the window of opportunity” for a thief with a stolen card but added it would be a stronger proposition if the security code was generated on “another device”.
“Banks should consider applying a multitude of cybersecurity solutions to minimise unauthorised access to such information,” he said.
“Consumers must also be aware of their digital footprint, installing security updates promptly, using strong and unique passwords, applying caution when using public wi-fi networks and not revealing too much information about ourselves online.”