Converting online browsers into online shoppers by reducing security concerns


Presentation "Converting online browsers into online shoppers by reducing security concerns" given by Žarko Vukadinović at the E-trgovina 2010 conference on 21 April 2010 in Palić.

  • Title slide
  • Converting online browsers into online shoppers by reducing security concerns

    1. E-trgovina, Palić, April 2010
       CONVERTING ONLINE BROWSERS INTO ONLINE SHOPPERS BY REDUCING SECURITY CONCERNS
       Žarko Vukadinović, Head of E-banking Unit, Payment Cards and Direct Channels Department
    2. FROM "BACKYARD HACKING" TO ORGANIZED CRIME
       Albert Gonzalez (born 1981) is a computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007 – the biggest such fraud in history. Source: Wikipedia
       WASHINGTON, 2009. Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the US, accusing the one-time government informant of swiping 130 million accounts on top of 40 million he stole previously. Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit computer exploits ended when he went to jail on charges stemming from an earlier case. Gonzalez is a former informant for the U.S. Secret Service who helped the agency hunt hackers. The agency later found out that he had also been working with criminals and feeding them information on ongoing investigations, even warning off at least one individual, according to authorities...
       VERDICT: 20 YEARS
       • Security threats are continuously increasing and are becoming a global phenomenon
       • Phishing: via e-mail/links
       • Man-in-the-Middle: via e-mail/links, as a virus
       • Man-in-the-Browser: "the Trojan"; extremely powerful, has no observable symptoms, will become prevalent
       • Combination of existing threats, new threats, a shift of focus from financial services to other institutions, and the use of social engineering techniques
    3. ONLINE SECURITY FROM THE MERCHANT'S PERSPECTIVE
       Risk management processes conducted by merchants to prevent online fraud (with the cost each one carries):
       • Automated screening: profit leaks
       • Manual review: staffing and scalability; 18% of orders
       • Accept/reject operations: lost sales; 4.6% of orders are rejected
       • Fraud/claim management: fraud loss and administration
       Fraud, the greatest business threat as seen by merchants, is increasing:
       • 70% of merchants manually review suspicious orders
       • 5% of merchants manually review every order
       • 23% of chargebacks in 2009 were fraud reason-coded
       • 1.6% of orders in 2009 proved to be fraudulent
       • Merchants expect to lose an average of 1.8% of their overall online revenue to payment fraud in 2010
       • One third of merchants see the percentage of online revenue lost to fraud increasing year on year
       Source: Sixth Annual UK Online Fraud Report, 2010 edition, CyberSource
    4. ONLINE SECURITY FROM THE CONSUMER'S PERSPECTIVE
       • In 2009, 50% of consumers still did not use online shopping, compared with 51% in 2008 and 54% in 2007
       • 67% of non-shoppers simply prefer to buy in shops
       • 47% of non-shoppers stated that they are concerned about the security aspects
       • Across the whole consumer sample, 71% stated that they are concerned about the level of risk when purchasing over the web, up 5% from 2008
       • 59% of consumers stated that they have heard more negative stories than positive ones
       • Just over a third of consumers have been a victim of online credit card fraud, or know someone who has
       Source: Sixth Annual UK Online Fraud Report, 2010 edition, CyberSource
    5. ONLINE SECURITY FROM THE CONSUMER'S PERSPECTIVE
       Over the years there have been only minor changes in the measures consumers take to protect themselves when buying on the Internet.
       Consumers are becoming aware that the following parties in the Internet shopping process could provide higher security:
       • Banks, with their products and services
       • Government
       • Themselves
       Source: Sixth Annual UK Online Fraud Report, 2010 edition, CyberSource
    6. PRODUCTS INSPIRED BY MARKET DEMANDS
       Several products have been developed over the last two decades (the first Internet transaction was in 1992). Some were more successful than others, but only a few have been able to provide effective prevention of online fraud.
       • Address Verification Service: the consumer is asked to present his address, which is matched against the one registered at his issuing bank
       • Card Verification Number: the CVC/CVV number printed on the back of the card
       • SMS alert: the consumer is informed by his bank, on the mobile phone number he registered with the bank, that a purchase has occurred, with the details of the transaction (date, amount, place/URL, ...)
       • Virtual cards: cards designed only for online shopping. Before shopping, the consumer must transfer the necessary amount of money from his account to the card.
       • MasterCard SecureCode and Verified by VISA: based on the 3-D Secure protocol, created and standardized by VISA and MasterCard in 2002. When a merchant authenticates through 3-D Secure and the issuer or cardholder does not participate, chargeback liability for fraud shifts from the merchant to the issuer (the "liability shift").
         • Static password: the consumer is redirected to the secure web page of the issuing bank to authenticate himself by presenting a password
         • Dynamic password: the consumer is redirected to the secure web page of the issuing bank to authenticate himself by presenting a password generated by the card's chip in a card reader, after entering the card's PIN on the reader
    7. CHIP AUTHENTICATION PROGRAM – CAP: a tool for bringing online shopping security and consumer confidence to a new level
       • Service designed to prevent misuse of MasterCard and Maestro cards by enabling PIN-based transactions over the Internet
       • Having a CAP-certified card reader is a prerequisite for using the service
         • Gemalto, Vasco, Xiring, Todos, ... Readers can be obtained in Banca Intesa branches from May 15th
       • Service available for every existing and every new Banca Intesa Maestro or MasterCard card
         • Debit cards are enrolled automatically
         • Only SecureCode-enabled Maestro cards can be used on the Internet; over 500,000 such cards have been issued
         • Credit cards must be enrolled by the card user: simple enrollment procedure, enrollment URL https://online.bancaintesabeograd/enrollment/
       • Turns an Internet transaction from "card not present" into, in effect, a "card present" transaction: the chip and the PIN take part in the authentication, although the payment is still processed as an e-commerce transaction
       How it works:
       • Look for the SecureCode logo on the merchant's web site when shopping online
       • After presenting your card data you will be redirected to Banca Intesa's secure web page
         • Check the SSL certificate and the personal message on the page to be sure that you are on the bank's authentication page
         • Check the transaction data (merchant name, amount, date, card number)
       • Insert the card in the reader and enter the PIN on the reader
       • After PIN verification you will be asked to enter into the reader the challenge presented on the authentication web page
       • Enter the password generated by the reader on the authentication page and submit the transaction
    9. AUTHENTICATION IS WHAT MAKES IT SECURE
       • Two-factor authentication principle implemented: "what you have and what you know"
         • I trust my card: the card's chip is a security device (CAP application, card-unique secret key, transaction counter)
         • I have my card: only the original card can create the correct cryptogram
         • I know my PIN: the PIN must be presented to the chip through the card reader and validated before the cryptogram is created, and the result of the validation is included in the cryptogram
       • Customer authentication and transaction signing: "what you see is what you sign"
         • Input data (challenge, amount, currency) are included in the cryptogram
       • CAP advantages compared with the static password authentication model
         • A response cannot be reused for multiple transactions (transaction counter)
         • Prevents fraudulent transactions (amount and currency are bound into the cryptogram)
         • Authentication mode can depend on risk parameters
       • Back-end security modules: risk assessment, fraud detection, anomaly detection
       • Constant education in order to increase the security awareness of customers
       Could security be measured in money? Yes.

       PREVENTING THEFT     | Phishing | Man-in-the-Middle                | Man-in-the-Browser
       STATIC PASSWORD      | No       | No                               | No
       CAP-BASED PASSWORD   | Yes      | Depending on authentication mode | Yes
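The reader procedure in slide 7 and the properties claimed in slide 9 (transaction counter, PIN result and transaction data all inside the cryptogram) can be seen working in the following simplified model. This is an added example, not code from the presentation or from Banca Intesa: real CAP derives 3DES session keys from an EMV master key, builds an ARQC over EMV data and bit-filters it with an issuer bitmap, whereas here the cryptogram is an HMAC-SHA256 over the same kind of inputs, truncated to eight digits. The class names, the key, PAN, PIN, challenges and amounts are all constructed for the example.

```python
# Added example: simplified model of CAP-style "what you see is what you sign".
# HMAC-SHA256 stands in for the EMV ARQC and "last eight decimal digits" for the
# issuer bit filter/decimalisation; every key, PAN, PIN and amount is constructed.
import hashlib
import hmac
import struct


def cryptogram(key: bytes, atc: int, pin_ok: bool, challenge: str,
               amount_minor: int, currency: str) -> str:
    """Eight-digit response bound to counter, PIN result and transaction data."""
    data = (struct.pack(">I", atc)                        # transaction counter
            + (b"\x01" if pin_ok else b"\x00")             # PIN verification result
            + struct.pack(">B", len(challenge)) + challenge.encode("ascii")
            + struct.pack(">Q", amount_minor)              # amount in minor units
            + currency.encode("ascii"))
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return f"{int.from_bytes(mac, 'big') % 10**8:08d}"     # typeable on the web page


class Card:
    """The chip: card-unique key, PIN and a counter that only moves forward."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key, self._pin, self.atc = key, pin, 0

    def respond(self, pin: str, challenge: str, amount_minor: int, currency: str) -> str:
        self.atc += 1      # every attempt consumes a counter value: no response twice
        pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        # The PIN result is signed into the cryptogram, as the slide describes; a real
        # reader also reports the failure and the chip's PIN-try counter limits guesses.
        return cryptogram(self._key, self.atc, pin_ok, challenge, amount_minor, currency)


class Issuer:
    """Bank side of the authentication page: same key, last accepted counter."""

    def __init__(self) -> None:
        self._cards = {}   # PAN -> (key, highest counter value accepted so far)

    def enroll(self, pan: str, key: bytes) -> None:
        self._cards[pan] = (key, 0)

    def verify(self, pan: str, challenge: str, amount_minor: int, currency: str,
               response: str, window: int = 10) -> bool:
        key, last_atc = self._cards[pan]
        # Only a PIN-OK cryptogram is recomputed, and only for counter values above
        # the last accepted one (replay).  The window tolerates values used up by
        # failed attempts on the reader that the issuer never saw.
        for atc in range(last_atc + 1, last_atc + 1 + window):
            expected = cryptogram(key, atc, True, challenge, amount_minor, currency)
            if hmac.compare_digest(expected, response):
                self._cards[pan] = (key, atc)
                return True
        return False


def demo() -> dict:
    """Walk through the threat scenarios named on the slides; returns the verdicts."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed key
    pan, pin = "5355********0001", "1234"                         # constructed PAN/PIN
    card, issuer = Card(key, pin), Issuer()
    issuer.enroll(pan, key)
    r = {}

    # 1. Genuine purchase of 125.50 RSD: the page shows the challenge, the user
    #    types challenge and amount into the reader and copies the code back.
    challenge = "48213976"
    code = card.respond(pin, challenge, 12550, "RSD")
    r["genuine"] = issuer.verify(pan, challenge, 12550, "RSD", code)

    # 2. Replay of the same code: refused, its counter value is already consumed.
    r["replay"] = issuer.verify(pan, challenge, 12550, "RSD", code)

    # 3. Man-in-the-Browser: user signs 125.50 RSD, malware submits 9,999.00 RSD.
    challenge = "73920184"
    code = card.respond(pin, challenge, 12550, "RSD")
    r["mitb_amount_changed"] = issuer.verify(pan, challenge, 999900, "RSD", code)

    # 4. Phished code presented in another session with a different challenge.
    r["phished_code_other_session"] = issuer.verify(pan, "11111111", 12550, "RSD", code)

    # 5. Wrong PIN: the chip marks the failure in the cryptogram, the issuer refuses.
    challenge = "65001928"
    code = card.respond("0000", challenge, 12550, "RSD")
    r["wrong_pin"] = issuer.verify(pan, challenge, 12550, "RSD", code)

    # 6. Correct PIN on the next try: the counter has moved past the failed and
    #    unseen attempts, and the issuer's window lets it catch up.
    code = card.respond(pin, challenge, 12550, "RSD")
    r["retry_after_wrong_pin"] = issuer.verify(pan, challenge, 12550, "RSD", code)
    return r


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:28s} accepted={accepted}")
```

Running `demo()` shows the genuine response accepted once, the same code refused on replay, a code signed over 125.50 RSD refused when the browser submits 9,999.00 RSD, a code from one session useless in another, and a wrong PIN producing a cryptogram the issuer will not accept, while the issuer's counter window still lets the next correct attempt succeed. What the model deliberately does not cover is a man-in-the-middle that relays challenge and response in real time for the very transaction the user intends to sign; that is the case behind the "depending on authentication mode" entry in the table above, and the reason a mode that puts amount and currency through the reader (so the user sees what is being signed) is stronger than one that signs only a challenge.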
    10. WHY ARE WE DOING THIS? Because we ...
        • ... create customer needs
          • Exclusive representative of American Express for Serbia
        • ... are leaders in applying new technologies
          • Card business: first in implementing EMV, MC PayPass and MC CAP; only bank in Serbia with >1 million issued cards
          • Internet banking: ~100,000 retail and corporate users; over 12.5 million Internet transactions worth ~15 billion € in 2009
        • ... define the direction of market development
          • Only bank in Serbia licensed for VISA and MC Internet acquiring
          • 53 live merchants
          • ~73,000 transactions worth ~10 million € in 2009
    11. WILL THIS BE ENOUGH?
        "Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning." Sir Winston Churchill, November 1942