Zafar: Banks need to outsmart criminals

As banking migrates to the Internet, so too does payment fraud. Banks will have to be one step ahead of organised criminals to protect online payments, argues security expert Samee Zafar. EURACTIV spoke to the banking security expert, who has been advising banks in the City of London on the EU's Payments Services Directive (PSD), which is expected to boost online payments.

Banking security expert Samee Zafar is a management consultant at Edgar, Dunn & Company.


How has the Payments Services Directive (PSD) been received in the City of London, where you work?

There is a lot of push-back from smaller players who are worried by the fact that each institution will be able to operate cross-border, providing them with a lot more competition. But from an EU perspective, the PSD is also the right vision. 

With the dramatic rise in online transactions in Europe and around the world, credit card fraud and identity theft seem to be on the rise. Should consumers be worried about their financial data when making payments?

We should not be worried about making online card payments but become increasingly vigilant and disciplined about how and where we use our cards online. Fraudsters are getting better and better at tricking consumers to part with their personal data. Provided we follow some simple rules such as identifying phishing emails, we should be able to shop safely online. In any case, consumers are protected against fraud in most markets for credit card payments. 

The Payment Services Directive allows member states to write their own rules relating to data privacy. Do you think it is wise for Europe to have national differences in this legislation?

Ideally there should be a common policy across all member states. However, the PSD is a directive and not a regulation, which means it cannot mandate things but leaves a lot for interpretation. As a result there will be differences in legislation in a number of areas, but member states must adopt the directive. The basic provisions will have to be implemented, but there will be different interpretations stemming from how payments are treated in a specific state. This happened with the E-Money Directive and as a result there was a lot of regulatory arbitrage. 

This leads to questions about how much information we share online to conduct transactions. Should the public be worried about the amount of their financial data that is collected?

Yes, and people should ask their banks or other providers actively about how the data will be protected and why a certain type of information is required. But as networks expand and our lives increasingly depend on the online/mobile world, it is inevitable that most of our information will be online. The way forward lies in developing systems and procedures that continuously frustrate the organised criminals from accessing these online, and not in hiding away personal data. 

"Protection against data breaches cannot be limited to electronic communications networks alone, but may need to be addressed in new EU rules which cover online services as well," EU InfoSociety Commissioner Viviane Reding said in a speech last year. What can the EU do to regulate data protection online?

Online banking security is already quite advanced and effective. Additional measures such as chip-and-PIN devices distributed by some banks to make online payments secure make me personally less worried about online banking. But as more and more non-banks offer (and many already do) payment services under the Payment Services Directive or the eMoney Directive, all security aspects will have to be very carefully monitored.

EU Judicial Affairs Commissioner Jacques Barrot will assess the possibility of introducing a mandatory notification of personal data breaches. Do you think that will achieve anything?

Individuals have the right to know if their personal data have been exposed through any breaches of security. But there are multiple issues that need to be considered if anything is to be mandated, such as fraudsters' phishing – sending messages to individuals to trick them into disclosing their data – how the breach should be communicated, what the nature of the breach was and whether it was harmful. 

You mentioned that some banks have good online fraud prevention mechanisms and some don't. So what are the more secure online services doing differently?

This is more to do with card payments. Some banks have policies and systems that identify patterns or other indications where fraud may take place and are quick to frustrate fraudulent attacks. What is required is an always-evolving online (and now also mobile) security strategy that keeps one step ahead of the criminals.

It seems that online fraud is now an actual industry with major criminal gangs operating. Do you believe this to be the case?

Yes. It is an internationally organised industry whose members are highly resourceful in finding ways to circumvent the checks and balances implemented by card companies. We also hear of databases being hacked and the theft of card records. Certain segments are more vulnerable online, such as travel and entertainment, where criminals use credit cards to buy travel products. 

With online crime at such a scale, what is the impact on banking institutions and card issuers?

Card issuers and other payment providers need to evaluate their exposure to online fraud and develop a suitable fraud prevention strategy to keep the impact as low as possible. Even with all the right measures it is very possible that a certain percentage of customer accounts are compromised at any given point in time. Fraudsters constantly monitor which banks have sound security policies and measures and which ones do not. They usually leave the former alone and attack the latter in droves. 

What are banks and financial institutions doing to make cards and transactions more secure?

In the physical world, of course the chip and PIN helps in almost cutting down POS [point-of-sale] fraud to nothing, but not every market has fully implemented chip and PIN, which results in fraud migrating to these markets. In the online world there is a constant battle between banking security experts and criminals engaged in a continuous struggle to develop better security techniques and novel ways of hacking them respectively. 

Is that enough?

The online security strategies of all banks are not equal. Some have a way to go to ensure they communicate with their customers to guide them on a continuous basis and to have strong mechanisms in place to prevent fraud and track any fraudulent transactions as soon as they take place. Weaknesses are exploited by organised gangs who are looking for easy pickings, with a motive of doing as many fraudulent transactions on a card as possible before they are discovered. 
