Thursday, March 24, 2011

Risk Assessment: Smartcard fraud scam Warning


Susan Burns, George R. S. Weir
Department of Computer and Information Sciences, University of Strathclyde,
Glasgow G1 1XH, UK

Abstract. The introduction of smartcard technologies has reduced the incidence of card fraud in the UK, but there are still significant losses from fraudulent card use. In this paper we detail the context of smartcard introduction and describe the types of fraud that remain a threat to cardholders and other stakeholders in the card system. We conclude with a risk analysis from the cardholder’s perspective and recommend greater cardholder awareness of such risks.

Risk Assessment. Security is a balance between confidentiality, authentication and integrity on the one hand and convenience, cost and reliability on the other. Figure 4 illustrates the balance that must be struck by stakeholders when implementing technical solutions to counter security vulnerabilities; essentially this boils down to cost versus benefits.

This generic approach can be applied to security measures for smart card payments, whereby:
Cost is the amount it costs the card issuer and card scheme to support plastic card payments, including the cost of implementing changes to the system, e.g. longer keys or moving to online authentication to validate all card transactions;
Performance considers convenience and reliability, e.g. avoiding reputational damage or inconvenience for customers or retailers;
Risk is the remaining level of risk which the security measures have not fully mitigated. This could be financial loss, additional costs, loss of market share, reputational damage, corporate embarrassment, legal or regulatory investigation or risk to personal safety.
The potential loss or exposure from a given risk can be reduced through assessment and management of the risk (Figure 5). Effective risk reduction methods may leave an element of residual risk, but will bring benefits, although these may not always be financial, e.g. they could be reputational benefits.

A risk map is a technique to analyse and illustrate risks, likely causal events and potential
impacts [10]. The links shown are not always exhaustive but demonstrate the
potentially wide-ranging impacts of each risk and support analysis of outcomes and
mitigation actions. As a tool, risk maps also allow flexibility to consider how the impact of
one risk, e.g., card stolen, can be compounded by the occurrence of other risks, such
as the PIN having been obtained.
Figure 6 illustrates a risk map analysis for the cardholder, based upon four primary
risk conditions, card obtained by fraudsters, card details obtained by fraudsters, PIN
obtained by fraudsters, and PIN forgotten by cardholder. The associated cardholder
events represent the contexts in which the risks are created, and the impact arising
from these circumstances is also indicated.
For the cardholder, the key risks centre on the components for which the cardholder
is responsible, namely the smartcard, the PIN and documents such as statements
and receipts that contain card details. The events include some that are within
the cardholder’s control, e.g., keeping a note of the PIN number, but others such as a compromised terminal are beyond cardholder control.

Summary and Conclusions. The introduction of smartcards to the UK marketplace has had a significant effect in reducing the incidence of card fraud, but further steps are required to prevent continued instances of fraud. A key step in this direction is to clarify the roles, responsibilities and risks faced by the different stakeholders in the card process. Furthermore, ‘awareness raising’ in which cardholders become more conscious of their risks and responsibilities may afford the best defence against consumer fraud. Our analysis of the card process, stakeholders and cardholder risks may contribute to this awareness.

ANTI-PHISHING AS A WEB-BASED USER SERVICE

This paper describes the recent phenomenon of phishing, in which email messages are sent to unwitting recipients in order to elicit personal information and perpetrate identity theft and financial fraud. A variety of existing techniques for addressing this problem are detailed and a novel approach to the provision of phishing advice is introduced. This takes the form of a Web-based user-service to which users may forward suspect email messages for inspection. The Anti-Phishing Web Service rates the suspect email and provides a Web-based report that the submitter may view. This approach promises benefits in the form of added security for the end-user and insight on the factors that are most revealing of phishing attacks.
Keywords: phishing, spam, email scams.

Introduction. Phishing scams are an increasingly common method of identity theft. They begin with an email message that
appears to originate with an established legitimate organization. The email usually asks the recipient to
submit personal information on a website. However, the email is fraudulent and has actually been sent with
criminal intent. Unfortunately, many email users are unsophisticated in the ways of email and being unable to
spot phishing attempts, they innocently follow the instructions contained therein. A consequence of this
innocence may be significant financial loss.
This paper describes the nature of phishing scams and the associated problems email users face in
identifying phishing emails. In addition, we describe a software solution (the Anti-Phishing Web Service)
that aims to assist with the phishing problem.

Email, spam and scams. The term ‘spam’ commonly refers to unsolicited bulk email. Unsolicited email includes sales and job
enquiries specifically addressed to a particular recipient without their prior knowledge or request. Bulk email
includes mailing lists and newsletters to which the recipient has subscribed. Spam is the intersection of these
email varieties – it is both unsolicited and bulk.
The majority of spam emails advertise products such as computer software or drugs. With negligible cost
and effort required to send spam, it now accounts for around 76% of all email messages (Gaudin, 2004).

Many infrequent email users now find it difficult to locate legitimate email in their mailbox. As a result, the
effectiveness of email as a communication medium has been severely reduced.
To combat this growing problem, most Internet Service Providers (ISPs) prohibit the sending of spam
from their networks. Some spammers use multiple free ISP accounts to send spam, whereby, if one of these
free accounts is terminated, another can be quickly created. Another popular method of despatching spam is
through virus infested PCs, usually belonging to unsuspecting home broadband users (Leyden, 2004a).
Despite attempts to reduce the problem, the incidence of spam continues to increase.

Many countries, including the UK and the US, have introduced laws to prevent the sending of spam (BBC
News, 2003). However, these laws have had little effect, since most spam originates from outside the
legislating country. There are also loopholes and inadequacies in these laws. For example, the US Can Spam
Act requires individuals to opt-out of spam, rather than opt-in. EU anti-spam laws also have problems,
because business email addresses are exempt from the legislation.

Since most legal attempts to address spam have met with limited success, many ISPs and email users now
rely heavily on email filters to remove spam. Spam filters perform a series of tests on each incoming email
and combine the results to determine whether the message is spam or legitimate. Spam filtering takes place at
the mail transfer agent (MTA) or mail user agent (MUA). Popular MTA spam filters include SpamAssassin
and Brightmail. Many MUAs, such as Eudora and Mozilla Mail, now provide integrated spam filters. Without
spam filters and related spam blacklists many users might otherwise simply abandon the use of email.
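
The paragraph above describes the scheme that MTA filters such as SpamAssassin popularised: run a series of independent tests over each incoming message, let every test that fires contribute a weighted score, and compare the combined score with a threshold. The following is an added illustration of that scheme, not code from the paper or from any of the products it names; the four tests, their weights, the threshold and the two sample messages are constructed for the example.

```python
"""Weighted-test spam filter: each message is run through a series of
independent tests, every test that fires contributes a score, and the
combined score is compared with a threshold. Added illustration; the
tests, weights, threshold and sample messages are constructed."""
import re
from email import message_from_string
from email.message import Message


def text_body(msg: Message) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


# --- individual tests: each returns True when its heuristic fires ----------
def caps_subject(msg: Message, body: str) -> bool:
    letters = [c for c in msg.get("Subject", "") if c.isalpha()]
    return len(letters) >= 8 and sum(c.isupper() for c in letters) / len(letters) > 0.7


PRODUCT_WORDS = re.compile(r"\b(viagra|cialis|oem software|cheap software|free trial)\b", re.I)


def product_pitch(msg: Message, body: str) -> bool:
    return PRODUCT_WORDS.search(body) is not None


def no_message_id(msg: Message, body: str) -> bool:
    # Legitimate MTAs and MUAs almost always add a Message-ID header.
    return msg.get("Message-ID") is None


def excessive_exclamation(msg: Message, body: str) -> bool:
    return body.count("!") >= 3


# (name, weight, test): weights are constructed, not tuned on real mail.
TESTS = [
    ("CAPS_SUBJECT", 1.5, caps_subject),
    ("PRODUCT_PITCH", 3.0, product_pitch),
    ("NO_MESSAGE_ID", 1.0, no_message_id),
    ("EXCESSIVE_EXCLAMATION", 1.0, excessive_exclamation),
]
THRESHOLD = 4.0  # combined score at or above this is classified as spam


def score_message(raw: str) -> tuple[float, list[str]]:
    """Run every test and return (combined score, names of tests that fired)."""
    msg = message_from_string(raw)
    body = text_body(msg)
    hits = [(name, weight) for name, weight, test in TESTS if test(msg, body)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def classify(raw: str) -> tuple[str, float, list[str]]:
    score, hits = score_message(raw)
    return ("spam" if score >= THRESHOLD else "ham"), score, hits


# Constructed sample messages (not real mail).
SPAM_SAMPLE = """From: deals@example.net
To: user@example.org
Subject: CHEAP SOFTWARE - BIG SAVINGS TODAY
Content-Type: text/plain; charset=utf-8

Buy OEM software at 90% off!!! Cheap software, genuine licences!!!
Order now!!!
"""

HAM_SAMPLE = """From: alice@example.org
To: bob@example.org
Subject: Notes from today's meeting
Message-ID: <constructed-0001@example.org>
Content-Type: text/plain; charset=utf-8

Hi Bob, here are the notes. Let me know if I missed anything!
"""

if __name__ == "__main__":
    for raw in (SPAM_SAMPLE, HAM_SAMPLE):
        verdict, score, hits = classify(raw)
        print(f"{verdict:4} score={score:.1f} tests={hits}")
```

The point of combining weighted tests rather than blocking on any single one is that each heuristic on its own has false positives (a legitimate newsletter may shout in its subject line); the threshold is what turns a set of weak signals into a decision, and reporting which tests fired is what lets an operator tune the weights.
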
While the majority of spam emails are advertisements for products, some messages aim to entice the
recipient into scams. Common email scams include pyramid schemes that promise very high returns on an
initial investment (Wikipedia, 2006a). Unfortunately, such ‘investors’ have no chance of receiving any return
on their initial outlay. Perhaps the most popular email scam is the Nigerian money transfer (Wikipedia,
2006b). This scam asks the recipient for help with the transfer of money from a Nigerian bank account,
promising a large payment in return. Once drawn in, the ‘investor’ is asked for sums of money to help with the
fictitious transfer process. Of course, no money transfer is ever received by the unwitting subjects of this
criminal operation.

The Phishing Process

Christopher Cranston, Department of Computer and Information Sciences, University of Strathclyde, Glasgow

Most phishing attacks take four distinct steps toward defrauding unwary recipients: (1) the scam operators set
up the phishing website. This website usually imitates an established, legitimate site; (2) using guessed or
copied email addresses, the scammers send out emails purporting to come from the legitimate site; (3) the
recipient downloads their email and receives the phishing message. The email asks the user to click on a
hyperlink and enter personal details on the resulting website. If the user clicks on the hyperlink the phishing
site will be displayed. If duped, the user may then enter the requested personal information; (4) the recipient's
personal details are now held by the scam operators. The scammers may now assume the identity of the
recipient and gain illicit access to funds. These steps are elaborated below.

Step 1: Construct the Phishing Website
The first task is to establish a phishing website. These are simple to set up, requiring little more than an
Internet-connected computer serving web pages. The Web pages are usually altered copies of pages
belonging to the targeted organisation. Sometimes, the phishing site appears as a pop-up window over the
legitimate site. Generally, phishing sites are contrived to appear authentic.
Most phishing sites do not have a domain name and Web links to the site in the phishing email usually
take the form of IP addresses, e.g. http://61.71.120.10/citi/index.php. Sometimes phishing sites do use
domain names, often cleverly crafted to mimic established sites, e.g. http://www.usbank-secure.biz/.
However, registering a domain name entails some financial cost and provides additional information that
may be used to track the perpetrators.

Recent analysis by the Anti-Phishing Working Group (APWG) found that the largest share (27%) of phishing sites
were hosted in the US (op. cit.). This was closely followed by South Korea with 20% and China with 16%.
For comparison, the UK hosted only 1% of phishing sites. The report also estimated that 25% of phishing
sites were hosted on hacked computers, without their owners’ knowledge. Finally, the report states that on
average phishing sites are only live for 2.25 days; the longest noted was a site serving content for 15 days.
Sites with a longer lifespan tend to operate from countries where closing down sites is difficult because
Internet crime laws differ or do not exist.

Step 2: Write and Send Phishing Emails
Once the phishing site is set up, the next step is for large numbers of phishing emails to be sent out. For this
to be possible the scam operators must collate a large number of email addresses. These are acquired using
address harvesting techniques perfected by spammers. Like other spammers, phishing scam operators must
accumulate as many email addresses as possible in order to maximize the response rate.

Address harvesting techniques vary, but one popular method is to use programs that search the web for
published email addresses. These programs target Usenet posts, web forums, mailing lists and guest books,
since these resources are likely to contain email addresses (Hird, 2002). Another technique is dictionary-based
address generation. Finally, rather than collect addresses themselves, phishing scammers may simply
purchase a list of addresses from an unscrupulous third party. Regardless of the selected technique, large
numbers of addresses are acquired by the scammers. Although many of these addresses will be malformed,
duplicates or out-of-date, and many of the valid addresses will belong to individuals who are not customers
of the organization being impersonated (and so cannot be defrauded by the scam), this will not deter the
scammers, since sending email is of negligible cost. The scammers’ concern is simply to maximize the
quantity of phishing emails sent.

The content of a phishing email is often carefully crafted. A typical email attempts to alarm the recipient
by describing security or maintenance issues at an established legitimate organization. The message will ask
the recipient to resolve these issues by confirming personal information on a web page. An embedded
hyperlink in the email often provides easy access to the web page. This hyperlink is often disguised to
resemble a link to the legitimate website, although it points to the phishing site.


Some emails contain embedded forms for users to enter their personal details. This removes the need for a
separate phishing web site. Other phishing emails do not ask for personal details at all, but urge the user to
install an attached piece of software. Software offered in this way is usually malicious and may be a virus,
worm, Trojan horse or spyware program. Spyware programs are particularly dangerous, as they can intercept
and transmit sensitive personal information, without the user's knowledge.

Regardless of whether the goal is to have recipients visit a web page, enter details in a form or install a
program, the user must be convinced that the email is authentic. To accomplish this, phishing emails often
contain images, slogans or disclaimers taken from the organization being impersonated. Fortunately not all
phishing emails look authentic. Many have poor spelling or grammar and may also bear little resemblance to
legitimate emails from the genuine organization. Such clues may alert users to the email's true purpose.
When phishing emails are sent out, it is common to spoof the sender's address. Spoofing the sender's
address is possible since the current email Simple Mail Transfer Protocol (SMTP) does not validate the
purported ‘From’ address. This loophole allows scammers to send phishing emails that appear to come from
legitimate organizations. A recent Anti-Phishing Working Group Report indicates that in June 2004, 92% of
phishing emails were sent with a spoofed sender's address. This technique is prevalent as it convinces many
recipients that the email is authentic.
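
The indicators described in this section, links whose host is a bare IP address (Step 1), domains crafted to resemble a brand, anchor text that shows one site while the href points at another, and a ‘From’ address whose domain does not match the envelope sender, are exactly what an inspection service such as the Anti-Phishing Web Service would look for when rating a forwarded message. The following is an added example of such checks, not code from the paper or from its service; the brand table, the finding labels and the sample message are constructed, and the two phishing URLs in it are the ones quoted in the text above. Return-Path is assumed to carry the envelope sender recorded by the receiving MTA.

```python
"""Link and sender checks for a suspect email: bare-IP link hosts, brand
lookalike domains, anchor text naming a different site than the href, and a
'From' domain differing from the Return-Path envelope sender. Added example;
brand table, labels and sample message are constructed (URLs from the text)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed table: genuine domain -> brand token a lookalike would reuse.
KNOWN_BRANDS = {"citibank.com": "citi", "usbank.com": "usbank"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def html_body(msg: Message) -> str:
    """Return the first text/html part, decoded (empty string if none)."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def is_ip_host(host: str) -> bool:
    try:
        ip_address(host)
    except ValueError:
        return False
    return True

def registrable(host: str) -> str:
    # Simplification: last two labels; production code needs the public-suffix list.
    return ".".join(host.split(".")[-2:])

def lookalike_brand(host: str):
    """Brand token embedded in a host that is not that brand's genuine domain."""
    if any(host == d or host.endswith("." + d) for d in KNOWN_BRANDS):
        return None
    return next((b for b in KNOWN_BRANDS.values() if b in host), None)

def address_domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def analyse(raw: str) -> list[str]:
    """Return indicator labels found in the message (empty list = none found)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = address_domain(msg.get("From", ""))
    envelope_dom = address_domain(msg.get("Return-Path", ""))
    if from_dom and envelope_dom and from_dom != envelope_dom:
        findings.append(f"FROM_RETURN_PATH_MISMATCH:{from_dom}!={envelope_dom}")
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        host = host_of(href)
        if is_ip_host(host):
            findings.append(f"IP_ADDRESS_LINK:{host}")
        if lookalike_brand(host):
            findings.append(f"LOOKALIKE_DOMAIN:{host}")
        # Anchor text that itself looks like a URL or hostname, but for another site
        shown = host_of(text) if text.startswith("http") else (text.lower() if re.fullmatch(r"[\w.-]+\.\w+", text) else "")
        if shown and registrable(shown) != registrable(host):
            findings.append(f"LINK_TEXT_MISMATCH:{shown}->{host}")
    return findings

# Constructed sample message; the two phishing URLs are the ones quoted in the text.
PHISHING_SAMPLE = """Return-Path: <bounce@mail-relay.example.net>
From: "Citi Customer Service" <security@citibank.com>
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<p>Our systems detected unusual activity. Please confirm your details:</p>
<p><a href="http://61.71.120.10/citi/index.php">https://www.citibank.com/verify</a></p>
<p>Or visit <a href="http://www.usbank-secure.biz/">our secure site</a>.</p>
"""

if __name__ == "__main__":
    print(analyse(PHISHING_SAMPLE))  # four indicators for the constructed message
```

Two caveats matter in practice. A From/Return-Path mismatch is common in legitimate mail (mailing lists and marketing senders routinely use a separate bounce domain), so it should be one weighted signal in a rating rather than a verdict on its own. And `registrable()` collapses a hostname to its last two labels, which misjudges country-code suffixes such as `.co.uk`; a deployed service would consult the public-suffix list. A genuine message whose From and Return-Path share a domain and whose link text names the same site as its href yields no findings.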

Once phishing emails have been written, disguised and addressed, the final step is to send them. This step
employs standard spamming techniques, e.g., sending the phishing emails using someone else's mail server.
In the past this was easily done through open relays and open proxies. Although these vulnerabilities are now
rare, they are still occasionally used to send spam and phishing emails. Today's phishing emails are
commonly sent from mail servers or proxies running on virus infected machines. Viruses such as Sobig
contain built-in SMTP servers, turning infected machines into unwitting spam senders (Sophos, 2006). This
permits the perpetrators to remain hidden, while an estimated 60% of all spam is sent using virus infected
machines (Spamhaus, 2003).

Thursday, March 17, 2011

Smartcard Scam Warning: Stakeholders

Stakeholders. Susan Burns, George R. S. Weir, Department of Computer and Information Sciences, University of Strathclyde, Glasgow G1 1XH, UK

Although cardholders are usually the focus of concern in matters of card fraud, there
are other stakeholders in the establishment, use and maintenance of smartcards. These
stakeholders are (1) cardholders, (2) merchants and (3) acquirers, and each of these has
roles, responsibilities and risks in the operation of the card system.
Research indicates that we can all do more to defeat criminals, particularly where
basic security measures are involved. Statistics, such as the following [8], are particularly
alarming and highlight the need for cardholders to be aware of the risk and impact
if they fail to protect their PIN number and card details:
25% of all UK residents have disclosed their PIN to someone else, exposing them
to heightened risk of fraud and potentially making them liable for any card fraud
losses they may suffer;
27% of Britons use the same PIN for all their cards and the average adult has four
cards each;
44% of people still allow their cards out of their sight (in restaurants and bars for
example) when settling a bill;
51% of online shoppers do not fully appreciate that the start of a website address
changes from ‘http’ to ‘https’ when they enter a website made secure for purchasing.
The key recommendation for cardholders is that they should be security conscious
and take all practical precautions when undertaking a card payment. Cardholder
complacency is still a large factor in card fraud levels. While card issuers are unlikely
to acknowledge vulnerabilities, in order to avoid adverse reputational impacts, increased
cardholder awareness of the risks and impacts associated with known vulnerabilities
in the Chip and PIN system will ensure that they become less complacent.
The large variety of card terminals makes it difficult for a cardholder to identify
one that has been tampered with, but there are other ways they can notice fraudulent
actions, for example by being familiar with merchant best practices. This would allow
them to raise alarms with other staff members if suspicious behaviour is observed,
e.g., swiping a card prior to inserting it into a card terminal or watching a PIN
being entered. Cardholders should also check their credit card and current account
statements to identify any illicit transactions. One measure to limit exposure for a
debit card linked to a current account is to establish a second account containing a
smaller balance for use in card transactions.

The agreements which merchants have with their acquirers spell out the terms under
which they can accept card payments. The terminals supplied by the acquirers determine
floor limits and undertake the Chip and PIN authorisation process. Vulnerabilities
exist when fraudsters have access to terminals and so merchants should seek
to address and improve staff awareness of process vulnerabilities that could lead to
card fraud through training. Staff should be trained in card transaction processes and
be empowered to request additional authorisation via a Code 10 call where they deem
necessary and know how to do this without putting themselves at risk.

Merchants must also be alert to the fact that they are a prime target for fraudsters.
They have a responsibility to be vigilant and monitor transactions and any suspicious
staff activities. References should be checked when hiring new staff. Systems holding
customer and transaction data must be adequately protected. Any concerns raised
by customers about staff undertaking card transactions should be investigated. Card
present merchants have various ways of reading and processing card details e.g. staff
inserts card, cardholder inserts card or card is swiped and this can make it difficult for
cardholders to know what would constitute a suspicious action by a member of staff.
Acquirer guidelines should be followed to minimise the risk of chargeback for
both card present and CNP transactions. The planned rollout of ‘contactless’ cards in
the UK towards the end of 2007 may introduce further concerns for merchants as only
one in three low value transactions would be flagged for verification by PIN. For a
CNP merchant there are specific challenges as Chip and PIN is not currently an option
for this type of transaction and it is an area where card fraud has risen significantly.
The Address Verification System (AVS) allows retailers to verify the billing address
supplied with that associated with the cardholder and Card Security Code (CSC)
allows retailers to cross check a special security code held on the back of the card.
Card schemes are also introducing positive identification measures such as Verified
by Visa and MasterCard Secure Code to help merchants. Merchants should protect
themselves against chargebacks by introducing these measures for on-line transactions.
By 30th June 2007, all CNP merchants must have introduced this measure or at
least have a plan in place to do so. Chargeback of disputed transactions is likely for
any non-compliant merchants.

The acquirer or merchant acquirer is the bank retained by the retailer to process
payment card transactions on their behalf. Acquirers are responsible for paying the
merchant for the transactions they process. They do this on receipt of card transaction
details from retailers by passing them to the card issuer for authorisation and processing.
Acquirers are also responsible for obtaining transaction authorisation prior to the
delivery of goods and/or services.

The responsibility for maintenance and upgrades to card terminals also lies with
acquirers, who must provide clear instructions and guidelines to merchants in
order to minimise instances of card fraud and chargeback. Acquirers are increasingly
using fraud detection software to detect patterns that could be due to fraudulent activity.
This can be helpful in identifying and investigating unusual patterns of transactions.

Trends in Smartcard Scam Warning: Lost and Stolen Fraud

Susan Burns, George R. S. Weir, Department of Computer and Information Sciences, University of Strathclyde, Glasgow G1 1XH, UK

A recent report from the European Security Transport Association (ESTA) found that
nearly 20% of the adult population in Great Britain has been targeted as part of a
credit or debit card scam. As a result, the UK has been termed the ‘Card Fraud Capital
of Europe’, with UK citizens twice as likely to become victims of card fraud as
other Europeans. Plastic card fraud is a lucrative exploit for criminals and the proceeds
may be used to fund organised crime. Smart payment cards (Chip and PIN
cards) were introduced in the UK to replace magnetic stripe cards and support PIN
verification of card transactions. By the end of 2005, more than 107 million of the
141.6 million cards in the UK had been upgraded to smart cards [2]. Levels of plastic
card fraud fell by 13% to £439.4 million in 2005 [3] and again to £428 million in
2006 (Figure 1). The reduction has been widely attributed to the rollout of smart
cards with Chip and PIN authentication.

Lost and Stolen Fraud. This type of fraud occurs when a card is lost by the cardholder or is stolen from them. Fraudsters can then use the card to obtain goods and services. Once the cardholder notices their card is gone, they will contact the card issuer, but as it can take time to realise the card has gone, most fraud of this type takes place before the card has been reported as lost or stolen.

Levels of this type of fraud have remained static for the past five years but the introduction
of Chip and PIN is expected to reduce this by making it more difficult for
fraudsters to use a lost or stolen card in person at a retail outlet. Prior to Chip and
PIN, the retailer would verify that the signature on the sales voucher matched that
written on the back of the card. The signature strip was signed by the cardholder in
ink and was subject to wear and tear over the lifetime of the card.

Mail Non-Receipt. This occurs where a card is stolen when it is in transit from the issuing bank or building
society to the cardholder. This is similar to lost and stolen fraud since it takes
time for the cardholder to realise that a card has not arrived. This delay is often compounded
by the fact that cards are often sent out automatically by the issuers rather
than at request of the cardholder, e.g. when a card is nearing its expiry date. Card issuers
have endeavoured to reduce levels of this type of fraud by using secure mail
services and/or requiring the cardholder to phone and activate the card before it can
be used. However, fraudsters could still intercept cards in transit and skim the details
before re-mailing them to the cardholder. Once the cardholder activates the card, the
fraudster can also use the counterfeit card produced using the skimmed details.
Credit card cheques, often sent to cardholders on an unsolicited basis by the card
issuing company, also offer criminals an additional means of obtaining unauthorised
spending against a card account.

Card Not Present. This type of fraud covers any card transactions where the cardholder is not physically
present, i.e. those conducted over the internet, telephone, fax and mail order, and is
now the largest type of card fraud in the UK [6]. Fraudsters obtain details of a card,
i.e. cardholder name, card number and the 3 digit security number from the back of
the card, and can use these to pay for goods or services over the internet, phone, fax
or mail order. Companies reliant on Card Not Present (CNP) transactions are unable
to check the physical security features of the card to determine if it is genuine and
cannot rely on signature or PIN authentication. Equally, there is no check that the information
is being provided by the genuine cardholder.