Online fraud 'ahead' of credit-card companies: experts

MEMPHIS (Reuters) - The top security experts at the world's two biggest credit-card associations said on Monday that the battle against internet-based thieves had reached a stalemate and the industry would have to spend millions of dollars over the next decade just to keep up with the criminals.

Speaking at an conference here, John Shaughnessy, senior vice president for fraud prevention at Visa USA and Suzanne Lynch, vice president for security and risk services at MasterCard International, said that organised crime rings -- with the help, in many cases, of former Soviet KGB cryptographers -- were successfully using the internet and "crimeware" software programs to circumvent the defenses credit-card issuers erected against them.

The picture they presented of an escalating struggle between commerce and criminality offered little hope of quick relief for consumers worried about identity theft or for investors in card-issuing banks concerned about security's escalating costs.

The credit-card companies were battling loosely knit, elusive criminal networks responsible for much of the fraud, they said.

"They're very, very good at what they're doing," Shaughnessy told attendees at the Bank Card Conference, "and they're a few steps ahead of us in a couple of areas. They've done their homework about the payments system and because of (them) we all have a chance to lose some sleep at night."

The sobering assessment came one day after Symantec, the world's biggest security software maker, released a report that showed hacking was no longer just the pass-time of precocious teenagers, but now was the province of organised criminals looking to gain access to personal information of computer users -- and their assets.

Symantec said that viruses designed to capture confidential information made up three-quarters of the top 50 viruses, worms and Trojans during the first six months of 2005, up from 54 percent in the last six months of 2004.

Visa's Shaughnessy said FBI data showed the number of internet-related credit-card crime reports rose 66 percent in 2004 and the average reported loss associated with the online scams tripled to US$2400 from US$800 in 2003.

Part of that jump reflects the rise of business done on the internet, Lynch and Shaughnessy said. But part of it also reflects the increasing sophistication of the criminals.

"We build a 10-foot wall," Lynch said, "and the bad guys build an 11-foot ladder."

While the criminals are increasingly savvy, Shaughnessy and Lynch said that in many cases they were inadvertently helped by sloppy security policies within the payment chain itself -- and by slip-ups by merchants, third-party processors or the credit-card companies themselves.

"I will say that of all the hacks we've seen -- and we've seen hundreds and hundreds of these -- had the third-party been in compliance (with association rules), they probably wouldn't have been hacked," he said.

Shaughnessy said Visa and others were looking at ways of protecting data so that even if a consumer's credit card information was compromised, it would be useless to the criminal. But he warned it would take many years, and lots of money, to set up such a system.

"This is going to take big investments over a number of years and we're talking hundreds of millions of dollars to come up with a secure system," he said. "Maybe 10 years from now we'll have it solved...It's a tough situation."

Made tougher by the speed with which the criminals exploit even the most harmless information breaches, Lynch said.

Lynch said that as the Red Cross began issuing MasterCard debit cards to victims of Hurricane Katrina earlier this month, a newspaper photographer working on a story about the program took a picture of one recipient holding a card. The photo was quickly posted on the internet. "Within eight hours," Lynch said, "there was fraud on the card."

"Somebody had seen the picture -- and unfortunately they hadn't blocked the number -- and so somebody used the card fraudulently."

credit card fraud online fraud security theft